American Security and Privacy, LLC Emergency Management Certification
Emergency Management Certification
Dr. Kevin F. Streff
Founder and Managing Partner
Dr. Kevin Streff
American Security and Privacy, LLC
• Founder & Managing Partner
• www.americansecurityandprivacy.com
• Kevin.Streff@americansecurityandprivacy.com
• 605.270.4427
Agenda
Module 1 Emergency Preparedness Overview
Module 2 Emergency Preparedness Laws and Regulations
Module 3 The Role of Emergency Preparedness in Information Security and Privacy Programs
Module 4 Security and Privacy Incidents
Module 5 Incident Response Programs
Module 6 Business Impact Analysis
Module 7 Business Continuity Programs
Module 8 Pandemic Preparedness Programs
Module 9 Third Party Emergency Preparedness Requirements
Module 10 Information Emergency Preparedness Auditing
Module 11 Emergency Preparedness Metrics
Emergency Management
• Incident Response Handling
• Business Continuity Planning
• Pandemic Preparedness
Module 4
SECURITY AND PRIVACY INCIDENTS
Security Incidents
2024 CrowdStrike Report
• 34 newly named adversaries in 2023
• 230+ total adversaries tracked by CrowdStrike
• 2:07 minutes: fastest recorded eCrime breakout time
• 75% increase in cloud intrusions
• 76% spike in data theft victims named on the dark web
• 75% of attacks were malware-free
Social Engineering Attacks
• According to the 2024 Data Breach Investigations Report by Verizon, social engineering attacks account for 17% of all data breaches and 10% of cybersecurity incidents, making social engineering one of the three most common cyberattack vectors.
Example
• Mailchimp: in January 2023, Mailchimp, a prominent platform for email marketing and newsletters, detected an unauthorized user within its infrastructure.
• They stated that an intruder had gained access to one of the tools Mailchimp uses for user account administration and customer support.
• The intruder had previously targeted Mailchimp employees and managed to get their account credentials through social engineering techniques. Afterward, the malicious actor used the compromised credentials to access data on 133 Mailchimp accounts.
Privilege Abuse
• Organizations usually have many users with elevated privileges such as admins, technical specialists, and managers. Some can only access certain critical resources, such as specific databases or applications.
• Others might have full access to every system in the network and even be able to create new privileged accounts without drawing anyone's attention. If privileged users have malicious intent or have been compromised, it may lead to data breaches, financial fraud, sabotage, and other severe consequences.
• Unfortunately, it's hard to detect if a user with elevated access rights is abusing their privileges, as these culprits often cleverly conceal their actions.
Example
• International Committee of the Red Cross (ICRC)
• Malicious actors had compromised privileged accounts, used lateral movement techniques to escalate their privileges, and acted under the guise of admins to obtain sensitive data.
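The Privilege Abuse slide makes two points a detection engineer can act on: some privileged users are scoped to specific critical resources, and unrestricted users can create new privileged accounts without anyone noticing. The following is an added example, not material from the course or from any vendor: it runs two checks over a constructed audit log (newline-delimited JSON). The scope map, field names and sample events are assumptions made for the illustration.

```python
"""Added example: two privilege-abuse detections over a constructed audit log.
Check 1 flags scoped privileged users touching resources outside their scope.
Check 2 flags creation of a privileged account with no change ticket attached."""
import json
from typing import Dict, List, Set

# Assumed scope map (hypothetical): which critical resources each privileged
# account may touch. "*" marks an unrestricted account, the population the
# slide warns can create new privileged accounts unnoticed.
PRIVILEGED_SCOPE: Dict[str, Set[str]] = {
    "dba_alice": {"db_core_banking", "db_loans"},
    "app_bob": {"app_online_banking"},
    "iam_carol": {"*"},
}

# Constructed audit events, one JSON object per line (not real log data).
SAMPLE_LOG = """
{"ts": "2024-03-01T02:14:05Z", "user": "dba_alice", "action": "select", "resource": "db_core_banking"}
{"ts": "2024-03-01T02:15:40Z", "user": "dba_alice", "action": "export", "resource": "app_online_banking"}
{"ts": "2024-03-01T09:02:11Z", "user": "iam_carol", "action": "create_account", "resource": "iam", "target": "svc_backup2", "privileged": true, "ticket": "CHG-1042"}
{"ts": "2024-03-01T23:48:19Z", "user": "app_bob", "action": "create_account", "resource": "iam", "target": "tmp_admin", "privileged": true}
{"ts": "2024-03-02T10:00:00Z", "user": "app_bob", "action": "deploy", "resource": "app_online_banking"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def out_of_scope(events: List[dict]) -> List[dict]:
    """Flag scoped privileged users acting on resources outside their scope.
    Unknown users and unrestricted ('*') users are left to the second check."""
    findings = []
    for e in events:
        scope = PRIVILEGED_SCOPE.get(e["user"])
        if scope is None or "*" in scope:
            continue
        if e["resource"] not in scope:
            findings.append({**e, "reason": "out-of-scope access"})
    return findings


def unticketed_privileged_creation(events: List[dict]) -> List[dict]:
    """Flag privileged-account creation with no change ticket recorded,
    whoever performed it: the 'new admin nobody noticed' case."""
    return [
        {**e, "reason": "privileged account created without ticket"}
        for e in events
        if e.get("action") == "create_account" and e.get("privileged") and not e.get("ticket")
    ]


def review(text: str) -> List[dict]:
    """Run both checks and return all findings ordered by timestamp."""
    events = parse_events(text)
    findings = out_of_scope(events) + unticketed_privileged_creation(events)
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["ts"], f["user"], f["reason"], f.get("target", f["resource"]))
```

On the sample log the review yields three findings: the DBA exporting from an application she is not scoped to, and the application admin creating a privileged account both outside his scope and without a ticket. The scope map is the important design choice: without a written statement of who may touch what, "out of scope" is undefined and the detection cannot be built.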
Data Leakage
• Occurs when sensitive information is unintentionally exposed to unauthorized parties.
• For example, a misconfigured cloud storage server might allow easy access to personally identifiable information (PII) and trade secrets.
Example
• Pegasus Airlines: in June 2022, the airline discovered an error in the configuration of one of its databases.
• It turned out that an airline employee had misconfigured security settings and exposed 6.5 terabytes of the company's valuable data.
• As a result of the improper configuration of an AWS bucket, 23 million files with flight charts, navigation materials, and the crew's personal information were available for the public to see and modify.
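The Data Leakage slide and the Pegasus Airlines example both come down to a storage bucket whose settings let the public read and modify objects. The following is an added example, not part of the course material and not a description of the Pegasus configuration: it audits an S3 bucket policy document and the bucket's Public Access Block settings offline. The policy JSON, bucket name, account id and role are constructed placeholders; the statement layout and the four Public Access Block flag names are the real AWS formats.

```python
"""Added example: offline audit of an S3 bucket policy and Public Access Block
configuration for the public read/write exposure the slide describes."""
import json
from typing import Any, Dict, List, Tuple

# Constructed policy with the weakness: "Principal": "*" may read and write.
# The bucket, account id and role are placeholders, not real identifiers.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-flight-docs/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-flight-docs/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0placeholder"}}},
    {"Sid": "CrewAppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/crew-app"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-flight-docs/*"}
  ]
}
""")

# Corrected policy: only the named application role may read objects.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [WEAK_POLICY["Statement"][2]]}

# Constructed Public Access Block settings (real flag names) with two flags off.
WEAK_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

READ_ACTIONS = {"s3:getobject", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal: Any) -> bool:
    """'*' or {"AWS": "*"} grants to every principal, including anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (kind, Sid) for every Allow statement with a public principal.
    Statements carrying a Condition are still reported, marked 'conditional',
    because the condition may or may not actually narrow the audience."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        prefix = "conditional-" if "Condition" in stmt else ""
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        sid = stmt.get("Sid", "<no Sid>")
        if actions & READ_ACTIONS:
            findings.append((prefix + "public-read", sid))
        if actions & WRITE_ACTIONS:
            findings.append((prefix + "public-write", sid))
    return findings


def public_access_block_gaps(cfg: Dict[str, bool]) -> List[str]:
    """List the Public Access Block flags that are not enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in required if not cfg.get(k, False)]


if __name__ == "__main__":
    print("weak policy:", public_grants(WEAK_POLICY))
    print("hardened policy:", public_grants(HARDENED_POLICY))
    print("PAB gaps:", public_access_block_gaps(WEAK_PAB))
```

The weak policy produces a public-read and a public-write finding on the same statement, which is the "see and modify" exposure the example describes, plus a conditional finding to review; the hardened policy produces none. The Public Access Block check matters independently of the policy: with BlockPublicPolicy and RestrictPublicBuckets enabled, a later mistake in the policy document would be rejected or neutralised rather than exposing the data.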
Insider Data Theft
• Insiders may steal data for financial benefit, espionage purposes, ideological reasons, or because of a grudge.
• For financial institutions, insider data theft may cause financial losses, reputational damage, loss of customer trust, and legal liabilities.
Example
• In May 2023, two former employees stole and leaked Tesla's confidential data to a German news outlet, Handelsblatt.
• An investigation showed that malicious insiders breached the company's IT security and data protection policies to unlawfully obtain and disclose 23,000 internal documents from Tesla, amounting to nearly 100 gigabytes of confidential information.
• As a result, the personal information of 75,735 current and former Tesla employees was leaked and the company was at risk of facing a $3.3 billion fine for insufficient data protection.
Intellectual Property Theft
• Intellectual property is one of the most valuable types of data an organization possesses.
• Bright ideas, innovative technologies, and complex formulas give businesses a competitive advantage.
• It's no surprise that malicious actors often target their victims' trade secrets.
Example
• In May 2022, Apple sued Rivos, a chip development startup, for allegedly stealing trade secrets after Rivos hired away more than 40 former Apple employees.
• Apple claimed that at least two of their former engineers took gigabytes of confidential information with them before joining Rivos.
• Apple suggests that Rivos hired Apple's former employees to work on competing system-on-chip (SoC) technology.
• Apple spent billions of dollars and more than a decade of research to create the SoC designs that are now used in iPhones, iPads, and MacBooks.
• Having access to SoC trade secrets would have significantly aided Rivos in competing against Apple.
Third Party Breaches
• Having a sophisticated supply chain with numerous subcontractors, vendors, and third-party services is the norm for organizations these days.
• However, granting third parties access to your network is associated with cybersecurity risks.
• One of the reasons is that your third parties may not always follow all necessary security procedures.
• Thus, there's no guarantee that hackers won't exploit your vendors' vulnerabilities to access your organization's assets.
Example
• In March 2024, American Express informed its customers that unauthorized parties gained access to sensitive customer information through a breach in their merchant processor.
• The breach was caused by a successful point-of-sale attack. American Express emphasized that its internal systems weren't compromised during the incident.
• However, the breach at the merchant processor leaked American Express customers' sensitive data, such as names, current and former account numbers, and card expiration dates.
Phishing
• A threat actor masquerades as a reputable entity or person in an email or other communication channel.
• The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including extracting login credentials or account information from victims.
• A more targeted type of phishing attack, known as spear phishing, occurs when the attacker invests time researching the victim to pull off an even more successful attack.
Malware
• A broad term for malicious software of any type that gets installed on an enterprise's systems.
• Malware includes Trojans, worms, ransomware, adware, spyware and various types of viruses.
• Some malware is inadvertently installed when an employee clicks on an ad, visits an infected website, or installs freeware or other software.
• Signs of malware include unusual system activity, such as a sudden loss of disk space; unusually slow speeds; repeated crashes or freezes; an increase in unwanted internet activity; and pop-up advertisements.
DDoS Attack
• A threat actor launches a distributed denial-of-service attack to shut down an individual machine or an entire network so that it's unable to respond to service requests.
• DoS attacks do this by flooding the target with traffic or sending it some information that triggers a crash.
Privacy Incidents
• Alteration of personal data – when personal data has been unlawfully changed. This could be, for example, data that is incorrectly updated on a system accidentally or deliberately.
• Brute force attack – when an attacker tries a large number of possible keyword or password combinations to gain unauthorized access to a system or file.
• Cryptographic flaw – a weakness in the security of a system that would allow a hacker to access sensitive information.
• Data emailed to incorrect recipient – where an email containing personal data is sent to the wrong email address. This could be data about one person or multiple individuals.
• Data of wrong data subject shown in client portal – where personal information about one or more individuals is shown within the online service area belonging to another person.
• Data posted or faxed to incorrect recipient – where a fax or piece of post containing personal data is sent to the wrong fax number or postal address. This could be data about one person or multiple individuals.
• Denial of service – when a network or server, such as a website, is maliciously flooded with manufactured traffic (typically using botnets) to either cause it to fail or flood it with so much traffic that legitimate users can't access it.
• Failure to redact – when personal data was disclosed without the appropriate redaction, or if the redactions made were inadequate.
• Failure to use bcc – when personal data was disclosed due to an organization not using blind carbon copy (bcc) recipients in an email. Usually bcc is used to ensure personal email addresses are not shared inappropriately with other customers, clients or organizations.
• Hardware/software misconfiguration – any hardware or software misconfiguration leading to a disclosure of information. For example, permissions on a folder set incorrectly, or failing to use a robots.txt file.
• Incorrect disposal of hardware – computers, laptops or other devices are not fully cleared of personal data, nor is the personal data they contain otherwise anonymized or encrypted.
• Incorrect disposal of paperwork – paperwork containing personal data has been disposed of without it being shredded or otherwise destroyed. Personal information should not be identifiable once paper files have been disposed of.
• Loss/theft of device containing personal data – an electronic device (for example a laptop, phone or tablet) containing personal information of others has been misplaced or stolen. This may be of particular concern if the data is not sufficiently secure, for example if the device has not been encrypted.
• Loss/theft of paperwork or data left in insecure location – papers containing personal data are not secured, for example by locking the paperwork in a cabinet or similar; or papers are misplaced or stolen.
• Malware – a general term used to refer to a variety of forms of hostile or intrusive software including computer viruses, worms, Trojan horses, spyware, adware, scareware, and other malicious programs. Malware is short for 'malicious software'.
• Phishing – an attempt to obtain information by posing as a trustworthy entity, deceiving recipients into sharing sensitive information (such as usernames, passwords, or credit card details) or by encouraging them to visit a fake website.
• Ransomware – a type of malware that unlawfully encrypts a user's files and demands a ransom to unencrypt files, usually in the form of cryptocurrency.
• Unauthorized access – an unauthorized individual has gained access to personal data. This can include unauthorized disclosures. This incident type is used both in instances where an individual has unlawfully accessed or disclosed information and where a third party has forcibly accessed a system.
• Verbal disclosure of personal data – when personal data is shared or disclosed verbally to an inappropriate party.
Incident Response Levels
• Critical: A very high impact incident, such as a customer-facing service being down for all customers
• Major: A significant impact incident, such as a customer-facing service being unavailable for some customers
• Minor: A low impact incident, such as a minor inconvenience to customers
Levels
Level 1 – A critical incident that affects a large number of users in production.
Level 2 – A significant problem affecting a limited number of users in production.
Level 3 – Causes errors, minor problems for users, or a heavy system load.
Level 4 – A minor problem that affects the service but has no serious impact on users.
Level 5 – A low-level deficiency that causes minor problems.
Levels
• The financial institution determines how many levels, their definitions, and the steps that will be taken based upon these levels.
• Specific incidents can have more specific steps.
• Risk-based program.
Summary
• Both security and privacy incidents need to be reflected in your incident response and business continuity plans.
• Risk-based approach.
• Identify the potential issues prior to them occurring.
American Security and Privacy, LLC Emergency Management Certification
American Security and Privacy, LLC Emergency Management Certification
Dr. Kevin Streff
American Security and Privacy, LLC
 Founder & Managing Partner
 www.americansecurityandprivacy.com
 Kevin.Streff@americansecurityandprivacy.com
 605.270.4427
32
American Security and Privacy, LLC

More Related Content

PPTX
IH - Security Incidents - Module 5 Powerpoint Presentation.pptx
PPTX
Certified Banking Board Member - Module 2 Powerpoint Presentation
PPTX
Cyber Frontline - Level 1 - Module 2.pptx
PPTX
Cyber Frontline - Level 2 - Module 2.pptx
PPTX
Cyber Frontline - Level 3 - Module 1.pptx
PPTX
Cyber Frontline - Level 2 - Module 1.pptx
PPTX
IH - Privacy Incidents - Module 4 Powerpoint Presentation.pptx
PPTX
Certified Banking Security C-Suite - Module 1.pptx
IH - Security Incidents - Module 5 Powerpoint Presentation.pptx
Certified Banking Board Member - Module 2 Powerpoint Presentation
Cyber Frontline - Level 1 - Module 2.pptx
Cyber Frontline - Level 2 - Module 2.pptx
Cyber Frontline - Level 3 - Module 1.pptx
Cyber Frontline - Level 2 - Module 1.pptx
IH - Privacy Incidents - Module 4 Powerpoint Presentation.pptx
Certified Banking Security C-Suite - Module 1.pptx

Similar to EM - Security and Privacy Incidents - Module 4 Powerpoint Presentation (20)

PPTX
Cyber RM - Asset Inventory - Module 7 Powerpoint Presentation
PDF
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
PDF
2014 ota databreach3
PPTX
CYBER SECURITY FOR LAW FIRMS
PPTX
Cyber Frontline - Level 3 - Module 2.pptx
PDF
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
PPTX
IT Security Essentials
PPTX
Presentation for FPANJ Spring 2015 Conference
PPTX
Management Information Systems ( Security and Control.pptx
DOCX
2. IntroductionYou are employed with Government Security Consu.docx
PPTX
Certified Banking TPM - Module 3 powerpoint presentation
PPTX
IH - Step 2 - Module 8 Powerpoint Presentation.pptx
PPTX
GTAG Fraud prevention Slide Presentation.pptx
PPTX
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
PDF
Asset Security
DOCX
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
PPTX
Cyber Frontline - Level 1 - Module 1.pptx
PPTX
Identity theft and data responsibilities
PDF
Cybersecurity crisis management a prep guide
PPTX
Board Cyber - Level 3 - Module 1.pptx
Cyber RM - Asset Inventory - Module 7 Powerpoint Presentation
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros
2014 ota databreach3
CYBER SECURITY FOR LAW FIRMS
Cyber Frontline - Level 3 - Module 2.pptx
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
IT Security Essentials
Presentation for FPANJ Spring 2015 Conference
Management Information Systems ( Security and Control.pptx
2. IntroductionYou are employed with Government Security Consu.docx
Certified Banking TPM - Module 3 powerpoint presentation
IH - Step 2 - Module 8 Powerpoint Presentation.pptx
GTAG Fraud prevention Slide Presentation.pptx
How Your Nonprofit Can Avoid Data Breaches and Ensure Privacy Part 2
Asset Security
1.    TitleIT Security Risk Assessment2.    IntroductionYo.docx
Cyber Frontline - Level 1 - Module 1.pptx
Identity theft and data responsibilities
Cybersecurity crisis management a prep guide
Board Cyber - Level 3 - Module 1.pptx
Ad

More from trevor501353 (20)

PPT
Security Manager - Slides - Module 10.ppt
PPTX
Certified Banking Data Privacy Law and Regulation - Module 9.pptx
PPT
Security Manager - Slides - Module 8.ppt
PPTX
Certified Banking Data Privacy Law and Regulation - Module 7.pptx
PPT
Security Manager - Slides - Module 6.ppt
PPTX
Certified Banking Data Privacy Law and Regulation - Module 5.pptx
PPTX
Certified Banking Data Privacy Law and Regulation - Module 4.pptx
PPTX
Certified Banking Data Privacy Law and Regulation - Module 3.pptx
PPT
Security Manager - Slides - Module 2.ppt
PPTX
Certified Banking Data Privacy Law and Regulation - Module 1.pptx
PPTX
Board Cyber - Level 3 - Module 4.pptx
PPTX
Board Cyber - Level 3 - Module 3.pptx
PPTX
Board Cyber - Level 3 - Module 2.pptx
PPTX
Board Cyber - Level 2 - Module 4.pptx
PPTX
Board Cyber - Level 2 - Module 3.pptx
PPTX
Board Cyber - Level 2 - Module 2.pptx
PPTX
Board Cyber - Level 2 - Module 1.pptx
PPTX
Cyber Frontline - Level 3 - Module 4.pptx
PPTX
Cyber Frontline - Level 2 - Module 3.pptx
PPTX
Board Privacy - Level 1 - Module 4.pptx
Security Manager - Slides - Module 10.ppt
Certified Banking Data Privacy Law and Regulation - Module 9.pptx
Security Manager - Slides - Module 8.ppt
Certified Banking Data Privacy Law and Regulation - Module 7.pptx
Security Manager - Slides - Module 6.ppt
Certified Banking Data Privacy Law and Regulation - Module 5.pptx
Certified Banking Data Privacy Law and Regulation - Module 4.pptx
Certified Banking Data Privacy Law and Regulation - Module 3.pptx
Security Manager - Slides - Module 2.ppt
Certified Banking Data Privacy Law and Regulation - Module 1.pptx
Board Cyber - Level 3 - Module 4.pptx
Board Cyber - Level 3 - Module 3.pptx
Board Cyber - Level 3 - Module 2.pptx
Board Cyber - Level 2 - Module 4.pptx
Board Cyber - Level 2 - Module 3.pptx
Board Cyber - Level 2 - Module 2.pptx
Board Cyber - Level 2 - Module 1.pptx
Cyber Frontline - Level 3 - Module 4.pptx
Cyber Frontline - Level 2 - Module 3.pptx
Board Privacy - Level 1 - Module 4.pptx
Ad

Recently uploaded (20)

PPTX
EXT.-EDU-809-EXTENSION-POLICY-AND-GOALS-.pptx
PDF
Geopolitics and the Dynamic Competition Framework
PPTX
Why work place wellbeing matters BookReview
DOC
咨询WSU毕业证学历认证,多恩大学毕业证国外本科学位证
PPTX
HRM mmm presentation pragati pandey.pptx
PPTX
People Strategies LXP BTS Readiness Plan
PDF
The Psychology of Employee Appreciation by Meenakshi Khakat
PDF
250816-Risk Evaluation & Mitigation Strategy-CQS.pdf
PPTX
1.pptx Awareness course managing. safety
PPTX
The Impact of Hofstede’s 6D Model on Emotional Intelligence in Global Teams.pptx
PPTX
Case Study on Japan: Development Model, Issues, and Prospects
PPTX
Recruitment and bshiwjwnbshshshshhshvej.ppt
PDF
Personal-Professional-Development-in-Nursing-1.pdf
PPTX
Leading, its definiton, example, and types.pptx
PPTX
SM_Behavior Based Safety (BBS)_Unit V.pptx
PPT
Risk Management What is Risk Management Risk Management Strategies Software R...
PDF
SpatzAI Micro-Conflict Resolution Toolkit - Fairer Teamwork Globally
PPT
risk management (contd.) Risk Identification Risk Components and Drivers Risk...
PPTX
EMOTIONAL INTELLIGENCE IN LEADERSHIP.pptx
PPTX
Unit 1-setting up practice arvhitectweyre
EXT.-EDU-809-EXTENSION-POLICY-AND-GOALS-.pptx
Geopolitics and the Dynamic Competition Framework
Why work place wellbeing matters BookReview
咨询WSU毕业证学历认证,多恩大学毕业证国外本科学位证
HRM mmm presentation pragati pandey.pptx
People Strategies LXP BTS Readiness Plan
The Psychology of Employee Appreciation by Meenakshi Khakat
250816-Risk Evaluation & Mitigation Strategy-CQS.pdf
1.pptx Awareness course managing. safety
The Impact of Hofstede’s 6D Model on Emotional Intelligence in Global Teams.pptx
Case Study on Japan: Development Model, Issues, and Prospects
Recruitment and bshiwjwnbshshshshhshvej.ppt
Personal-Professional-Development-in-Nursing-1.pdf
Leading, its definiton, example, and types.pptx
SM_Behavior Based Safety (BBS)_Unit V.pptx
Risk Management What is Risk Management Risk Management Strategies Software R...
SpatzAI Micro-Conflict Resolution Toolkit - Fairer Teamwork Globally
risk management (contd.) Risk Identification Risk Components and Drivers Risk...
EMOTIONAL INTELLIGENCE IN LEADERSHIP.pptx
Unit 1-setting up practice arvhitectweyre

EM - Security and Privacy Incidents - Module 4 Powerpoint Presentation

  • 1. American Security and Privacy, LLC Emergency Management Certification Emergency Management Certification Dr. Kevin F. Streff Founder and Managing Partner 1
  • 2. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Dr. Kevin Streff American Security and Privacy, LLC  Founder & Managing Partner  www.americansecurityandprivacy.com  Kevin.Streff@americansecurityandprivacy.com  605.270.4427 2
  • 3. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Agenda Module 1 Emergency Preparedness Overview Module 2 Emergency Preparedness Laws and Regulations Module 3 The Role of Emergency Preparedness in Information Security and Privacy Programs Module 4 Security and Privacy Incidents Module 5 Incident Response Programs Module 6 Business Impact Analysis Module 7 Business Continuity Programs Module 8 Pandemic Preparedness Programs Module 9 Third Party Emergency Preparedness Requirements Module 10 Information Emergency Preparedness Auditing Module 11 Emergency Preparedness Metrics 3
  • 4. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification • Incident Response Handling • Business Continuity Planning • Pandemic Preparedness Emergency Management 4
  • 5. American Security and Privacy, LLC Emergency Management Certification Module 4 SECURITY AND PRIVACY INCIDENTS 5
  • 6. American Security and Privacy, LLC Emergency Management Certification Security Incidents 6
  • 7. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification • 34 newly named adversaries in 2023 • 230+ total adversaries tracked by CrowdStrike • 2:07 mins: fastest recorded eCrime breakout time • 75% increase in cloud intrusions • 76% spike in data theft victims named on the dark web • 75% of attacks were malware-free 2024 CrowdStrike Report 7
  • 8. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Social Engineering Attacks • According to the 2024 Data Breach Investigations Report by Verizon, social engineering attacks account for 17% of all data breaches and 10% of cybersecurity incidents, making social engineering one of the three most common cyberattack vectors 8
  • 9. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Example • Mailchimp In January 2023, Mailchimp, a prominent platform for email marketing and newsletters, detected an unauthorized user within its infrastructure. • They stated that an intruder had gained access to one of the tools Mailchimp uses for user account administration and customer support. • The intruder had previously targeted Mailchimp employees and managed to get their account credentials through social engineering techniques. Afterward, the malicious actor used the compromised credentials to access data on 133 Mailchimp accounts. 9
  • 10. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Privilege Abuse • Organizations usually have many users with elevated privileges such as admins, technical specialists, and managers. Some can only access certain critical resources, such as specific databases or applications. • Others might have full access to every system in the network and even be able to create new privileged accounts without drawing anyone’s attention. If privileged users have malicious intent or have been compromised, it may lead to data breaches, financial fraud, sabotage, and other severe consequences. • Unfortunately, it’s hard to detect if a user with elevated access rights is abusing their privileges, as these culprits often cleverly conceal their actions. 10
  • 11. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Example • International Committee of the Red Cross (ICRC) • Malicious actors had compromised privileged accounts, used lateral movement techniques to escalate their privileges, and acted under the guise of admins to obtain sensitive data. 11
  • 12. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Data Leakage • Occurs when sensitive information is unintentionally exposed to unauthorized parties. • For example, a misconfigured cloud storage server might allow easy access to personally identifiable information (PII) and trade secrets 12
  • 13. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Example • Pegasus Airlines In June 2022 • Discovered an error in the configuration of one of their databases. • It turned out that an airline employee had misconfigured security settings and exposed 6.5 terabytes of the company’s valuable data. • As a result of the improper configuration of an AWS bucket, 23 million files with flight charts, navigation materials, and the crew’s personal information were available for the public to see and modify. 13
  • 14. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Insider Data Theft • Insiders may steal data for financial benefit, espionage purposes, ideological reasons, or because of a grudge. • For financial institutions, insider data theft may cause financial losses, reputational damage, loss of customer trust, and legal liabilities. 14
  • 15. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Example • In May 2023, two former employees stole and leaked Tesla’s confidential data to a German news outlet, Handelsblatt. • An investigation showed that malicious insiders breached the company’s IT security and data protection policies to unlawfully obtain and disclose 23,000 internal documents from Tesla, amounting to nearly 100 gigabytes of confidential information. • As a result, the personal information of 75,735 current and former Tesla employees was leaked and the company was at risk of facing a $3,3 billion fine for insufficient data protection 15
  • 16. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Intellectual property theft • Intellectual property is one of the most valuable types of data an organization possesses. • Bright ideas, innovative technologies, and complex formulas give businesses a competitive advantage. • It’s no surprise that malicious actors often target their victims’ trade secrets 16
  • 17. American Security and Privacy, LLC Emergency Management Certification American Security and Privacy, LLC Emergency Management Certification Example • In May 2022, Apple sued Rivos, a chip development startup, for allegedly stealing trade secrets after Rivos hired away more than 40 former Apple employees. • Apple claimed that at least two of their former engineers took gigabytes of confidential information with them before joining Rivos. • Apple suggests that Rivos hired Apple’s former employees to work on competing system-on-chip (SoC) technology. • Apple spent billions of dollars and more than a decade of research to create the SoC designs that are now used in iPhones, iPads, and MacBooks. • Having access to SoC trade secrets would have significantly aided Rivos in competing against Apple. 17
Third Party Breaches
• Having a sophisticated supply chain with numerous subcontractors, vendors, and third-party services is the norm for organizations these days.
• However, granting third parties access to your network is associated with cybersecurity risks.
• One of the reasons is that your third parties may not always follow all necessary security procedures.
• Thus, there’s no guarantee that hackers won’t exploit your vendors’ vulnerabilities to access your organization’s assets.
Example
• In March 2024, American Express informed its customers that unauthorized parties gained access to sensitive customer information through a breach at their merchant processor.
• The breach was caused by a successful point-of-sale attack. American Express emphasized that its internal systems weren’t compromised during the incident.
• However, the breach at the merchant processor leaked American Express customers’ sensitive data, such as names, current and former account numbers, and card expiration dates.
Phishing
• A threat actor masquerades as a reputable entity or person in an email or other communication channel.
• The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including extracting login credentials or account information from victims.
• A more targeted type of phishing attack known as spear phishing occurs when the attacker invests time researching the victim to pull off an even more successful attack.
Malware
• A broad term for the different types of malicious software that get installed on an enterprise's systems.
• Malware includes Trojans, worms, ransomware, adware, spyware and various types of viruses.
• Some malware is inadvertently installed when an employee clicks on an ad, visits an infected website, or installs freeware or other software.
• Signs of malware include unusual system activity, such as a sudden loss of disk space; unusually slow speeds; repeated crashes or freezes; an increase in unwanted internet activity; and pop-up advertisements.
DDoS Attack
• A threat actor launches a distributed denial-of-service attack to shut down an individual machine or an entire network so that it's unable to respond to service requests.
• DoS attacks do this by flooding the target with traffic or sending it some information that triggers a crash.
Privacy Incidents
Privacy Incidents
• Alteration of personal data – when personal data has been unlawfully changed. This could be, for example, data that is incorrectly updated on a system accidentally or deliberately.
• Brute force attack – when an attacker tries a large number of possible keyword or password combinations to gain unauthorized access to a system or file.
• Cryptographic flaw – a weakness in the security of a system that would allow a hacker to access sensitive information.
• Data emailed to incorrect recipient – where an email containing personal data is sent to the wrong email address. This could be data about one person or multiple individuals.
• Data of wrong data subject shown in client portal – where personal information about one or more individuals is shown within the online service area belonging to another person.
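The brute force entry above describes the attacker's side; the detection a defender would pair with it is a per-source count of failed logins inside a sliding time window. The following is an added example, not material from the course deck: the log format is an assumption loosely modelled on OpenSSH "Failed password" messages, and the sample lines and addresses are constructed for this illustration.

```python
"""Brute-force login detection over constructed auth log lines.

Added example (not part of the original slide deck). The log format is an
assumption loosely modelled on OpenSSH's "Failed password" messages; the
sample lines, hosts and addresses below are constructed, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (ISO-8601 timestamps). One source hammers root/admin
# within seconds; another source fails once every five minutes (a user
# mistyping a password, not a brute-force attempt at a one-minute window).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:03 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:04 sshd[1201]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:08 sshd[1201]: Failed password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:00:09 sshd[1201]: Accepted password for alice from 198.51.100.23 port 40001 ssh2
2024-03-01T10:00:15 sshd[1201]: Failed password for bob from 198.51.100.23 port 40002 ssh2
2024-03-01T10:05:15 sshd[1201]: Failed password for bob from 198.51.100.23 port 40003 ssh2
2024-03-01T10:10:15 sshd[1201]: Failed password for bob from 198.51.100.23 port 40004 ssh2
2024-03-01T10:15:15 sshd[1201]: Failed password for bob from 198.51.100.23 port 40005 ssh2
2024-03-01T10:20:15 sshd[1201]: Failed password for bob from 198.51.100.23 port 40006 ssh2
"""

# Assumed line layout: "<ts> sshd[<pid>]: <Failed|Accepted> password for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "failed": m["result"] == "Failed",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: (count, first_ts, last_ts)} for every source IP whose failed
    logins reach `threshold` within any sliding window of length `window`.

    Each source keeps a deque of failure timestamps; timestamps older than
    `window` relative to the newest event are dropped from the left, so the
    deque length is the count inside the current window.
    """
    windows = defaultdict(deque)
    alerts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not ev["failed"]:
            continue  # skip unparseable lines and successful logins
        q = windows[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = (len(q), q[0], q[-1])
    return alerts


if __name__ == "__main__":
    for ip, (count, first, last) in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed logins between {first} and {last}")
```

With the default one-minute window only 203.0.113.7 is flagged (five failures in seven seconds); widening the window to 30 minutes also catches the slow, spaced-out attempts from 198.51.100.23, which shows why the window and threshold should be tuned per service rather than fixed.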
Privacy Incidents
• Data posted or faxed to incorrect recipient – where a fax or piece of post containing personal data is sent to the wrong fax number or postal address. This could be data about one person or multiple individuals.
• Denial of service – when a network or server, such as a website, is maliciously flooded with manufactured traffic (typically using botnets) to either cause it to fail or flood it with so much traffic that legitimate users can't access it.
• Failure to redact – when personal data was disclosed without the appropriate redaction, or if the redactions made were inadequate.
• Failure to use bcc – when personal data was disclosed due to an organization not using blind carbon copy (bcc) recipients in an email. Usually bcc is used to ensure personal email addresses are not shared inappropriately with other customers, clients or organizations.
Privacy Incidents
• Hardware/software misconfiguration – any hardware or software misconfiguration leading to a disclosure of information. For example, permissions on a folder set incorrectly, or failing to use a robots.txt file.
• Incorrect disposal of hardware – computers, laptops or other devices are not fully cleared of personal data, nor is the personal data they contain otherwise anonymized or encrypted.
• Incorrect disposal of paperwork – paperwork containing personal data has been disposed of without being shredded or otherwise destroyed. Personal information should not be identifiable once paper files have been disposed of.
• Loss/theft of device containing personal data – an electronic device (for example a laptop, phone or tablet) containing personal information of others has been misplaced or stolen. This is of particular concern if the data is not sufficiently secured, for example if the device has not been encrypted.
• Loss/theft of paperwork or data left in insecure location – papers containing personal data are not secured, for example by locking the paperwork in a cabinet or similar; or papers are misplaced or stolen.
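The first entry above names folder permissions set incorrectly as a typical misconfiguration. A small audit that walks a directory tree and reports anything readable or writable by "other", then strips those bits, is the kind of check a practitioner would schedule. This is an added example and not material from the course deck; it assumes a POSIX filesystem, and the directory layout it builds (a `private` folder beside an `exports` folder holding a constructed `customers.csv`) exists only for this illustration.

```python
"""Audit a directory tree for world-readable/world-writable entries and fix them.

Added example (not part of the original slide deck). Assumes a POSIX
filesystem where os.chmod honours the "other" permission bits. The demo tree
built by build_demo_tree() is constructed for this illustration only.
"""
import os
import shutil
import stat
import tempfile


def insecure_mode_reasons(mode):
    """Return the reasons a mode is a disclosure risk (empty list if none)."""
    reasons = []
    if mode & stat.S_IROTH:
        reasons.append("world-readable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_tree(root):
    """Return {relative_path: [reasons]} for every file or directory under
    `root` that is readable or writable by users outside owner and group.

    Symlinks are skipped: their own mode bits are meaningless and following
    them could wander outside the tree being audited.
    """
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = insecure_mode_reasons(st.st_mode)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def remediate(root):
    """Clear all 'other' permission bits on every finding; return the paths fixed."""
    fixed = []
    for rel in audit_tree(root):
        full = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        os.chmod(full, mode & ~stat.S_IRWXO)
        fixed.append(rel)
    return sorted(fixed)


def build_demo_tree():
    """Create a constructed sample tree: one correctly locked-down folder and
    one folder whose permissions would disclose a customer export."""
    root = tempfile.mkdtemp(prefix="permaudit_")
    private = os.path.join(root, "private")
    os.mkdir(private)
    os.chmod(private, 0o700)
    ok_file = os.path.join(private, "ok.txt")
    with open(ok_file, "w") as f:
        f.write("constructed sample\n")
    os.chmod(ok_file, 0o600)

    exports = os.path.join(root, "exports")
    os.mkdir(exports)
    os.chmod(exports, 0o755)  # world-readable directory: the misconfiguration
    leak = os.path.join(exports, "customers.csv")
    with open(leak, "w") as f:
        f.write("constructed sample, no real records\n")
    os.chmod(leak, 0o666)  # world-readable and world-writable file
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        for path, reasons in sorted(audit_tree(root).items()):
            print(f"{path}: {', '.join(reasons)}")
        print("fixed:", remediate(root))
        print("remaining findings:", audit_tree(root))
    finally:
        shutil.rmtree(root)
```

Run on the constructed tree, the audit reports `exports` as world-readable and `exports/customers.csv` as both world-readable and world-writable, while the `private` folder and its file pass; after `remediate()` a second audit returns nothing. The same two functions can be pointed at a real document share, with the remediation step reviewed before it is run.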
Privacy Incidents
• Malware – a general term used to refer to a variety of forms of hostile or intrusive software including computer viruses, worms, Trojan horses, spyware, adware, scareware, and other malicious programs. Malware is short for ‘malicious software’.
• Phishing – an attempt to obtain information by posing as a trustworthy entity, deceiving recipients into sharing sensitive information (such as usernames, passwords, or credit card details) or encouraging them to visit a fake website.
• Ransomware – a type of malware that unlawfully encrypts a user’s files and demands a ransom, usually in cryptocurrency, to decrypt them.
• Unauthorized access – an unauthorized individual has gained access to personal data. This can include unauthorized disclosures. This incident type is used both in instances where an individual has unlawfully accessed or disclosed information and where a third party has forcibly accessed a system.
• Verbal disclosure of personal data – when personal data is shared or disclosed verbally to an inappropriate party.
Incident Response Levels
• Critical: A very high impact incident, such as a customer-facing service being down for all customers
• Major: A significant impact incident, such as a customer-facing service being unavailable for some customers
• Minor: A low impact incident, such as a minor inconvenience to customers
Levels
• Level 1: A critical incident that affects a large number of users in production.
• Level 2: A significant problem affecting a limited number of users in production.
• Level 3: Causes errors, minor problems for users, or a heavy system load.
• Level 4: A minor problem that affects the service but has no serious impact on users.
• Level 5: A low-level deficiency that causes minor problems.
Levels
• The financial institution determines how many levels, their definitions, and the steps that will be taken based upon these levels.
• Specific incidents can have more specific steps.
• Risk-based program
Summary
• Both security and privacy incidents need to be reflected in your incident response and business continuity plans.
• Risk-based approach
• Identify the potential issues prior to them occurring.