SlideShare a Scribd company logo

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

bugcrowd
bugcrowd

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018

Law
1 of 50
Download to read offline
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018 Casey Ellis | Chairman, Founder & CTO – Bugcrowd Elizabeth Cookson | Senior Analyst, Cyber – KIVU Consulting Jake Heath | Partner, Intellectual Property – Orrick LLP Moderator: Tony Kim | Partner, Cyber, Privacy & Data Innovation – Orrick LLP
The Scope of the Problem
What the World Economic Forum Thinks about Us (US)
Where Do Cyberattacks Rank? Source: World Economic Forum Global Risks 2018
(Sobering) Statistics Data Breaches Continue to Mount Source: The Breach Level Index, available at, http://breachlevelindex.com
Biggest Breaches (2008-2009) Source: The Breach Level Index, available at, http://breachlevelindex.com
Biggest Breaches (2016-2017)
Anatomy of a Typical External (Hack) Attack Nation State Organized Crime Hacktivists Initial Compromise Establish Foothold Escalate Privileges Internal Recon Lateral Movement Maintain Presence Malicious Insiders Network Perimeter Financial gain Cyber-extortion Cyber-espionage Competitive advantage Disruption Political Revenge Whistleblower WHY? Internal Damage Ransomware Data Access Data Acquisition
Anatomy of a Typical Company Response Data Access Data Acquisition Initial Triage Forensic Investigation Notifications PR/Communications Law Enforcement Systems Remediation Insurance Recovery Public Disclosures Governance Auditors Regulator Investigations Lawsuits Customer Demands Remedies or Settlements
Common Cost Components Initial Response Costs Business Losses Security consultants Lost revenue Forensic imaging Drop in stock value Restoring service / security upgrades Loss of customer confidence Customer Costs Legal Claims Breach notification Litigation (e.g., consumer or employee class action / shareholder derivative) costs and settlement payouts Identity theft problem Defense of government proceedings Credit monitoring Government fines or penalties Customer inducements PCI/Card brand assessments
Transformative Costs Source: Cybersecurity Ventures and Herjavec Group (2017) “The greatest transfer of economic wealth in history” 2015 2021 $6 trillion $3 trillion Global annual cybercrime costs estimated to grow from $3 trillion to $6 trillion by 2021 Includes estimated costs for: • Damage and destruction of data • Stolen money/fraud/embezzlement • Lost productivity/disruption to operations • Theft of IP, personal data, financial data • Forensic investigation • Restoration and remediation • Reputational harm
Brand Impact = As (or More) Important than Other Costs 74.8% 72.5% 80% of consumers worry about the security of their personal information. Temkin Group "Consumer Benchmark Survey" of consumers don’t believe organizations care about their private data and keeping it safe and secure. HyTrust Inc., the Cloud Security Automation Company 56% 40% 29% Political Action (sign a petition, contact a politician Stop/Reduce Technology Use Social Activity (post to social media, write an op-ed or letter) Actions your customers take when you falter of consumers believe failure to keep customer information secure has a significant negative impact on trust in a company. Edelman Trust Barometer: Financial Services Industry Source: Edelman Proprietary Study, 2014
Companies are Under-Resourced / Staffed / Funded “Cybersecurity has a serious talent shortage” Source: Frost & Sullivan, Center for Cyber Safety and Education (2017) 2017 2022 1.8 million worker shortfall in information security Too few information security workers in my department The most common reason given for this phenomenon is lack of qualified personnel Companies may be looking in the wrong places for talent in this space: • 87% of cyber workers did NOT start in cyber • 30% of cyber workers came from non-IT and non- Engineering background • Disconnect: Managers deeply value communication and analytical skills vs. Candidates predictably prioritize high technical skills
What is Legal’s Role? Lack of Tech Literacy Doesn’t Help “Lawyers don’t need to be coders, they just need not be Luddites” * • Techno-phobia • Continued view of cyber as primarily an IT or InfoSec function • Belief that lawyers should get involved after a breach happens (e.g., breach notification laws), or only in preparing to respond for a breach vs. preventive/mitigation measures • Belief that companies (good guys) can never keep pace with the bad guys in terms of funding, skill, or innovation * “Luddite” = (1) bands of English workers who destroyed machinery that they believed was threatening their jobs; (2) person opposed to new technology
What is Legal’s Role? Tech Competence is Part of the Job A lawyer shall provide competent representation to a client…” Comment 8 to Model Rule of Professional Conduct 1.1: Maintaining Competence To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)
Bug Bounties and “Security Researchers”
Researchers Are Trying to Help . . . Right?
Source: Bugcrowd Bug Bounty 101 – How it Works
Bug Bounty – Is there a Code of Conduct? “Is there Honor Among ‘Security Researchers’”?  Many security researchers have “day jobs,” so they are not out to extort or otherwise disadvantage companies  If you don’t play by the Bug Bounty rules, you will not get paid – including confidentiality  Transparency with respect to payment levels for bug severity levels, and level of documentation that must be shown for payment  Security researchers are “rated,” so reputation matters!
Bug Bounty Programs = A Force Multiplier for Companies “It Takes a Crowd” Lack of Resources + expanding attack surfaces = more opportunity for adversaries.  Bug Bounty programs are used by many uber-sophisticated companies, and even the federal government  In 2 weeks, per company, security researchers typically find: Source: Bugcrowd
Third-Party Managed Bug Bounty Programs Program Types Service Elements Source: Bugcrowd
Designing Your Own Bug Bounty? The Department of Justice outlines a framework for designing a “vulnerability disclosure program” to address the concerns that such activity might violate the Computer Fraud and Abuse Act (18 U.S.C. 1030). See https://www.justice.gov/criminal-ccips/page/file/983996/download
Do Bug Bounties Increase Legal Breach Notifications? Phase 1 Identification, Scoping and Severity Assessment Phase 2 Escalation and Deployment of IR Resources Phase 3 Investigation and Remediation Phase 4 Notification and Other External Communications Phase 5 Post-Incident Analysis and Preparation 1. Statutory duty to notify customers? Legal 2. Contractual duty to notify? Legal 3. “Voluntary” notification? Transparency • Generally, triggered on unauthorized “access” or “acquisition” of PI • 47 U.S. state laws + territories • HHS OCR / PCI / Interagency Guidelines • Rest-of-world • Contractual duties override statutory or regulatory duties on notification • Includes “quasi” contracts such as Privacy Policy and Terms of Use, Marketing, Advertising • Forensics are often inconclusive, which leads to a multi- factor decision tree • Voluntary notice scenarios based on facts, risk mitigation, ethical considerations Corporate Incident Response Plan Phases
• How real is the legal risk around known security vulnerabilities? • Researchers can, and do, go public • Researchers can, and do, report to regulatory agencies • Regulators can, and do, bring investigations and enforcement actions based on vulnerabilities alone – even if there’s been no “data breach” – FTC Litigation: D-Link case – FTC/FCC: Stagefright inquiries to mobile device makers – SEC OCIE: Craig Scott Capital case – Litigation (both ways): St. Jude Medical / Muddy Waters case Is there Liability for a “Mere” Security Vulnerability?
What’s the Game Plan? • How should we address security researchers who call or email (especially on a Friday before a holiday at 4:50 pm)? – Who should interact with the researcher? – Should you email or call, or both? – Do you ever acknowledge the vulnerability? Do you pay them? – Do you keep them updated on the status of your investigation, remediation? • Very helpful to have internal game plan for security researcher engagement, including how and who will make decision on payment • IR Planning – Legal and PR/crisis communications should be briefed and ready – Consideration of incorporating into IR plan, or parallel protocol
Ransomware
Ransomware: What is it?
Ransomware: What does it look like? The visual appearance of a ransomware attack may vary widely • Format of the ransom note • File extension • Disk-level ransomware vs. file-level ransomware • Scrambled filename vs. intact filename
Ransomware: How it works
Rapid Acceleration Number of Ransomware Attacks Worldwide (in millions) Source: Statistica
The No More Ransom Project
Approach “Free” Tools With Caution
Should you pay? “The FBI does not support paying a ransom to the adversary….. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom…… Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
“Dude, stop crying.” Generation of rookie hackers emerges In the past, we were often engaging directly with the malware developer, who could help with software bugs and hiccups With rookie hackers, the tool is either poorly written and / or the actors are unable to help troubleshoot decryption issues
Do companies actually pay? Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
How do (can) you pay? • Does your company/client have a bitcoin wallet? – Your vendor does! • Managed ransomware response: • Vendor takes over communications with attacker (often in attacker’s native language) – Vendor obtains and validates (tests) ransomware decryption tool – Vendor assists in negotiating down the ransom amount – Vendor fronts payment to attacker, in many circumstances – Vendor assists with actual/live decryption and remediation
If you decide to pay . . . Call The Professionals The transaction goes the smoothest when the incident response team is brought in early
Horror Stories Do Not Try This At Home When victims try to engage themselves, they may accidentally antagonize the attacker, or give up information that reveals their identity
Consequences and Protective Measures
What is the legal framework? Civil or criminal liability for hacking Contractual duties re: security and/or breach notification Laws requiring security measures Notification to individuals and regulators Regulator enforcement consent decrees, and related requirements Regulator and industry standards, guidelines, and frameworks
Are “Bugs” and “Ransomware” Notifiable Breach Events??? • Statutes – State statutes (plus D.C., Guam, P.R., V.I.); triggered when 1 or more affected individuals is a resident of the state; triggered on “access” or “acquisition” of PI elements – Industry/sector federal rules (e.g., HIPAA, Interagency Guidelines, NYDFS, DFARS) • Contracts – Contracts with customer and vendors (e.g., privacy policies, terms of use, etc.) – Almost always define “breaches” more broadly than statutes • Industry Rules (e.g., Payment Card Industry – PCI) • SEC public company disclosures (e.g., Form 8-K) • Client’s Internal Policies and Procedures
What have regulators said about Ransomware? “[A] breach has occurred because the [data] encrypted by the ransomware was acquired … and thus is a ‘disclosure’” where security incident defined as “the acquisition, access, use of disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” 45 C.F.C. 162.402. Special focus on results of forensic analysis and risk assessment “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” -- (Then) Chairwoman Edith Ramirez (2016) Failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
Board Members Under Fire
SEC and DOJ Investigations
Incident Response (IR) Planning Do you have an IR Team? An IR Plan? Have you practiced? Identify Triage & Contain Analyze & Investigate Remove & Recover Prepare Corporate IR Plan Cross- Functional IR Team Cross-Functional IR Team Key Internal Members IR Team Leader Executive Liaison General Counsel/Legal Privacy Officer IT Security Physical Security Corp. Communications Customer Support Human Resources Risk Management Key External Members Outside Counsel Forensics Crisis Communications Investor Relations Vendors (mail house, call center, credit monitoring)
Other Key Elements of Proactive Cybersecurity Programs • Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee • Inventory of data and network assets subject to attack (e.g., data map, network map) • Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic) • Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., ISACs) • Certifications to PCI DSS, ISO/IEC standards, such as ISO/IEC 27001:013, etc. • Encryption of sensitive data in-transit (and at-rest, as appropriate), privilege/identity access management, etc. . . . and other bare minimum protective controls
Other Key Elements (cont’d) • Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance • Implementation of training programs for employees and security team on cybersecurity awareness and response • Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk • Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc. • Explicity consideration of evolving scenarios like Bug Bounties and Ransomware – and how they fit into, or necessitate adjustments to, company’s security breach incident response plan (IRP)
Discussion
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Recommended

MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityUlf Mattsson
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsResilient Systems
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSScott Suhy
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...Casey Ellis
 

Recommended

MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 
Who is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityWho is the next target proactive approaches to data security
Who is the next target proactive approaches to data securityUlf Mattsson
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
Webinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWebinar: Be Cyber Smart – Stories from the Trenches
Webinar: Be Cyber Smart – Stories from the TrenchesWithum
 
Looking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsLooking Forward - Regulators and Data Incidents
Looking Forward - Regulators and Data IncidentsResilient Systems
 
CYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSCYBER SECURITY FOR LAW FIRMS
CYBER SECURITY FOR LAW FIRMSScott Suhy
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckNetIQ
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...Casey Ellis
 
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNorth Texas Chapter of the ISSA
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianPECB
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify ItData Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify ItMarc Crudgington, MBA
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentationBradford Bach
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber ResilienceIan-Edward Stafrace
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouDATAVERSITY
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsSecurity Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsIBM Security
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunitiesLuke Fretwell
 
Dlp notes
Dlp notesDlp notes
Dlp notesanuepcet
 
Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Digital Outsourcing: Risks, Pitfalls, and Security Considerations Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Digital Outsourcing: Risks, Pitfalls, and Security Considerations Peter1020
 
What I Learned at RSAC 2020
What I Learned at RSAC 2020What I Learned at RSAC 2020
What I Learned at RSAC 2020Ulf Mattsson
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNorth Texas Chapter of the ISSA
 
Data Breach Guide 2013
Data Breach Guide 2013Data Breach Guide 2013
Data Breach Guide 2013- Mark - Fullbright
 
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyData Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyNetwork Intelligence India
 
How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...Ulf Mattsson
 
Protecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksProtecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksThis account is closed
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)Trustmarque
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz Abdeen
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawSynopsys Software Integrity Group
 
Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaTechBiz Forense Digital
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 

More Related Content

What's hot

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNorth Texas Chapter of the ISSA
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianPECB
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify ItData Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify ItMarc Crudgington, MBA
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentationBradford Bach
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouDATAVERSITY
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsSecurity Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsIBM Security
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunitiesLuke Fretwell
 
Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Digital Outsourcing: Risks, Pitfalls, and Security Considerations Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Digital Outsourcing: Risks, Pitfalls, and Security Considerations Peter1020
 
What I Learned at RSAC 2020
What I Learned at RSAC 2020What I Learned at RSAC 2020
What I Learned at RSAC 2020Ulf Mattsson
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNorth Texas Chapter of the ISSA
 
How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...Ulf Mattsson
 
Protecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksProtecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksThis account is closed
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)Trustmarque
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz Abdeen
 

What's hot (20)

NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea AlmeidaNTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
NTXISSACSC1 Conference - Cybersecurity 2014 by Andrea Almeida
 
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and ExperianHow to keep out of trouble with GDPR: The case of Facebook, Google and Experian
How to keep out of trouble with GDPR: The case of Facebook, Google and Experian
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 
Data Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify ItData Security: Why You Need Data Loss Prevention & How to Justify It
Data Security: Why You Need Data Loss Prevention & How to Justify It
 
Data breach presentation
Data breach presentationData breach presentation
Data breach presentation
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Big Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to YouBig Data: Beyond the Hype - Why Big Data Matters to You
Big Data: Beyond the Hype - Why Big Data Matters to You
 
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data AnalyticsSecurity Intelligence: Finding and Stopping Attackers with Big Data Analytics
Security Intelligence: Finding and Stopping Attackers with Big Data Analytics
 
Open source software in government challenges and opportunities
Open source software in government challenges and opportunitiesOpen source software in government challenges and opportunities
Open source software in government challenges and opportunities
 
Dlp notes
Dlp notesDlp notes
Dlp notes
 
Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Digital Outsourcing: Risks, Pitfalls, and Security Considerations Digital Outsourcing: Risks, Pitfalls, and Security Considerations
Digital Outsourcing: Risks, Pitfalls, and Security Considerations
 
What I Learned at RSAC 2020
What I Learned at RSAC 2020What I Learned at RSAC 2020
What I Learned at RSAC 2020
 
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon SwainNTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
NTXISSACSC2 - Bring Your Own Device: The Great Debate by Brandon Swain
 
Data Breach Guide 2013
Data Breach Guide 2013Data Breach Guide 2013
Data Breach Guide 2013
 
Data Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. MookheyData Leakage Prevention - K. K. Mookhey
Data Leakage Prevention - K. K. Mookhey
 
How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...How to protect privacy sensitive data that is collected to control the corona...
How to protect privacy sensitive data that is collected to control the corona...
 
Protecting Your Business From Cyber Risks
Protecting Your Business From Cyber RisksProtecting Your Business From Cyber Risks
Protecting Your Business From Cyber Risks
 
McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)McAfee Total Protection for Data Loss Prevention (DLP)
McAfee Total Protection for Data Loss Prevention (DLP)
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentationShariyaz abdeen data leakage prevention presentation
Shariyaz abdeen data leakage prevention presentation
 
Flight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the LawFlight East 2018 Presentation–Data Breaches and the Law
Flight East 2018 Presentation–Data Breaches and the Law
 

Similar to Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Don Grauel
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdframsetl
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfgalagirishp
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovEric Vanderburg
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCybAnastaciaShadelb
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6seadeloitte
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threatillustro
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook Kristin Judge
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of securityMatthew Pascucci
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks- Mark - Fullbright
 

Similar to Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel (20)

Cybersecurity - Sam Maccherola
Cybersecurity - Sam MaccherolaCybersecurity - Sam Maccherola
Cybersecurity - Sam Maccherola
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012Clinton- Cyber IRT Balto 10_2012
Clinton- Cyber IRT Balto 10_2012
 
Insider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdfInsider_Threats_in_Healthcare_1651617236.pdf
Insider_Threats_in_Healthcare_1651617236.pdf
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
We are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdfWe are living in a world where cyber security is a top priority for .pdf
We are living in a world where cyber security is a top priority for .pdf
 
IT & Network Security Awareness
IT & Network Security AwarenessIT & Network Security Awareness
IT & Network Security Awareness
 
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnovProtecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov
 
BEA Presentation
BEA PresentationBEA Presentation
BEA Presentation
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
12Cyber Research ProposalCyb
12Cyber Research ProposalCyb12Cyber Research ProposalCyb
12Cyber Research ProposalCyb
 
November 2017: Part 6
November 2017: Part 6November 2017: Part 6
November 2017: Part 6
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
The Insider Threat
The Insider ThreatThe Insider Threat
The Insider Threat
 
IBM Security Services
IBM Security ServicesIBM Security Services
IBM Security Services
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 
Cyber for Counties Guidebook
Cyber for Counties Guidebook Cyber for Counties Guidebook
Cyber for Counties Guidebook
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Before the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracksBefore the Breach: Using threat intelligence to stop attackers in their tracks
Before the Breach: Using threat intelligence to stop attackers in their tracks
 
Puna 2015
Puna 2015Puna 2015
Puna 2015
 

More from bugcrowd

Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Programbugcrowd
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTEDbugcrowd
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)bugcrowd
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'bugcrowd
 
Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbersbugcrowd
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...bugcrowd
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Embugcrowd
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016bugcrowd
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Healthbugcrowd
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programsbugcrowd
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVbugcrowd
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Testbugcrowd
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]bugcrowd
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Programbugcrowd
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programsbugcrowd
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Programbugcrowd
 

More from bugcrowd (20)

Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
3 Reasons to Swap Your Next Pen Test With a Bug Bounty Program
 
7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED7 Bug Bounty Myths, BUSTED
7 Bug Bounty Myths, BUSTED
 
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)If You Can't Beat 'Em, Join 'Em (AppSecUSA)
If You Can't Beat 'Em, Join 'Em (AppSecUSA)
 
AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'AppSecUSA 2016: 'Your License for Bug Hunting Season'
AppSecUSA 2016: 'Your License for Bug Hunting Season'
 
Bug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in NumbersBug Bounty Tipping Point: Strength in Numbers
Bug Bounty Tipping Point: Strength in Numbers
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em If You Can't Beat 'Em, Join 'Em
If You Can't Beat 'Em, Join 'Em
 
Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016Writing vuln reports that maximize payouts - Nullcon 2016
Writing vuln reports that maximize payouts - Nullcon 2016
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Revitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr HealthRevitalizing Product Securtiy at Zephyr Health
Revitalizing Product Securtiy at Zephyr Health
 
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty ProgramsHI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
HI THIS IS URGENT PLZ FIX ASAP: Critical Vunlerabilities and Bug Bounty Programs
 
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLVHow Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
How Portal Can Change Your Security Forever - Kati Rodzon at BSidesLV
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test4 Reasons to Crowdsource Your Pen Test
4 Reasons to Crowdsource Your Pen Test
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attacker
 
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]Build or Buy: The Barracuda Bug Bounty Story [Webinar]
Build or Buy: The Barracuda Bug Bounty Story [Webinar]
 
5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program5 Tips to Successfully Running a Bug Bounty Program
5 Tips to Successfully Running a Bug Bounty Program
 
[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs[Webinar] The Art & Value of Bug Bounty Programs
[Webinar] The Art & Value of Bug Bounty Programs
 
Key Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty ProgramKey Takeaways from Instructure's Successful Bug Bounty Program
Key Takeaways from Instructure's Successful Bug Bounty Program
 

Recently uploaded

Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseRich Bergeron
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideillinoisworknet11
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsRich Bergeron
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its historyprasannamurthy6
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21vasanthakumarsk17
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksFinlaw Associates
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.2020000445musaib
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesChesley Lawyer
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxJFSB1
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxAnto Jebin
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSRoshniSingh312153
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxBharatMunjal4
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicableSaraSantiago44
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Centerejlfernandez22
 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Rich Bergeron
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in SalesMelvinPernez2
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklosbeduinpower135
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasBrandy Austin
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfssuser3e15612
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxgurcharnsinghlecengl
 

Recently uploaded (20)

Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptx
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
 
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTSTHE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
THE INDIAN CONTRACT ACT 1872 NOTES FOR STUDENTS
 
Grey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptxGrey Area of the Information Technology Act, 2000.pptx
Grey Area of the Information Technology Act, 2000.pptx
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Center
 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales
 
Hungarian legislation made by Robert Miklos
Hungarian legislation made by Robert MiklosHungarian legislation made by Robert Miklos
Hungarian legislation made by Robert Miklos
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in Texas
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
 

Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel

  • 1. Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel MCCA Global TEC Forum April 13, 2018 Casey Ellis | Chairman, Founder & CTO – Bugcrowd Elizabeth Cookson | Senior Analyst, Cyber – KIVU Consulting Jake Heath | Partner, Intellectual Property – Orrick LLP Moderator: Tony Kim | Partner, Cyber, Privacy & Data Innovation – Orrick LLP
  • 2.
  • 3. The Scope of the Problem
  • 4. What the World Economic Forum Thinks about Us (US)
  • 5. Where Do Cyberattacks Rank? Source: World Economic Forum Global Risks 2018
  • 6. (Sobering) Statistics Data Breaches Continue to Mount Source: The Breach Level Index, available at, http://breachlevelindex.com
  • 7. Biggest Breaches (2008-2009) Source: The Breach Level Index, available at, http://breachlevelindex.com
  • 9. Anatomy of a Typical External (Hack) Attack Nation State Organized Crime Hacktivists Initial Compromise Establish Foothold Escalate Privileges Internal Recon Lateral Movement Maintain Presence Malicious Insiders Network Perimeter Financial gain Cyber-extortion Cyber-espionage Competitive advantage Disruption Political Revenge Whistleblower WHY? Internal Damage Ransomware Data Access Data Acquisition
  • 10. Anatomy of a Typical Company Response Data Access Data Acquisition Initial Triage Forensic Investigation Notifications PR/Communications Law Enforcement Systems Remediation Insurance Recovery Public Disclosures Governance Auditors Regulator Investigations Lawsuits Customer Demands Remedies or Settlements
  • 11. Common Cost Components Initial Response Costs Business Losses Security consultants Lost revenue Forensic imaging Drop in stock value Restoring service / security upgrades Loss of customer confidence Customer Costs Legal Claims Breach notification Litigation (e.g., consumer or employee class action / shareholder derivative) costs and settlement payouts Identity theft problem Defense of government proceedings Credit monitoring Government fines or penalties Customer inducements PCI/Card brand assessments
  • 12. Transformative Costs Source: Cybersecurity Ventures and Herjavec Group (2017) “The greatest transfer of economic wealth in history” 2015 2021 $6 trillion $3 trillion Global annual cybercrime costs estimated to grow from $3 trillion to $6 trillion by 2021 Includes estimated costs for: • Damage and destruction of data • Stolen money/fraud/embezzlement • Lost productivity/disruption to operations • Theft of IP, personal data, financial data • Forensic investigation • Restoration and remediation • Reputational harm
  • 13. Brand Impact = As (or More) Important than Other Costs 74.8% 72.5% 80% of consumers worry about the security of their personal information. Temkin Group "Consumer Benchmark Survey" of consumers don’t believe organizations care about their private data and keeping it safe and secure. HyTrust Inc., the Cloud Security Automation Company 56% 40% 29% Political Action (sign a petition, contact a politician Stop/Reduce Technology Use Social Activity (post to social media, write an op-ed or letter) Actions your customers take when you falter of consumers believe failure to keep customer information secure has a significant negative impact on trust in a company. Edelman Trust Barometer: Financial Services Industry Source: Edelman Proprietary Study, 2014
  • 14. Companies are Under-Resourced / Staffed / Funded “Cybersecurity has a serious talent shortage” Source: Frost & Sullivan, Center for Cyber Safety and Education (2017) 2017 2022 1.8 million worker shortfall in information security Too few information security workers in my department The most common reason given for this phenomenon is lack of qualified personnel Companies may be looking in the wrong places for talent in this space: • 87% of cyber workers did NOT start in cyber • 30% of cyber workers came from non-IT and non- Engineering background • Disconnect: Managers deeply value communication and analytical skills vs. Candidates predictably prioritize high technical skills
  • 15. What is Legal’s Role? Lack of Tech Literacy Doesn’t Help “Lawyers don’t need to be coders, they just need not be Luddites” * • Techno-phobia • Continued view of cyber as primarily an IT or InfoSec function • Belief that lawyers should get involved after a breach happens (e.g., breach notification laws), or only in preparing to respond for a breach vs. preventive/mitigation measures • Belief that companies (good guys) can never keep pace with the bad guys in terms of funding, skill, or innovation * “Luddite” = (1) bands of English workers who destroyed machinery that they believed was threatening their jobs; (2) person opposed to new technology
  • 16. What is Legal’s Role? Tech Competence is Part of the Job A lawyer shall provide competent representation to a client…” Comment 8 to Model Rule of Professional Conduct 1.1: Maintaining Competence To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)
  • 18. Researchers Are Trying to Help . . . Right?
  • 19. Source: Bugcrowd Bug Bounty 101 – How it Works
  • 20. Bug Bounty – Is there a Code of Conduct? “Is there Honor Among ‘Security Researchers’”?  Many security researchers have “day jobs,” so they are not out to extort or otherwise disadvantage companies  If you don’t play by the Bug Bounty rules, you will not get paid – including confidentiality  Transparency with respect to payment levels for bug severity levels, and level of documentation that must be shown for payment  Security researchers are “rated,” so reputation matters!
  • 21. Bug Bounty Programs = A Force Multiplier for Companies “It Takes a Crowd” Lack of Resources + expanding attack surfaces = more opportunity for adversaries.  Bug Bounty programs are used by many uber-sophisticated companies, and even the federal government  In 2 weeks, per company, security researchers typically find: Source: Bugcrowd
  • 22. Third-Party Managed Bug Bounty Programs Program Types Service Elements Source: Bugcrowd
  • 23. Designing Your Own Bug Bounty? The Department of Justice outlines a framework for designing a “vulnerability disclosure program” to address the concerns that such activity might violate the Computer Fraud and Abuse Act (18 U.S.C. 1030). See https://www.justice.gov/criminal-ccips/page/file/983996/download
  • 24. Do Bug Bounties Increase Legal Breach Notifications? Phase 1 Identification, Scoping and Severity Assessment Phase 2 Escalation and Deployment of IR Resources Phase 3 Investigation and Remediation Phase 4 Notification and Other External Communications Phase 5 Post-Incident Analysis and Preparation 1. Statutory duty to notify customers? Legal 2. Contractual duty to notify? Legal 3. “Voluntary” notification? Transparency • Generally, triggered on unauthorized “access” or “acquisition” of PI • 47 U.S. state laws + territories • HHS OCR / PCI / Interagency Guidelines • Rest-of-world • Contractual duties override statutory or regulatory duties on notification • Includes “quasi” contracts such as Privacy Policy and Terms of Use, Marketing, Advertising • Forensics are often inconclusive, which leads to a multi- factor decision tree • Voluntary notice scenarios based on facts, risk mitigation, ethical considerations Corporate Incident Response Plan Phases
  • 25. • How real is the legal risk around known security vulnerabilities? • Researchers can, and do, go public • Researchers can, and do, report to regulatory agencies • Regulators can, and do, bring investigations and enforcement actions based on vulnerabilities alone – even if there’s been no “data breach” – FTC Litigation: D-Link case – FTC/FCC: Stagefright inquiries to mobile device makers – SEC OCIE: Craig Scott Capital case – Litigation (both ways): St. Jude Medical / Muddy Waters case Is there Liability for a “Mere” Security Vulnerability?
  • 26. What’s the Game Plan? • How should we address security researchers who call or email (especially on a Friday before a holiday at 4:50 pm)? – Who should interact with the researcher? – Should you email or call, or both? – Do you ever acknowledge the vulnerability? Do you pay them? – Do you keep them updated on the status of your investigation, remediation? • Very helpful to have internal game plan for security researcher engagement, including how and who will make decision on payment • IR Planning – Legal and PR/crisis communications should be briefed and ready – Consideration of incorporating into IR plan, or parallel protocol
  • 29. Ransomware: What does it look like? The visual appearance of a ransomware attack may vary widely • Format of the ransom note • File extension • Disk-level ransomware vs. file-level ransomware • Scrambled filename vs. intact filename
  • 31. Rapid Acceleration Number of Ransomware Attacks Worldwide (in millions) Source: Statistica
  • 32. The No More Ransom Project
  • 34. Should you pay? “The FBI does not support paying a ransom to the adversary….. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations are never provided with decryption keys after paying a ransom…… Paying a ransom emboldens the adversary to target other victims for profit, and could provide incentive for other criminals to engage in similar illicit activities for financial gain. While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.”
  • 35. “Dude, stop crying.” Generation of rookie hackers emerges In the past, we were often engaging directly with the malware developer, who could help with software bugs and hiccups With rookie hackers, the tool is either poorly written and / or the actors are unable to help troubleshoot decryption issues
  • 36. Do companies actually pay? Source: Osterman Research (Survey of 540 CIOs/CISOs/IT Directors)
  • 37. How do (can) you pay? • Does your company/client have a bitcoin wallet? – Your vendor does! • Managed ransomware response: • Vendor takes over communications with attacker (often in attacker’s native language) – Vendor obtains and validates (tests) ransomware decryption tool – Vendor assists in negotiating down the ransom amount – Vendor fronts payment to attacker, in many circumstances – Vendor assists with actual/live decryption and remediation
  • 38. If you decide to pay . . . Call The Professionals The transaction goes the smoothest when the incident response team is brought in early
  • 39. Horror Stories Do Not Try This At Home When victims try to engage themselves, they may accidentally antagonize the attacker, or give up information that reveals their identity
  • 41. What is the legal framework? Civil or criminal liability for hacking Contractual duties re: security and/or breach notification Laws requiring security measures Notification to individuals and regulators Regulator enforcement consent decrees, and related requirements Regulator and industry standards, guidelines, and frameworks
  • 42. Are “Bugs” and “Ransomware” Notifiable Breach Events??? • Statutes – State statutes (plus D.C., Guam, P.R., V.I.); triggered when 1 or more affected individuals is a resident of the state; triggered on “access” or “acquisition” of PI elements – Industry/sector federal rules (e.g., HIPAA, Interagency Guidelines, NYDFS, DFARS) • Contracts – Contracts with customer and vendors (e.g., privacy policies, terms of use, etc.) – Almost always define “breaches” more broadly than statutes • Industry Rules (e.g., Payment Card Industry – PCI) • SEC public company disclosures (e.g., Form 8-K) • Client’s Internal Policies and Procedures
  • 43. What have regulators said about Ransomware? “[A] breach has occurred because the [data] encrypted by the ransomware was acquired … and thus is a ‘disclosure’” where security incident defined as “the acquisition, access, use of disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” 45 C.F.C. 162.402. Special focus on results of forensic analysis and risk assessment “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.” -- (Then) Chairwoman Edith Ramirez (2016) Failure to address “pervasive security bugs” that leave systems vulnerable to malware will be a key factor in the FTC’s decision to open an investigation or pursue an enforcement action.
  • 45. SEC and DOJ Investigations
  • 46. Incident Response (IR) Planning Do you have an IR Team? An IR Plan? Have you practiced? Identify Triage & Contain Analyze & Investigate Remove & Recover Prepare Corporate IR Plan Cross- Functional IR Team Cross-Functional IR Team Key Internal Members IR Team Leader Executive Liaison General Counsel/Legal Privacy Officer IT Security Physical Security Corp. Communications Customer Support Human Resources Risk Management Key External Members Outside Counsel Forensics Crisis Communications Investor Relations Vendors (mail house, call center, credit monitoring)
  • 47. Other Key Elements of Proactive Cybersecurity Programs • Executive CISO or equivalent function responsible for cybersecurity with regular and direct reporting to Board (Audit/Risk) Committee • Inventory of data and network assets subject to attack (e.g., data map, network map) • Regular enterprise-wide cybersecurity assessments, properly scoped and managed (not just “pen tests” or routine vulnerability scans, but more holistic) • Participation in threat intelligence sharing forums to develop understanding of threat landscape (e.g., ISACs) • Certifications to PCI DSS, ISO/IEC standards, such as ISO/IEC 27001:013, etc. • Encryption of sensitive data in-transit (and at-rest, as appropriate), privilege/identity access management, etc. . . . and other bare minimum protective controls
  • 48. Other Key Elements (cont’d) • Inclusion of cybersecurity-related provisions and audit rights in vendor and business partner contracts, with program for auditing compliance • Implementation of training programs for employees and security team on cybersecurity awareness and response • Retention of experts and consultants to provide technical services for purpose of providing legal advice regarding risk • Procurement of cyber insurance to cover costs of forensic analysis, legal services, public relations, credit monitoring, litigation defense, etc. • Explicity consideration of evolving scenarios like Bug Bounties and Ransomware – and how they fit into, or necessitate adjustments to, company’s security breach incident response plan (IRP)