Cyber Tabletop Exercise - Gallagher


Community College Risk Management Consortium

July 20-21, 2017

Frontiers of Risk

Cyber Tabletop Exercise
Bruce Radke & Paul Davis
July 21, 2017

© 2017 ARTHUR J. GALLAGHER & CO. | BUSINESS WITHOUT BARRIERS™ 2

Presenters

• Bruce Radke, Shareholder & Co-chair of Privacy, Cyber Security & Media Practice, Vedder Price
• Paul Davis, Area Assistant Vice President, Cyber Liability Practice, Arthur J. Gallagher & Co.

Agenda: Today's Tabletop Exercise & Discussion

• Introduction
• Cyber Event Scenario
• Post Mortem Discussion
• Questions and Answers


What is a Tabletop Exercise? Why is it helpful?

• A structured cyber incident response drill
• Triggers your Incident Response Plan for testing purposes
• Facilitates discussion amongst members of your Incident Response Team
• Tests the effectiveness and accuracy of the workflow of your Incident Response Plan


Initial Facts (Monday, July 17th @ 11:00 a.m.):

• Mary Smith, a freshman in Art History, contacts the IS Service Desk to complain that she cannot access the student portal using her current password.
• Ms. Smith also informs the Service Desk that Facebook has notified her that her password has been reset. Facebook has also told Ms. Smith that the password reset was done from an IP address located in Russia.
• Upon further discussion, Ms. Smith advises the Service Desk that she had received an e-mail from Joe Doe at the Registrar's office asking her to click on a link to verify her credentials to the student portal.
• The Service Desk contacts the Registrar's office, which confirms it had not sent such an e-mail to Ms. Smith.


Initial Considerations (Monday, July 17th @ 11:00 a.m.):

• Do you activate the IRP?
  – Would the Service Desk know to elevate the situation?
  – Who would the Service Desk contact and how?
  – Does this require the full involvement of the Incident Response Team ("IRT")?
  – Who is responsible for overseeing your investigation and response efforts?
• Initial thoughts: how do you respond to this?
  – What are the possible containment and remediation steps?
  – Do you contact Joe Doe?
  – Do you contact Facebook?


Additional Facts (Monday, July 17th @ 1:00 p.m.):

• Several students have contacted the IS Service Desk to complain that they also cannot access the student portal using their current passwords and that they had received similar e-mails from Mr. Doe at the Registrar's office asking them to verify their credentials to the portal.
• Upon a quick investigation, the Service Desk determines that Mr. Doe's e-mail account had sent e-mails to 150 current students and employees asking them to verify their credentials to the portal.


Additional Considerations (Monday, July 17th @ 1:00 p.m.):

• Given that e-mails were sent to 150 current students and employees, what further steps should you consider?
  – Contact the 150 students and employees to determine whether they clicked on the e-mail link and provided credentials?
  – Determine what the provided credentials gave access to?
• Are we resetting everyone's password? If so, how would we notify the students and employees?
• How do we find the original source of the phishing e-mails?
• Is there any other sensitive information accessible on the portal that may be at risk? How would you determine whether any such other information has or has not been impacted?


Additional Facts (Monday, July 17th @ 2:30 p.m.):

• You decide to activate the IRP. The IRT is assembled and begins to investigate.
• The IRT begins to contact the employees and students to determine whether they had clicked on the link and provided their credentials to the portal.
• One of the employees, Pete Jones, had elevated access to the HR application in the portal.


Further Considerations (Monday, July 17th @ 2:30 p.m.):

• Does the IRT advise senior leadership? If so, who from senior leadership, and how?
• Have you informed your cyber insurer at this point? If so, how?
• Are you still handling this internally?
• What third parties could be used? How do you engage them?
• What is the importance, if any, of Pete Jones' access rights?
• What log sources are we triaging?
• Are we calling this a "breach"?


Additional Facts (Monday, July 17th @ 6:30 p.m.):

• You decide to contact your broker and cyber carrier to arrange for outside legal and forensic services.
• Outside legal and forensic services are selected, and the process to engage them has begun.
• The outside forensics firm begins remote collection, and your IT team has begun to provide the forensics firm with a number of the requested logs.


Additional Facts (Wednesday, July 19th @ 1:30 p.m.):

• The initial forensics review has determined that Joe Doe had received a phishing e-mail on Monday, May 29th at 8:30 a.m. Mr. Doe confirmed that he had clicked on the link and provided his credentials to the portal.
• Forensics further determines that the compromised credentials of Mr. Doe's account were used on June 29th @ 9:00 a.m. to gain access to the Registrar's application in the portal, and that query reports were run that contained certain PII of 350 current and former student-athletes and students.
• Further investigation determines that the PII involved with respect to these affected student-athletes includes their first and last names, Social Security numbers, student ID numbers and the sport or sports played by the student-athletes.


Further Considerations (Wednesday, July 19th @ 1:30 p.m.):

• If you received a list of phished accounts, what sort of internal triaging can you do to help identify trends in compromised users?
• Would it be possible to quickly understand what type of students are impacted here?
• Are there any special considerations given the student-athletes?
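One way an IRT could triage a phished-account list of the kind this slide asks about, written as an added example (not part of the Gallagher deck). The account list, portal log lines and campus address range are all constructed; it answers "what log sources are we triaging" by joining the list to portal access logs and flagging elevated access, post-phish use from off-campus addresses, and the populations affected.

```python
# Added example (not from the Gallagher deck): triage a constructed list of
# phished accounts against constructed portal logs to surface the trends the
# exercise asks about: elevated access, actual post-phish use, populations hit.
from collections import Counter
from datetime import datetime
# Constructed phished-account list: user, population, elevated apps held.
PHISHED = [
    {"user": "jdoe",   "population": "employee",        "elevated": ["registrar"]},
    {"user": "pjones", "population": "employee",        "elevated": ["hr"]},
    {"user": "msmith", "population": "student",         "elevated": []},
    {"user": "akim",   "population": "student-athlete", "elevated": []},
]
PHISH_SENT = datetime(2017, 5, 29, 8, 30)  # when the phishing e-mail arrived

# Constructed portal log lines: timestamp|user|app|src_ip|action
PORTAL_LOG = """\
2017-06-29T09:00:00|jdoe|registrar|203.0.113.7|login
2017-06-29T09:05:00|jdoe|registrar|203.0.113.7|report_query
2017-06-29T10:30:00|pjones|hr|203.0.113.7|login
2017-06-29T10:35:00|pjones|hr|203.0.113.7|report_download
2017-07-17T10:40:00|msmith|portal|198.51.100.4|login_failed
"""
INTERNAL_PREFIXES = ("198.51.100.",)  # constructed campus egress range

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, app, ip, action = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "app": app, "ip": ip, "action": action})
    return rows

def triage(phished, log, since):
    """Summarise a phished-account list for the IRT's next steps."""
    users = {p["user"] for p in phished}
    by_population = Counter(p["population"] for p in phished)
    elevated = sorted(p["user"] for p in phished if p["elevated"])
    # Post-phish activity from off-campus addresses on a phished account marks
    # it as actually used by the attacker, not merely exposed.
    used = {}
    for r in log:
        if r["user"] in users and r["ts"] >= since \
                and not r["ip"].startswith(INTERNAL_PREFIXES):
            used.setdefault(r["user"], []).append(
                (r["ts"].isoformat(), r["app"], r["action"]))
    # Apps touched in those sessions bound the data-exposure review.
    apps_at_risk = sorted({a for evs in used.values() for _, a, _ in evs})
    return {"by_population": dict(by_population), "elevated_access": elevated,
            "used_after_phish": used, "apps_at_risk": apps_at_risk}
```

Accounts that appear in `used_after_phish` are the ones to treat as compromised rather than merely exposed, and `apps_at_risk` scopes which application data needs the exposure review the later slides describe.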


Additional Facts (Wednesday, July 19th @ 5:30 p.m.):

• Forensics provides a second daily update and determines that the compromised credentials of Mr. Jones were used on June 29th @ 10:30 a.m. to gain access to the HR application, and that query reports were run.
• Forensics further determines that on June 29th @ 10:35 a.m. multiple queries were executed using the Jones account, and log evidence indicates that a successful query was executed and navigated to download PII, which returned the Social Security numbers of current and former employees.
• You conclude that the PII accessed using the successful query included 2,225 current and former employees' first and last names, Social Security numbers and university-issued employee identification numbers.


Further Considerations (Wednesday, July 19th @ 5:30 p.m.):

• Do we have a breach? If so, when was the breach discovered?
• What are we reporting to senior leadership?
• When and how are we communicating to the student-athletes? To the employees?


Further Considerations (Wednesday, July 19th @ 5:30 p.m.):

• Have you informed law enforcement at this point? Or earlier?
  – Which law enforcement agency? How?
• Do you advise any regulators?
  – Who? How?
• How are you documenting the incident and its response?
• Do you issue a legal hold?


Additional Facts (Thursday, July 20th @ 9:30 a.m.):

• The Service Desk receives several calls from female students complaining that they had been informed that their Facebook passwords had been reset and that their Facebook passwords were the same as their student portal passwords.


Additional Facts (Thursday, July 20th @ 1:30 p.m.):

• Your internal PR/communications team receives a new e-mail from a blogger asking questions regarding a potential data breach.
• The Service Desk receives numerous e-mails from female students stating that they had been contacted by a suspicious third party who claimed he had been able to access their Facebook and iCloud accounts using stolen passwords.
• The third party also threatened to publish certain of the pictures maintained in the Facebook and iCloud accounts if the female students do not pay 0.5 Bitcoin.


Further Considerations (Thursday, July 20th @ 1:30 p.m.):

• Do you respond to the blogger?
• Are we thinking about issuing a public statement to get ahead of the issue?
• Do you engage a PR/crisis management firm?
• Who is involved in deciding to issue the statement? Who is responsible for ultimately approving the statement?
• Do you contact law enforcement to assist with the female students?


Additional Facts (Friday, July 21st @ 3:32 p.m.):

• You decide to acknowledge the incident by providing a holding statement to the blogger.
• You contact the FBI and begin assisting with the FBI's investigation.
• You determine that the 350 current and former student-athletes and female students reside in 23 states.
• You further determine that the 2,225 current and former employees reside in 43 states.


Further Considerations (Friday, July 21st @ 3:32 p.m.):

• Given the forensic firm's findings and conclusions, what further steps do you need to take with respect to impacted employee/student e-mail accounts?
• Do you discipline Joe Doe and/or Pete Jones?
• Do you make any changes to policies or procedures post-incident?


Further Considerations (Friday, July 21st @ 3:32 p.m.):

• How are we going to mail out notification letters?
• How are we generating the mailing list?
• Are we going to use a mailing service, or are we going to mail the letters ourselves?
• Who will review and approve the notification letter templates?
  – IRT? Senior management?
• How many templates are required?
• How long will it take for the letters to be ready to mail?
• Will we need to use a call center to answer customer inquiries?
• Will you offer credit monitoring?


Post Mortem Discussion: Questions to ask your team

• What went right?
• What went wrong?
• Did the ISIRP work as intended?
• How can the IRP be improved?


Self-Assessment: Questions to ask yourself

• Were you able to effectively answer each of the questions?
• What gaps exist between the ISIRP and the posed incident?
• What steps can you take to fill these gaps?

Thank You Bruce [email protected]

Paul [email protected]