Hello. This is Physics 105, if you're in the wrong room. I'm Richard Goldberg. This is Rules of Engagement, Mitigating Security Risk in Information Security Work. And this is meant to be an overview of some of the problems you may face that you may not have thought of. If you've seen some of my other talks, you'll have seen some of these before. This is a continuation of that. How not to get pwned by your clients, part two. First, a bit of a disclaimer. I am a lawyer. That's not the disclaimer. Although I noticed that I'm the second lawyer to talk today, which usually, if you talk to two lawyers in one day, usually you've done something very wrong or you're getting divorced. But I am a lawyer, I am not your lawyer. This is not legal advice. Well, except some of you. I actually am some of your lawyers. But unless you already know that, I'm not your lawyer. One more thing. I mean for this to be a conversation. If you have something to say, you know you have a question in the middle, just shoot it out here. Although I'm reminded there's a play I saw called Art. And it's about three guys, one guy buys a piece of art, and they talk about it for an hour and a half. And these three guys, one guy will talk, two guys will talk, there will be three people talking. And one of the actors was interviewed and said, you know, I was having trouble with some of the script, so I asked the playwright. I said, I'm having trouble with this monologue. And the playwright said, it's not a monologue, it's a dialogue. The other two just don't happen to interrupt you. Take from that what you will. But if you want to scream out, go for it. So there are four things I'm covering. As I said, it's an overview, so I'm going to group them together. But it's this kind of work. Pen tests and audits together. And incident response and forensics together. And it's the similarities that I want to talk about. So you do that kind of work, what's the worst that can happen? Besides not getting paid. 
So imagine you do a pen test or audit and you think, well, why don't I, you know, send them a little email and see who responds and what happens. But you think the Nigerian scam is sort of a little, you know, it's an obvious scam. A little too obvious. So you think, well, you know, I'm, well, I don't know your names, but I'm Beau McBey and I want to do a test on a bank. And so, you know, you wonder what, like we all get the bank spam, right? Where you try to, what do the banks get? So you think, I know, I'll send them a little phishing email. And you find an unsuspecting employee who's just trying to do her job at the bank and you send her this email and she reads it and it looks like this. I don't know if you know this guy, his business partner's in the room. I'll just go through it. This is a service message. It's got to sound very serious so that somebody wants to click on it. And this is very sensitive data and you spend a lot of time working this out, right? Contact our help desk immediately and you try to make it sound very professional. You know, there's a verification process, make sure it remains secure. You put the little logo of this company that's not involved, right? Joe does not work for them, or Beau, excuse me, does not work for them. But you put, you know, you want to make it, just, Plur is a well-known company. You think people will believe it. Now you put all this work into it, except that, you know, she thinks, oh, sorry, that's really well-known. All she sees is this, a link. And so, of course, she clicks it. And then she calls her boss. And he says, what's up? She says, well, I just got this email from a Plur. It looks very serious. He says, oh, we better investigate that. Call the CEO and call IT and make sure they investigate this and have this thing done in a week. And so they do the investigation. Of course, she thinks, oh, did I do a good job? I clicked on the link and I told my boss. A few days go by, IT gets involved. 
They investigate this, you know, put three people on it and, you know, hundreds of man-hours just in the, you know, working around the clock trying to figure out what this is. And then they figure out that it's not real. And so the CEO reads the report and he calls Plur. He says, what are you doing? You know, why are you sending this unsolicited mail trying to get us to give you business? And so they contact Sean from the Plur. You know, it looks like you can tell it's him because that's his mustache. You watching, Sean? And he says, I didn't do that. Somebody's using my name, my good name, and making me look bad. Any other CEO is going to tell his CEO buddies. And so they call their lawyer. Who sues you? So let's avoid this. That's the idea behind what we're going to talk about today. So when I talk about the future of security, I mean sort of in a corporate sense, who's getting hired and what's happening. And just as a small overview, there is a PwC study that says companies are planning to increase overall security spending by 52% this year, which is a five year high. Thing is, they're planning to reduce the number of full-time security professionals. 43% say that, which means what we're really talking about is a lot of outsourcing of the kind that Beau McBain does or that Plur does. So let's look at pen tests and audits together. They have some things that are very similar, even though they don't always do the same thing. So imagine you start a test. And you go out investigating, start checking out the boxes and see what's happening. And then all of a sudden, something falls over. Okay, you've set up this contract with this company to do the work. And you say, oh, here's what we're going to do. You tell them how much it costs. And you told them basically what you'll be doing. But you haven't figured out who to call if something goes wrong. Or if there's a breach soon afterward, imagine you do an audit and everything looks fine. 
But between the time you do the audit and they, it's, you know, maybe a week later, something happens. Or like we just heard, you tell them all the problems and they say, oh yeah, we'll fix them. And then they don't, but they say they did. Question becomes, did you do a negligent audit? You know, did you certify them in some way that you shouldn't have? Or did you do a perfectly good job and it was, there's nothing wrong with that. And someone's just going to blame you. So there was an article in Wired a year ago about something that happened a few years ago. It was a first, a data breach suit against an auditor. And here's what happened. There's a company called CardSystems. CardSystems took their credit card transactions. And the suit was against a company called Savvis, which was the auditor. Savvis had gone in and done an audit and said everything's great. The thing is that CardSystems didn't get sued. The auditor did. And I think, well, why wouldn't you sue the company that let all the data out, right? It was their damn fault. Well, the problem was that they went into bankruptcy. So you couldn't sue them. And there was another company, a bank, right? Because CardSystems worked with a bunch of different member banks and they claimed that Savvis had done a negligent test that should never have certified them. So was it negligent? Well, I'm reminded there was a security contract, excuse me, a contracting security company for physical security in Iraq, worked with the Iraqi Provisional Authority. And they were hired to, among other things, provide bomb-sniffing dogs. Now the company was called Custer Battles, which is not what it sounds like. It was two people, one named Custer and one named Battles. One was a military officer and the other one was, I think, a civil service agent. 
And they got together, had essentially no experience doing this and put this company together to do security for the Iraqi Provisional Authority, Coalition Provisional Authority, which of course is not the Iraqi government and isn't the U.S. government either, right? It was just this sort of amorphous thing. So one of the things they had to do was provide bomb-sniffing dogs. And there's a certification process for that, right? You show up with your bomb-sniffing dog and you're certified and the pooch is certified to sniff for bombs. The problem was that they just sent regular dogs. And they did an investigation and one of the people on the ground said that the dog would just lie down and refuse to sniff the vehicles. He'd just take a nap. That's a negligent test. So Savvis is sued. And in the complaint, it says at the time that they issued the certification, this was the precursor to the modern, it was called CSP or CIS, it was the modern PCI or the precursor PCI. CardSystems had been improperly and continually storing unencrypted cardholder data. Exactly what they weren't supposed to do. Now Merrick Bank, which is the one that sued, it's Merrick Bank v. Savvis, was a third party. And you might think, if I do a test and I issue some sort of report and I do it to say this company called Card, this credit company, and then one of their clients has a problem because something happens afterwards. It's not my problem, right? So why did Merrick sue Savvis? Well, because the other company doesn't have any money. And when a company declares bankruptcy, you still need to sue somebody. Another kind of suit is called a shareholder derivative suit. And the idea is that even if the company you work with doesn't sue because you're close with them or they understand what happened or they don't believe that you're in the wrong, the shareholders can sue on behalf of the company. In fact, it's designed so that shareholders can sue when the company will not. 
And it's sort of a similar problem. If they lose money, they may come after you. A third risk is a subpoena. Now I know that you've heard of subpoenas on television and I'm sure that you have a perfectly accurate view of what a subpoena is from watching television. But just in case you don't, I'll give you a... I read the internet. I learned it on the Google too, so. Let me just explain what it is. When one company sues another company, there's a complaint and an answer, right? And it's called the motions practice, the beginning of the lawsuit, okay? The next thing that happens or shortly after is called discovery, when each side asks the other for information. And it's just a huge dump of information all the time. And it's expensive to provide. The rules of civil discovery, which is what we're talking about in civil suits, say this. I know you don't care very much what the exact wording is, but here's the important part. It'll order you to produce the following, and there'll be a list, in the responding party's possession, custody or control. Keep that in mind. Any electronically stored information in any medium from which information can be obtained, hello forensics people, after translation by the responding party into a reasonably usable form. So this is what a subpoena looks like if you haven't been lucky enough to see one. We'll just scroll up. This one in particular says, you are commanded to produce and permit inspection and copying of the following documents or objects at the place, date and time specified below. All correspondence and or documents memorializing the communication between you and any officer, manager, partner, member or employee of Sucker LLC regarding the idea we had in use stole. And then there'll be something attached to explain exactly what kind of documents that means. And here the word documents means all those things. And you'll remember in your possession, custody and control, this is all the things you can think of. 
Which means if you are a pen tester or an auditor, you may have to produce logs of your tests, test results, any data that you have in your possession, custody or control still. That has two problems. One is it's really expensive. Another is you don't want to become the company that gives up all the data you got before, right? And didn't keep it safe. So you have the time and expense of interrupting your business. You have to pay lawyers to do this stuff because you can't just defend yourself. You have to worry about the reputational problems. Dealing with a lawyer is bad enough. But imagine you have all this data and this guy shows up at your door and says, I'd like to see everything you have. You don't want to be woken up or have your business interrupted with a bunch of guys with FBI windbreakers. But if you have this data sitting around, that's a potential problem. So what can you do? Well, the first is when you do this sort of thing, you need to start with rules of engagement. This is going to be all A.D.'s movie stuff. To start with: this box is off limits and that one you can hit, a detailed listing of what exactly you're going to touch so that someone in charge has decided these are things that we're okay with, we're prepared if something bad happens. More than the sort of thing you usually do when you have, just because you have to do the work. You need to worry about the worst thing that can happen. And if a server falls over, you need to know who to call. And he needs to know who to call. You need to decide between you, between the company you're working for and your company, how you're going to secure data. What's the level of security that they care about? Because it's a big pain for you, but it's important to both of you. And how you're going to dispose of the data when you're done, right? What kind of wipe does it have to be? Most important, once you figure out all those things, write them down. Both sides need to agree in writing. 
So no one can go back later and say, oh, that's not what I meant. Something like, you know, do not fire unless fired upon. Some rules that will say this is exactly, I'm going to move to reference somebody, that will say exactly what you plan to do. Another thing you can try is indemnification. Now, does anybody have any idea what that means? You, what does it mean? It means that you're responsible for it no matter what happens. Who's responsible? The investor. I'm sorry? The investor. So say I ask him to indemnify me, what does that mean? Protect you, hold you harmless. I'm sorry? Hold you harmless. What does that mean? Hold you harmless. I promise not to sue you if you move around too much or I can't get the camera on you. But you're doing just fine. Okay. So all that is very close. Indemnification means that somebody agrees, the indemnifier agrees to pay in case you are sued for whatever your loss is on, right? If you have damages. So if I'm a tester and I work for say Citibank, Citibank agrees to indemnify me, that is to pay whatever I end up having to pay if I get sued. So if one of their cardholders sues me or in this case, you know, one of the other banks sues me, they will pay my expenses. So it won't be up to me to pay for all that. Now there's a little bit of a problem there. Assume that this is true. I don't know that it was for sure. But you have CardSystems, right? CardSystems is dealing with Merrick Bank, one of its member banks. That's the bank that sued. And Merrick Bank has a contract with CardSystems. Also Merrick Bank sues Savvis. Now why? Because CardSystems is in bankruptcy. Now Savvis might have had, we don't know, but might have had an indemnification agreement with CardSystems where CardSystems agrees to pay. So even though CardSystems wasn't sued, if Merrick Bank sues Savvis, then CardSystems will pay because Savvis is indemnified. The problem is CardSystems is in bankruptcy. And so that's just not going to work. 
There's nobody to collect from. That's bad. Another thing, good insurance. Not just the kind of insurance you have on your motorcycle, right? Because you can't really hurt that many other people with a motorcycle. Really good insurance so that if you're sued, it doesn't put your company out of business. This is the kind of insurance you can get pretty easily, but a lot of people don't. I end up pushing clients through all the time and they wait. I had a client, I had two clients wait long enough that something then happened and they couldn't get insurance. Set limits on liability. Now this will not help if the other company goes out of business. But if they're still in business, you can set limits on how much they can sue you for. So you might limit it. One very common thing is to limit the value of the contract. Now that is mostly arbitrary. But that's okay because your contracts probably aren't as big as their damages could be. And so while that's painful, it's not the end. Of course there are still problems. If the other company declares bankruptcy, that indemnification isn't really going to help. If the government investigates, there's not a lot you can do. You sort of have to cooperate as best you can. If there's a subpoena or a search warrant, one of the things you can do is when you have time to respond to certain things, call the company up and say, look, we're not paying lawyers to defend this. It's your data. We're happy to have you defend it. Off you go. Here's the subpoena. We're not paying. And you can do whatever you want. We'll cooperate. And that's very common. You need a plan in advance. When these things happen, you can't run around trying to figure out what's going to happen right away because you're going to make bad decisions and you're going to forget things. So you need to think these things up ahead of time. You need a search warrant recovery plan. If the FBI shows up and takes everything, remember that line from Animal House? 
They're even taking the stuff we didn't steal. If they come and take everything, you need to be able to recover your business. This does happen. I've had clients not get their computers back for months. Imagine not being able to get your data for months. Now, one thing you can do is you can use offsite storage. I make a big deal about this in a cloud talk I give about how dangerous it is. But offsite encrypted storage isn't a bad idea if it's just sitting there and you can get it when you need it. And you need a standard subpoena response. Your response may be we call the client and tell them they can do whatever they want. But you need to be prepared to do that. You need to know what you have to send over. You can't just send the subpoena and say, oh, by the way, subpoena. Right? You need to know what you have and have a log of all the data that you have that might be vulnerable. Right? This is an attack. Talk to the lawyer. He can help you work through these things. Whatever lawyer you happen to use, you know, your brother-in-law, whoever it is, work through these problems so you can come up with a plan in advance. See how we're doing on time. Good. I'm not talking too fast. So, forensics and incident response. We're going to put these two together also. Imagine that there's a data breach at a hospital. Right? That never happens. Right? That's why electronic medical records are such a good idea because hospitals never leak data. So, there's a breach and they, the hospital ships you all the data. Now, you have all their data. Right? Now, you have to worry about keeping all their data safe, which is a big deal. And you can't say it's, you know, it's now your responsibility to keep this stuff safe. And you have some of, you know, very similar problems. For instance, you may have a subpoena. There's a reason that that thing is in big heavy font. It's the heaviest font I could find. It made the file really big using that big font. 
This is a, responding to a subpoena is a big deal. And if you have all this physical data and you're doing forensics on it, what are you just going to make copies of them and send them over? Right? You don't know what's on there. The whole point of this exercise was to figure out what was on there. In your possession, custody, or control, remember, it's anything you have control of or have possession of. So, what will you have to produce if that happens? If you get a subpoena, what kinds of information will you have to turn over? If there's a search warrant, what will you do? It will stop your business. Now, you think, well, it's just a contract and if I can't do the contract because there's a search warrant, what do I care? Well, there are two problems with that. The first is if you're not working, you're not getting paid. Right? So, if you plan to do this project, now you're not because the FBI came and borrowed the drives for a year and a half. That's how it is. The second problem is that you have to have some agreement with the company you're working for that says if there's some horrible thing that happens, if there's a hurricane or a search warrant execution or some other act of God, it's okay that you stop working. You won't get sued for it. You might say, well, it's not my fault. Well, the risk has to be somebody's and you really need to figure out whose risk it will be ahead of time. If they cart away all this stuff in boxes, what do you do next? You need a plan for these things. Offsite storage for this is not really an option, right? You can't use the transporter and send a copy of, you know, the evil twin over to the offsite storage place. So, you need clear data security policies. You have to, it isn't that your security has to be perfect. I mean, it ought to be good, right? But it doesn't have to be perfect. But you need to agree ahead of time with the company that you're working for how secure it will be. 
The reason for this is if you agree how secure it will be and then later something happens, they can't say, well, we didn't know that. You say, of course you did. We sent you pictures, right? We sent you models of locks. We sent you the safe we have. So, you knew everything. And they're not just paper policies. You need to follow your policies. You know, oh, we wrote it on paper. We have good policy. Now we can move on. Three things you need to do. To the extent you can for data that you create, you need to encrypt it. You also need to encrypt it. And third, you should encrypt it. And if you do all those three things, you'll probably be a lot better off. It's a little bit of a pain but not that much of a pain anymore, right? Keep it on an encrypted drive someplace that you can still access. I encrypt all of my client files and so I can take them around and not feel nervous about what happens if I lose my keys, right, on my USB drive. One way or another, you have to secure the data and you have to be careful about it. You have to be non-negligent, one thing. But more than that, you have to be more careful than you otherwise are forced to be. You need a safe. It seems obvious but don't get a safe if you're just going to leave it sitting around for people to pick up and leave, right? Bolt the thing to the floor, right? Make it a little bit difficult. Come up with a plan for how to turn over data if you have to. Who you're going to contact either before or during or if you have to after it happens, right? If the FBI shows up, you know, your first call is probably to your lawyer, your second call should be to the company that owns the data. Not going to be an easy call but if they know that that's the kind of thing that can happen, they're at least prepared for it and you know who to call. And when they come asking nicely, you know, this will be a shock but it won't seem like the end of the world. 
You need to know exactly who the person is who's responsible and if that guy's on vacation or sick, who the next person is. A clear line of communication is very important because companies can deal with failures a lot of the time but they can't deal with failures they don't know about. And again, set limits on liability. This is just like before. You need to come up with ways to limit your exposure if they decide to sue you for something you think wasn't your fault. Maybe they think it was your fault. Maybe they think you, you know, provided just regular dogs. Indemnification is just as much of a problem here. Fight for it. Don't succumb to these mutual indemnification things that really don't mean anything. You indemnify me and I indemnify you and now none of us owes anybody, right? That's not equal. That's just stupid. Right? There aren't two sides. You have to, the idea behind these agreements ahead of time is one, to make sure that people know what the deal is. What are we agreeing to ahead of time? What's going to happen so there aren't surprises? The other though is that you want to agree whose risk it is when these things happen. It's better to do it when you are looking at it in the objective, right? You're saying, oh well, we don't know what's, you know, what kind of bad things would happen, whose fault it would be. Let's think about it ahead of time without the pain of the FBI in the room, whose fault, you know, whose risk, who should bear the risk? Because it's going to be somebody, right? Somebody's going to have to pay for this sort of thing. Remember the indemnification problem though. If the company goes out of business and a third party decides to sue you, that's bad. Now this suit is still going on and it's not clear exactly who's going to be responsible. There's a little bit of complicated law. It changes by state about when third parties actually, when you have a duty to third parties that you know about. 
But you don't want to have to fight about it because a huge lawsuit like this may just be enough to put your company out of business. But insurance. I don't know if I mentioned this before, but you need insurance and a plan, both types. A search warrant recovery plan, what to do if this happens, and a standard subpoena response. All you have to do is decide what you're going to do so that you can execute it later. But you need to decide now. And finally, talk to your lawyer. It doesn't have to be a long conversation. You just have to figure out what the risks are. There are a few more risks than I've discussed up here, but you want to know them ahead of time. Yes, he's a sleazy lawyer, but he's my sleazy lawyer. You'll feel that way one day. And finally, if you like lawyer jokes, next time you're in jail, call the committee. So, questions. Yeah. Does the human right here know what liability you can cover that or is there specific type of insurance you want to pursue or end up there? Well, you're going to want to find companies that do tech, that handle tech companies, also to know what the heck you're talking about. You can't really send them a DVD of Sneakers, right? You want somebody ahead of time who's going to know what these things are. And there'll be errors in them. It's similar to errors and omissions. Errors and omissions is just the kind of liability insurance. But you need to actually read the thing or have somebody who knows what they're talking about read the thing to see what's included and whether it includes the kinds of things that you're working on. Companies will differ for no apparent reason on what they cover. Anybody else? No stumped alert? Have you ever heard of the case where? Okay. If you had a question that you didn't want to, for some reason, yell out to the lawyer in a room full of your friends, that's fine. Just come talk to me later. Otherwise, thank you for listening.