Overview
A recent accessible IAPP WebEx (PW: MRG9bh7V) in which McDermott participated and helped organize, focused on zero-day exploits with several of the leading forensic and cyber governance experts from Unit 42, Kroll and Citrix.
You can access the full session here.
Password: MRG9bh7V
The emerging threat landscape now includes zero-day exploits with rapidly expanding risks that the US Cybersecurity and Infrastructure Security Agency (CISA) is alerting us to almost daily, including to those attacks coming from Russian affiliated groups. The regulatory environment around “reasonable security” is also rapidly developing with new regulations, guidelines and proposals by numerous government agencies.
Zero-day exploits occur when sophisticated actors attack security vulnerabilities that have not yet been patched (or, at times, even discovered by the affected manufacturers). A series of vulnerabilities in the Apache Foundation’s Log4J opensource code, which had existed for years, were quickly exploited following discovery. According to CISA, the Log4j vulnerability affected some 100 million servers and devices. Both the Microsoft Exchange server malware and the supply chain compromise of SolarWinds, with the resulting breach of federal agencies and major companies, are other examples.
The regulatory response has been swift. The recent US Department of Justice (DOJ) Civil Cyber-Fraud Initiative will utilize the False Claims Act (FCA) to pursue cybersecurity fraud by government contractors and grant recipients. The Federal Trade Commission (FTC) has issued a press release warning that it would use its statutory authority to prosecute failure to investigate and patch vulnerable Log4J instances. The new EU Whistleblowing Directive now has a whistleblowing reporting category for “protection of privacy and personal data, and security of networks and information systems,” which may open the door to more whistleblowing claims.
This session explores issues and risks associated with zero-day exploits and other advanced cyber-attacks, such as: (1) the basics of such an attack – how they’re accomplished and available technical responses; (2) companies’ obligations to maintain “reasonable security” when using impacted software under various legal regimes; (3) financial and reputational risks of over-or under-investing in mitigating zero-day risks in a vendor’s products and in the supply chain; and (4) the value of recent CISA and other alerts as a baseline for demonstrating “reasonable security” with new threats.
Takeaways:
- Understanding the breadth and sophisticated nature of zero-day attacks
- Reviewing the evolving approaches to network security architecture
- Appreciating CISA’s bucket approach to severity and mitigation levels
- Understanding changing “reasonable security” legal standards
- Responding to events and selecting appropriate controls for unknown threats
- Risk evaluation strategies for cyber events
- Defining cyber risk roles and responsibilities
