Cybercrime Education | Legal Insight | Ohio CPA Firm

Education Is the Enemy of Cybercrime

Bitcoin | Ransomware | Ohio CPA Firm
Because of the rapidly increasing threat of Ransomware, many law enforcement organizations, businesses and other organizations consider payment to be a rational way to recover their data. So they have started investing in bitcoin. While I understand the logic, I strongly recommend that your time, attention and resources go toward the backup/restore process rather than paying the criminals off.

Ohio Auditor of State Dave Yost has taken a hard stance against cybercrime and has made it a priority to provide cybersecurity education to government entities across the state. To that end, Auditor Yost has introduced a series of free training seminars aimed at helping local government leaders and businesses in Ohio combat cyberattacks.

“This problem isn’t going away. It’s getting worse,” Yost said in a release. “We know many local communities are strapped for resources, and some haven’t taken steps to protect their digital assets. We in the Auditor’s office have the ability to help local leaders prevent personal information from getting into the hands of evildoers.”

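I had the opportunity to attend one of the sessions, which was led by Nicole Beckwith, an investigator and digital forensic analyst for the Auditor of State and a highly regarded expert on cybersecurity, policy, cyberterrorism, computer forensics, network investigations and network intrusion response. The presentation focused on many of the complications entities encounter during a breach, with emphasis placed on Ransomware attacks. The following information was particularly insightful.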

Read Also: How to Survive a Ransomware Attack

Legal Considerations & Implications

Beckwith emphasized the following state and federal statutes, which govern the loss of secured information by a security breach. All organizations should be aware of the following:

  • Federal Computer Fraud & Abuse Act (CFAA): The CFAA carries criminal and civil penalties for what we commonly refer to as hacking. Originally passed in 1985 to combat hacking, the CFAA has been amended to prohibit “knowingly accessed a computer without the authorization or exceeding authorized access” of another’s computer. Violations of the CFAA are punishable by up to 10 years in prison. Additionally, victims are permitted to pursue civil actions against perpetrators. However, damages awarded are limited to economic damages. Pain or suffering or punitive damages are not awarded.
  • Ohio Legal Requirements
    • Ohio Revised Code 1347.12 states that a breach of any state agency or political subdivision security system requires the public office to notify victims if their personal information is hacked. Unlike the CFAA, there is no private right of action and the statute must be enforced by the Ohio Attorney General’s Office. Additionally, public offices must notify credit reporting agencies if more than one thousand residents’ personal information is stolen. Finally, public offices and businesses must disclose the loss of personal information by a security breach.
    • Ohio Revised Code 1349.19 says any person who owns or licenses computerized data that includes personal information must disclose any breach of the security of the system, following its discovery or notification of the breach, to any resident of Ohio whose personal information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person if the access and acquisition by the unauthorized person causes or reasonably is believed will cause a material risk of identity theft or other fraud to the resident.
    • Ohio Revised Code 1349.192 provides that for each day a state agency, political subdivision, or person has intentionally or recklessly failed to comply, a civil penalty of up to $1,000 for each day the agency or person fails to comply with the section will be assessed. The penalty increases to $5,000 per day after 60 days and $10,000 per day after 90 days.

IMPORTANT: If you feel you may have had your entity’s sensitive information breached and/or stolen, you will want to contact your attorney as soon as possible to determine which laws will apply to you.

Needless to say, the stakes are quite high. So, to be prepared, the Ohio Auditor of State encourages you to do the following to prepare for a cyberattack:

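  • Create a response plan and team
  • Ensure that your response plan includes, at minimum, the following team members:
    • Office holder or head of the organization
    • IT
    • Legal
    • Finance
    • Public relations
  • Establish clear action items
  • Identify key contacts
  • Know your reporting guidelines
  • Encrypt sensitive data
  • Map the location of critical data
  • Limit access
  • Follow retention policies
  • Clean up old employee accounts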

Bitcoin or Bust

Because of the widespread occurrence of ransomware, some businesses and entities appear to be adopting a new preparation method – investing in bitcoin.

To be honest, I found this approach amusing when I first learned of it. After all, I like to think I would never give in to the demands of cyberscum. However, because of the rapidly increasing threat of Ransomware, many law enforcement organizations, businesses and other organizations and agencies have started to consider payment to be a rational way to recover their organization’s data. That said, just because you’ve purchased bitcoin doesn’t mean you should start slacking on proper backup protection – on the contrary. Once you’ve paid up once, it’s likely you will be targeted again. Sooner or later, your bitcoin supply (and the funds you used to pay for the bitcoin) will run out.

I recommend that your time, attention and resources go toward the backup/restore process instead of paying the criminals off. But if you must purchase bitcoin, consider the Coinbase bitcoin exchange, which is the most trusted digital currency available. Coinbase operates within the U.S. and is subject to U.S. laws.

Upcoming Cybersecurity Training Sessions

Due to the success of these cybersecurity training sessions, the Auditor of State will present a second educational series. I found the event to be very informative and valuable and would encourage others to attend – especially if you have concerns with regard to a data breach and/or Ransomware attack in your own business. We are still waiting on the dates for the second installment of the series to be announced. In the meantime, however, you can monitor the Training & Conference Registration webpage regularly for updates about this education seminar as well as other opportunities for your entity.

By Travis Strong, CISA (Wooster, OH)

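Looking for more tips to keep your entity safe from cybercriminals? Check out these articles to learn more:

Government Entities Are Not Immune to Cybercrime

Will Your Business Be Ransomware’s Next Target?

Don’t Be Fooled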