I recently conducted a Training Webinar on ISO 27035 Security Incident Response. This is a transcript from the class that I taught. Please excuse any transcription errors.  Michael C. Redmond

Transcript Notes

  1. Dr. Michael C. Redmond, PhD MBCP, FBCI, CEM, PMP, MBA
  2. Cyber Defense and Response. An organization’s security policy and controls must be adaptable to emerging threats in today’s world. The assessment of security threats is ongoing and must be mapped against the adequacy and existence of security controls. Security controls and countermeasures that are currently in place may not be commensurate with potential risks. The effort is never-ending, but knowing how to start is the key.
  3. Motivators
     • Increase in the number of computer security incidents being reported
     • Increase in the number and type of organizations being affected by computer security incidents
     • More focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies
     • New laws and regulations that impact how organizations are required to protect information assets
     • Realization that systems and network administrators alone cannot protect organizational systems and assets
  4. Why CSIRT. Security breaches and subsequent fraud are increasing in frequency and scale. While financial institutions, retailers, healthcare providers, and other targeted organizations are doing everything possible to remain one step ahead of cyber criminals, these incidents will likely continue to happen, putting sensitive information at risk. While you can’t always prevent a breach, quick response can minimize reputation damage and financial impact. Proactive and timely account holder communication can help reduce costs, including those associated with increased call center activity, customer education, brand repair campaigns, regulatory compliance, and the expense of covering customer losses.
  5. Many large companies are getting hacked: Anthem, Sony, and Target, to name just a few. The number of data breaches increased 27.5% in 2014. Measures against these types of security incidents are on the rise in companies.
  6. In 2012, 3.8 Million Tax Records Stolen in Largest State Agency Attack
     • Both Social Security and credit card numbers were stolen from the South Carolina Department of Revenue by hackers in August. A phishing email enabled hackers to steal credentials from users and eventually steal 74 GB of encrypted and unencrypted data.
  7. 2012 Server Hack Leads to HIPAA Violation by Utah Department of Health
     • In April 2012, 780,000 individuals were affected in a server hack at the authentication level that allowed hackers to access and steal SSNs and personal health records from the Utah Department of Health.
     • One server was not configured according to normal procedure, and this allowed hackers to access the system.
  8. In 2012, Global Payments Inc. PCI Data Breach Affected 1.5 Million
     • Nearly 1.5 million consumers were affected by hackers accessing Global Payments Inc.’s payment processing system in January and February.
  9. On Dec 14 2014, Dutch government website outage caused by cyber attack
     • Cyber attackers crippled the Dutch government’s main websites for most of Tuesday and back-up plans proved ineffective, exposing the vulnerability of critical infrastructure at a time of heightened concern about online security.
     • The outage at 0900 GMT lasted more than seven hours, and on Wednesday the government confirmed it was a cyber attack.
  10. Feb 2015, Chinese hackers ‘target US defense, finance firms’ after Forbes cyberattack
     • US cyber security firms say a Chinese espionage team hacked Forbes magazine to then attack defence contractors, financial firms and other unsuspecting prey visiting the popular news website.
     • Invincea and iSight Partners detailed what they described as a “watering hole” campaign late last year that took advantage of Forbes.com and other legitimate websites.
     • “A Chinese advanced persistent threat compromised Forbes.com to set up a watering hole style web-based drive-by attack against US defence and financial services firms in late November 2014,” Invincea said in a report posted on its website.
     • The “brazen attack” took advantage of vulnerabilities in Adobe Flash and Internet Explorer software which have since been patched, according to Invincea.
  11. February 13, 2015, Tennessee healthcare group notifies employees of payroll breach
     • Tennessee-based State of Franklin Healthcare Associates (SoFHA) has notified all employees that their personal information was accessed during a security breach at the company’s third party payroll vendor, and some of it has already been used to file fraudulent tax returns.
     • How many victims? All employees are being notified, and 20 to 25 have been affected.
     • What type of personal information? Employee payroll information, including W-2s.
     • What happened? SoFHA’s third party payroll vendor was breached, access was gained to SoFHA employee payroll information, and fraudulent tax returns were filed.
     • What was the response? SoFHA is working with national, state and local law enforcement to identify the perpetrators. SoFHA is notifying all employees, and is offering them a free year of identity theft protection services.
     • Details: SoFHA notified local authorities in early February. As of Thursday, between 20 and 25 employees have reported being victims of tax-related identity theft.
     • Quote: “We do know that the cyber attack was contained to only employee payroll information, and at no time was any patient data compromised,” Richard Panek, CEO of SoFHA, was quoted as saying. “The scam is that the criminals attempt to file for, and receive, a tax refund before the real person files.”
  12. Questions
     • What are the basic requirements for establishing a CSIRT?
     • What type of CSIRT will be needed?
     • What type of services should be offered?
     • How big should the CSIRT be?
     • Where should the CSIRT be located in the organization?
     • How much will it cost to implement and support a team?
     • What are the initial steps to follow to create a CSIRT?
  13. CSIRT Program Plan for Managing Playbooks, one for each of the different types of Cyber Security Incidents (a single worst-case plan, as used in Disaster Recovery, does not work here).
  14. What’s Needed
     • Cyber Security Incident Response Program
       – Cyber Security Incident Response Teams
       – Cyber Security Incident Response Documented Program
       – Cyber Security Incident Response Documented Plan
       – Cyber Security Incident Response Documented Playbooks
     • Internal Controls Assessments
     • Policy Review
     • Gap Analysis
     • REWI Risk Evaluation
     • Risk Assessment Facilitation
     • Security Awareness Training
     • Business Continuity and Disaster Recovery Planning
  15. Standards
     • ISO 2700 (Requirements)
     • FFIEC
     • PCI DSS (Credit Card Processing)
     • COBIT (Framework for IT Governance and Controls)
     • ISO 27005 (Information Security Risk Management)
     • ITIL (Framework: Identifying, planning, delivering, supporting and maintaining IT for Business Functions)
     • And so many more Standards and Best Practices
  16. General Questions were removed.
  17. ISO and Information Security
     • 27001 Information Security Requirements
     • 27002 Code of Practice for Information Security Management
     • 27003 Information Security Management System Implementation Guidance
     • 27004 Information Security Measurement
     • 27005 Information Security Risk Management
     • 27006 Requirements for Audit and Certification
  18. What to Consider
     • CSIRTs interact with other organizations
     • How to handle sensitive information
     • Cover both operational and technical issues
       – Equipment
       – Security
       – Team staffing considerations
     • Resource to both newly forming teams and existing teams
     • Stakeholders
       – CSIRT staff
       – Higher level managers
       – Others who interact with the CSIRT
  19. Not Just Responding
     • Coordination of incident handling, thereby eliminating duplication of effort
     • Mitigate the potentially serious effects of a severe computer security-related problem
     • Include efforts not only on the capability to react to incidents but also the resources to alert and inform the constituency
  20. Different Plans Sound Similar
     • CIRP: Computer Incident Response Plan
     • CSIRP: Cyber Security Incident Response Plan
     • CSIRT: Cyber Security Incident Response Team
  21. Program and Plan Basics
     • Objective
     • Scope
     • Assumptions
     • Ownership
     • Action Steps
     • Structure
  22. CSIRT Incident Phases
     • Preparation
     • Detection (Precursors and Indicators)
     • Analysis
     • Declaration
     • Response
     • Containment
     • Eradication
     • Recovery
     • Post Incident
  23. What’s Needed
     • Cyber Security Incident Response Program
       – Cyber Security Incident Response Documented Program
       – Cyber Security Incident Response Documented Plan
       – Cyber Security Incident Response Teams
       – Cyber Security Incident Response Documented Playbooks
     • Policy Review
     • Gap Analysis
     • REWI Risk Evaluation
       – Internal Controls Assessments
     • Risk Assessment Facilitation
     • Security Awareness Training
     • Business Continuity and Disaster Recovery Planning
  24. Vision
     • Identify your constituency. Who does the CSIRT support and serve?
     • Define your CSIRT mission, goals, and objectives. What does the CSIRT do for the identified constituency?
     • Select the CSIRT services to provide to the constituency (or others). How does the CSIRT support its mission?
     • Determine the organizational model. How is the CSIRT structured and organized?
     • Identify required resources. What staff, equipment, and infrastructure are needed to operate the CSIRT?
     • Determine your CSIRT funding. How is the CSIRT funded for its initial startup and its long-term maintenance and growth?
  25. Who Should Be on CSIRT Teams. Business managers: they need to understand what the CSIRT is and how it can help support their business processes. Agreements must be made concerning the CSIRT’s authority over business systems and who will make decisions if critical business systems must be disconnected from the network or shut down.
  26. Operation Sequencing
     • Initiation
     • Resolution
     • Termination
  27. Documentation
     • Cyber Security Incident Response Program
       – Cyber Security Incident Response Documented Program
       – Cyber Security Incident Response Documented Plan
       – Cyber Security Incident Response Teams
       – Cyber Security Incident Response Documented Playbooks
  28. Policy Review
     • Computer Usage Guidelines
     • Acceptable Use Statement
     • Special Access Policy
     • Special Access Guidelines Agreement
     • Network Connection Policy
     • Escalation Procedures for Security Incidents
     • Incident Handling Procedure
     • Acceptable Encryption Policy
     • Analog/ISDN Line Security Policy
     • DMZ Lab Security Policy
     • Guidelines on Anti-Virus Process
     • Application Service Providers (ASP) Policy
     • Acquisition Assessment Policy
     • ASP Security Standards
     • Audit Policy
     • Automatically Forwarded Email Policy
     • DB Password Policy
     • Dial-In Access Policy
     • Internet DMZ Equipment Policy
     • Extranet Policy
     • Information Sensitivity Policy
     • Internal Lab Security Policy
  29. Security Awareness Training is essential.
  30. Personnel Awareness Training
     • Never, ever give your password to anyone.
     • Don’t install every program you come across on your computer or mobile device – some of this software, disguised as a nice game or utility program, is made with the sole purpose of injecting a virus onto your computer.
     • Disable your Bluetooth connection because it is very unsafe; but also, disable the Wi-Fi network on your mobile device when you’re not using it.
     • Do not leave your computer in a car.
     • Do not leave your computer unattended in public places like airports, toilets, public transport, conferences, etc.
  31. Look for Patterns
     • Unusual activity in access or system logs
     • Recent changes to the system
     • Super User ID created
     • Deleted log files
     • Recent escalation of privileges
     • Recent off-hour activity
     • Recent file transfer from the system
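The pattern list above is the kind of thing a CSIRT turns into a first-pass triage script before an analyst ever reads raw logs. The following is an added example, written for this transcript and not code from the webinar or its author: it runs a few simple rules (super user account created, escalation to root, log file deleted, off-hours activity, large outbound transfer) over constructed syslog-style lines. The log lines, the 08:00–18:59 business-hours window and the 100 MiB transfer threshold are all assumptions chosen for illustration; a real deployment would take them from the organization’s own baseline.

```python
"""Triage screen for the warning patterns a CSIRT looks for in logs.

Added example, not part of the original webinar. The sample log lines below
are constructed, and the business-hours window and transfer threshold are
assumed values, not figures from the page.
"""
import re
from datetime import datetime

# Constructed sample lines in a simplified "<timestamp> <host> <message>" form.
SAMPLE_LOGS = """\
2015-02-10T09:12:04 host1 sshd: Accepted password for alice from 10.0.0.5
2015-02-10T23:41:17 host1 sshd: Accepted password for bob from 10.0.0.9
2015-02-10T23:43:02 host1 useradd: new user: name=svc_backup, UID=0, GID=0
2015-02-10T23:44:51 host1 sudo: bob : TTY=pts/1 ; USER=root ; COMMAND=/bin/bash
2015-02-10T23:50:10 host1 audit: file deleted path=/var/log/auth.log user=root
2015-02-10T23:55:33 host1 proxy: POST https://203.0.113.7/upload bytes_out=734003200 user=bob
2015-02-11T10:02:15 host1 sshd: Accepted password for alice from 10.0.0.5
"""

BUSINESS_HOURS = range(8, 19)        # assumption: 08:00-18:59 is normal working time
BIG_TRANSFER = 100 * 1024 * 1024     # assumption: flag outbound transfers over 100 MiB

# Each rule is (name, pattern, optional predicate on the match).
# The first capture group becomes the "detail" recorded with the finding.
RULES = [
    # A new account with UID 0 is a second root account, a classic persistence sign.
    ("superuser_created", re.compile(r"useradd: new user: name=(\S+), UID=0"), None),
    # Any sudo to root is worth listing; the analyst decides if it was expected.
    ("privilege_escalation", re.compile(r"sudo: (\S+) : .*USER=root"), None),
    # Deleting files under /var/log is anti-forensic behaviour, not routine admin work.
    ("log_deleted", re.compile(r"file deleted path=(/var/log/\S+)"), None),
    # Large outbound transfers may be data leaving the system.
    ("large_outbound_transfer", re.compile(r"bytes_out=(\d+)"),
     lambda m: int(m.group(1)) >= BIG_TRANSFER),
]


def parse_line(line):
    """Split one constructed log line into (timestamp, host, message)."""
    ts_text, host, message = line.split(" ", 2)
    return datetime.fromisoformat(ts_text), host, message


def scan(log_text):
    """Return a list of (timestamp, rule_name, detail) findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _host, message = parse_line(line)
        # Off-hours activity is a property of the timestamp, so it is checked
        # separately from the message-content rules.
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, "off_hours_activity", message))
        for name, pattern, check in RULES:
            match = pattern.search(message)
            if match and (check is None or check(match)):
                findings.append((ts, name, match.group(1)))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    counts = {}
    for _ts, name, _detail in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


def should_escalate(findings, min_distinct_patterns=3):
    """The slide's point is the combination of patterns, not any single one:
    several different warning signs together are what justify declaring an
    incident rather than filing a ticket. Threshold is an assumption."""
    return len({name for _ts, name, _detail in findings}) >= min_distinct_patterns


if __name__ == "__main__":
    results = scan(SAMPLE_LOGS)
    for ts, name, detail in results:
        print(f"{ts.isoformat()}  {name:<24} {detail}")
    print("summary:", summarize(results))
    print("escalate to CSIRT:", should_escalate(results))
```

Running it lists nine findings from the seven constructed lines and recommends escalation, because five distinct patterns (off-hours logon, UID 0 account, sudo to root, deleted auth log, large upload) cluster within a quarter of an hour. On real data the rules would be tuned against the organization’s baseline so that, for instance, a scheduled backup job’s nightly transfer does not trip the off-hours and transfer rules every day.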
  32. Risks
     • Gap Analysis
     • REWI Risk Evaluation
       – Internal Controls Assessments