Cyber incident response or how to avoid long hours of testimony

A look at the downstream legal consequences of a cyber security incident

  • 1. More than just your garden-variety data breach
    Dave Sweigert, CISSP, CISA, PMP
    October 2013
    10/24/2013
  • 2. Alerting events:
    • Call from the FBI concerning strange connectivity with threat web sites (e.g. Eastern European)
    • Self-identified within your organization (e.g. based on network signatures, log files, etc.)
    • Discovering your organization's data unexpectedly at a third-party site
    • Third-party bounty hunters recruiting "victims" (your organization's customers)
  • 3. Alerting events (continued):
    • Average "slow and low" breaches can transpire over 12-18 months
    • Benign reconnaissance turning into covert infiltration
    • Bribed and compromised key employees
    • FBI discovering data in unrelated cases (e.g. executing search warrants at drug-crime sites and finding your data)
  • 4. Pre-incident planning:
    • Establish legal counsel privilege for discussions surrounding data breach issues
    • Pre-arranged relationships with an appropriate triage vendor to handle sophisticated technical issues
    • Define the scope of the incident early
    • Incident scope extends beyond mere governance and security issues (brand damage, media relations, etc.)
  • 5. Knee-jerk reactions:
    • Pull the plug, block the unfriendly IP address, hide (there may be multiple paths of exfiltration; running and hiding gives a false sense of security)
    • Executives take charge with no plan (possibly corrupting evidence and alienating law enforcement)
    • No containment or eradication plan developed, practiced, etc.
  • 6. Pulling-the-plug operations:
    • Is the corporate e-mail system compromised; are attackers reading your response action plans?
    • Will you have a defensible justification for the business loss?
    • Will you make the decision to call the FBI Cyber Squad?
  • 7. Law enforcement priorities:
    • L.E. may wish to allow the breach to continue for investigative reasons
    • Concern over brand damage with the stigma of an "FBI investigation"
    • Timing issues: evidence preserved, situation stabilization, prepare
  • 8. Avoidance and mitigation:
    • Data modeling (where is your data?)
    • Information strategy (where is your key data?)
    • Data breach response planning
    • Pre-established relationships with forensics vendors
  • 9. Avoidance and mitigation (continued):
    • Benchmarking your information security team against standards
    • Conduct a privileged security assessment beforehand
    • Pre-established incident response
    • Disclosing risk (public companies)
  • 10. Pre/post-incident conduct questions:
    • Plan to deal with a data breach incident
    • Planning with reasonable security measures in mind (with justification)
    • Deceptive claims made to the public as to security measures (vague/ambiguous)
    • Breach of implied contract with users
    • Misrepresentation of incident response
  • 11. Pitfalls:
    • Don't be too smart (too technical) for your own good (give clear marching orders)
    • Basic, simple issues regarding incident management (low-hanging fruit)
    • Beware of emotional appeal (health records, children, minors)
    • Over-reliance on static security measures
    • Not having a varsity forensics team
  • 12. Discovery issues:
    • Justifications for not following consensus-driven industry standards
    • Demonstration of reasonableness in assessing risk, remediation, etc.
    • Manifestations of poor practices: engineering, security, storage, etc.
    • Uniform Commercial Code issues
    • Working from home, BYOD issues
  • 13. Modeling security risk:
    • Assessment or evaluation of the organization's incident response/management team
    • Technical/response maturity of the team
    • In-place incident response plans and testing
    • Independent verification and validation of security processes, guidelines, etc.
    • Risk management team's visibility of IT risks
  • 14. About the author:
    An Air Force veteran, Dave Sweigert acquired significant security engineering experience with military and defense contractors before earning two Master's degrees (Project Management and Information Security). He holds the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Project Management Professional (PMP) certifications. Mr. Sweigert has over twenty years' experience in information assurance, risk management, governance frameworks and litigation support.