FTP Data Breach Incident Response

Eric Vanderburg

June 19, 2008

  1. FTP Data Breach Incident Response. Eric Vanderburg, June 19, 2008
  2. Scenario
     • Private confidential data on an FTP server is accessed by an unauthorized individual
     • Incident: YES
     • Issues
       – Potential privacy notification is needed
       – More data could be viewed or stolen, so the incident needs to be contained
       – Data needs to be replaced
  3. Detection and Analysis
     • Determine access method
       – Stolen or sniffed password
       – Exploit in system
     • Determine the scope of the incident
       – Find out if the incident has happened before and was never discovered.
       – Find out which data was accessed and which stakeholders/clients are impacted by the disclosure
     • Determine if the data obtained is in a form that would disclose private data, can be converted into a form that would disclose private data, or can be combined with data from another incident to disclose private data.
  4. Containment Strategies
     • Block IP or IP subnet from the firewall
     • Shut down FTP
     • Change FTP passwords
     • Move FTP to another server
     • Change FTP ports
     • Contact source and try to stop the distribution or use of the information
  5. Recovery
     • Restore data from backup
     • Request that the client resend the data
  6. Post-incident Activities
     • Attendees:
       – Management
         • CEO / Senior Partner
         • COO
         • Network Operations Manager
         • Litigation Support Manager
       – Public Relations Analyst
       – Sales Manager (Facilitator)
       – IT Staff
         • Senior Network Engineer
         • Network Engineer
         • Exchange Administrator
         • Network Analyst
  7. Preventing Future Occurrences
     • Set timeout on FTP site
     • Set alerts on FTP events
     • Encrypt username and password or require VPN for FTP
     • Set FTP server to only respond to specific IP addresses
     • Configure firewall rules for FTP ports to only allow traffic from specific pre-approved IP addresses or subnets.
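
For the scoping step on the Detection and Analysis slide (which data was accessed, which clients are impacted, and whether it happened before), the following is an added example, not part of the original slides. It assumes the FTP server writes a wu-ftpd-style xferlog transfer log; the sample log lines, IP addresses, and the `parse_xferlog` and `scope` names are constructed for illustration.

```python
from datetime import date, datetime

# Constructed sample in xferlog format (an assumption; the slides name no log format).
SAMPLE_LOG = """\
Mon Jun 02 23:41:10 2008 2 203.0.113.7 52311 /clients/acme/payroll.xls b _ o r acme ftp 0 * c
Tue Jun 17 09:12:44 2008 1 198.51.100.20 8841 /clients/acme/upload.zip b _ i r acme ftp 0 * c
Wed Jun 18 02:05:31 2008 4 203.0.113.7 910233 /clients/bolt/case files.zip b _ o r bolt ftp 0 * c
Wed Jun 18 02:06:02 2008 1 203.0.113.7 1200 /clients/bolt/notes.txt a _ o r bolt ftp 0 * i
Wed Jun 18 08:30:00 2008 1 198.51.100.20 8841 /clients/acme/upload.zip b _ o r acme ftp 0 * c
"""

def parse_xferlog(line):
    """Parse one xferlog line. Filenames may contain spaces, so the fixed
    fields are taken from both ends and the remainder is the path."""
    t = line.split()
    if len(t) < 18:          # 5 date tokens + 3 fields + path + 9 trailing fields
        return None
    try:
        when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
        size = int(t[7])
    except ValueError:
        return None
    return {"time": when, "host": t[6], "size": size, "path": " ".join(t[8:-9]),
            "direction": t[-7], "user": t[-5], "status": t[-1]}

def scope(log_text, suspect_hosts, detected_on):
    """Return (exposed, earlier): files downloaded by suspect hosts per FTP
    account, and downloads dated before the day the incident was detected."""
    exposed, earlier = {}, []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["host"] not in suspect_hosts or rec["direction"] != "o":
            continue             # keep only outgoing transfers (downloads) to suspects
        files = exposed.setdefault(rec["user"], {})
        # An incomplete transfer ("i") still leaks part of the file.
        if files.get(rec["path"]) != "complete":
            files[rec["path"]] = "complete" if rec["status"] == "c" else "partial"
        if rec["time"].date() < detected_on:
            earlier.append(rec)
    return exposed, earlier

if __name__ == "__main__":
    exposed, earlier = scope(SAMPLE_LOG, {"203.0.113.7"}, date(2008, 6, 18))
    for account, files in exposed.items():
        print(account, files)
    for rec in earlier:
        print("earlier access:", rec["time"], rec["user"], rec["path"])
```

The per-account file list feeds the privacy-notification decision, and any entry in `earlier` indicates the access predates the detected incident.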
