Mark E.S. Bernard Incident Handling and Observe Orientate Decide Act
  1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Compiled by: Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT
  2. • Management Activities
       - Define and maintain the Incident Handling Plan and Program.
       - Define and maintain the Computer Security Incident Response Team.
       - Review program effectiveness and efficiency regularly.
       - Monitor potential and actual security incidents.
       - Monitor regular vulnerability assessments.
       - Information Security-Related Information
     • Proactive Services
       - Coordinate Announcements
       - Technology Watch
       - Information Security & Audit Assessments
       - Configuration & Maintenance of Security Tools, Applications, & Infrastructure
       - Monitor Intrusion Detection Reports
       - Identify and/or Develop Security Tools
     • Security Quality Management Services
       - Facilitate Threat-Risk Analysis
       - Information Security Consulting
       - Facilitate Training/Awareness Building
       - Product Evaluation or Certification
     • Reactive Services
       - Alerts and Warnings
       - Incident Handling (analysis, response on site, support, coordination)
       - Vulnerability Handling (analysis, response, evidence, coordination)
     Every security event and incident should result in lessons learned to help improve the response time and mitigate future risk from materializing. The Quality Management system leverages a Plan-Do-Check-Act cycle that includes a feedback loop.
  3. With the ISO 27001 ISMS we attempt to identify potential threats and matching vulnerabilities and mitigate these risks before they result in unplanned expenses and damage to an organization's reputation. 'Security Events' are not the same as 'Security Incidents'. Security events normally occur when a vulnerability exists and a threat agent attempts to exploit that vulnerability but is not successful. There is a subtle difference between information security 'incidents' and 'events', and while we may not be able to stop events from occurring, we can learn from them and take corrective and/or preventive action to mitigate or eliminate the risk.
  4. Misconfiguration of infrastructure devices and vulnerabilities in software and hardware are some of the most common weaknesses within the security architecture. The misconfiguration of telecommunication devices or weakness in protocols is often the door left open by system administrators, database administrators, software engineers, external service providers, suppliers and vendors. Each has a responsibility for security and the effectiveness of security. Standardization, traceability, verification and validation, and annual security testing are critical checks and balances to maintain effective security.
  5. 1. Designated "Single Point of Contact" ("SPC")
        1.1. Incident Response Team
        1.2. Incident Response Team Members
        1.3. Incident Response Team Roles and Responsibilities
        1.4. Incident Response Team Notification
     2. Breach of Personal Information - Overview
        2.1. Definition of a Security Breach
     3. Requirements
        3.1. Information Owner Responsibilities
        3.2. Location Manager Responsibilities
        3.3. When Notification Is Required
     4. Incident Response - Breach of Personal Information
        4.1. Technology Operation Center
        4.2. Office for Central Information Security
        4.3. Customer Database Owners
        4.4. Web Banking Department
        4.5. Credit Payment Systems
        4.6. Legal
        4.8. Human Resources
        4.9. Network Architecture
        4.10. Public Relations
        4.11. Location Manager
     5. Incident Handling Step-by-step
        5.1. Documentation Logs
        5.2. Determine If It Is Real
        5.3. Scope
        5.4. Incident Communications
             5.4.1. Explicit Notification
             5.4.2. Factual Notification
             5.4.3. Choice of Language
             5.4.4. Notification of Individuals
             5.4.5. Public Relations - Press Releases
        5.5. Who Needs to Get Involved?
        5.6. Containment
        5.7. Evidence Handling
        5.8. Chain of Custody
             5.8.1. Collection of Evidence
             5.8.2. Collection/Storage of Evidence
             5.8.3. Storage of Evidence
        5.9. Eradication
        5.10. Recovery
        5.11. Follow-up
        5.12. Legal Affairs
     The Incident Handling Procedure is fairly standard in most mature organizations. This is important because communication and training for Security Incident Team members are crucial to the successful handling of any security incident.
  6. Establishing the Information Security Program is crucial to a consistent, reproducible approach that effectively mitigates the risk of threats exploiting vulnerabilities. The Security Program provides the Shareholders, Board of Directors, Executives and Employees with assurance that data, information and knowledge are secure and constantly protected. The Security Program is constantly improving and evolving to meet the challenges of modern threats to the agility and resilience of the Enterprise.
  7. OODA is a concept originally applied to the combat operations process, often at the strategic level in military operations. It is now also often applied to understand commercial operations and learning processes. The concept was developed by military strategist and USAF Colonel John Boyd.
  8. Observe: During this stage of OODA the individual scans the environment and gathers information regarding changes in the environment that affect them directly or indirectly, and how the environment reacts to the strength, weakness, manoeuvres and intentions of their actions. Such observations aim to spot mismatches before the threat agent does. Orientate: During this stage of OODA the individual orients on the observed information, converting information into knowledge by developing concepts through analysis of that information. The way the individual interprets knowledge depends on culture, genetic heritage, ability to analyze and synthesize, experience, and the latest changes to information, and success depends on such interpretation. Knowledge is the key to success: knowing how to identify a security incident and understanding the difference between a security incident and a security event will improve success and reduce false positives. Many automated systems can help manage the volume of security events and identify patterns that are a prelude to a security incident. This gives the security administrator time to mitigate a potential breach.
  9. Decide: During this stage of OODA the security administrator weighs the options or alternatives available from the body of knowledge generated during the orientation phase, and picks the best one. For instance, the individual, having realized the need for a countermeasure, may choose to launch a net-new strategy or repackage an existing strategy, based on what they perceive the threat agent would do with the same knowledge. Decisions are, at a basic level, guesses, and as such need to remain fluid or work-in-progress, ready to change as new information comes in. Act: During this stage of OODA the security administrator executes their decision. This completes the OODA loop, and the feedback from the implementation is the basis for the next round of observation. Once a security incident has been confirmed, knowledge is again crucial in making the correct decision to contain, investigate and eradicate the root cause of a security incident. The preservation of evidence and the notification of management and stakeholders will be equally important as the incident handling workflow is executed by the security administrator. Repairing damage and closing gaps in the security architecture also requires knowledge and awareness.
  10. Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims. "Social engineering" as an act of psychological manipulation had previously been associated with the social sciences, but its usage has caught on among computer professionals. When it comes to a motivated threat agent, the absence of a vulnerability will not stop the attack. Threat agents will do their research and target a weak link for a social engineering attack. Generally humans are very helpful, but even the most experienced and skilled employee can be compromised with the correct social engineering method. This is why threat agents study the target carefully before initiating any attack.
  11. Hackers generally follow a routine when attacking an organization or individual:
      1 - Information Gathering
      2 - Gain Access
      3 - Gain Privileged Access
      4 - Hide Evidence
      5 - Create Backdoors
      6 - Expand Attack
  12. • Social engineers use tactics to leverage trust, helpfulness, easily attainable information, knowledge of internal processes, authority, technology and any combination thereof
      • They often use several small attacks to put them in the position to reach their final goal
      • Social engineering is all about taking advantage of others to gather information and mount an attack
      • The information gained in a phone book may lead to a phone call. The information gained in the phone call may lead to another phone call
      • A social engineer builds on each tidbit of information he or she gains to eventually stage a final, deadly attack
      • A successful social engineering attempt could result in great financial loss for the target company. A motivated attacker will be willing to gain information in any way possible
  13. • Authority Attack (with or without artefact): using a fake badge or utility service outfit to gain access, or identifying a key individual by name/title as a supposed friend or acquaintance, or claiming authority and demanding information (impersonation)
      • Zero-Sum Knowledge Attack: baiting someone to add to, deny or clarify pseudo-knowledge of the attacker, claiming to know more than you do, to solicit more information
      • Exaggerated/Knee-jerk Response Attack: making an outlandish lie in order to get an informative response
      • Persistent Attack: continuous harassment using guilt, intimidation and other negative ways to reveal information
      • Fake Survey/Questionnaire Attack: win a free trip to Hawaii, just answer these questions about your network
  14. • Stake-Out Attack: analyze activity over time, people movement & actions, deliveries of supplies
      • The 10 Attack: using an attractive individual to gain information or access
      • Rubber-Hose Attack: brute force, threatening
      • Payola Attack: bribery, plain and simple $$$
      • "The boy who cried wolf" Attack: setting off a series of false alarms that cause the victim to disable their own alarm system
      • Help Desk Attack: impersonating a current or new end-user needing help with access to a network or server
      • "Go with the Flow" Attack: crowded venues are a great time and place to gain access and information, such as a corporate party that has hundreds of employees; just act like you're one of them
  15. For more information contact: Skype; Mark_E_S_Bernard Twitter; @MESB_TechSecure LinkedIn;
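As an added example (not part of the deck), the following Python routine applies the distinction slide 3 draws between a security event (an exploitation attempt that does not succeed) and a security incident (one that does), and implements the point from slide 8 that automated tooling can flag patterns of events that are a prelude to an incident. The log line format, the outcome keywords, the three-events-in-five-minutes threshold and the sample lines are all constructed assumptions for the example.

```python
# Added example (not from the slides): triage that applies the deck's event vs
# incident distinction and flags repeated events as a prelude to an incident.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "key=value" format.
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=203.0.113.7 action=login outcome=failed
2024-05-01T10:00:09 src=203.0.113.7 action=login outcome=failed
2024-05-01T10:00:15 src=203.0.113.7 action=login outcome=failed
2024-05-01T10:00:22 src=203.0.113.7 action=login outcome=success
2024-05-01T10:05:00 src=198.51.100.4 action=sqli_probe outcome=blocked
2024-05-01T11:30:00 src=198.51.100.4 action=sqli_probe outcome=blocked
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) action=(\S+) outcome=(\S+)$")
EVENT_OUTCOMES = {"failed", "blocked", "denied"}  # attempt did not get through

def parse_line(line):
    """Return (timestamp, source, action, outcome), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def classify(outcome):
    """Event = attempt that was not successful; incident = attempt that succeeded."""
    return "event" if outcome in EVENT_OUTCOMES else "incident"

def triage(log_text, prelude_threshold=3, window=timedelta(minutes=5)):
    """Count events and incidents; flag sources with prelude_threshold or more
    events inside a sliding window, a pattern that often precedes an incident."""
    counts = {"event": 0, "incident": 0}
    event_times = defaultdict(list)
    preludes = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than mis-classifying them
        ts, src, _action, outcome = rec
        kind = classify(outcome)
        counts[kind] += 1
        if kind == "event":
            times = event_times[src]
            times.append(ts)
            times[:] = [t for t in times if ts - t <= window]  # keep window only
            if len(times) >= prelude_threshold:
                preludes.add(src)
    return {"counts": counts, "preludes": sorted(preludes)}
```

On the sample lines the routine reports five events and one incident, and flags 203.0.113.7 as a prelude source before its fourth attempt succeeds, which is the window of time slide 8 says the security administrator has to mitigate a potential breach.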