
Cyber Security Incident Response

PECB

This presentation was delivered by Michael Redmond at the PECB Insights Conference 2018 in Paris.

Cyber Security Incident Response
Michael C. Redmond
2
Michael C. Redmond, MBA, PhD
Certified as Lead Implementer:
ISO/IEC 27001 Information Security Management
ISO/IEC 27032 Lead Cyber Security Manager
ISO/IEC 27035 Information Security Incident Management
ISO 22301 Business Continuity Management Systems
ISO 21500 Lead Project Manager
ISO 31000 Risk Management
ISO 55001 Asset Management
ISO 14001 Environmental Management
ISO 9001 Quality Management
ISO 26000 Social Responsibility
ISO 37001 Anti-Bribery Management Systems
Certified Implementer – Foundation:
ISO 22316 Security and Resilience – Organizational Resilience
ISO 22320 Emergency Management
ISO 20700 Management Consultancy Services
Certified as Lead Auditor:
ISO/IEC 27001 Information Security Management
ISO 22301 Business Continuity Management Systems
ISO 55001 Asset Management
ISO 14001 Environmental Management
ISO 9001 Quality Management
ISO 26000 Social Responsibility
Other Certifications:
Master Business Continuity Professional (DRI International) – MBCP
Fellow of the Business Continuity Institute – FBCI
Certified Emergency Manager – CEM
Project Management Professional – PMP
PECB Certified Trainer
3
Attacks Are Not IF But WHEN
Many companies, hospitals, schools, governments and other organizations are getting hacked.
The number of data breaches reported increases each year.
Measures against these types of security incident are on the rise in companies.
4
LET’S REMEMBER
History
5
Massive Cyber Attack Hit 104 Countries
May 2017: WannaCry
- A new family of ransomware called WannaCry infected over 140,000 computers worldwide within days. It carries a worm component that uses an SMB exploit to jump from one infected computer to the next and then encrypts the files stored on each victim.
- A little background on this threat: unlike most ransomware families, WannaCry does not rely on infected e-mail attachments or links to spread. Its worm component exploits a vulnerability in the SMBv1 file-sharing service of most Windows versions and executes the payload on the victim PC with no user interaction. The exploit (known as EternalBlue) was not a zero-day at the time of the outbreak: Microsoft had patched the flaw two months earlier, in March 2017 (MS17-010), and the machines hit were those still unpatched or running end-of-life Windows versions.
- According to various reports, this exploit was developed by the National Security Agency (NSA) in the US as a cyber-weapon and was leaked to the public in April 2017 along with other classified material allegedly stolen from the agency.
- A number of hospitals, telecom companies, gas and utility plants suffered massive disruptions caused by their data being held to ransom.
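The propagation pattern described above, one host opening SMB connections to many neighbours in quick succession, is what a worm looks like in firewall or flow logs, and it is visible whether or not the exploit succeeds. The following is an added example, not code from the original slides or from any vendor, that flags that fan-out over constructed log lines. The log format, host addresses, 60-second window and threshold of 20 distinct targets are assumptions for illustration; tune them to your own environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format (an illustration, not a specific vendor's syslog):
# 2017-05-12T10:00:01Z src=10.0.5.17 dst=10.0.5.18 dport=445 proto=tcp action=allow
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one flow-log line into a dict; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dport"] = int(rec["dport"])
    return rec


def smb_fanout(lines, window=timedelta(seconds=60), port=445):
    """Map each source host to the largest number of distinct destinations it
    contacted on TCP/`port` inside any interval of length `window`.

    Denied connections are counted as well: a worm keeps probing whether or
    not the firewall lets the packets through, and the probing is the signal.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    peak = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # dst -> number of events currently inside the window
        start = 0
        best = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the window start forward past events older than `window`.
            while ts - evs[start][0] > window:
                old_dst = evs[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            best = max(best, len(in_window))
        peak[src] = best
    return peak


def flag_worm_hosts(lines, threshold=20, **kwargs):
    """Sources whose peak fan-out reaches `threshold` distinct targets."""
    return sorted(src for src, n in smb_fanout(lines, **kwargs).items() if n >= threshold)


def build_sample_log():
    """Constructed flow records for the demo; not taken from any real capture."""
    t0 = datetime(2017, 5, 12, 10, 0, 0, tzinfo=timezone.utc)

    def rec(offset_s, src, dst, dport, action="allow"):
        ts = (t0 + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return f"{ts} src={src} dst={dst} dport={dport} proto=tcp action={action}"

    lines = []
    # Infected workstation: probes 30 neighbours on TCP/445 within 30 seconds.
    for i in range(30):
        lines.append(rec(i, "10.0.5.17", f"10.0.5.{20 + i}", 445, "allow" if i % 3 else "deny"))
    # Ordinary workstation: 40 SMB sessions, but all to the same file server.
    for i in range(40):
        lines.append(rec(i * 2, "10.0.5.3", "10.0.5.10", 445))
    # Backup agent: touches 25 hosts, but five minutes apart, never 20 in one minute.
    for i in range(25):
        lines.append(rec(i * 300, "10.0.5.200", f"10.0.6.{i + 1}", 445))
    # HTTPS traffic from the infected host is outside the detector's scope.
    lines.append(rec(5, "10.0.5.17", "203.0.113.5", 443))
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, n in sorted(smb_fanout(log).items()):
        print(f"{src:12s} peak distinct 445/tcp targets in 60 s: {n}")
    print("flagged as worm-like:", flag_worm_hosts(log))
```

Only the infected host is flagged: the file-server client makes more connections than the worm but to a single destination, and the backup agent reaches many hosts but too slowly to fit the window. The same sliding-window count works for any lateral-movement port (RDP on 3389, WinRM on 5985) by changing `port`; expect legitimate vulnerability scanners and monitoring servers to trip it, so whitelist them explicitly rather than raising the threshold.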
6
How It Was Stopped
- LONDON (AP) -- The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.
- Britain's National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called "kill switch" that halted the unprecedented outbreak.
- By then the "ransomware" attack had crippled Britain's hospital network and computer systems in several countries in an effort to extort money from computer users. But the researcher's actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.
- MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large global cybersecurity community who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It's not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxJisc
 
Different types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptxDifferent types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptxPunamSahoo3
 

Recently uploaded (20)

“ Importance of seed, seed structure & function ”.pptx
“ Importance of seed, seed structure & function ”.pptx“ Importance of seed, seed structure & function ”.pptx
“ Importance of seed, seed structure & function ”.pptx
 
Health Education - Meaning, Definition, Concept, Factors Influencing Health
Health Education - Meaning, Definition, Concept, Factors Influencing HealthHealth Education - Meaning, Definition, Concept, Factors Influencing Health
Health Education - Meaning, Definition, Concept, Factors Influencing Health
 
Bayesian Analysis Fundamentals with Examples
Bayesian Analysis Fundamentals with ExamplesBayesian Analysis Fundamentals with Examples
Bayesian Analysis Fundamentals with Examples
 
Chromatography-Gas chromatography-Principle
Chromatography-Gas chromatography-PrincipleChromatography-Gas chromatography-Principle
Chromatography-Gas chromatography-Principle
 
Metabolism of Galactose & fructose .pptx
Metabolism of Galactose & fructose .pptxMetabolism of Galactose & fructose .pptx
Metabolism of Galactose & fructose .pptx
 
Dr. NN Chavan Keynote address on ADNEXAL MASS- APPROACH TO MANAGEMENT in the...
Dr. NN Chavan Keynote address on ADNEXAL MASS-  APPROACH TO MANAGEMENT in the...Dr. NN Chavan Keynote address on ADNEXAL MASS-  APPROACH TO MANAGEMENT in the...
Dr. NN Chavan Keynote address on ADNEXAL MASS- APPROACH TO MANAGEMENT in the...
 
Unleashing the Power of AI Tools for Enhancing Research, International FDP on...
Unleashing the Power of AI Tools for Enhancing Research, International FDP on...Unleashing the Power of AI Tools for Enhancing Research, International FDP on...
Unleashing the Power of AI Tools for Enhancing Research, International FDP on...
 
Pharmacovigilance of Natural Drugs.
Pharmacovigilance of Natural Drugs.Pharmacovigilance of Natural Drugs.
Pharmacovigilance of Natural Drugs.
 
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdfWriting Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
Writing Agony Letter & If type O+1 & Diphthongs + Text “Arab Science”.pdf
 
2.15.24 The Birmingham Campaign and MLK.pptx
2.15.24 The Birmingham Campaign and MLK.pptx2.15.24 The Birmingham Campaign and MLK.pptx
2.15.24 The Birmingham Campaign and MLK.pptx
 
Media Relations for Public Relations Class
Media Relations for Public Relations ClassMedia Relations for Public Relations Class
Media Relations for Public Relations Class
 
General Principles of treatment of Poisoning
General Principles of treatment of PoisoningGeneral Principles of treatment of Poisoning
General Principles of treatment of Poisoning
 
L9 Computation for Frequency and Distribution and Weighted Mean
L9 Computation for Frequency and Distribution and Weighted MeanL9 Computation for Frequency and Distribution and Weighted Mean
L9 Computation for Frequency and Distribution and Weighted Mean
 
human behaviour and personality development ppt.pptx
human behaviour and personality development ppt.pptxhuman behaviour and personality development ppt.pptx
human behaviour and personality development ppt.pptx
 
Advance Mobile Application Development class 02-B
Advance Mobile Application Development class 02-BAdvance Mobile Application Development class 02-B
Advance Mobile Application Development class 02-B
 
“ Seed and Fruit development and Seed and Fruit Abortion ”.pptx
“ Seed and Fruit development and Seed and Fruit Abortion ”.pptx“ Seed and Fruit development and Seed and Fruit Abortion ”.pptx
“ Seed and Fruit development and Seed and Fruit Abortion ”.pptx
 
Grantseeking Solo- Securing Awards with Limited Staff PDF.pdf
Grantseeking Solo- Securing Awards with Limited Staff  PDF.pdfGrantseeking Solo- Securing Awards with Limited Staff  PDF.pdf
Grantseeking Solo- Securing Awards with Limited Staff PDF.pdf
 
2023 MAP Data Analysis - St. Louis Region
2023 MAP Data Analysis - St. Louis Region2023 MAP Data Analysis - St. Louis Region
2023 MAP Data Analysis - St. Louis Region
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Different types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptxDifferent types of animal Tissues DMLT .pptx
Different types of animal Tissues DMLT .pptx
 

Cyber Security Incident Response

  • 5. Massive Cyber Attack hit 104 Countries
May 2017 WannaCry
 A new family of ransomware called WannaCry has infected over 140,000 computers worldwide. This piece of ransomware is based on a zero-day exploit that helps it jump from one infected computer to another and encrypt all the information stored on it.
 A little background information about this new threat: unlike other ransomware families, the WannaCry strain does not spread via infected e-mails or infected links. Instead, it takes advantage of a security hole in most Windows versions to automatically execute itself on the victim PC.
 According to various reports, this attack avenue was developed by the National Security Agency (NSA) in the US as a cyber-weapon and was leaked to the public earlier in April along with other classified data allegedly stolen from the agency.
 A number of hospitals, telecom companies, gas and utilities plants suffered massive disruptions caused by data being held to ransom.
  • 6. How It Was Stopped
 LONDON (AP) -- The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.
 Britain's National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called "kill switch" that halted the unprecedented outbreak.
 By then the "ransomware" attack had crippled Britain's hospital network and computer systems in several countries in an effort to extort money from computer users. But the researcher's actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.
 MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large global cybersecurity community who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It's not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.
  • 7. On Dec 14 2014, Dutch government website outage caused by cyber attack
 Cyber attackers crippled the Dutch government's main websites for most of Tuesday and back-up plans proved ineffective, exposing the vulnerability of critical infrastructure at a time of heightened concern about online security.
 The outage at 0900 GMT lasted more than seven hours and on Wednesday the government confirmed it was a cyber attack.
  • 8. LinkedIn, Dropbox and Formspring
 The US attorney's office in San Francisco on Friday (21 October, 2016) announced that the 29-year-old Russian man – Yevgeniy Nikulin – who was arrested in the Czech Republic, was indicted by a federal grand jury on Thursday on multiple charges including computer intrusion, aggravated identity theft and conspiracy.
 Nikulin was accused of hacking and stealing information from the computer systems at three Bay Area technology companies – LinkedIn, Dropbox and Formspring.
 The LinkedIn breach was executed over just two days in 2012, from 3 to 4 March.
 The Dropbox hack allegedly took place over more than two months, from 14 May to 25 July 2012.
 Formspring – Social media network Formspring, which shut down in March 2013, allowed users to ask or answer questions about anything. Working with unnamed co-conspirators, Nikulin allegedly tried to sell the Formspring user credential database for €5,500 (about $7,000) in 2012.
  • 9. 2013 Verizon Data Breach Investigations Report
In 2012, 66 percent of breaches that led to data compromise within “days” or less remained undiscovered for months or more.
In 69 percent of the cases, a third party discovered the breach.
  • 10. In 2012, Global Payments Inc. Data Breach Affected 1.5 Million
Nearly 1.5 million consumers were affected by hackers accessing Global Payments Inc.’s payment processing system in January and February.
resource.onlinetech.com/global-payments-inc-pci-data-breach-affects-1-5-million
  • 12. Two Years Ago: World Economic Forum Global Technology Risks for 2016
 According to the World Economic Forum’s global risk perspectives survey for 2016, cyberattacks were listed in the top five risks in 27 world economies.
 “The internet has opened a new frontier in warfare: Everything is networked and anything networked can be hacked.”
  • 13. Hackers Read The Same Publications That We Do
Cnet
CSO
Dark Reading
eWeek
Krebs on Security
Network World
Search Security
Techweb
Threatpost
  • 14. LET’S GET STARTED
Now That We Know Why
  • 15. An Efficient Incident Response Program allows an organization to:
Maintain continuous operations
Respond with speed and agility
Mitigate revenue loss
Mitigate fines
Mitigate lawsuits
  • 16. Different Plans Sound Similar
 CIRP Computer Incident Response Plan
 CSIRP Cyber Security Incident Response Plan
 CSIRT Cyber Security Incident Response Team
 ISIRT per ISO 27035
  • 17. Why CSIRT
Security breaches and subsequent fraud are increasing in frequency and scale. While financial institutions, retailers, healthcare providers, and other targeted organizations are doing everything possible to remain one step ahead of cyber criminals, these incidents will likely continue to happen, putting sensitive information at risk. While you can’t always prevent a breach, quick response can minimize reputation damage and financial impact. Proactive and timely account holder communication can help reduce costs, including those associated with increased call center activity, customer education, brand repair campaigns, regulatory compliance, and the expense of covering customer losses.
  • 18. CSIRT Program
Information Security, Governance & Risk are all critical aspects of planning and execution of the Cyber Information Security Response Program. Who in your organization has key responsibility to develop a program?
  • 20. Cyber Response Getting Started
Adopt a systematic approach to risk tracking to enhance the effectiveness of the Cyber Incident Program
• Outline the critical actions to take if an event affects the company or its partners
• Understand your organization’s susceptibility to a Cyber Attack
• Cyber Incident Response: getting started, research, training, testing and maintaining
  • 21. Knowledge
1. Knowledge of incident analysis processes and relevant legal, regulatory and business issues
2. Knowledge of effective communication and the communication strategies that can be adopted during an incident
3. Knowledge of Crisis Management and Business Continuity and how to align with these processes
4. Knowledge of investigations and the principles of forensic investigations, including protecting the chain of custody
5. Knowledge of the roles of the Incident Management Team and when such members are involved in Incident Handling
From: PECB ISO 27035 Test Preparation
  • 22. Standards
• ISO 27001 (Requirements)
• ISO 27035 Incident Response
• And so many more Standards and Best Practices
• COBIT (Framework for IT Governance and Controls)
• ISO 27005 (Information Security Risk Management)
• ITIL (Framework: identifying, planning, delivering, supporting IT for Business Functions)
  • 23. ISO and Information Security
27001 Information Security Requirements
27002 Code of Practice Information Security Management
27003 Information Security Management System Implementation Guidance
27004 Information Security Measurement
27005 Information Security Risk Management
27006 Requirements Audit and Certification
  • 24. Cyber Defense and Response
An organization’s security policy and controls must be adaptable to emerging threats in today’s world. The assessment of security threats is ongoing, and must be mapped against the adequacy and existence of security controls. Security controls and countermeasures that are currently in place may not be commensurate with potential risks. The effort is never ending, but knowing how to start is the key.
  • 26. Phases ISO 27035 Incident Response
 Prepare to deal with incidents, e.g. prepare an incident management policy and establish a competent team to deal with incidents;
 Identify and report information security incidents;
 Assess incidents and make decisions about how they are to be addressed, e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
 Respond to incidents, i.e. contain them, investigate them and resolve them;
 Learn the lessons – more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.
  • 27. Motivators
 Increase in the number of computer security incidents being reported
 Increase in the number and type of organizations being affected by computer security incidents
 More focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies
 New laws and regulations that impact how organizations are required to protect information assets
 Realization that systems and network administrators alone cannot protect organizational systems and assets
  • 28. Questions For Thought
 Which regulations, guidelines and white papers did you use in preparing your Cyber Incident Response Plan?
 What are your 5 top-tiered Cyber Risks?
 Do you have a separate plan for Breach?
 How did you approach developing the Incident Plan?
 How do you conduct incident training?
 How often do you do testing for Incident Response?
 What types of tests do you perform?
 How often do you conduct Incident Response testing?
 Do you conduct testing jointly with Disaster Recovery tests or as a separate Cyber Incident Response Test?
 How are Incident Response tests evaluated?
 What part does audit have in your Incident Response planning and testing?
 What areas do you engage in your planning, i.e. Legal, Unix?
 Do you use simulation software in testing and if so which one(s)?
 What automatic processes do you have in place to help with Incident Response?
  • 30. Summary of ISO 27035
 Establish an information security incident management policy
 Update information security and risk management policies
 Create an information security incident management plan
 Establish an Incident Response Team (IRT) [aka CSIRT]
 Define technical and other support
 Create information security incident awareness and training
 Test (or rather exercise) the information security incident management plan
 Lessons learned
  • 31. Benefit of Structured Approach
 Improve overall security
 Reduce adverse business impacts
 Strengthen the Information Security Incident Prevention Focus
 Strengthen Prioritization
 Strengthen Evidence
  • 32. Managing Incidents Effectively
 Detective and corrective controls designed to recognize and respond to events and incidents, minimize adverse impacts
 Gather forensic evidence (where applicable)
 And in due course ‘learn the lessons’ in terms of prompting improvements to the ISMS
 Typically by improving the preventive controls or other risk treatments
  • 33. Objective of Controls
 Stop and Contain
 Eradicate
 Analysis and Report
 Follow-up
  • 35. Integrate CSIRT into IS
Integrate CSIRT Management with Enterprise Risk Management. Use common business terminology, congruent methods, and a common or linked risk register, and establish mechanisms for risk acceptance. Build a CSIRT regulation review process schedule and regulation requirements.
  • 36. Gap Knowledge
 To what degree we understand the security risks
 How well we are protected
 What security incidents we can expect
 To what degree the organization is prepared to respond to security incidents
 To what degree the organization can respond to security incidents without suffering damage
 To what degree the organization can ensure timely and sufficient response
  • 37. Risk
While financial institutions, retailers, healthcare providers, and other targeted organizations are doing everything possible to remain one step ahead of cyber criminals, these incidents will likely continue to happen, putting sensitive information at risk.
  • 38. Mitigation To Tell Employees
 Set your computers to auto-lock with a password if not in use for 5 minutes – this way, if an employee leaves their computer, no one will be able to access it.
 Avoid using USB flash drives – they are the best way to get your computer infected, because very often anti-virus programs cannot detect such malicious code.
 Make sure you protect your mobile device with a good password, because if it gets stolen, the thief will be able to access your email, and with your email he will be able to change passwords to your cloud services and consequently access all your data stored in the cloud.
 Use password managers, which will enable you to save passwords for your different services and applications, because if you used the same password for all of them, the breach of only one password enables the criminals to access all of your accounts; password managers also enable you to use complex passwords for each of your services. And yes, those password managers are available for mobile devices, too.
 Use a VPN service for connecting to the Internet so that your passwords and other sensitive information are protected when transferred over the network; this is especially important if you’re using a Wi-Fi connection that you cannot fully trust.
 Use 2-factor authentication when connecting to important cloud services like Gmail, Dropbox, or similar – so even if someone steals your password, he wouldn’t be able to access your sensitive information. These 2-factor authentication systems can work together with your phone (by sending you a text message), or with special USB keys, without which access to a system wouldn’t be possible.
 Encrypt the data stored on your hard drive, so that if it gets stolen the thieves won’t be able to read it; you can also encrypt data stored in a cloud – there are some specialized cloud companies offering this kind of service.
 Update your software – you should do this regularly, as soon as a security patch is published; the best route would be to set up automatic updates.
  • 39. "Outsourcing Technology Services"
 Many institutions depend on third-party service providers to perform or support critical operations.
 These institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner.
 The responsibility for properly overseeing outsourced relationships lies with the institution's board of directors and senior management.
 An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing.
  • 40. Cyber Response Ties In With Asset Management
  • 41. Records* (ISO 27001:2013 clause number)
 Records of training, skills, experience and qualifications – 7.2
 Monitoring and measurement results – 9.1
 Internal audit program – 9.2
 Results of internal audits – 9.2
  • 42. Some Mitigations
 Build and maintain a secure network: Install and maintain a firewall and use unique, high-security passwords, with special care to replace default passwords.
 Protect cardholder data: Whenever possible, do not store cardholder data. If there is a business need, you must protect this data. You must also encrypt any data passed across public networks, including your shopping cart and Web-hosting providers, and when communicating with customers.
 Maintain a vulnerability management program: Use an anti-virus software program and keep it up to date. Develop and maintain secure operating systems and payment applications. Ensure the anti-virus software applications you use are compliant.
 Implement strong access control measures: Access, both electronic and physical, to cardholder data should be on a need-to-know basis. Ensure those people with electronic access have a unique ID and password. Do not allow people to share logon information. Educate yourself and your employees on data security and specifically the PCI Data Security Standard (DSS).
 Regularly monitor and test networks: Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes, including: firewalls, patches, web servers, email servers, and anti-virus.
 Maintain an information security policy: It is critical that your organization have a policy on how data security is handled. Ensure you have an information security policy and that it's disseminated and updated regularly.
  • 43. Sample Attacker Tools
 Attacker Toolkits: Many attackers use toolkits containing several different types of utilities and scripts that can be used to probe and attack hosts, such as packet sniffers, port scanners, vulnerability scanners, password crackers, and attack programs and scripts.
 Backdoors: A backdoor is a malicious program that listens for commands on a certain TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions on a host, such as acquiring passwords or executing arbitrary commands. Types of backdoors include zombies (better known as bots), which are installed on a host to cause it to attack other hosts, and remote administration tools, which are installed on a host to enable a remote attacker to gain access to the host’s functions and data as needed.
 E-Mail Generators: An email generating program can be used to create and send large quantities of email, such as malware and spam, to other hosts without the user’s permission or knowledge.
 Keystroke Loggers: A keystroke logger monitors and records keyboard use. Some require the attacker to retrieve the data from the host, whereas other loggers actively transfer the data to another host through email, file transfer, or other means.
 Rootkits: A rootkit is a collection of files that is installed on a host to alter its standard functionality in a malicious and stealthy way. A rootkit typically makes many changes to a host to hide the rootkit’s existence, making it very difficult to determine that the rootkit is present and to identify what the rootkit has changed.
 Web Browser Plug-Ins: A web browser plug-in provides a way for certain types of content to be displayed or executed through a web browser. Malicious web browser plug-ins can monitor all use of a browser.
  • 44. Personnel Awareness Training
 Never, ever give your password to anyone.
 Don’t install every program you come across on your computer or mobile device – some of this software, disguised as a nice game or utility program, is made with the sole purpose of injecting a virus onto your computer.
 Disable your Bluetooth connection because it is very unsafe; but also, disable the Wi-Fi network on your mobile device when you’re not using it.
 Do not leave your computer in a car.
 Do not leave your computer unattended in public places like airports, toilets, public transport, conferences, etc.
  • 45. Mitigation for Social Engineering
 External Social Engineering – Perform social engineering phone calls to individuals within the organization.
• Targets should include individuals from the help desk, IT department, human resources, finance, and other departments within the organization.
• The objective of these calls will be to induce the users to divulge sensitive information over the phone in violation of company policy.
 Targeted Email “Phishing” Attacks – Send emails to individuals and groups within the organization in order to attempt to entice the user to click on an external link that (hypothetically) will:
• Attempt to gather sensitive information
• Deliver a malicious payload onto their desktop system, which could include browser and operating system buffer overflows, Trojan horses, and keystroke loggers.
 Malicious Portable Media – Leave USB flash drives and CD-ROMs with enticing labels such as “Salary” in public areas such as hallways, restrooms, and break rooms.
• The media should contain simulated malicious code that will attempt to grab sensitive host information such as the network configuration, list of running processes, and a password hash dump.
 Sensitive Document Disposal Audit – “Dumpster Diving”
• Search internal trash receptacles and external dumpster and disposal areas for sensitive documents or storage media that are disposed of in violation of company policy.
  • 46. More Every Day
Security breaches and subsequent fraud are increasing in frequency and scale.
  • 47. Quick Response
While you can’t always prevent a breach, quick response can minimize reputation damage and financial impact.
  • 48. Quick Checklist to Mitigate Network
 Review all wireless access points and note any external wireless network whose signal range enters your premises.
 Validate the wireless network perimeter – one of the reasons wireless security is so complex is that wireless networks are not limited to the physical boundaries of your buildings. Limit unnecessary exposure to the outside world.
 Conduct vulnerability and penetration testing of access points.
 Review access points and wireless clients.
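The two review items on slide 48 (note foreign networks that reach into the premises; review the access points) are easiest to repeat consistently when the site survey is compared against an inventory of approved radios. The Python below is an added example and not part of the deck or any tool it mentions: it assumes a constructed CSV survey export with the columns ssid,bssid,channel,signal_dbm, a constructed inventory of approved BSSIDs, and a -70 dBm threshold for "in range"; real survey tools export different columns, so parse_survey() is the part to adapt.

```python
"""Review a wireless site survey against the approved access point inventory.

Added example, not part of the PECB deck. The survey export format, the
inventory and the -70 dBm "in range" threshold are assumptions.
"""

# Constructed inventory: approved BSSID (radio MAC) -> SSID it should broadcast.
APPROVED_APS = {
    "00:11:22:33:44:01": "CORP-WIFI",
    "00:11:22:33:44:02": "CORP-WIFI",
    "00:11:22:33:44:03": "CORP-GUEST",
}
CORPORATE_SSIDS = frozenset(APPROVED_APS.values())

# Constructed survey taken inside the premises (dBm: closer to 0 is stronger).
SURVEY = """\
ssid,bssid,channel,signal_dbm
CORP-WIFI,00:11:22:33:44:01,6,-48
CORP-WIFI,00:11:22:33:44:03,1,-60
CORP-WIFI,DE:AD:BE:EF:00:01,6,-50
CoffeeShop-Free,aa:bb:cc:dd:ee:01,1,-62
NeighbourNet,aa:bb:cc:dd:ee:02,11,-85
"""


def parse_survey(text):
    """Parse the CSV export into dicts; BSSIDs are normalised to lower case."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    rows = []
    for line in lines[1:]:
        fields = dict(zip(header, (f.strip() for f in line.split(","))))
        rows.append({
            "ssid": fields["ssid"],
            "bssid": fields["bssid"].lower(),
            "channel": int(fields["channel"]),
            "signal_dbm": int(fields["signal_dbm"]),
        })
    return rows


def review(rows, approved=APPROVED_APS, corporate_ssids=CORPORATE_SSIDS,
           in_range_dbm=-70):
    """Classify every radio heard in the survey.

    rogue_corporate_ssid  unknown radio advertising one of our SSIDs
    ssid_mismatch         approved radio advertising an SSID it is not assigned
    external_in_range     foreign network heard at or above in_range_dbm
    missing_approved      inventory radios the survey did not hear at all
    """
    findings = {"rogue_corporate_ssid": [], "ssid_mismatch": [],
                "external_in_range": []}
    seen = set()
    for r in rows:
        seen.add(r["bssid"])
        if r["bssid"] in approved:
            if approved[r["bssid"]] != r["ssid"]:
                findings["ssid_mismatch"].append((r["bssid"], r["ssid"]))
        elif r["ssid"] in corporate_ssids:
            findings["rogue_corporate_ssid"].append(r["bssid"])
        elif r["signal_dbm"] >= in_range_dbm:
            findings["external_in_range"].append((r["ssid"], r["signal_dbm"]))
    findings["missing_approved"] = sorted(set(approved) - seen)
    return findings


if __name__ == "__main__":
    for category, items in review(parse_survey(SURVEY)).items():
        print(f"{category:22s} {items}")
```

A missing approved radio is as much a finding as an unknown one: it may be switched off, moved, or replaced by hardware the inventory does not know about, so the inventory and the survey are reconciled in both directions.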
  • 49. 49 CSIRT Program Plan for Managing Playbooks for each different types of Cyber Security Incidents (worse case does not work as in Disaster Recovery)
  • 50. 50 Questions  What are the basic requirements for establishing a CSIRT?  What type of CSIRT will be needed?  What type of services should be offered?  How big should the CSIRT be?  Where should the CSIRT be located in the organization?  How much will it cost to implement and support a team?  What are the initial steps to follow to create a CSIRT?
  • 53. 53 What’s Needed  Cyber Security Incident Response Program  Cyber Security Incident Response Teams  Cyber Security Incident Response Documented Program  Cyber Security Incident Response Documented Plan  Cyber Security Incident Response Documented Playbooks  Internal Controls Assessments  Policy Review  Gap Analysis  REWI Risk Evaluation  Risk Assessment Facilitation  Security Awareness Training  Business Continuity and Disaster Recovery Planning
  • 54. 54 Analysis Methodology  Identify the Scope of the Project  Identify Best Practices and Regulatory Requirements and Guidelines  Research and Gather Data  Assess Current Breach Response Security Measures and Capabilities  Review Audit Findings and Recommendations  Develop and Conduct Breach Risk and Gap Analysis, Breach Impact Analysis, Risk Early Warning Indicator (REWI) References:  Control Objectives for Information and Related Technology (COBIT) framework by ISACA  FFIEC Section J  Department of Health and Human Services, 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule  New York State Information Security Breach And Notification Act  Payment Card Industry Data Security Standard (PCI DSS)  Centers for Medicare & Medicaid Services  National Institute of Standards and Technology (NIST)  International Standards Organization (ISO) security standards  Many others
  • 55. 55 Account Holder Communications Proactive and timely account holder communication can help reduce costs, including those associated with increased call center activity, customer education, brand repair campaigns, regulatory compliance, and the expense of covering customer losses.
  • 56. 56 Gap Review Action Steps
    - Review existing Information Security policies and standards to ascertain their adequacy in coverage scope against industry best practices, and update them as appropriate, taking into account compliance recommendations.
    - Establish Key Performance Indicators (KPI) to determine if your Information Systems Incident Response program meets business objectives and operational metrics for ongoing process improvement.
  • 57. 57 REWI The Resilience-based Early Warning Indicators (REWI) method is a collection of self-assessment measures which provides information about an organization’s resilience. The primary goal of the method is to generate early warnings that improve the organization’s ability and performance in the long run.
  • 58. 58 Risk Awareness of Your Organization Questions
    - Do we have knowledge about the information and communication technologies (ICT) system and its components?
    - Do we have personnel with information security competence? Whether the employees are security aware or not will affect the security risks.
    - Do we report on security incidents? Information about past incidents will provide insight into what may go wrong in the future.
    - Do we have appropriate defense mechanisms? Information about the technical safeguards gives knowledge about how well the system is protected.
  • 59. 59 Resilience Attribute: Risk Awareness
    - The risk awareness attribute measures the degree of risk understanding, as well as anticipation regarding what to expect and attention so as to know what to look for [5]. In a security incident management context these contributing success factors can be expanded into the following general issues:
    - Risk understanding: To what degree we understand the security risks associated with the system. Risk understanding can be assessed by asking the following questions (the “general issues”):
    - Do we have knowledge about the information and communication technologies (ICT) system and its components? A (correct) understanding of how the system works will provide insight into how it may be attacked and the possible consequences.
    - Do we have personnel with information security competence? Whether the employees are security aware or not will affect the security risks.
    - Do we report on security incidents? Information about past incidents will provide insight into what may go wrong in the future.
    - Do we have appropriate defense mechanisms? Information about the technical safeguards gives knowledge about how well the system is protected.
    - Is the organization’s security policy efficient? Insight into the degree to which the security policy is implemented in the organization, and whether it is followed by the employees, will influence the efficiency of the technical safeguards and barriers.
  • 60. 60 Resilience Attribute: Support
    - The support attribute measures the presence of an established support system, so that when faced with tough decisions or tradeoffs there is some kind of decision support or help that is institutionalized and part of practice.
    - In addition, support includes the ability to uphold critical support functions (technical, human and organizational resources) in case of disruption; this is essential (redundancy).
    - In a security incident management context these contributing success factors can be expanded into the following general issues:
    - Decision support: To what degree the organization supports the trade-off between security and production.
    - Do we have adequate decision support staffing? Efficient incident response will require available personnel with knowledge, experience and authority to make decisions.
    - Do we have adequate ICT decision support systems? Efficient incident response will often require adequate support systems in place, including support for the support systems themselves.
    - Do we have adequate external support? Security incident management often requires support from external actors, such as anti-virus and third party software providers.
  • 61. 61 Response
    - Response: To what degree the organization is prepared to respond to security incidents.
    - Do we have personnel with the ability to handle incidents? There must be employees who are capable of handling the incidents, including making critical decisions.
    - How do we train on dealing with potential incidents? Training on potential scenarios is essential in order to know what to do, both with respect to expected and unexpected events. The training scenarios should be regularly reviewed and adapted, in order to reflect the current threat picture as accurately as possible.
  • 62. 62 Response
    - Robustness of response: To what degree the organization can respond to security incidents without suffering damage.
    - Do we have sufficient redundancy in skills among the employees? Organizations that ensure that the employees are redundant in skills, or possess multiple skills, are more likely to successfully handle incidents that go beyond the planned or foreseen.
    - Do we have sufficient backup capacity / redundancy for the necessary critical functions? Fault tolerance, redundancy and recovery are important aspects for preserving the organization’s critical functions.
    - Is the communication between involved actors sufficient? During incident response it is crucial that all involved are able to communicate without misunderstandings or confusion.
    - Do we manage incidents in compliance with existing policies? A robust response requires compliance with existing policies and best practices.
  • 63. 63 Response
    - Resourcefulness: To what degree the organization can ensure timely and sufficient response.
    - Does the incident response team have sufficient resources? There must be a sufficient number of personnel assigned to the different roles in the incident response team, including back-up personnel in case of unavailability, and the response team must be capable of solving their tasks in a timely manner.
    - Do we have adequate IT systems to support timely updating of necessary information? A timely response requires timely updating of necessary information and communicating this to all involved actors.
  • 64. 64 Technical Questions
    - Authentication Servers: Authentication servers, including directory servers and single sign-on servers, typically log each authentication attempt, including its origin, username, and success or failure.
    - Remote Access Software: Remote access is often granted and secured through virtual private networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates and times each user connected and disconnected, and the amount of data sent and received in each user session. VPN systems that support granular access control, such as many Secure Sockets Layer (SSL) VPNs, may log detailed information about the use of resources.
    - Vulnerability Management Software: Vulnerability management software, which includes patch management software and vulnerability assessment software, typically logs the patch installation history and vulnerability status of each host, which includes known vulnerabilities and missing software updates. Vulnerability management software may also record additional information about hosts’ configurations. Vulnerability management software typically runs occasionally, not continuously, and is likely to generate large batches of log entries.
    - Web Proxies: Web proxies are intermediate hosts through which Web sites are accessed. Web proxies make Web page requests on behalf of users, and they cache copies of retrieved Web pages to make additional accesses to those pages more efficient. Web proxies can also be used to restrict Web access and to add a layer of protection between Web clients and Web servers. Web proxies often keep a record of all URLs accessed through them.
  • 65. 65 Anticipation
    - Anticipation: What security incidents can we expect?
    - Do we have updated knowledge about relevant threats? A systematic and regular identification of vulnerabilities and threats is necessary in order to understand what may go wrong.
    - Do we learn from experience? The organization’s past experiences are a valuable source of information.
    - We want to avoid recurrence of security incidents and to learn from our own success stories (“what went right”).
  • 66. 66 Risk Assessment
    - Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat (also called a hazard).
    - Quantitative risk assessment requires calculation of two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur.
  • 67. 67 Incident Management Goals and Vision
    - To have a comprehensive Incident Management framework and set of templates for a consistent, Enterprise-wide response to incidents within the environment.
    - Developing the capability to effectively manage unexpected disruptive events with the objective of minimizing impacts and maintaining or restoring normal operations within defined time limits.
    - Scope covers both small incidents, such as a single infected machine, and a massive data breach.
    - Key features of our future design need to include:
    - Decision matrix for determining the type of incident we are dealing with and the appropriate response.
    - RACI diagrams to identify responsibilities
    - Team charter
    - Team member matrix representing all aspects of the organization
    - Templates that can be easily and quickly adopted for any incident
    - Be careful with the terms Incident and Breach. Some of the regulations trigger on the date you classify an event as an Incident or Breach, and that is when the clock starts ticking for notifications.
  • 68. 68 How To Write a CSIRT Policy
    - A purpose statement, outlining why the organization is issuing the policy, and what its desired effect or outcome should be.
    - An applicability and scope statement, describing who the policy affects and which actions are impacted by the policy. The applicability and scope may expressly exclude certain people, organizations, or actions from the policy requirements. Applicability and scope are used to focus the policy on only the desired targets, and avoid unintended consequences where possible.
    - An effective date which indicates when the policy comes into force.
    - A responsibilities section, indicating which parties and organizations are responsible for carrying out individual policy statements.
    - Policy statements indicating the specific regulations, requirements, or modifications to organizational behavior that the policy is creating.
    - Optional:
    - Background, indicating any reasons, history, and intent that led to the creation of the policy, which may be listed as motivating factors. This information is often quite valuable when policies must be evaluated or used in ambiguous situations, just as the intent of a law can be useful to a court when deciding a case that involves that law.
    - Definitions, providing clear and unambiguous definitions for terms and concepts found in the policy document.
  • 69. 69 Examples of Cyber Security Policies
    - Access controls and identity management
    - Business continuity and disaster recovery planning and resources
    - Capacity and performance planning
    - Customer data privacy
    - Data governance and classification
    - Incident response
    - Information security
    - Physical security and environmental controls
    - Risk assessment
    - Systems and application development and quality assurance
    - Systems and network monitoring
    - Systems and network security
    - Systems operations and availability concerns
    - Vendor and third-party service provider management
  • 70. 70 Third Party Service Provider Policy
    - Policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, including the following:
    - Due diligence processes used to evaluate the adequacy of the Cyber Security practices of third parties
    - Minimum Cyber Security practices required
    - Periodic assessment, at least annually, of the continued adequacy of their Cyber Security practices
    - Identification and risk assessment of third parties
  • 71. 71 Plans, Playbooks, Testing and Exercises Phases ISO 27035 Incident Response
    1. Prepare to deal with incidents, e.g. prepare an incident management policy, and establish a competent team to deal with incidents;
    2. Identify and report information security incidents;
    3. Assess incidents and make decisions about how they are to be addressed, e.g. patch things up and get back to business quickly, or collect forensic evidence even if it delays resolving the issues;
    4. Respond to incidents, i.e. contain them, investigate them and resolve them;
    5. Learn the lessons - more than simply identifying the things that might have been done better, this stage involves actually making changes that improve the processes.
  • 72. 72 Plan Documentation Considerations
    - Action sections
    - Recovery team
    - Personnel
    - Responsibilities
    - Resources
    - Action plans
    - Specific department/individual plans
    - Checklists
    - Technical procedures
  • 73. 73 Plan Documentation Considerations
    - Action sections
    - Teams
    - Personnel
    - Responsibilities
    - Resources
    - Specific department/individual plans
    - Checklists
    - Technical procedures
    - Management
    - Administration/logistics
    - New equipment
  • 74. 74 Plan Documentation Considerations
    - Document structure and design
    - Ensure built-in mechanisms to ease maintenance
    - Plan and implement the gathering of data required for plan completion
    - Identify, analyze, document and agree on the approach to key phases
    - Allocate tasks and responsibilities
    - Identify, analyze and document tasks to be undertaken
  • 77. 77 Playbooks One per Team per type of attack
    - Breach
    - DDoS
    - etc.
  • 78. 78 Development and Documentation
    - Each of the teams can create their own Breach Playbook using a common template, with lots of assistance
    - The CSIRT Program, CSIRT Breach Plan, and Breach Playbooks must be documented and vetted
  • 79. 79 Interviews and Training
    - Each business and technology area that is part of the CSIRT Response solution must be interviewed to gain information, and the same sessions should be used to provide information about the CSIRT project.
    - Many training sessions must be held to prepare the teams for a Response situation. In addition, daily ‘open office hours’ should be available for the teams while they are developing their Team Playbooks.
  • 80. 80 Severity Level Description
    - Sev1 – Major Incident where the impact is severe. Examples: (a) proprietary or confidential information has been compromised, (b) a virus or worm has become widespread and is affecting over 20 percent of the employees/consultants, (c) a major denial of service attack where customer interfaces are not accessible.
    - Sev2 – Critical Incident where the impact is significant. Examples: (a) fewer than 500 PCI records have been breached, (b) a critical vulnerability for an operating system or application.
    - Sev3 – Non-Critical Incident where the impact is minimal. Examples: (a) harmless email SPAM, (b) isolated virus infections and malware.
    - Sev4 – Non-Incident: the event is determined not to be an incident.
  • 81. 81 Look for Patterns
    - Unusual activity in access or system logs
    - Recent changes to the system
    - Super user ID created
    - Deleted log files
    - Recent escalation of privileges
    - Recent off-hour activity
    - Recent file transfer from the system
  • 82. 82 Testing and Exercises
    - To validate the CSIRT Breach Plan and Playbooks, a number of tests and exercises must be developed and implemented.
    - The Paper Test allows the teams to read their Playbooks aloud and to learn where communication links between the teams are needed to gain information in a response.
    - The Table Top Test allows the CSIRT to validate their playbooks while responding to a ‘mock scenario’ that can include up to 15 actual scenarios that occurred to other organizations.
    - The Simulation Test utilizes the original scenarios but adds a number of ‘twists’ that require the teams to respond quickly.
  • 83. 83 3rd Party CSIRT Testing Cyber event exercises demonstrating a third-party provider's ability to respond quickly and efficiently to such an event.
    • For example, an organization's ability to recover from a disruption of critical functions because of a distributed denial of service (DDoS) attack, or the ability to recover from a data corruption event, should be subject to testing.
    • A financial institution may consider working with an outside party, such as other financial institutions or an industry group, to test these types of events, including a simultaneous attack affecting both the institution and its service provider.
  • 84. 84 Review Summary of ISO 27035 Incident Response
    - Establish an information security incident management policy
    - Update information security and risk management policies
    - Create an information security incident management plan
    - Establish an Incident Response Team (IRT) [aka CSIRT]
    - Define technical and other support
    - Create information security incident awareness and training
    - Test (or rather exercise) the information security incident management plan
    - Lessons learned
  • 85. 85 Thanks Dr. Michael C. Redmond, PhD 917-882-5453 585-340-5187 Audio Training Available at: www.rwknowledge.com Contact me at: mredmond@efprgroup.com