The three certainties with regards to information securityDeath and TaxesYou will have an incident.How you respond to an incident will have a direct influence on the impact that incident may have to your costs, reputation and ability to conduct business.
Traditional focus on PreventionPoliciesFirewallsAnti-Virus SoftwareIntrusion Detection SystemsIf turned on !!Little Attention Paid to RespondingResponse Focus Primarily onVirusesMinor Policy Breaches
More solutions do not necessarily guarantee you are secure.Neither does more standards such as ISO 27001 or PCI DSS. Yes they will make your security more efficient and better, but you still will at some stage suffer a breach.
Traditional ResponseAdhocUnplannedDeal with it as it happensResults inProlonged incidentsIf You Know You Have Been AttackedLack of metrics and measurementsBad Guys & Gals getting awayInappropriate Response Can Result;Disclosure of confidential information.Prolonged recovery times.Lack of evidence for a criminal or civil case.Negative impact to the organisation’s image.Potential legal and/or compliance Issues.Potential Legal Cases from Third Party Organisations.Exposure to Legal/Libel Cases From Employees/Individuals.IT Manager Updating Their CV
IT Manager Updating Their CVInvariably IT get blamed for either letting the incident happen in the first place or for not responding appropriately
Structured and Formalised Response provides;Positive Security PostureIncidents Dealt with Quickly, Efficiently and EffectivelyRapid and Accurate Assessment of IncidentsChoosing Most Appropriate Response.Shortened Recovery Times.Minimised Business Disruption.Confidence to Proceed with a Court Case.Regulatory and Legal Compliance.Potential Reduction in Incidents.Accurate Reporting and Metrics
ComposedInformation SecurityOperationsHuman ResourcesLegalPublic RelationsFacilities ManagementUnder Control of Information Security
Log filesNetwork DevicesPeopleNot just via the support deskBaseliningWhat is the norm for your network?ExternalVulernability ListsPartnersThird Parties
Forensics SoftwareCommercial vs. Open SourceIncident Tracking & RecordingDigital SignaturesSpare MediaBackupsEvidence bagsEvidence formsPhysical EvidenceCCTV, Swipe Card accessNetwork Sniffers Centralised Time SourceTraining CoursesNotebooksDigital CameraOut of Band CommunicationsEmail may be compromisedSupport System may be compromisedWar RoomSecure StorageCoffee!!
How are Incidents Reported?Incident ClassificationProcedures in Place for Expected IncidentsProcedures in Place for Unexpected IncidentsWho declares an Incident?Who to involve and when?Team available 24x7?Escalation TreeTypical ProceduresMalware/Computer Virus infectionExternal Unauthorised Access to SystemsInternal Unauthorised Access to SystemsTheft of Computer Equipment and Related Data.Discovery of Illegal Content on Company’s ResourcesSerious Breach of the AUPMinor Breach of the AUPWebsite Defacement.Denial of Service Attack.Email Flood Attack.Third Party Compromise.Disclosure of Confidential Information.
Incidents Can Occur 24x7What takes Priority?Mitigate the impact of IncidentGather as Much Evidence As PossibleRestore SystemsWhat Authority has IRT teamE.g. Take systems offlineIntegrate with Business ContinuityCan IRT invoke Business Continuity Plan?Integrate With Other ProcessesChange Control etc.Security vs Service !!
Some Skills not available In-houseLegalForensicsPublic RelationsAgree Terms & Conditions before an IncidentSuppliersISPs, Telecomms, HostingPartnersCustomersAn Garda SiochanaGarda Computer Crime UnitPart of Garda Bureau of Fraud InvestigationHow do you Report a Computer Crime?Contact Local Garda StationRefer to Garda Computer Crime UnitWhen Should You Contact Garda Computer Crime UnitToday !!Do the above before you have an incident as it is not something you want to negotiate in the middle of responding to an incident or breach.
Run Practise Drills.Identify Weaknesses in IR.Review Effectiveness of Incident Response.Ensure Everyone Aware of Roles & Responsibilities.Regularly Test Network for Vulnerabilities.Regularly Normalise Network & Systems.Test Staff Awareness.Test Management Awareness.Can you contact everyone when you need to?For example will the network engineer in their twenties who is single be available to respond at 10 p.m. on a Friday night? How about the manager who has to do the school run in the morning?
Formal Post Incident ReviewDocument OutcomesImplement RecommendationsMeasure IncidentsNumber of Incidents by ClassificationCosts of IncidentsTiming of IncidentsCorrelate with Real World EventsAnnual Report, Press Releases etc.Integrate With Other ProcessesRisk AssessmentTrainingBusiness Continuity Planning
Data Breach Code of Practise – NOT MANDATORY !!!Despite the Data Protection Act, many companies are still not adhering to best practises.Recent headlines highlight that many organisations are still not taking adequate steps to protect the personal information of their staff and/or customers. HSE – stolen laptops Bank of Ireland – stolen laptopsJobs.ie – website hacked Online Irish Retailer – website hacked exposing credit card detailsIn the main consumers are not made aware that breaches occur. This leaves them at greater risk of fraud as they do not know if they should be taking precautionary steps to protect themselves.
Balance needs to be achieved
Preparing for Failure - Best Practise for Incident Response
Preparing for Failure - What to do When Your Security is Breached<br />
More information<br />CSIRT Handbook<br />http://www.cert.org/archive/pdf/csirt-handbook.pdf<br />Forming an Incident Response Team<br />http://www.auscert.org.au/render.html?it=2252<br />Incident Response White Paper – BH Consulting<br />http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf<br />RFC2350: Expectations for Computer Security Incident Response<br />http://www.rfc-archive.org/getrfc.php?rfc=2350<br />Organisational Models for Computer Security Incident Response Teams<br />http://www.cert.org/archive/pdf/03hb001.pdf<br />The SANS Institute’s Reading Room<br />http://www.sans.org/reading_room<br />
More Resources<br />Guidelines for Evidence Collection and Archiving (RFC 3227)<br />http://www.ietf.org/rfc/rfc3227.txt<br />Resources for Computer Security IncidentResponse Teams (CSIRTs)<br />http://www.cert.org/csirts/resources.html<br />RFC 2196: Site Security Handbook<br />http://www.faqs.org/rfcs/rfc2196.html <br />ENISA Step by Step Guide for setting up CERTS<br />http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf<br />CSIRT Case Classification (Example for enterprise CSIRT)<br />http://www.first.org/resources/guides/csirt_case_classification.html<br />