This presentation has been delivered by Michael Redmond at the PECB Insights Conference 2018 in Paris

1. Cyber Security Incident
Response
Michael C. Redmond

2. 2
MBA, PhD
Michael C. Redmond
Certified as Lead Implementer
ISO/IEC 27001 Information Security Management
ISO/IEC 27032 Lead Cyber Security Manager
ISO/IEC 27035 Security Incident Response
ISO/IEC 22301 Business Continuity Management Systems
ISO/IEC 21500 Lead Project Manager
ISO 31000 Risk Management
ISO 55001 Asset Management
ISO/IEC 14001 Environment Management
ISO 9001 Quality Management
ISO 26000 Social Responsibility
ISO 37001 Anti-Bribery Management Systems
Certified Implementer – Foundation
ISO 22316 Security and Resiliency Management
ISO 22320 Emergency Management
ISO 20700 Management Consultancy Services
Certified as Lead Auditor:
ISO/IEC 27001 Information Security Management
ISO/IEC 22301 Business Continuity Management Systems
ISO 55001 Asset Management
ISO/IEC 14001 Environmental Management
ISO 9001 Quality Management
ISO 26000 Social Responsibility
Other Certifications:
Masters Business Continuity Planning (Disaster Recovery Institute) – MBCP
Masters Business Continuity Planning (Business Continuity Institute) – FBCI
Certified Emergency Manager – CEM
Certified Project Manager – PMP
Certified Trainer PECB

3. 3
Attacks Are Not IF But WHEN
Many companies, hospitals, schools,
Governments and more are getting
hacked
The number of data breaches
reported increase each year
Measures against these types of security
incidents are on the rise in companies.

4. 4
LET’S REMEMBER
History

5. 5
Massive Cyber Attack hit 104 Countries
May 2017 WannaCry
 New family of ransomware called WannaCry has infected over 140,000
computers worldwide. This piece of ransomware is based on a zero-day
exploit that helps it jump from one infected computer to another and encrypt
all the information stored on it.
 A little background information about this new threat: Unlike other
ransomware families, the WannaCry strain does not spread via infected e-
mails or infected links. Instead, it takes advantage of a security hole in most
Windows versions to automatically execute itself on the victim PC.
 According to various reports, this attack avenue has been developed by the
National Security Agency (NSA) in the US as a cyber-weapon and it was
leaked to the public earlier in April along with other classified data allegedly
stolen from the agency.
 A number of hospitals, telecom companies, gas and utilities plants suffered
massive disruptions caused by data being held at ransom.

6. 6
How It Was Stopped
 LONDON (AP) -- The cyberattack that spread malicious software around the world,
shutting down networks at hospitals, banks and government agencies, was thwarted
by a young British researcher and an inexpensive domain registration, with help from
another 20-something security engineer in the U.S.
 Britain's National Cyber Security Center and others were hailing the cybersecurity
researcher, a 22-year-old identified online only as MalwareTech, who —
unintentionally at first — discovered a so-called "kill switch" that halted the
unprecedented outbreak.
 By then the "ransomware" attack had crippled Britain's hospital network and
computer systems in several countries in an effort to extort money from computer
users. But the researcher's actions may have saved companies and governments
millions of dollars and slowed the outbreak before computers in the U.S. were more
widely affected.
 MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large global
cybersecurity community who are constantly watching for attacks and working
together to stop or prevent them, often sharing information via Twitter. It's not
uncommon for them to use aliases, either to protect themselves from retaliatory
attacks or for privacy.

7. 7
On Dec 14 2014, Dutch government website outage
caused by cyber attack
 Cyber attackers crippled the Dutch government's main websites for most of
Tuesday and back-up plans proved ineffective, exposing the vulnerability of
critical infrastructure at a time of heightened concern about online security.
 The outage at 0900 GMT lasted more than seven hours and on Wednesday
the government confirmed it was a cyber attack.

8. 8
LinkedIn, Drop Box and Formspring
 The US attorney's office in San Francisco on Friday (21 October, 2016)
announced that the 29-year-old Russian man – Yevgeniy Nikulin – who was
arrested in Czech Republic, was indicted by a federal grand jury on
Thursday on multiple charges including computer intrusion, aggravated
identity theft and conspiracy.
 Nikulin was accused of hacking and stealing information from the computer
systems at three Bay Area technology companies – LinkedIn, Drop Box
and Formspring.
 LinkedIn breach was executed over just two days in 2012 from 3-4
March
 Dropbox hack allegedly took place over more than two months, from
14 May to July 25 in 2012
 Formspring - Social media network Formspring, which shut down in
March 2013, allowed users to ask or answer questions about anything.
Working with unnamed co-conspirators, Nikulin allegedly tried to sell
the Formspring user credential database for €5,500 (about $7,000) in
2012

9. 9
2013 Verizon Data Breach Investigations
Report
2012, 66 percent of
breaches that led to data
compromise within “days” or
less remained undiscovered
for months or more
In 69 percent of the cases,
a third party discovered
the breach

10. 10
In 2012, Global Payments Inc. Data Breach
Affected 1.5 Million
Nearly 1.5 million consumers were affected by
hackers accessing Global Payments Inc.’s payment
processing system in January and February.
resource.onlinetech.com/global-payments-inc-pci-data-breach-affects-1-5-million

11. 11

12. 12
Two Years ago World Economic Forum
Global Technology Risks for 2016
 According to the World Economic Forum’s global risk perspectives survey
for 2016, Cyberattacks were listed in the top five risks in 27 world
economies.
 “The internet has opened a new frontier in warfare: Everything is networked
and anything networked can be hacked.”

13. 13
Hackers Read The Same Publications
That We Do
Cnet
CSO
Dark Reading
eWeek
Krebs on Security
Network World
Search Security
Techweb
Threatpost

14. 14
LET’S GET STARTED
Now That We Know Why?

15. 15
Efficient Incident Response Program allows
an organization
Maintain
continuous
operations.
Mitigate
revenue
Respond with
speed and
agility
Maintain
continuous
operations.
Mitigate
revenue loss
Mitigate fines
Mitigate
lawsuits

16. 16
Different Plans Sound Similar
 CIRP Computer Incident Response Plan
 CSIRP Cyber Security Incident Response Plan
 CSIRT Cyber Security Incident Response Team
 ISIRT per ISO 27035

17. 17
Why CSIRT
Security breaches and subsequent fraud are increasing in frequency and
scale.
While financial institutions, retailers, healthcare providers, and other
targeted organizations are doing everything possible to remain one step
ahead of cyber criminals, these incidents will likely continue to happen
putting sensitive information at risk.
While you can’t always prevent a breach, quick response can minimize
reputation damage and financial impact.
Proactive and timely account holder communication can help reduce
costs, including those associated with increased call center activity,
customer education, brand repair campaigns, regulatory compliance, and
the expense of covering customer losses.

18. 18
CSIRT Program
Information Security, Governance & Risk, are all
critical aspects of planning and execution of the
Cyber Information Security Response Program.
Who in your organization has key responsibility
to develop a program?

19. 19
Sounds Simple

20. 20
Cyber Response Getting Started
Adopt a systematic
approach to risk tracking to
enhance the effectiveness
of the Cyber Incident
Program
• Outline the critical actions to take if
an event affects the company or its
partners
• Understand your organizations’
susceptibility to a Cyber Attack
• Cyber Incident Response: Getting
started, research, training, testing
and maintaining

21. 21
Knowledge
1. Knowledge incident analysis processes and relevant legal, regulatory and
business issues
2. Knowledge of effective communication and the communication strategies
that can be adopted during an incidents
3. Knowledge of Crisis Management and Business Continuity and how to align
with these processes
4. Knowledge of investigations and the principles of forensics investigations
including protecting the chain of custody
5. Knowledge of the roles of the Incident Management Team and when such
members are involved in Incident Handling.
From: PECB ISO 27035 Test Preparation

22. 22
Standards
• ISO 2700 (Requirements)
• ISO 27035 Incident Response
• And so many more
Standards and Best
Practices
• COBIT (Framework for IT Governance and Controls)
• ISO 27005 (Information Security Risk Management)
• ITIL(Framework: Identifying, planning, delivering,
supporting IT for Business Functions)
Maintaining

23. 23
ISO and Information Security
27001 Information Security Requirements
27002 Code of Practice Information Security Management
27003 Information Security Management System Implementation Guidance
27004 Information Security Measurement
27005 Information Security Risk Management
27006 Requirements Audit and Certification ISO

24. 24
Cyber Defense and Response
An organization’s
security policy and
controls must be
adaptable to
emerging threats in
todays world.
The assessment of
security threats is
ongoing, and must
be mapped against
the adequacy and
existence of
security controls.
Security controls
and
countermeasures
that are currently in
in place may not
commensurate with
potential risks.
The effort is never
ending, but
knowing how to
start is they key.

25. 25
NIST CSIRT Phases

26. 26
Phases ISO 27035 Incident Response
 Prepare to deal with incidents e.g. prepare an incident management policy,
and establish a competent team to deal with incidents;
 Identify and report information security incidents;
 Assess incidents and make decisions about how they are to be addressed
e.g. patch things up and get back to business quickly, or collect forensic
evidence even if it delays resolving the issues;
 Respond to incidents i.e. contain them, investigate them and resolve them;
 Learn the lessons - more than simply identifying the things that might have
been done better, this stage involves actually making changes that improve
the processes.

27. 27
Motivators
Increase in the number of computer security incidents
being reported
Increase in the number and type of organizations being
affected by computer security incidents
More focused awareness by organizations on the need for
security policies and practices as part of their overall risk-
management strategies
New laws and regulations that impact how organizations are
required to protect information assets
Realization that systems and network administrators alone
cannot protect organizational systems and assets

28. 28
Questions For Thought
 Which regulations, guidelines and white papers did you use in preparing your Cyber Incident
Response Plan?
 What are your 5 top tiered Cyber Risks?
 Do you have separate plan for Breach?
 How did you approach developing the Incident Plan?
 How do you conduct incident training?
 How often do you do testing for Incident Response?
 What types of tests do you perform?
 How often do you conduct Incident Response testing?
 Do you conduct testing jointly with Disaster Recovery tests or as a separate Cyber Incident
Response Test?
 How are Incident Response tests evaluated?
 What part does audit have in your Incident Response planning and testing?
 What areas do you engage in your planning i.e. Legal, Unix?
 Do you use simulation software in testing and if so which one(s)?
 What automatic processes do you have in place to help with Incident Response?

29. 29
Cyber Defense and Response
An organization’s
security policy and
controls must be
adaptable to
emerging threats in
todays world.
The assessment of
security threats is
ongoing, and must
be mapped against
the adequacy and
existence of
security controls.
Security controls
and
countermeasures
that are currently in
in place may not
commensurate with
potential risks.
The effort is never
ending, but
knowing how to
start is they key.

30. 30
Summary of ISO 27035
 Establish information security incident management policy
 Updating of information security and risk management policies
 Creating information security incident management plan
 Establishing an Incident Response Team (IRT) [aka CSIRT]
 Defining technical and other support
 Creating information security incident awareness and training
 Testing (or rather exercising) the information security incident management
plan
 Lesson learned

31. 31
Benefit of Structured Approach
 Improve overall security
 Reduce adverse business impacts
 Strengthen the Information Security Incident Prevention Focus
 Strengthen Prioritization
 Strengthen Evidence

32. 32
Managing Incidents Effectively
 Detective and corrective controls designed to recognize and respond to
events and incidents, minimize adverse impacts
 Gather forensic evidence (where applicable)
 And in due course ‘learn the lessons’ in terms of prompting improvements
to the ISMS
 Typically by improving the preventive controls or other risk
treatments

33. 33
Objective of Controls
 Stop and Contain
 Eradicate
 Analysis and Report
 Follow-up

34. 34

35. 35
Integrate CSIRT into IS
Integrate CSIRT
Management with Enterprise
Risk Management
Use common business
terminology, congruent
methods, and common or
linked risk register, and
establishing mechanisms for
risk acceptance.
Build CSIRT regulation
review process schedule and
regulation requirements.

36. 36
Gap Knowledge
To what
degree we
understand
the security
risks
How well we
are protected
What security
incidents we
can expect
To what
degree the
organization is
prepared to
respond to
security
incidents
To what
degree the
organization
can respond
to security
incidents,
without
suffering
damage
To what
degree the
organization
can ensure
timely and
sufficient
response

37. 37
Risk
While financial institutions, retailers, healthcare providers,
and other targeted organizations are doing everything
possible to remain one step ahead of cyber criminals, these
incidents will likely continue to happen putting sensitive
information at risk.

38. 38
Mitigation To Tell Employees
Set your computers to auto lock with password if not in use for 5 minutes – this way, if an employee leaves their computer no one will be able
to access it.
Avoid using USB flash drives – they are the best way to get your computer infected, because very often anti-virus programs cannot detect such
malicious code.
Make sure you protect your mobile device with a good password, because if it gets stolen, the thief will be able to access your email, and with
your email he will be able to change passwords to your cloud services and consequently access all your data stored in the cloud.
Use password managers, which will enable you to save passwords for your different services and applications, because if you used the same
password for all of them, the breach of only one password enables the criminals to access all of your accounts; password managers also enable
you to use complex passwords for each of your services. And yes, those password managers are available for mobile devices, too.
Use VPN service for connecting to the Internet so that your passwords and other sensitive information are protected when transferred over the
network; this is especially important if you’re using a Wi-Fi connection that you cannot fully trust.
Use 2-factor authentication when connecting to important cloud services like Gmail, Dropbox, or similar – so even if someone steals your
password, he wouldn’t be able to access your sensitive information. These 2-factor authentication systems can work together with your phone
(by sending you a text message), or with special USB keys, without which access to a system wouldn’t be possible.
Encrypt the data stored on your hard drive, so that if it gets stolen the thieves won’t be able to read it; you can also encrypt data stored in a
cloud – there are some specialized cloud companies offering this kind of service.
Update your software – you should do this regularly, as soon as a security patch is published; the best route would be to set up automatic
updates.

39. 39
"Outsourcing Technology Services "
 Many institutions depend on third-party service providers to perform or
support critical operations.
 These institutions should recognize that using such providers does not
relieve the financial institution of its responsibility to ensure that outsourced
activities are conducted in a safe and sound manner.
 The responsibility for properly overseeing outsourced relationships lies with
the institution's board of directors and senior management.
 An effective third-party management program should provide the framework
for management to identify, measure, monitor, and mitigate the risks
associated with outsourcing.

40. 40
Cyber Response Ties In With Asset
Management

41. 41
Records* ISO 27001:2013 clause number
Records of training, skills, experience and qualifications 7.2
Monitoring and measurement results 9.1
Internal audit program 9.2
Results of internal audits 9.2

42. 42
Some Mitigations
 Build and maintain a secure network: Install and maintain a firewall and use unique, high-
security passwords with special care to replace default passwords.
 Protect cardholder data: Whenever possible, do not store cardholder data. If there is a business
need, you must protect this data. You must also encrypt any data passed across public networks,
including your shopping cart and Web-hosting providers, and when communicating with
customers.
 Maintain a vulnerability management program: Use an anti-virus software program and keep it
up-to-date. Develop and maintain secure operating systems and payment applications. Ensure the
anti-virus software applications you use are compliant
 Implement strong access control measures: Access, both electronic and physical, to
cardholder data should be on a need-to-know basis. Ensure those people with electronic access
have a unique ID and password. Do not allow people to share logon information. Educate yourself
and your employees on data security and specifically the PCI Data Security Standard (DSS).
 Regularly monitor and test networks: Track and monitor all access to networks and cardholder
data. Ensure you have a regular testing schedule for security systems and processes, including:
firewalls, patches, web servers, email servers, and anti-virus.
 Maintain an information security policy: It is critical that your organization have a policy on how
data security is handled. Ensure you have an information security policy and that it's disseminated
and updated regularly.

43. 43
Sample Attacker Tools
 Attacker Toolkits Many attackers use toolkits containing several d ifferent
types of utilities and scripts that can be used to probe and attack hosts, such as
packet sniffers, port scanners, vulnerability scanners, password crackers, and
attack programs and scripts.
 Backdoors A backdoor is a malicious program that listens for commands on a
certain TCP or UDP port. Most backdoors allow an attacker to perform a certain
set of actions on a host, such as acquiring passwords or executing arbitrary
commands. Types of backdoors include zombies (better known as bots), which
are installed on a host to cause it to attack other hosts administration tools,
which are instal led on a host to enable a remote attacker to gain access to the
host’s functions and data as needed.
 E-Mail Generators An email generating program can be used to create and send
large quantities of email, such as malware and spam, to other hosts without
the user’s permission or knowledge.
 Keystroke Loggers A keystroke logger monitors and records keyboard use.
Some require the attacker to retrieve the data from the host, whereas other
loggers actively transfer the data to another host through email, file transfer,
or other means.
 Rootkits A rootkit is a coll ection of files that is installed on a host to alter its
standard functionality in a malicious and stealthy way. A rootkit typically
makes many changes to a host to hide the rootkit’s existence, making it very
difficult to determine that the rootkit is pre sent and to identify what the
rootkit has changed.
 Web Browser Plug -Ins A web browser plug -in provides a way for certain types
of content to be displayed or executed through a web browser. Malicious web
browser plug -ins can monitor all use of a browser.

44. 44
Personnel Awareness Training
Never, ever give your password to anyone.
Don’t install every program you come across on your computer or mobile device
– some of this software, disguised as a nice game or utility program, is made
with the sole purpose of injecting a virus onto your computer.
Disable your Bluetooth connection because it is very unsafe; but also, disable
the Wi-Fi network on your mobile device when you’re not using it.
Do not leave your computer in a car.
Do not leave your computer unattended in public places like airports, toilets,
public transport, conferences, etc.

45. 45
Mitigation for Social Engineering
• Targets should include individuals from the help desk, IT department,
human resources, finance, and other departments within the organization.
• The objective of these calls will be to induce the users to divulge sensitive
information over the phone in violation of company policy.
External Social Engineering – Perform
Social Engineering phone calls to
individuals within the organization.
• Attempt to gather sensitive information
• Deliver a malicious payload onto their desktop system which could include
browser and operating system buffer overflows, Trojan horses, and
keystroke loggers.
Targeted Email “Phishing” Attacks –
Send Emails to individuals and groups
within the organization in order to
attempt to entice the user to click on an
external link that (hypothetically) will “
• The media should contain simulated malicious code that will attempt to
grab sensitive host information such as the network configuration, list of
running processes, and a password hash dump.
Malicious Portable Media – Leave USB
Flash drives and CD-ROM drives with
enticing labels such as “Salary” in public
areas such as hallways, restrooms, and
break rooms.
• Search internal trash receptacles and external dumpster and disposal
areas for sensitive documents or storage media that is disposed of in
violation of company policy.
Sensitive Document Disposal Audit –
“Dumpster Diving”

46. 46
More Every Day
Security breaches and subsequent fraud are increasing
in frequency and scale.

47. 47
Quick Response
While you can’t always prevent a
breach, quick response can
minimize reputation damage and
financial impact.

48. 48
Quick Checklist to Mitigate Network
 Review all wireless access points and note any external wireless network
whose signal range enters your premises.
 Validate wireless network perimeter–One of the reasons wireless security is
so complex is wireless networks are not limited to the physical boundaries
of your buildings. Limit unnecessary exposure to the outside world.
 Conduct vulnerability and penetration testing of access points
 Review access points and wireless clients

49. 49
CSIRT
Program
Plan for Managing
Playbooks for each different types
of Cyber Security Incidents (worse
case does not work as in Disaster
Recovery)

50. 50
Questions
 What are the basic requirements for establishing a CSIRT?
 What type of CSIRT will be needed?
 What type of services should be offered?
 How big should the CSIRT be?
 Where should the CSIRT be located in the organization?
 How much will it cost to implement and support a team?
 What are the initial steps to follow to create a CSIRT?

51. 51
Basics
Objective
Scope
Assumptions
Ownership
Action Steps
Structure

52. 52
Incident
Preparation
Detection
Precursors and
Indicators
Analysis
Declaration
Response
Containment
Eradication
Recovery
Post Incident

53. 53
What’s Needed
 Cyber Security Incident Response Program
 Cyber Security Incident Response Teams
 Cyber Security Incident Response Documented Program
 Cyber Security Incident Response Documented Plan
 Cyber Security Incident Response Documented Playbooks
 Internal Controls Assessments
 Policy Review
 Gap Analysis
 REWI Risk Evaluation
 Risk Assessment Facilitation
 Security Awareness Training
 Business Continuity and Disaster Recovery Planning

54. 54
Analysis Methodology
 Identify the Scope of the Project
 Identify Best Practices and Regulatory Requirements and Guidelines
 Research and Gather Data
 Assess Current Breach Response Security Measures and Capabilities
 Review Audit Findings and Recommendations
 Develop and Conduct Breach Risk and Gap Analysis, Breach Impact Analysis, Risk Early Warning
Indicator (REWI)
References:
 Control Objectives for Information and Related Technology (COBIT) framework by ISACA
 FFIEC Section J
 Department of Health and Human Services, 45 CFR Parts 160, 162, and 164 Health
Insurance Reform: Security Standards; Final Rule
 New York State Information Security Breach And Notification Act
 Payment Card Industry Data Security Standard (PCI DSS)
 Centers for Medicare & Medicaid Services
 National Institute of Standards and Technology (NIST)
 International Standards Organization (ISO) security standards
 Many others

55. 55
Account Holder Communications
Proactive and timely account holder communication can help reduce costs,
including those associated with increased call center activity, customer
education, brand repair campaigns, regulatory compliance, and the expense
of covering customer losses.

56. 56
Gap Review Action Steps
Review existing Information Security policies
and standards to ascertain their adequacy in
coverage scope against industry best
practices, and update them as appropriate,
taking into account compliance
recommendations
Establish Key Performance Indicators (KPI) to
determine if your Information Systems
Incident Response program meets business
objectives and operational metrics for ongoing
process improvement.

57. 57
REWI
The Resilience based Early Warning Indicators (REWI)
method is a collection of self-assessment measures, which
provides information about an organization’s resilience.
The primary goal of the method is to generate early
warnings that improve the organization’s ability and
performance in the long run.

58. 58
Risk Awareness of Your Organization
Questions
Do we have
knowledge about the
information and
communication
technologies (ICT)
system and its
components?
Do we have
personnel with
information security
competence?
Whether the
employees are
security aware or not
will affect the security
risks.
Do we report on
security incidents?
Information about
past incidents will
provide insight into
what may go wrong in
the future.
Do we have
appropriate defense
mechanisms?
Information about the
technical safeguards
gives knowledge
about how well the
system is protected.

59. 59
Resilience Attribute: Risk Awareness
 The risk awareness attribute measures the degree of risk understanding, as well as
anticipation regarding what to expect and attention so as to know what to look for [5].
In a security incident management context these contributing success factors can be
expanded into the following general issues:
 Risk understanding: To what degree we understand the security risks associated with
the system. Risk understanding can be understood by asking the following questions
(the “general issues”)
 Do we have knowledge about the information and communication technologies (ICT) system and its
components? A (correct) understanding of how the system work will provide insight into how it may be
attacked and the possible consequences.
 Do we have personnel with information security competence? Whether the employees are security aware
or not will affect the security risks.
 Do we report on security incidents? Information about past incidents will provide insight into what may go
wrong in the future.
 Do we have appropriate defense mechanisms? Information about the technical safeguards gives
knowledge about
 How well the system is protected.
 Is the organization’s security policy efficient? Insight in to what degree the security policy is implemented
into the organization and whether it is followed by the employees will influence the efficiency of the
technical safeguards and barriers.

60. 60
Resilience Attribute: Support
 The support attribute measures the presence of an established support systems, so
that when faced with tough decisions or tradeoffs there is some kind of decision
support or help that is institutionalized and part of practice .
 In addition, support includes the ability to uphold critical support functions (technical,
human and organizational resources) in case of disruption is essential (redundancy)
 In a security incident management context these contributing success factors can be
expanded into the following general issues:
 Decision support: To what degree the organization support the trade-off between security and production.
 Do we have adequate decision support staffing? Efficient incident response will require available personnel
with knowledge, experience and authority to make decisions.
 Do we have adequate ICT decision support systems? Efficient incident response will often require
adequate support systems in place, including support for the support systems themselves.
 Do we have adequate external support? Security incident management often requires support om external
actors,such as anti-virus and third party software providers.

61. 61
Response
 Response: To what degree the organization is prepared to respond to
security incidents.
 Do we have personnel with the ability to handle incidents? There must be employees who
are capable of handling
 the incidents, including making critical decisions.
 How do we train on dealing with potential incidents? Training on potential scenarios is
essential in order to
 know what to do, both with respect to expected and unexpected events. The training
scenarios should be regularly
 reviewed and adapted, in order to reflect the current threat picture as accurately as
possible.

62. 62
Response
 Robustness of response: To what degree the organization can respond to
security incidents, without suffering damage.
 Do we have sufficient redundancy in skills among the employees? Organizations that
ensure that the employees are
 redundant in skills, or possess multiple skills, are more likely to successfully handle
incidents that go beyond the
 planned or foreseen.
 Do we have sufficient backup capacity / redundancy for the necessary critical functions?
Fault tolerance, redundancy
 and recovery are important aspects for preserving the organization’s critical functions
 Is the communication between involved actors sufficient? During incident response it is
crucial that all involved
 are able to communicate, without misunderstandings or confusions
 Do we manage incidents in compliance with existing policies? A robust response require
compliance with existing
 policies and best practices.

63. 63
Response
 Resourcefulness: To what degree the organization can ensure timely and
sufficient response.
 Does the incident response team have sufficient resources? There must be a sufficient
number of personnel assigned to the different roles in the incident response team, including
back-up personnel in case of unavailability, and the response team must be capable of
solving their tasks in a timely manner.
 Do we have adequate IT systems to support timely updating of necessary information? A
timely response requires timely updating necessary information and communicating this to
all involved actors.

64. 64
Technical Questions
Authentication Servers: Authentication servers, including directory servers and single sign-on servers,
typically log each authentication attempt, including its origin, username, success or failure
Remote Access Software: Remote access is often granted and secured through virtual private
networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates
and times each user connected and disconnected, and the amount of data sent and received in each
user session. VPN systems that support granular access control, such as many Secure Sockets Layer
(SSL) VPNs, may log detailed information about the use of resources.
Vulnerability Management Software: Vulnerability management software, which includes patch
management software and vulnerability assessment software, typically logs the patch installation history
and vulnerability status of each host, which includes known vulnerabilities and missing software
updates.5 Vulnerability management software may also record additional information about hosts’
configurations. Vulnerability management software typically runs occasionally, not continuously, and is
likely to generate large batches of log entries.
Web Proxies: Web proxies are intermediate hosts through which Web sites are accessed. Web proxies
make Web page requests on behalf of users, and they cache copies of retrieved Web pages to make
additional accesses to those pages more efficient. Web proxies can also be used to restrict Web access
and to add a layer of protection between Web clients and Web servers. Web proxies often keep a record
of all URLs accessed through them.

65. 65
Anticipation
 What security incidents we can expect
 Do we have updated knowledge about relevant threats? A systematic and regular
identification of vulnerabilities and threats is necessary in order to understand what may go
wrong.
 Do we learn from experience? The organization’s past experiences is a valuable source of
information.
 Want to avoid reoccurrence of security incidents and to learn from its own
success stories (“what went right”).

66. 66
Risk Assessment
 Risk assessment is the determination of quantitative or
qualitative estimate of risk related to a well-defined
situation and a recognized threat (also called hazard).
 Quantitative risk assessment requires calculations of two
components of risk (R): the magnitude of the potential
loss (L), and the probability (p) that the loss will occur.

67. 67
Incident Management Goals and Vision
 To have a comprehensive Incident Management framework and set of templates for a
consistent, Enterprise-wide response to incidents within the environment.
 Developing the capability to effectively manage unexpected disruptive events with the
objective of minimizing impacts and maintaining or restoring normal operations within
defined time limits.
 Scope is both small incidents such as a single infected machine to a massive data
breach.
 Key features of our future design needs to include:
 Decision matrix for determining the type of incident we are dealing with and appropriate response.
 RACI diagrams to identify responsibilities
 Team charter
 Team member matrix representing all aspects of the organization
 Templates that can be easily and quickly adopted for any incident
 Be careful with the term Incident or Breach. Some of the regulations trigger on the
date you classify an event as an Incident or Breach and that is when the clock starts
ticking for notifications.

68. 68
How To Write a CSIRT Policy
 A purpose statement, outlining why the organization is issuing the policy, and what its desired
effect or outcome of the policy should be.
 An applicability and scope statement, describing who the policy affects and which actions are
impacted by the policy. The applicability and scope may expressly exclude certain people,
organizations, or actions from the policy requirements. Applicability and scope is used to focus the
policy on only the desired targets, and avoid unintended consequences where possible.
 An effective date which indicates when the policy comes into force.
 A responsibilities section, indicating which parties and organizations are responsible for carrying
out individual policy statements.
 Policy statements indicating the specific regulations, requirements, or modifications to
organizational behavior that the policy is creating.
 Optional
 Background, indicating any reasons, history, and intent that led to the creation of the
policy, which may be listed as motivating factors. This information is often quite valuable
when policies must be evaluated or used in ambiguous situations, just as the intent of a law
can be useful to a court when deciding a case that involves that law.
 Definitions, providing clear and unambiguous definitions for terms and concepts found in
the policy document.

69. 69
Examples of Cyber Security Policies
 Access controls and identity management
 Business continuity and disaster recovery planning and resources
 Capacity and performance planning
 Customer data privacy
 Data governance and classification
 Incident response
 Information security
 Physical security and environmental controls
 Risk assessment
 Systems and application development and quality assurance
 Systems and network monitoring
 Systems and network security
 Systems operations and availability concerns
 Vendor and third-party service provider management

70. 70
Third Party Service Provider Policy
 Policies and procedures designed to ensure the security of information
systems and nonpublic information accessible to, or held by, third-parties
and include the following:
 Due diligence processes used to evaluate the adequacy of Cyber Security practices of
third-parties
 Minimum Cyber Security practices required
 Periodic assessment, at least annually or the continued adequacy
of their Cyber Security practices
 Identification and risk assessment of third-parties

71. 71
Plans, Playbooks, Testing and Exercises
Phases ISO 27035 Incident Response
1. Prepare to deal with incidents e.g. prepare an incident management
policy, and establish a competent team to deal with incidents;
2. Identify and report information security incidents;
3. Assess incidents and make decisions about how they are to be
addressed e.g. patch things up and get back to business quickly, or collect
forensic evidence even if it delays resolving the issues;
4. Respond to incidents i.e. contain them, investigate them and resolve
them;
5. Learn the lessons - more than simply identifying the things that might
have been done better, this stage involves actually making changes that
improve the processes.

72. 72
Plan Documentation Considerations
 Action sections
 Recovery team
 Personnel
 Responsibilities
 Resources
 Action plans
 Specific department/individual plans
 Checklists
 Technical procedures

73. 73
Plan Documentation Considerations
 Action sections
 Teams
 Personnel
 Responsibilities
 Resources
 Specific department/individual plans
 Checklists
 Technical procedures
 Management
 Administration/logistics
 New equipment

74. 74
Plan Documentation Considerations
 Document structure and design
 Ensure built-in mechanisms to ease maintenance
 Plan and implement the gathering of data required for plan completion
 Identify, analyze and document and agree on approach to key phases
 Allocate tasks and responsibilities
 Identify, analyze and document tasks to be undertaken

75. 75
Operation Sequencing
Initiation Resolution Termination

76. 76
Some Stakeholders

77. 77
Playbooks
One per Team per type of attack
 Breach
 DDOS
 ETC.

78. 78
Development and Documentation
 Each of the teams can create their own Breach Playbook using a
common template with lots of assistance
 The CSIRT Program, CSIRT Breach Plan, and Breach Playbooks
must be documented and vetted

79. 79
Interviews and Training
 Each business and technology areas that are part of the CSIRT
Response solution, must be interviewed to gain information and
ensure to provide information at the same sessions reference the
CSIRT project.
 Many training sessions must be held to prepare the teams for a
Response situation. In addition, daily ‘open office hours’ should be
available for the teams while they were developing their Team
Playbooks

80. 80
Severity Level Description
Sev1 –
Major
Incident where the impact is severe. Examples (a) proprietary or
confidential information has been compromised, (b) a virus or worm has
become wide spread and is affecting over 20% percent of the
employees/consultants (c) major denial of service attack where customer
interfaces are not accessible.
Sev2 –
Critical
Incident where the impact is significant. Examples are (a) Less than 500
PCI records have been breached (b) critical vulnerability for an operating
system or application
Sev3 –
Non-Critical
Incident where the impact is minimal. Examples are (a) harmless email
SPAM (b) isolated Virus Infections and Malware
Sev 4 –
Non Incident
Incident is determined to be not an incident

81. 81
Look for Patterns
Unusual activity in access or system logs
Recent Changes to the system
Super User ID created
Deleted log files
Recent escalation of privileges
Recent off-hour activity
Recent file transfer from System

82. 82
Testing and Exercises
 To validate the CSIRT Breach Plan, and Playbooks a number of
tests and exercises must be developed and implemented.
 The Paper Tests allows the teams to read their Playbooks allowed
and to learn where communication links between the teams were
needed to gain information in a response.
 The Table Top Test allows the CSIRT to validate their playbooks
while responding to a ‘mock scenario’ that can include up to 15
actual scenarios that occurred to other organizations.
 The Simulation Test utilizes the original scenarios but adds a
number of ‘twists’ that caused the teams to respond quickly.

83. 83
3rd Party CSIRT Testing
Cyber events demonstrating
third-party provider's ability
to respond quickly and
efficiently to such an event.
• For example, an organizations
ability to recover from a disruption of
critical functions because of a
distributed denial of service (DDoS)
attack or the ability to recover from a
data corruption event should be
subject to testing.
• A financial institution may consider
working with an outside party, such
as other financial institutions or an
industry group, to test these types of
events.
Simultaneous attack
affecting both the institution
and its service provider.

84. 84
Review Summary of ISO 27035
Incident Response
 Establish information security incident management policy
 Updating of information security and risk management policies
 Creating information security incident management plan
 Establishing an Incident Response Team (IRT) [aka CSIRT]
 Defining technical and other support
 Creating information security incident awareness and training
 Testing (or rather exercising) the information security incident
management plan
 Lesson learned

85. 85
Thanks
Dr. Michael C. Redmond, PhD
917-882-5453
585-340-5187
Audio Training Available at:
www.rwknowledge.com
Contact me at:
mredmond@efprgroup.com