Incident response: the good, the bad and the ugly, or how to keep your face after a security breach

Security breaches occur every day and we have to get used to it. But our customers will not be happy if their data are published. Now the question is how we handle such a breach and which data we should offer to the public. How do we create an incident response plan and how do we work with our forensic partner? Which data should we give to the police and what should we be quiet about? All these and more will be discussed using real-life examples.

Published in: Technology


  1. Agenda
     Preface
     Who am I
     What is an Incident
     How do we prepare
     The Policy
     The Incident response plan
     Creating a Computer Security Incident Response Team
     External Forensic Partner
  2. Agenda
     Incident Response and Forensic techniques
     Responsible disclosure
     Now what does this look like in real life?
     The Good
  3. Agenda
     The Bad
     The Ugly
     So ... WTF, may I rant a bit please?
     So x.509 is dead, huh?
     The disasters from 20/11
     Sony and no end
     The coming out of the RSA Breach
     Comodo, DigiNotar, StartSSL…
  4. Agenda
     Preface
     Why bother?
     The first virus was programmed in 1986 and we did not learn anything!
     You are a CIO/CSO? YOU FAILED!
     Over 80% of all incidents use techniques older than 20 YEARS! APT, yeah right.
     Are you any better?
  5. Agenda
     Who am I
     CIO
     Computer nerd since the mid 70's
     A Hacker
     Spearhead and founder of BerlinSides
     A nobody
  6. Agenda
     What is an Incident in InfoSec
     @indi303's maintenance window.
     An attack against your Network (or Bogk in your Network)
     A social engineering (SE) attempt
     A lost USB Stick
     A McAfee update
  7. Agenda
     How do we prepare
     The Policy
     What is an incident
     Who to report to
     What to report
     Which measures to take
     The Incident response plan
        Helpdesk
        Intrusion detection monitoring personnel
        A system administrator
        A firewall administrator
        A business partner
        A manager
        The security department or a security person
        An outside source
  8. Agenda
     Creating a Computer Security Incident Response Team
        Step 1: Obtain management support and buy-in
        Step 2: Determine the CSIRT strategic plan
        Step 3: Gather relevant information
        Step 4: Design the CSIRT vision
        Step 5: Communicate the CSIRT vision and operational plan
        Step 6: Begin CSIRT implementation
        Step 7: Announce the operational CSIRT
        Step 8: Evaluate CSIRT effectiveness
     Incident Response and Forensic techniques
     WTF is WFT (Windows Forensic Toolchest™)
     FRED (First Responder's Evidence Disk)
  9. Agenda
     Responsible disclosure
     To the Police
     To our staff
     To our business partners
     To the public
  10. Agenda
     Now what does this look like in real life?
     You're most likely into infosec, look for yourself
     How many of you know your company's incident response plan?
     From those who had their hands up, are you sure all employees know the IR policy?
     Why is that so?
  11. Agenda
     The Good
     Apache
     https://blogs.apache.org/infra/entry/apache_org_downtime_report
     https://blogs.apache.org/infra/entry/apache_org_04_09_2010
     PHPFog
     http://blog.phpfog.com/2011/03/22/how-we-got-owned-by-a-few-teenagers-and-why-it-will-never-happen-again/
     Comodo
     http://blogs.comodo.com/it-security/data-security/the-recent-ra-compromise/ (March 23)
     https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
  12. Agenda
     The Bad
     Kernel.org
     Can't find a statement on their website on the first page of Google search results
     Sony
     Did some kind of incident response very late and under pressure; the information from the company was horrible
     DigiNotar
     DigiNotar got into incident response, but it took 'em 2 months to report
  13. Agenda
     The Ugly
     RSA
     Kept the secret over a long time
     Apple
     Very late in patching things, and mostly never the open-source parts of the OS
     HP
     OMG
  14. Agenda
     So ... WTF, may I rant a bit please?
     So x.509 is dead, huh?
     The disasters from 20/11
     Sony and no end
     The coming out of the RSA Breach
     Comodo, DigiNotar, StartSSL…
  15. Agenda
     How can we change this?
     As a customer
     As a professional
     All the Anonymous, LulzSec, J3st3r and others
     Are we really prepared?
     What about the daily skiddie?
     Predictions, who will fall next?
     Thanx for listening
