Cyber Security Incident Response Program. Dr. Michael C. Redmond, PhD MBCP,FBCI,CEM,PMP,MBA

Transcription

1 Cyber Security Incident Response Program Dr. Michael C. Redmond, PhD MBCP,FBCI,CEM,PMP,MBA

2 World Economic Forum Global Technology Risks for 2015 According to the World Economic Forum s global risk perspectives survey for 2015, information and infrastructure resilience and cyber security continue to dominate the global technology risk landscape. What is really interesting is the perception that those risks have intensified in the past 12 months. No doubt this reflects both the growing sophistication of cyber attacks and the rise of hyperconnectivity i.e. all kinds of physical objects being web enabled to make up the Internet of Things, along with personal data. The challenge with so many devices connected to the Internet other than computers, is they tend to be less adequately protected The 2015 edition of the Global Risks report completes a decade of highlighting the most significant long-term risks worldwide, drawing on the perspectives of experts and global decision

3 Banking and Cyber Nearly a third of banking organizations do not require their third-party vendors to notify them in the event of an information security breach, according to a recent study on the banking sector's cybersecurity practices. The New York State Department of Financial Services issued its Update on Cyber Security in the Banking Sector: Third-Party Service Providers earlier this month to analyze the due diligence processes, policies and procedures governing relationships with thirdparty vendors, protections for safeguarding sensitive data, and protections against loss incurred due to third party information security failures.

4 Did ALL of Your Users Update 2 weeks ago Chrome? Adobe released security updates for Flash Player on Tuesday. Windows and Macintosh users should update to and Linux users should update to in order to address a variety of vulnerabilities, some of which are deemed critical and can enable code execution. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system, according to a Tuesday release, which states Adobe is aware that an exploit for CVE exists in the wild. Security updates were additionally released for Adobe Flex and ColdFusion. Adobe Flex 4.6 and earlier versions are affected by CVE , and ColdFusion versions 11 and 10 are affected by CVE Both vulnerabilities can be leveraged in reflected cross-site scripting attacks, and both are deemed important.

5 In Million Tax Records Stolen in Largest State Agency Attack Both Social Security and credit card numbers were stolen from the South Carolina Department of Revenue by hackers in August. A phishing enabled hackers to steal credentials from users and eventually steal 74 GB of encrypted and unencrypted data.

6 2012 Server Hack Leads to HIPAA Violation by Utah Department of Health In April, ,000 individuals were affected in a server hack at the authentication level that allowed hackers to access and steal SSNs and personal health records from the Utah Department of Health. One server was not configured according to normal procedure, and this allowed hackers to access the system.

7 In 2012, Global Payments Inc. PCI Data Breach Affected 1.5 Million Nearly 1.5 million consumers were affected by hackers accessing Global Payments Inc. s payment processing system in January and February.

8 On Dec , Dutch government website outage caused by cyber attack Cyber attackers crippled the Dutch government's main websites for most of Tuesday and back-up plans proved ineffective, exposing the vulnerability of critical infrastructure at a time of heightened concern about online security. The outage at 0900 GMT lasted more than seven hours and on Wednesday the government confirmed it was a cyber attack.

9 Cyber Response Ties In With Asset Management Let s discuss what should be in your Asset Management Program

10 Cyber Defense and Response What are the steps? Who is involved? How do we prepare?

11 Process Flow How can we Project Management this? What are the needed Business Processes?

12 Records* ISO 27001:2013 clause number Records of training, skills, experience and qualifications 7.2 Monitoring and measurement results 9.1 Internal audit program 9.2 Results of internal audits 9.2

13 Hackers Read The Same Publications That We Do Cnet CSO Dark Reading eweek

14 Report: 71 percent of orgs were successfully attacked in 2014 The number of successful cyber attacks against organizations is increasing, according to the 2015 Cyberthreat Defense Report from CyberEdge Group, which surveyed 814 IT security decision makers and practitioners from organizations in 19 industries across North America and Europe. Altogether, 71 percent of respondents said that their organization's global network was compromised by a successful cyber attack in 2014 a number that jumped up from 62 percent in the year prior and 22 percent said that their organization experienced six or more successful attacks, according to the report.

15 Risk Awareness of Your Organization Questions What are the key questions What areas of the organization needs to be included How do you raise Risk Awareness How do you develop the right questions for your organizations

16 Gap Knowledge To what degree Protection What s expected Response Suffering Damage Timeliness

17 Motivators Increase in the number of computer security incidents being reported Increase in the number and type of organizations being affected by computer security incidents More focused awareness by organizations on the need for security policies and practices as part of their overall risk-management strategies New laws and regulations that impact how organizations are required to protect information assets Realization that systems and network administrators alone cannot protect organizational systems and assets

18 Efficient Incident Response Program allows an organization Continuity Impacts Cost When Mitigate What Maintain What

19 3 rd Party Contracts for Security Issues What should be stated Who is responsible Who is notified

20 Questions For Thought What When How Where Why 20

21 Bank Secrecy Act Anti-Money Laundering Examination Manual Determine the underlying cause of policy, procedure, or process deficiencies These deficiencies can be the result of a number of factors, including, but not limited to, the following: Management has not assessed, or has not accurately assessed, the bank s risks. Management is unaware of relevant issues. Management is unwilling to create or enhance policies, procedures, and processes. Management or employees disregard established policies, procedures, and processes. Management or employees are unaware of or misunderstand regulatory requirements, policies, procedures, or processes. Higher-risk operations have grown faster than the capabilities of the compliance program. Changes in internal policies, procedures, and processes are poorly communicated.

22 Standards Standards and Best Practices ISO 2700 (Requirements) FFIEC PCI DSS (Credit Card Processing) And so many more Maintaining COBIT (Framework for IT Governance and Controls) ISO (Information Security Risk Management) ITIL(Framework: Identifying, planning, delivering, supporting IT for Business Functions)

23 ISO and Information Security How You Can Use Each

24 SEC The SEC s Office of Compliance Inspections and Examinations (OCIE) issued a risk alert notifying firms it will conduct IT security examinations of more than 50 registered brokerdealers and registered investment advisers. Commission s jurisdiction in cyber security is focused on the integrity of market systems, customer data protection, and disclosure of material information.

25 FFIEC The Financial Services sector is a primary target of cyber attacks FFIEC just released new Guidance on Feb 5th entitled Strengthening the Resilience of Outsourced Technology Services. That Guidance notes, among other things, that Cyber resilience covers aspects of BCM unique to disruptions caused by cyber events. FFIEC wants to see financial institutions incorporate Cyber Attack testing into its testing scenarios.

26 FFIEC "Outsourcing Technology Services Booklet" Many financial institutions depend on third-party service providers to perform or support critical operations. These financial institutions should recognize that using such providers does not relieve the financial institution of its responsibility to ensure that outsourced activities are conducted in a safe and sound manner. The responsibility for properly overseeing outsourced relationships lies with the financial institution's board of directors and senior management. An effective third-party management program should provide the framework for management to identify, measure, monitor, and mitigate the risks associated with outsourcing.

27 What are the benefits of being in compliance with the PCI DSS? What is required How do we know we are compliant

28 What are the requirements for PCI DSS? There are twelve requirements falling into categories: Build Protect Maintain Monitor

29 Different Plans Sound Similar CIRP Computer Incident Response Plan CSIRP Cyber Security Incident Response Plan CSIRT Cyber Security Incident Response Team

30 Why CSIRT Security breaches and subsequent fraud are increasing in frequency and scale. While financial institutions, retailers, healthcare providers, and other targeted organizations are doing everything possible to remain one step ahead of cyber criminals, these incidents will likely continue to happen putting sensitive information at risk. While you can t always prevent a breach, quick response can minimize reputation damage and financial impact. Proactive and timely account holder communication can help reduce costs, including those associated with increased call center activity, customer education, brand repair campaigns, regulatory compliance, and the expense of covering customer losses.

31 CSIRT Program Information Security, Governance & Risk, are all critical aspects of planning and execution of the Cyber Information Security Response Program. Who in your organization has key responsibility to develop a program?

32 3 rd Party CSIRT Testing Types of Tests Simultaneous Testing

33 Cyber Response Getting Started Program Adopt a systematic approach

34 Severity Levels

35 Gap Review Action Steps Review Establish Key Performance Indicators (KPI).

36 Integrate CSIRT into IS Integrate CSIRT Use common Build...

37 2013 Verizon Data Breach Investigations Report 2012, 66 percent of breaches that led to data compromise within days or less remained undiscovered for months or more In 69 percent of the cases, a third party discovered the breach

38 Attacks Are Not IF But WHEN Many large companies are getting hacked: Anthem, Sony, and Target to name just a few. The number of data breaches increased 27.5% in 2014 Measures against these types of security incidents are on the rise in companies.

39 Attacker Tools Rootkits Generators Backdoors And more

40 Feb 2015, Chinese hackers target US defense, finance firms after Forbes cyberattack US cyber security firms say a Chinese espionage team hacked Forbes magazine to then attack defence contractors, financial firms and other unsuspecting prey visiting the popular news website. Invincea and isight Partners detailed what they described as a watering hole campaign late last year that took advantage of Forbes.com and other legitimate websites. A Chinese advanced persistent threat compromised Forbes.com to set up a watering hole style web-based drive-by attack against US defence and financial services firms in late November 2014, Invincea said in a report posted on its website. The brazen attack took advantage of vulnerabilities in Adobe Flash and Internet Explorer software which have since been patched, according to Invincea.

41 February 13, 2015 Tennessee healthcare group notifies employees of payroll breach Tennessee-based State of Franklin Healthcare Associates (SoFHA) has notified all employees that their personal information was accessed during a security breach at the company's third party payroll vendor, and some if has already been used to file fraudulent tax returns. How many victims? All employees are being notified, and 20 to 25 have been affected. What type of personal information? Employee payroll information, including W-2s. What happened? SoFHA's third party payroll vendor was breached, access was gained to SoFHA employee payroll information, and fraudulent tax returns were filed. What was the response? SoFHA is working with national, state and local law enforcement to identify the perpetrators. SoFHA is notifying all employees, and is offering them a free year of identity theft protection services. Details: SoFHA notified local authorities in early February. As of Thursday, between 20 and 25 employees have reported being victims of tax-related identity theft. Quote: We do know that the cyber attack was contained to only employee payroll information, and at no time was any patient data compromised, Richard Panek, CEO of SoFHA, was quoted as saying. The scam is that the criminals attempt to file for, and receive, a tax refund before the real person files.

42 More Every Day Security breaches and subsequent fraud are increasing in frequency and scale.

43 Questions Getting Started Who s included Process Steps Now What

44 Risk While financial institutions, retailers, healthcare providers, and other targeted organizations are doing everything possible to remain one step ahead of cyber criminals, these incidents will likely continue to happen putting sensitive information at risk.

45 Quick Response Why? How?

46 Account Holder Communications When, Why and What

47 Employee Mitigation Auto Lock Password Manager Flashdrives And more

48 Quick Checklist to Mitigate Network Review Validate Conduct

49 CSIRT Phases What are they How do they interconnect

50 Mitigation for Social Engineering How to Mitigate Penetration because of this

51 CSIRT Program Plan for Managing Playbooks for each different types of Cyber Security Incidents (worse case does not work as in Disaster Recovery)

52 Incident Management Goals and Vision What should be included in each When is it updated How is it written

53 Analysis Methodology Identify References Research

54 Interviews and Training What s included How specifically is it done How often

55 Development and Documentation How do I know which documentation I need Where do I get the information Who should help me Passing an Audit Making sure it works

56 Testing and Exercises Validate Types of Tests Are they good enough

57 What s Needed Cyber Security Incident Response Program What s inlcuded What s a Program What s a Plan What s a Playbook

58 Basics Objective Scope Assumptions Ownership Action Steps Structure

59 Incident Incident VS Event How do I know What plans do I need for each

60 Operation Sequencing Initiation Resolution Termination

61 Look for Patterns I m not technical, how can I do this What are the Technical Teams saying Who decides the patterns anyway

62 REWI

63 Resilience Attribute The risk awareness attribute measures the degree of risk understanding, as well as anticipation What are the attributes How well the system is protected

64 Dr. Michael C. Redmond, PhD MBCP, FBCI, CEM, PMP, MBA Certified PECB ISO Instructor International Consultant, Speaker and Author SME: CSIRT and SIEM