GEARS Cyber-Security Services

Transcription

1

2 Florida Department of Management Services Division of State Purchasing Table of Contents Introduction... 1 About GEARS Pre-Incident Services Incident Response Agreements Assessments of Incident Response Capability Incident Response Guidance Incident Response Plans Incident Response Training Post-Incident Services Incident Response Guidance Incident Response Mitigation Plans Applicable IT70 Labor Categories GEARS Cyber Security Services Catalog Florida DMS Page i of i

3 Introduction The Florida Department of Management Services (DMS), Division of State Purchasing (Department) provides centralized statewide contracts for use by all state agencies. DMS has released an RFI to identify vendors under GSA Schedule 70 who are able to perform cyber-security services listed in the table of contents. Specifically, DMS is seeking to identify vendors that are able to provide assessment and remediation services in the event of a cyber-security incident and provide identity protection, identity monitoring and identity restoration services to any affected individuals under GSA Schedule 70. As appliances for intrusion detection get more sophisticated attack vectors will migrate more from targeted system attacks to attacks that use comprised user credentials gained through social engineering attacks. As in previous years, the top three affected industries continue to be Public, Information and Financial Services. We know no industry or organization for that matter is immune to security failures, but given the trend and resurgence of phishing and other social engineering tactics, we see the core to strengthening organizational security lying with the human resources. Figure 1 provides a few statistics on incidents by industry and organization size. Figure 1. Security incidents by victim industry and organization size (from the 2015 Data Breach Investigations Report) GEARS Cyber Security Services Catalog Florida DMS Page 1 of 11

4 About GEARS Global Evaluation & Applied Research Solutions (GEARS) Inc. is ready to support DMS with seasoned cyber-security specialists to provide a variety of services. The GEARS team has practical experience assessing, advising and supporting financial institutions, large telecommunications and wireless carriers, firms that manage large databases of information, healthcare organizations and providers, as well as providing recommendations for risk and security management programs for global travel management firms the, the GEARS team is poised to support the cyber-security needs of DMS. We understand the threat level and can assess your environment, help DMS to minimize vulnerability and raise cyber-security awareness among your staff. Ted Ridley is a seasoned professional with extensive experience in information technology (IT) concentrating in information assurance, vulnerability assessments, application design and development, application and network security, program and project management, risk analysis and management, operational and security policy planning and development, business continuity and disaster recovery planning and strategy, and network design, validation and implementation across various public and private industries. Having two decades combined experience as a network engineer, network security administrator, incident response team manager, business operations practice manager (Managing Consultant) and independent consultant, Ted has an in-depth understanding of security issues and the associated business impact. Ted s breadth of experience in management, technical delivery and business process optimization, uniquely qualifies him to work to provide comprehensive, high return on investment (ROI) based security solutions. For more information, please contact: Ted Ridley, CSSLP, ECSA, CEH Director, Information Technology Services (301) tridley@getingears.com GEARS Cyber Security Services Catalog Florida DMS Page 2 of 11

5 1. Pre-Incident Services GEARS offers a suite of Pre-Incident Services, including: Incident Response Agreements Creating terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident. Assessments Evaluating a State Agency s current state of information security and cyber-security incident response capability. Preparation Providing guidance on requirements and best practices. Developing Cyber-Security Incident Response Plans Developing or assisting in development of written State Agency plans for incident response in the event of a cybersecurity incident. Training Providing training for State Agency staff from basic user awareness to technical education. 1.1 Incident Response Agreements Better to be safe than sorry. Let our experienced cyber security professionals draft terms and conditions for your organizational response in the event of a cyber-security incident. The GEARS team can support your organization when a computer security attack occurs, an intrusion is recognized, or some other kind of computer security incident occurs. During this critical time, having an established incident response agreement in place provides a fast and effective means of responding. When an incident occurs, the goal of the Information Systems Incident Response Team (ISIRT) is to control and minimize any damage, preserve evidence, provide quick and efficient recovery, prevent similar future events, and gain insight into threats against the organization. At GEARS, our team is well versed on preserving chain of custody and the techniques necessary to quickly isolate the affected devices, either remotely or via telephone support until such time as onsite response teams can arrive. An effective Incident Response Agreement will not only provide the organization with clear understanding of the actions that should take place in the event of an Incident, but provide service level agreements (SLAs) GEARS Cyber Security Services Catalog Florida DMS Page 3 of 11

6 by which the response time and process will be governed (e.g. Isolation of affected devices within 1 hour). 1.2 Assessments of Incident Response Capability GEARS Cyber Team Lead, Ted Ridley, has performed numerous Enterprise Security Assessments for larger commercial organizations utilizing the ISO Enterprise Security Architecture, NIST SP , Technical Guide to Information Security and Assessment: NIST SP800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations; NIST SP800-30, Guide for Conducting Risk Assessments; and NIST SP800-39, Managing Information Security Risk Organization, Mission, and Information System as the guidelines for our assessment tool. Our tool provides domain based scoring of an organization s preparedness a capability for not only Incident Response, but for enterprise security practices as a whole. The tool is designed such that specific domains such as Incident Response can be evaluated individually. Figure 2 is a representative screenshot of the section of the tool used during an incident response assessment. Figure 2 Tool Used During an Incident Response Assessment (Representative) GEARS Cyber Security Services Catalog Florida DMS Page 4 of 11

7 Utilizing the guidelines noted above and the baseline tools GEARS has, we will review the organizations policy, guidelines and procedures and develop a customized tool for performing the Incident Response assessment. 1.3 Incident Response Guidance As previously noted, the GEARS team has notable experience providing guidance on Cyber Security Awareness and preparedness. In that experience we have provided guidance on the requirements and best practices for preparation. In today s worlds of threats, it s never known who will discover and have the need to first report an incident. Therefore, Incident Response preparation is an enterprise-wide effort ensuring that all staff are aware of not only how to identify potential threats and incidents, but also how to properly report them and begin the isolation process when necessary. Routine Security Awareness Training is at the core of ensuring staff are prepared to recognize and respond to incidents. GEARS has experience providing Security Awareness Training courses developed for both staff and executive level participants. Each course is tailored specifically to the intended audience. Although a large portion of base course content is consistent across industry, we realize that industry specific items are critical to providing the best training experience and most useful outcome. Therefore, we bring to bear, industry specific data in our presentation, so that, for example, training for healthcare providers will focus on those attack vectors and most commonly exploited vulnerabilities in the healthcare industry and not those most common to the financial industry. In addition to industry specific data, GEARS will bring client specific data gathered through various black box vulnerability and social engineering assessments conducted prior to providing the training. The assessments allow our presenters the ability to provide not only scenario based information on what to do in case of threats, but actual data on how your team responded to threats. 1.4 Incident Response Plans As part of our experience developing Vulnerability Management Programs, the GEARS team has worked with all levels within information technology organizations to ensure that not only the vision and regulatory needs of the Chief Information Officer are met but the GEARS Cyber Security Services Catalog Florida DMS Page 5 of 11

8 practical and tactical needs of the operations teams that will be implementing the actions from the plan are addressed as well. Having served in capacities spanning from Network Operations Engineers to Network Operations Managers to SVP of Business Operations, our team has the breadth of understanding the needs of various responsibilities of those responsible for incident management. This understanding allows us to provide practical insight and perspective in the development of Incident Response Plans (IRP). The IRP will contain information such as actions defined for both non-it personnel and IT personnel responding to an incident. The IRP will discuss the steps taken during a response to an incident. The IRP will provide contact numbers and sequencing of contact. It will not only have language describing the steps for contacting IT and/or security and escalation through management but a checklist to be completed and submitted as part of the documentation trail for each incident. Examples of areas and associated actions covered by the IRP include: The telephone contact information for the Agency 24-hour-grounds security department who then contact the Agency IT emergency contact person or effected department contact. The grounds security office will log: o The name of the caller. o Time of the call. o Contact information about the caller. o The nature of the incident. o What equipment or persons were involved? o Location of equipment or persons involved. o How the incident was detected. The IT staff member or affected department staff member who receives the call (or discovered the incident) will refer to their contact list for both management personnel to be contacted and incident response members to be contacted. The staff member will call those designated on the list. The staff member will contact the incident response manager using both and phone messages while being sure other appropriate and backup personnel and designated managers are contacted. The staff member will log the information received in the same format as the grounds security office in the previous step. The staff member could possibly add the following: GEARS Cyber Security Services Catalog Florida DMS Page 6 of 11

9 o Is the equipment affected business critical? o What is the severity of the potential impact? o Name of system being targeted, along with operating system, IP address, and location. o IP address and any information about the origin of the attack. Contacted members of the response team will meet or discuss the situation over the telephone and determine a response strategy. o Is the incident real or perceived? o Is the incident still in progress? o What data or property is threatened and how critical is it? o What is the impact on the business should the attack succeed? Minimal, serious, or critical? o What system or systems are targeted, where are they located physically and on the network? o Is the incident inside the trusted network? o Is the response urgent? o Can the incident be quickly contained? o Will the response alert the attacker and do we care? o What type of incident is this? Example: virus, worm, intrusion, abuse, damage. An incident ticket will be created. The incident will be categorized into the highest applicable level of one of the following categories: o Category one - A threat to public safety or life. o Category two - A threat to sensitive data o Category three - A threat to computer systems o Category four - A disruption of services Team members will establish and follow one of the following procedures basing their response on the incident assessment: o Worm response procedure o Virus response procedure o System failure procedure GEARS Cyber Security Services Catalog Florida DMS Page 7 of 11

10 o Active intrusion response procedure - Is critical data at risk? o Inactive Intrusion response procedure o System abuse procedure o Property theft response procedure o Website denial of service response procedure o Database or file denial of service response procedure o Spyware response procedure. The team may create additional procedures that are unforeseen in this document. If there is no applicable procedure in place, the team must document what was done and later establish a procedure for the incident. Team members will use tools such as Encase forensic techniques, including reviewing system logs, looking for gaps in logs, reviewing intrusion detection logs, and interviewing witnesses and the incident victim to determine how the incident was caused. Only authorized personnel should be performing interviews or examining evidence, and the authorized personnel may vary by situation and the organization. Team members will recommend changes to prevent the occurrence from happening again or infecting other systems. Upon management approval, the changes will be implemented. Team members will restore the affected system(s) to the uninfected state. They may do any or more of the following: o Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this. o Make users change passwords if passwords may have been sniffed. o Be sure the system has been hardened by turning off or uninstalling unused services. o Be sure the system is fully patched. o Be sure real time virus protection and intrusion detection is running. o Be sure the system is logging the correct events and to the proper level. During the response and as part of the execution of the IRP the ISIRT will ensure that resulting Incident Report captures a few critical items including the following: GEARS Cyber Security Services Catalog Florida DMS Page 8 of 11

11 How the incident was discovered. The category of the incident. Where the incident occurred (whether through , firewall, etc.). Source of incident (IP addresses and other information about the attacker). Response type was implemented. Details of the response. Outcomes effectiveness of response. Additionally, the ISIRT will ensure that the necessary steps are taken to protect the organization s assets and position the legal counsel with all that may be required for prosecution. In doing so, the ISIRT will manage the following tasks that support the organization in its business continuity practices: Evidence Preservation make copies of logs, , and other communication. Keep lists of witnesses. Keep evidence as long as necessary to complete prosecution and beyond in case of an appeal. Notify proper external agencies notify the police and other appropriate agencies if prosecution of the intruder is possible. List the agencies and contact numbers here. Assess damage and cost assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts. Review response and update policies plan and take preventative steps so the intrusion can't happen again. o Consider whether an additional policy could have prevented the intrusion. o Consider whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future. o Was the incident response appropriate? How could it be improved? o Was every appropriate party informed in a timely manner? o Were the incident-response procedures detailed and did they cover the entire situation? How can they be improved? o Have changes been made to prevent a re-infection? Have all systems been patched, GEARS Cyber Security Services Catalog Florida DMS Page 9 of 11

12 o o o systems locked down, passwords changed, anti-virus updated, policies set, etc.? Have changes been made to prevent a new and similar infection? Should any security policies be updated? What lessons have been learned from this experience? 1.5 Incident Response Training As previously mentioned the GEARS team has developed Vulnerability Management Programs. Staff training is a key element of establishing a strong vulnerability management framework. Adding in robust technological appliance-based security solutions, while advantageous, will provide a low return on investment if staff is not aware of security threats, how to identify security threats, and how to respond to security threats. GEARS will work with DMS or other state departments and agencies to not only create an effective IRP, but we will develop interactive and engaging training sessions tailored for the various organizational roles and responsibilities, from staff through leadership, designed to educate on the precepts of the IRP, increase awareness of security threats, how to identify security threats, and how to respond to security threats. To measure the effectiveness, once training is complete, GEARS will design social engineering exercises to test the effectiveness of the training and the organization s ability to respond to an Incident. A full report on the outcome of the social engineering exercises will be provided to leadership. 2. Post-Incident Services 2.1 Incident Response Guidance GEARS will work with technical staff to assist State Agencies in providing a full response to an incident. Utilizing the agencies IRP and leveraging our experience in incident response GEARS will join the State Agencies ISIRT in an advisory capacity to ensure that the processes and steps taken will result in a ticket opened with the appropriate level / category assigned, and an incident report detailing the critical elements (How the incident was discovered; the category of the incident; how the incident occurred, the source of the incident; detail the response; outcome of the response effectiveness). This information is not only critical during the response, but for the GEARS Cyber Security Services Catalog Florida DMS Page 10 of 11

13 Incident post-mortem discussions that will be instrumental in the continuous improvement process of the agencies IRP. 2.2 Incident Response Mitigation Plans Based upon the information gathered through the investigation practices and response activities of the incident as noted previously and through an understanding od organizational priorities and critical infrastructure discussed during post-mortem meetings, the GEARS team will assist the State Agency to develop mitigation plans to limit the exposure in future incidents. Our team understands that no agency is going to be free of risks, but through proper planning and through activities of continuous improvement, risk mitigation can be achieved. 3. Applicable IT70 Labor Categories The table below lists the published rates from the GEARS GSA IT 70 Catalog Labor Categories that would be applicable in establishing an Incident Response team. GEARS GSA IT 70 Catalog (GS 35F-0377Y) Labor Category Maximum Price Project Manager III $ Security Specialist I $ Security Specialist II $ Security Specialist III $ Disaster Recovery Specialist $ Network Administrator $ IT Training Specialist III $ GEARS Cyber Security Services Catalog Florida DMS Page 11 of 11