Update on Cyber Security ORMIA Specialized Course

Transcription

1 Update on Cyber Security ORMIA Specialized Course Yow Lian Tay and Robert Tracey Jr May 20, 2015

2 Agenda 1. Introduction to Cyber Security 2. Cyber Security resources 3. Anatomy of a data breach 4. Cyber Security incident response 5. Why audit the Cyber Security incident response plan? 6. Items to look for during the audit 7. Question Answer Incidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. This presentation is intended to provide focus areas for your consideration. Ask yourself: What topics do I need to pay attention to? 2

3 What is Cyber Security? VS Protection from Unauthorized Modification Protection from Disruptions in Access Protection from Unauthorized Access 3

4 Cyber Security Present Day Advanced Persistent Threat (APT) Threats in the past were one-off hackers, spammers, and script kiddies. Now: Advanced Persistent Threat (APT): State-sponsored cyber espionage and sabotage Organized Crime / For Profit Groups Anonymous / Hacktivists Situational Awareness Risk Assessments can never be static as threats are increasingly more dynamic. Understanding of the environment is critical to adequate risk identification. Skills Gap Information Security professionals are in increasingly high demand. Threat actors devote exorbitant time and resources to carrying out attacks this requires an equal and opposite defense response that cannot be accomplished by automated tools alone. 4

5 Emerging Risks Internet of Things Crimeware, Ransomware Doxxing Internetworked hardware with standard and nonstandard operating systems. Includes sensitive devices such as security cameras, environmental system controllers, and certain medical devices. Requires specialized (vendor) knowledge to maintain security. Crimeware is malware specifically used to acquire confidential information including bank accounts and passwords. Ransomware is malware that locks down a user s machine and demands a payment for unlocking it. Doxxing is a practice of obtaining and disseminating PII on individuals through internet research 5

6 Emerging Risks RAM Scraping Malware that dumps data stored in memory. Such data is normally unencrypted. Common threat for POS systems and ATMs as sensitive payment card information is utilized Insider and Third Party Threat Insider threat is the risk of employees and contractors to the security of information through inadvertent and intentional means. Third party threat is the risk of vendors and contractors interfacing with the internal network and potentially compromising information security. 6

7 Cyber Security Resources ISACA Cybersecurity Nexus (CSX) Thought leadership, training, and certification. Verizon Data Breach Investigations Report Overall trends and emerging risks. SANS Critical Security Controls 20 critical controls for the most common attacks NIST Cybersecurity Framework Detailed standards for Cybersecurity Programs 7

8 Anatomy of a Data Breach Scenario - Background Disclaimer: This scenario is purely fictional. Any similarity to actual events is merely coincidental. Despite being fiction, this hypothetical example is based on actual risks in the environment that cyber security teams must be prepared for. Hackers from a well-funded criminal organization compromise a third party vendor to a major banking institution An Opportunity Appears 8

9 Anatomy of a Data Breach Setting up a Distraction Because the bank has a devoted protestor following (like all big banks), it isn t hard to induce hacktivists to launch a significant DDoS attack. It was also trivial for the criminal organization to obtain names of employees of the bank from LinkedIn and set up a spear-phishing scam. 9

10 Anatomy of a Data Breach 1. Resolve public website outage to satisfy customers The Incident Response Team Incident Response 2. Remediate effects of the spear-phishing scam. While it takes several hours, the Incident Response Team blocks the DDoS attackers and brings back up the public website. They also deal with many angry employees that unfortunately fell for the phishing s and need to change all of their passwords. 10

11 Anatomy of a Data Breach Successful Exfiltration The Intranet Customer Page was never fully secured because it was believed to be generally safe from external attacks. Using vulnerabilities in the programming language and the use of a privileged database connection within the scripts, the hackers successfully compressed and exfiltrated the customer database. 11

12 Scenario Recap Attacks are not always in isolation. A sophisticated attacker uses multiple channels of attack. DDoS Attacks and Phishing are easy to perform but hard to resist. Logging Everything is Insufficient Trained technicians need to review and remediate logs timely Security logs should never be purged data storage is cheap. Internally-Facing Applications are still a Security Risk Just because it isn t public facing doesn t mean it can t be broken into. Controls should apply to all systems with sensitive data. Third Party / Outsourced Service Providers Accounts and interfaces to third parties should face high scrutiny. Many recent breaches were through third-party channels. 12

13 Anatomy of a Data Breach 1. Resolve public website outage to satisfy customers The Incident Response Team Incident Response 2. Remediate effects of the spear-phishing scam. While it takes several hours, the Incident Response Team blocks the DDoS attackers and brings back up the public website. They also deal with many angry employees that unfortunately fell for the phishing s and need to change all of their passwords. 13

14 Incident Response What is an Incident Response Team (IRT)? A selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered. They must be people that can drop what they re doing (or re-delegate their duties) and have the authority to make decisions and take actions. Incident Response Plan Identifies the organizational approach to handling security incidents Brings needed resources together in an organized manner to deal with an adverse event Aides investigations, preservation of evidence, and determination of how it occurred and how to mitigate against recurrence Is adaptable and flexible Speeds response and recovery efforts Ask yourself: Did your IR team obtain management support buy-in? Are roles responsibilities defined in the IR plan? Success Metrics? What about communication? Don t over communicate! Has there been a validation of the IR plan? Don t just plan it, practice it! 14

15 Typical Cyber Security Incident Response Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity Ask yourself: Does your IR plan cover these phases? 15 NIST SP r2 - COMPUTER SECURITY INCIDENT HANDLING GUIDE

16 Why audit the Cyber Security Incident Response? In conducting the audit, the auditor should be seeking answers to the following four questions: 1. Has the organization adequately assessed its cyber security incident response needs? 2. Has the organization's cyber security incident response program been designed to meet those needs? 3. As the organization changes and evolves, is the effectiveness of the cyber security incident response plan maintained? 4. In the aftermath of a critical incident, will the cyber security incident response plan work as intended? Benefits to the organization: Ensures that the plan contains accurate and current information Allows the incident response process to be assessed and fine-tuned Identifies potential issues in advance; before the breach occurs Should a breach subsequently occur, it allows the process to operate more efficiently Critical Security Control #18: Incident Response and Management Ask yourself: How supportive is Bank s Management of such an audit? 16

17 Items to look for during the audit Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity 17

18 Items to look for during the audit Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity Preparation 1. Verify creation of an incident response policy and plan 2. Were procedures for performing incident handling and reporting developed? 3. Has guidelines for communicating with outside parties regarding incidents been established? 4. Was a team structure and staffing model selected? 5. Has relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies) developed? 18

19 Items to look for during the audit Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity Detection and Analysis 1.Determine the detection and analysis capabilities. Does it consider: Attack vectors, signs sources of an incident (precursor vs. indicator) Correlation of information events (Security Incident Event Management (SIEM) tools) Profiling Networks and Systems to understanding Normal Behaviors Employ additional tools to collect additional data 2. Determine if mechanisms/channels to document the incident. Status, summary, related incidents, actions taken, chain of custody, impact assessments, next steps, etc. 3. Incident prioritization severity - functional, informational recoverability 4. Timely and sufficient notification 19

20 Items to look for during the audit Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity Containment and Recovery 1. Are there procedures to acquire, preserve, secure, and document evidence? 2. Verify if there are steps to contain eradicate the incident. Was there consideration for: Identifying and mitigating all vulnerabilities that were exploited. Removing malware, inappropriate materials, and other components. Isolating components to avoid spread. 3. Has steps been established to recover from the incident? 4. Is there confirmation that the affected systems are functioning normally upon recovery? 5. Is there a need to implement additional monitoring to look for future related activity? 20

21 Items to look for during the audit Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity Post-Incident Activity 1.For high severity incidents, was there a follow-up report? 2. Was a lessons learned meeting held? 3. Rehearsing (table-top testing) and awareness 4. Evidence retention considerations for prosecution 21

22 Items to look for during the audit Communication Coordination Preparation Detection Analysis Containment, Eradication Recovery Post Incident Activity Communication Coordination 1. Is there an established communication channel? 2. Has a communication frequency been defined? 3. Have responsibilities been defined? 4. Have the relevant internal stakeholders been identified for notifications? 5. Does your organization share information with outside parties? (Internet Service Provider, Law Enforcement Agencies, Software Support Vendors, media) 22

23 Effective Practices 1. Acquire tools and resources that may be of value during incident handling. 2. Subscribe to threat intelligence services (free paid). 3. Establish mechanisms for internal and external parties to report incidents. 4. Require a baseline level of logging and auditing on all systems, and a higher baseline level on all critical systems. 5. Profile networks and systems to understand the normal behaviors of networks, systems, and applications. 6. Consult with the legal department before initiating any coordination efforts. 7. Perform incident information sharing throughout the incident response life cycle. 8. Attempt to automate as much of the information sharing process as possible. 9. Balance the benefits of information sharing with the drawbacks of sharing sensitive information 10.Prioritize handling of the incidents based on the relevant factors. 11.Include provisions regarding incident reporting in the organization s incident response policy. 12.Obtain system snapshots through full forensic disk images, not file system backups. 13.Start recording all information as soon as the team suspects that an incident has occurred. 14.Share as much of the appropriate incident information as possible with other organizations. 15.Safeguard incident data. 16.Follow established procedures for evidence gathering and handling. 17.Create a log retention policy. 18.Maintain and use a knowledge base of information. 19.Hold lessons learned meetings after major incidents. 20.Plan incident coordination with external parties. Ask yourself: Are we doing any of these? 23

24 Questions Answers Additional Resources: NIST National Checklist Program (NCP) NIST Special Publications Rev 2 Computer Security Incident Handling Guide Center for Internet Security (CIS) Best Practices COBIT= Deliver Support DS8 Manage Service Desk and Incidents ITIL = Service Operation ISO = 13.0 Information Security Incident Management, 14.0 Business Continuity Management NIST SP = Incident Response guide Consider what you ve learned share it. 24