You will be breached

Post on 25-May-2015


Your organization will be breached. It's a matter of when, not if. How you respond may be the difference between recovering and closing your doors. This talk is designed to help small businesses or businesses with small IT organizations to develop a viable incident response program. Presented at the 2013 ND IT Symposium on 5/1/2013.

Transcript of You will be breached

Are you prepared?

What is your response plan?

Mike Saunders – CISSP, GCIH, GPEN

Agenda

Definition of a breach

Background statistics on breaches

What a breach may look like

Preparing your response plan

Putting your plan into action

Links to resources

Key Assumptions

Small to medium-sized business (SMB)

25 – 500 employees

Few IT resources, few or none dedicated to IT security

What Is a Breach?

Breach means an intrusion into a computer system, i.e. hacking or exposure of sensitive data

Causes of a breach:

crimes of opportunity

targeted attacks

viruses

web-delivered malware

malicious insiders

unintentional disclosures

Breach Statistics

55% of SMBs surveyed were breached in the last year, 53% more than once – Ponemon Institute

Verizon 2012 DBIR found 71.5% of incidents studied were in organizations of less than 100 employees

Up from 63% in 2011

2011 Symantec ISTR found 28% of targeted attacks were against companies with less than 500 employees

Costs of a Breach

Average cost of reported breach: $5.5 million

Average cost per stolen record: $194

Symantec ISTR

Fines

Possible jail terms under HIPAA

Loss of customer and business partner confidence

How Do I Know I’ve Been Breached?

(Image: www.digitaltrends.com)

Overt

Defaced website (defaced website examples pictured from bundlr.com, sunbeltblog.blogspot.com and news.cnet.com)

Unauthorized bank transfers (unauthorized wire transfer pictured from krebsonsecurity.com; compromised PayPal account pictured from yadiwibowo30.blogspot.com)

Destruction of data

Data held hostage – “ransomware” (ransomware image from arstechnica.com)

Notification from outside entity

Covert

System slowness

Abnormal log entries

Strange notifications when visiting a website

Helpdesk may notice a pattern

(Images: malicious Java applet, www.cso.com.au; fake antivirus notification, blog.unmaskparasites.com)

No obvious indicators

There may not be an obvious indicator of a breach

Detect through well-developed security intelligence program

66% of breaches went undiscovered for several months or longer

Verizon 2013 DBIR

Benefits of Adequate Preparation

Economic

Stop ongoing loss of data or business interruption

Reduce time to resolution after incident is discovered

Public Relations

PR plan helps reassure customers to prevent loss of confidence

Legal

Demonstrates due diligence

Preparation: Getting Started

Get management support!

Define your incident handling team members

Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor

Designate an incident leader. This person needs to be calm under fire

Preparation: Basics

Policies

Strong policies help enforce compliance and define roles and responsibilities

Incident Handling policies provide legal authority to investigate, “sniff” network traffic, monitor activities

Procedures

Clear, thorough, tested procedures help reduce confusion when tensions are high

Checklists

Notification procedures – legal, PR, law enforcement

Preparation: Communications

Define a communications plan

Email and phone may be down or compromised; make sure you have cell numbers

Identify alternate contacts

Don’t forget to include IT vendor, network provider, etc.

Test your calling tree at least annually

Keep paper copies and keep them up to date

Preparation: Testing and Practice

Perform incident handling tabletop exercises

When problems are identified, be sure to update procedures

Execution

Document all steps in a notebook

Helps to have one person working, another keeping notes

Measure twice, cut once… First, do no harm…

In other words, don’t be too hasty

Step back to see the forest for the trees

Mistakes Happen

“Success does not consist in never making mistakes, but in never making the same one a second time.” – George Bernard Shaw

Lessons Learned

Be sure to hold a lessons learned session after a breach

Hold within two weeks

Identify what failed and why

Implement fixes and update documentation

Resources

Local law enforcement, including FBI

Professional Security Organizations

ISSA

https://sites.google.com/site/northdakotaissa/

InfraGard

http://infragard-nd.org

SANS Reading Room

http://www.sans.org/reading_room/

SANS Incident Handling Forms

http://www.sans.org/score/incidentforms/

Summary

All sizes of organizations are being attacked

Vast majority of attacks are from outsiders – 92%

Verizon 2013 DBIR

Hacking constitutes the majority of attacks – 52%

Verizon 2013 DBIR

Incident response plans are key to recovery and limiting liability

There is a vast array of resources available to help you build your plan

Resources

An Incident Handling Process for Small and Medium Businesses

http://www.sans.org/reading_room/whitepapers/incident/incident-handling-process-small-medium-businesses_1791

Creating a Computer Security Incident Response Team (CSIRT)

http://www.cert.org/csirts/Creating-A-CSIRT.html

NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide

http://crsc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Corporate Incident Response – Why You Can’t Afford to Ignore It

http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-response.pdf

References

Ponemon Institute Survey for Hartford Steam Boiler

http://www.hsbwhistlestop.com/agents/express/2013/02/hsbSurvey.php

Verizon 2013 Data Breach Investigations Report

http://www.verizonenterprise.com/DBIR/2013/

Verizon 2012 Data Breach Investigations Report

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Symantec 2011 Internet Security Threat Report

http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf

Contact Me

msaunders.sec@gmail.com

@hardwaterhacker

http://hardwatersec.blogspot.com/

Questions?