You’ve been hacked, now what? By Wild Wild West

Post on 23-Feb-2016

48 views 0 download

Tags:

description

You’ve been hacked, now what? By Wild Wild West. Agenda. Overview What we did do Alternative Solutions Best solution: CSIRT. What we did do…. Technical Team Easy solution Patches/Updates Rebuilt. What we did do…. Business Team Senior management, legal, public relation - PowerPoint PPT Presentation

Transcript of You’ve been hacked, now what? By Wild Wild West

You’ve been hacked, now what? By Wild Wild West

Agenda

• Overview• What we did do• Alternative Solutions• Best solution: CSIRT

What we did do…

• Technical Team– Easy solution– Patches/Updates– Rebuilt

What we did do…

• Business Team – Senior management, legal, public relation– Report incident to law enforcement/government

agency– Notify business partners and investors– Decision

Downtime

• Cost per week (total $352,500) :– 2 Acoustic Engineers (consultant): $15,000– Management (5 people): $25,000– Non IT Staff (30 people): $62,500– Delay in launch: $250,000

Solution Alternatives

Alternatives Considered

1. Hire outside consultants

2. Technology-based HW/SW solution

3. Computer Security Incident Response Team (CSIRT)

InfoSecurity Consulting Firm

• $20k - $200k+ depending on scope and deliverables

• Forensics-only approach likely to be inconclusive

• Expanded scope well beyond our budget• Plus, likely to lead to further expenditures

Let Tech Solve the Problem?

• Another wide spectrum of options…

Let Tech Solve the Problem?

• Another wide spectrum of options…A. Tier I enterprise class

solution?

Tier I

Let Tech Solve the Problem?

• Another wide spectrum of options…A. Tier I enterprise class

solution?B. Homegrown

Approach?

Tier I Open Systems

Let Tech Solve the Problem?

• Another wide spectrum of options…A. Tier I enterprise class

solution?B. Homegrown

Approach?

Tier I Open Systems

Let Tech Solve the Problem?

• Another wide spectrum of options…A. Tier I enterprise class

solution?B. Homegrown

Approach?C. Something in

between?

Tier I Open Systems

What We Did Decide…

• Conduct Nessus scan of our network• Plug all high and medium risk firewall

vulnerabilities identified• ADDED! open source IDS product for faster

recognition of attempted attacks or successful exploits

What We Did Decide…

• Conduct Nessus scan of our network• Plug all high and medium risk firewall

vulnerabilities identified• ADDED! open source IDS product for faster

recognition of attempted attacks or successful exploits

• But! We didn’t stop there…

Computer Security Incident Response Team (CSIRT)

Disaster Recovery Style

Security Preparation

Prevention Recovery

Computer Security Incident Response Team

PurposeAfter a Major Security Incident:

• To be able to quickly and efficiently make and execute decisions that are the best for the organization

Computer Security Incident Response Team (CSIRT)

Roles– Team manager and backup team manager– Technical/Security expert– Executive– Legal expert– PR specialist– HR specialist

Computer Security Incident Response Team (CSIRT)

Roles Example:– Team manager and backup team manager

• (IT Director, Sys Admin)– Technical/Security expert

• (IT Director, Sys Admin)– Executive

• (CEO)– Legal expert

• (CEO)– PR specialist

• (Marketing Director)– HR specialist

• (HR Director)

Computer Security Incident Response Team (CSIRT)

Tasks– Respond quickly to a Major Security Event.– Analyze the incident– Respond to the incident in the context of the

organization as a whole• Law enforcement• Communications to employees• Legal obligations• Upstream, downstream and third party communication• Forensics

Computer Security Incident Response Team (CSIRT)

Benefits– Monetary benefits• Know the real cost of what happened• Prevent wasted time/resources of employees

– (calculation here)

– Psychological benefits• Keeps key players calmer• Keeps you from making (the wrong) decision• May help you save your job

Q & A