Ic Sconf2010presentation Dp Bh

ICS Data Protection Conference 2010

Data Breach !!What Next?

2nd Annual ICS Data Protection Conference


Infosec Professional Certainties


Typical IT Security

3


But …


Controls Will be Bypassed


Traditional Incident Response

Adhoc & Unplanned

Deal with it as it happens

Prolonged Recovery Times

Damage to Company

Lack of Metrics

Legal Issues

Bad Guys/Gals Getting Away


IT Manager In Line Of Fire


Why Improve Incident Response?

Fail to Prepare – Prepare to Fail

http://images.google.ie/imgres?imgurl=http://image.guardian.co.uk/sys-images/Football/Pix/pictures/2006/08/28/keane1.jpg&imgrefurl=http://sport.guardian.co.uk/Football/News_Story/0,,1860505,00.html&h=128&w=128&sz=7&hl=en&start=61&tbnid=99jbJEV0mODweM:&tbnh=85&tbnw=85&prev=/images?q=roy+keane&start=54&ndsp=18&svnum=10&hl=en&lr=&sa=N

http://images.google.ie/imgres?imgurl=http://andrewfalconer.com/slave/images/keano.jpg&imgrefurl=http://andrewfalconer.com/slave/&h=243&w=250&sz=21&hl=en&start=329&tbnid=YPvsas2UVXoXfM:&tbnh=108&tbnw=111&prev=/images?q=roy+keane&start=324&ndsp=18&svnum=10&hl=en&lr=&sa=N


Why Improve Incident Response?

http://images.google.ie/imgres?imgurl=http://www.iiea.com/image/renderImage/624&imgrefurl=http://www.iiea.com/videos&usg=__WcuTpRhySvYmzkb4sL7tup-wqw8=&h=179&w=239&sz=11&hl=en&start=15&itbs=1&tbnid=M8MW8puODCGznM:&tbnh=82&tbnw=109&prev=/images%3Fq%3D%2522billy%2Bhawkes%2522%26hl%3Den%26sa%3DN%26gbv%3D2%26ndsp%3D18%26tbs%3Disch:1

http://www.dataprotection.ie/


So Far in 2010

http://www.boards.ie/?

http://images.google.ie/imgres?imgurl=http://www.isical.ac.in/~fire/2008/images/google_logo.jpg&imgrefurl=http://www.isical.ac.in/~fire/2008/index.html&usg=__41o8-wnCGNfB3KZ76JFsFgeNRxo=&h=1500&w=3600&sz=277&hl=en&start=1&um=1&tbnid=o78WRIXSFwEmKM:&tbnh=63&tbnw=150&prev=/images?q=google+logo&hl=en&sa=N&um=1

http://images.google.ie/imgres?imgurl=http://www.westcongroup.com/media/jpg/logo_juniper.jpg&imgrefurl=http://forums.juniper.net/t5/The-Network-Ahead/Upcoming-Juniper-Corporate-Event-October-29-2009/ba-p/28714;jsessionid=FBAAD58364826A19C4075D31A0E33604&usg=__sa4bgjfB7jyMp3vJrb8kfM4qMN0=&h=243&w=1052&sz=104&hl=en&start=43&um=1&tbnid=8ziTOAbSaf0OLM:&tbnh=35&tbnw=150&prev=/images?q=juniper+logo&ndsp=18&hl=en&sa=N&start=36&um=1

http://images.google.ie/imgres?imgurl=http://horizoncare1.com/images/links/yahoo%20logo.bmp&imgrefurl=http://horizoncare1.com/links.aspx&usg=__k0mRbU5Xicw_QcsmkP9S-s7yuN8=&h=245&w=350&sz=168&hl=en&start=35&um=1&tbnid=DhiLU1QA4OQwrM:&tbnh=84&tbnw=120&prev=/images?q=yahoo+logo&ndsp=18&hl=en&sa=N&start=18&um=1

http://images.google.ie/imgres?imgurl=http://www.pycomall.com/images/P/adode.jpg&imgrefurl=http://www.pycomall.com/product.php?productid=18393&usg=__pnBh4mwaGosOmOhN6agmfpQiWO8=&h=400&w=400&sz=37&hl=en&start=13&um=1&tbnid=fiGuCqZwD0F4GM:&tbnh=124&tbnw=124&prev=/images?q=adobe+logo&ndsp=18&hl=en&sa=N&um=1

http://images.google.ie/imgres?imgurl=http://farm4.static.flickr.com/3196/2814328816_495e6d0341.jpg&imgrefurl=http://flickr.com/photos/mbites/2814328816/&usg=__FzK1wAMa5Na3nEPq4ZzWVoMzwQc=&h=216&w=500&sz=15&hl=en&start=37&um=1&tbnid=VHdZkFic3LGI2M:&tbnh=56&tbnw=130&prev=/images?q=techcrunch+logo&ndsp=18&hl=en&sa=N&start=36&um=1

http://images.google.ie/imgres?imgurl=http://citybration.com/buff/images/stories/northropgrumman-logo-11-24-08.jpg&imgrefurl=http://citybration.com/buff/index.php?option=com_content&view=article&id=19&Itemid=38&usg=__78_387fcphiFTRiPGWOtGlrCOeY=&h=238&w=1325&sz=105&hl=en&start=22&um=1&tbnid=3B-GNCWNWb0nGM:&tbnh=27&tbnw=150&prev=/images?q=northrop+grumman+logo&ndsp=18&hl=en&sa=N&start=18&um=1

http://images.google.ie/imgres?imgurl=http://www.palladiums.com/z/images/stories/vendor/symantec_logo.gif&imgrefurl=http://www.palladiums.com/z/index.php?option=com_content&view=article&id=7&Itemid=8&usg=__oRsfcM2H-ElsxtWvocmaOkAcBqc=&h=672&w=2126&sz=139&hl=en&start=2&um=1&tbnid=D-H7COkLlkyKrM:&tbnh=47&tbnw=150&prev=/images?q=symantec+logo&hl=en&um=1

http://images.google.ie/imgres?imgurl=http://edspumps.com/UploadMediaFiles/image//DOW%20CHEMICAL%20LOGO%20-01.jpg&imgrefurl=http://edspumps.com/watertreat_arsenic.asp&usg=__YuxTuY1pPspaZFP1bnOEAUbVO18=&h=485&w=1259&sz=136&hl=en&start=3&um=1&tbnid=zLKWxUK5d8puBM:&tbnh=58&tbnw=150&prev=/images?q=dow+chemicals+logo&hl=en&um=1

http://images.google.ie/imgres?imgurl=http://web.mit.edu/lucha/www/logo_exxonmobil.jpg&imgrefurl=http://web.mit.edu/lucha/www/eccsf_reg.htm&usg=__1__K3Oqd-3BsFsGgygrHN-XK0yI=&h=553&w=2765&sz=288&hl=en&start=1&um=1&tbnid=pAgyjks5l5dLKM:&tbnh=30&tbnw=150&prev=/images?q=exxon+mobil+logo&hl=en&um=1

http://images.google.ie/imgres?imgurl=http://www.recruitni.com/graphics/logos/ladbrokes%20logo.jpg&imgrefurl=http://www.recruitni.com/Job/Description.aspx?JobID=125875&usg=__BgG_dQmsmjRkN8oiSPejU3SNSZU=&h=148&w=591&sz=50&hl=en&start=33&um=1&tbnid=UcZLgg6rQ5RWeM:&tbnh=34&tbnw=135&prev=/images?q=ladbrokes+logo&ndsp=18&hl=en&sa=N&start=18&um=1


Increasing Number of Irish Incidents

WWW.IRISS.IE• Membership is Free

http://www.iriss.ie/


Establish Team

Information Security Operations Human

Resources Legal Public Relations

Facilities Management


Set up Alerting Mechanisms


Identify Tools


Standard Operating Procedures


Agree Authority of IRT


Establish External Relationships


Practise Makes Perfect


Response Process


Don’t


Do Nothing !!


Contain the Incident


Eradicate the Root Cause


Recover Systems


Monitor


Communicate Regularly


Disclosure?


More information

• C S IRT H andbookh t tp : / /www.c e rt .o rg /a rc h i v e /p d f/c s i r t -h a n d b o o k .p d f

• Forming an Inc ident Response Teamh t tp : / /www.a u s c e rt .o rg .a u /re n d e r .h t ml ? i t= 2 2 5 2

• Incident R esponse W hite P aper – B H C onsulti ng

h t tp : / /www.b h c o n s u l t i n g . i e / In c i d e n t% 2 0 Re s p o n s e % 2 0 W h i te % 2 0 Pa p e r .p d f

• R FC 2350: E xpec tations for Computer S ecurity Incident R esponseh t tp : / /www.rfc -a rc h i v e .o rg /g e t rfc . p h p ? rfc = 2 3 5 0

• O rganisational Models for C omputer S ecuri ty Inc ident Response Teamsh t tp : / /www.c e rt .o rg /a rc h i v e /p d f/0 3 h b 0 0 1 . p d f

• The S A N S Ins titute’s Reading R oomh t tp : / /www.s a n s .o rg /re a d i n g _ ro o m

http://www.cert.org/archive/pdf/csirt-handbook.pdf

http://www.auscert.org.au/render.html?it=2252

http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf

http://www.rfc-archive.org/getrfc.php?rfc=2350

http://www.cert.org/archive/pdf/03hb001.pdf

http://www.sans.org/reading_room


More Resources

• Guidelines for Evidence Collection and Archiving (RFC 3227)

http://www.ietf.org/rfc/rfc3227.txt

• Resources for Computer Security IncidentResponse Teams (CSIRTs)

http://www.cert.org/cs irts /resources .html

• RFC 2196: Site Security Handbookhttp://www.faqs.org/rfcs/rfc2196.html

• ENISA Step by Step Guide for setting up CERTShttp://enisa.europa.eu/doc /pdf/del iverables/eni sa_cs irt_setti ng_up_guide.pdf

• CSIRT Case Classification (Example for enterprise CSIRT)http://www.firs t.org/resources /guides/csi rt_case_classification.html

http://www.ietf.org/rfc/rfc3227.txt

http://www.cert.org/csirts/resources.html

http://www.faqs.org/rfcs/rfc2196.html

http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf

http://www.first.org/resources/guides/csirt_case_classification.html


Questions?

[email protected]

www.twitter.com/brianhonanwww.bhconsulting.ie/securitywatch

Tel : +353 – 1 - 4404065

mailto:[email protected]

http://www.bhconsulting.ie/

http://www.twitter.com/brianhonan

http://www.bhconsulting.ie/securitywatch


Thank you

Ic Sconf2010presentation Dp Bh

Technology

Transcript of Ic Sconf2010presentation Dp Bh