Ic Sconf2010presentation Dp Bh

ICS Data Protection Conference 2010: Data Breach !! What Next? 2nd Annual ICS Data Protection Conference

description

My presentation on how to handle a data breach at the 2nd Annual Data Protection Conference run by the Irish Computer Society

Transcript of Ic Sconf2010presentation Dp Bh

Page 1: Ic Sconf2010presentation Dp Bh

ICS Data Protection Conference 2010

Data Breach !! What Next?

2nd Annual ICS Data Protection Conference

Page 2: Ic Sconf2010presentation Dp Bh

Infosec Professional Certainties

Page 3: Ic Sconf2010presentation Dp Bh

Typical IT Security

Page 4: Ic Sconf2010presentation Dp Bh

But …

Page 5: Ic Sconf2010presentation Dp Bh

Controls Will be Bypassed

Page 6: Ic Sconf2010presentation Dp Bh

Traditional Incident Response

Ad hoc & Unplanned

Deal with it as it happens

Prolonged Recovery Times

Damage to Company

Lack of Metrics

Legal Issues

Bad Guys/Gals Getting Away

Page 7: Ic Sconf2010presentation Dp Bh

IT Manager In Line Of Fire

Page 10: Ic Sconf2010presentation Dp Bh

So Far in 2010

Page 11: Ic Sconf2010presentation Dp Bh

Increasing Number of Irish Incidents

WWW.IRISS.IE

• Membership is Free

Page 12: Ic Sconf2010presentation Dp Bh

Establish Team

• Information Security

• Operations

• Human Resources

• Legal

• Public Relations

• Facilities Management

Page 13: Ic Sconf2010presentation Dp Bh

Set up Alerting Mechanisms

Page 14: Ic Sconf2010presentation Dp Bh

Identify Tools

Page 15: Ic Sconf2010presentation Dp Bh

Standard Operating Procedures

Page 16: Ic Sconf2010presentation Dp Bh

Agree Authority of IRT

Page 17: Ic Sconf2010presentation Dp Bh

Establish External Relationships

Page 18: Ic Sconf2010presentation Dp Bh

Practice Makes Perfect

Page 19: Ic Sconf2010presentation Dp Bh

Response Process

Page 20: Ic Sconf2010presentation Dp Bh

Don’t

Page 21: Ic Sconf2010presentation Dp Bh

Do Nothing !!

Page 22: Ic Sconf2010presentation Dp Bh

Contain the Incident

Page 23: Ic Sconf2010presentation Dp Bh

Eradicate the Root Cause

Page 24: Ic Sconf2010presentation Dp Bh

Recover Systems

Page 25: Ic Sconf2010presentation Dp Bh

Monitor

Page 26: Ic Sconf2010presentation Dp Bh

Communicate Regularly

Page 27: Ic Sconf2010presentation Dp Bh

Disclosure?

Page 28: Ic Sconf2010presentation Dp Bh

More information

• CSIRT Handbook

http://www.cert.org/archive/pdf/csirt-handbook.pdf

• Forming an Incident Response Team

http://www.auscert.org.au/render.html?it=2252

• Incident Response White Paper – BH Consulting

http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf

• RFC 2350: Expectations for Computer Security Incident Response

http://www.rfc-archive.org/getrfc.php?rfc=2350

• Organisational Models for Computer Security Incident Response Teams

http://www.cert.org/archive/pdf/03hb001.pdf

• The SANS Institute’s Reading Room

http://www.sans.org/reading_room

Page 29: Ic Sconf2010presentation Dp Bh

More Resources

• Guidelines for Evidence Collection and Archiving (RFC 3227)

http://www.ietf.org/rfc/rfc3227.txt

• Resources for Computer Security Incident Response Teams (CSIRTs)

http://www.cert.org/csirts/resources.html

• RFC 2196: Site Security Handbook

http://www.faqs.org/rfcs/rfc2196.html

• ENISA Step by Step Guide for setting up CERTS

http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf

• CSIRT Case Classification (Example for enterprise CSIRT)

http://www.first.org/resources/guides/csirt_case_classification.html

Page 30: Ic Sconf2010presentation Dp Bh

Questions?

[email protected]

www.twitter.com/brianhonan

www.bhconsulting.ie/securitywatch

Tel : +353 – 1 - 4404065

Page 31: Ic Sconf2010presentation Dp Bh

Thank you