You’ve been hacked, now what? By Wild Wild West
Transcript of You’ve been hacked, now what? By Wild Wild West
Agenda
• Overview
• What we did do
• Alternative solutions
• Best solution: CSIRT
What we did do…
• Technical team
– Easy solution
– Patches/updates
– Rebuilt
What we did do…
• Business team – senior management, legal, public relations
– Report incident to law enforcement/government agency
– Notify business partners and investors
– Decision
Downtime
• Cost per week (total $352,500):
– 2 acoustic engineers (consultants): $15,000
– Management (5 people): $25,000
– Non-IT staff (30 people): $62,500
– Delay in launch: $250,000
Solution Alternatives
Alternatives Considered
1. Hire outside consultants
2. Technology-based HW/SW solution
3. Computer Security Incident Response Team (CSIRT)
InfoSecurity Consulting Firm
• $20k – $200k+ depending on scope and deliverables
• Forensics-only approach likely to be inconclusive
• Expanded scope well beyond our budget
• Plus, likely to lead to further expenditures
Let Tech Solve the Problem?
• Another wide spectrum of options…
A. Tier I enterprise-class solution?
B. Homegrown approach?
C. Something in between?
[Diagram: spectrum from Tier I to Open Systems]
What We Did Decide…
• Conduct Nessus scan of our network
• Plug all high- and medium-risk firewall vulnerabilities identified
• ADDED! Open source IDS product for faster recognition of attempted attacks or successful exploits
• But! We didn’t stop there…
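The first two decisions on this slide (scan, then fix every high- and medium-risk finding) are a triage workflow, and the usual input to it is the scanner's .nessus export. The script below is an added example, not code from the presentation or from the team it describes: it parses a constructed, minimal .nessus v2 file (fictitious RFC 5737 hosts, made-up plugin IDs and names), keeps only findings at Medium severity or above, and lists the protocol/port pairs per host that need to be checked against the firewall policy. Real exports carry many more attributes and child elements per ReportItem; the attribute names used here (severity, port, protocol, svc_name, pluginID, pluginName) are the ones the v2 format uses.

```python
"""Triage a Nessus (.nessus v2) export: list Medium/High/Critical findings
per host so the firewall and patching work can be prioritised.

Added example, not from the presentation. SAMPLE_NESSUS is a constructed
file with fictitious hosts and plugin IDs.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus severity scale: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export (not real scan output).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="perimeter scan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-fqdn">fw.example.test</tag>
      </HostProperties>
      <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="3" pluginID="10001" pluginName="Telnet service detected (constructed)">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="161" svc_name="snmp" protocol="udp" severity="2" pluginID="10002" pluginName="SNMP default community (constructed)">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="10003" pluginName="Traceroute (constructed)">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.20">
      <HostProperties/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="1" pluginID="10004" pluginName="HTTP banner (constructed)">
        <risk_factor>Low</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="10005" pluginName="SMB remote code execution (constructed)">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml, min_severity=2):
    """Return findings with severity >= min_severity (default: Medium and up)
    as a list of dicts, sorted highest severity first, then host, then port."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev < min_severity:
                continue
            findings.append({
                "host": hostname,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": sev,
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
            })
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def exposed_ports_by_host(findings):
    """Map host -> sorted 'proto/port' strings that carry a qualifying finding.
    Port 0 entries are host-level findings (no listening service) and are skipped.
    Anything in this map that is reachable through the firewall needs either a
    rule change or a patch."""
    ports = defaultdict(set)
    for f in findings:
        if f["port"] > 0:
            ports[f["host"]].add(f"{f['protocol']}/{f['port']}")
    return {h: sorted(p) for h, p in ports.items()}


def format_report(findings):
    """One line per finding: severity, host, proto/port, service, plugin name."""
    return "\n".join(
        f"{SEVERITY_NAMES[f['severity']]:8} {f['host']:15} "
        f"{f['protocol']}/{f['port']:<5} {f['service']:8} {f['name']}"
        for f in findings
    )


if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS)
    print(format_report(found))
    print(exposed_ports_by_host(found))
```

With the sample data the Info and Low items are dropped and three findings remain (Critical on 192.0.2.20 tcp/445, High on 192.0.2.10 tcp/23, Medium on 192.0.2.10 udp/161); lowering min_severity to 0 returns all five. Feed a real export to parse_findings by reading the file into a string.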
Computer Security Incident Response Team (CSIRT)
• Disaster-recovery style
[Diagram: Security Preparation, Prevention, Recovery]
Computer Security Incident Response Team
Purpose
After a major security incident:
• To be able to quickly and efficiently make and execute the decisions that are best for the organization
Computer Security Incident Response Team (CSIRT)
Roles
– Team manager and backup team manager
– Technical/security expert
– Executive
– Legal expert
– PR specialist
– HR specialist
Computer Security Incident Response Team (CSIRT)
Roles example:
– Team manager and backup team manager (IT Director, Sys Admin)
– Technical/security expert (IT Director, Sys Admin)
– Executive (CEO)
– Legal expert (CEO)
– PR specialist (Marketing Director)
– HR specialist (HR Director)
Computer Security Incident Response Team (CSIRT)
Tasks
– Respond quickly to a major security event
– Analyze the incident
– Respond to the incident in the context of the organization as a whole
• Law enforcement
• Communications to employees
• Legal obligations
• Upstream, downstream and third-party communication
• Forensics
Computer Security Incident Response Team (CSIRT)
Benefits
– Monetary benefits
• Know the real cost of what happened
• Prevent wasted time/resources of employees
– (calculation here)
– Psychological benefits
• Keeps key players calmer
• Keeps you from making (the wrong) decision
• May help you save your job
Q & A