A Framework for Cybersecurity Incident Response (InfraGard presentation; source: thehumanfirewall.org/wp-content/uploads/2015/08/...)


Page 1

A Framework for Cybersecurity Incident Response

Andy Sawyer, CISM, C|CISO

Director of Security

Locke Lord

Page 2

Let’s Begin With Today’s Top 10

Page 3

Cybersecurity: A Top 10 Threat

Damage to Reputation/Brand

Economic Slowdown/Recovery

Regulatory/Legislative Changes

Increasing Competition

Failure to Attract/Retain Top Talent

Failure to Innovate/Meet Customer Needs

Business Interruption

Third Party Liability

Cyber Risk (computer crime/hacking/virus)

Property Damage

Page 4

Survey Says

A survey of 815 companies across 19 industries found:

52% believe they will be hacked this year

Up from 39% last year

13% had a supplier data breach impact their business

59% expect more security incidents this year than last

Breaches reported last year:

81% of large firms

40% of midsize firms knew of a breach

60% of small firms

Page 5

You Have

Firewalls

IPS

Email Security

Web Security

NIDS

Advanced Malware Detection and Response

Data Loss Prevention

Endpoint AV/AS/AM

Endpoint Encryption

Encryption at Rest/In Motion

Page 6

And Yet

You have a breach

When, not if, this happens, someone is going to get blamed

Someone, maybe you, will need to provide information about your pre-breach preparedness and your breach response to:

Customers

Governmental entities

External stakeholders

Insurers

Page 7

Plan Of Attack

Plan on a successful attack

The best offense is a good defense

Be prepared to defend pre-attack business decisions and practices

You will be asked

What policies, procedures, technology and training did you have in place to mitigate the threat of a breach?

Don’t Start From Scratch

Use a Framework

What is standard for your Industry?

Page 8

NIST Framework Core

Page 9

First Things First

Let’s Be Reasonable

Don’t Forget to Due (spelling intentional)

Page 10

Reasonable

You don’t have to lead the pack in your industry, but don’t be the laggard

Know Your Enemy, Know Yourself (Sun Tzu Art of War)

Perform a risk assessment

Seek assessments from trusted security partners

Make sure insurance coverage (cyber, liability, professional, malpractice) is more than adequate and that you are in compliance with the policy.

http://www.businessinsurance.com/article/20150515/NEWS06/150519893

Page 11

Due Diligence

Measure of prudence, responsibility, and effort reasonably expected to avoid harm.

Reasonable research was done to gather information to:

Make the best decisions

Evaluate associated risk.

Before you implement protective measures, find out the vulnerabilities and weaknesses you are protecting against.

Sounds Reasonable

Page 12

Due Care

Acting responsibly and doing the right thing

A standard of performance that can reasonably be expected

A minimum level of protection in accordance with industry best practices

Reasonable actions were taken to:

Prevent a breach

Mitigate damage in the event of a breach

Practicing due care includes:

Security Policies

Countermeasures (Controls)

Security Awareness Training

Page 13

Cyber Incident Phases

Before

During

After

Page 14

Before A Cyber Incident

Identify “Crown Jewels”: mission-critical data and assets

Understand laws/regulations requiring compliance.

Perform a risk assessment

Identify threats, vulnerabilities, business impact

Implement supporting policies, controls, and training

Page 15

Prepare To Respond

Create/maintain an actionable incident response plan.

Have the technology in place to address an incident.

Have procedures in place for lawful network monitoring.

Legal counsel familiar with legal issues of cyber incidents

Align other policies (H/R, personnel) with incident response plan.

Develop proactive relationships with law enforcement, outside counsel, P/R firms, forensic firms

Page 16

A Lot Goes Into A Risk Assessment

Facility Access

Workforce Security Training

Incident Response

Backup

Disaster Recovery

Breach Notifications

Third Party Agreements

Access Controls

User Authentication

Digital Media/Asset Disposal

Email

Workstations

Cloud Computing

Mobile Devices

Passwords

Removable Media

Page 17

Performing A Risk Assessment

Use A Model

http://www.houston.org/policy/security.html

http://www.houston.org/policy/infrastructure.html

http://www.nist.gov/cyberframework/

Your Customer May Provide One

Page 18

Policies, Controls, Training

Policies

If you are not educating employees about policies, don’t expect policies to be followed.

Controls

What safeguards enforce what policies?

Compliance may dictate policy and controls

Training

Your people can learn, improve, get better.

They are your best firewall.

Page 19

Policies

Statement of management intent, expectations, direction

Must have a written security policy

It should be available to and reviewed with employees; otherwise:

Employees don’t know what is and is not allowed

You cannot:

Enforce confidentiality

Protect intellectual property/trade secrets

Page 20

You Need Policies For

Facility Access

Workforce Security Training

Incident Response

Backup

Disaster Recovery

Breach Notifications

Third Party Agreements

Access Control

User Authentication

Digital Media/Asset Disposal

Email

Workstations

Cloud Computing

Mobile Devices

Passwords

Removable Media

Page 21

Policy Samples

Data center access is restricted to IT personnel only.

Video surveillance is retained for 30 days.

Software installation is performed only by the help desk.

All removable media will be encrypted.

Company information is confidential. It may not be copied or shared without prior written approval.

Employees have no expectation of email privacy.

Two-factor authentication is required for all remote access.

Page 22

Controls

Administrative, physical and technical safeguards that ensure policy compliance

Preventive | Detective | Corrective | Compensatory
Security Awareness Training | System Monitoring | O/S Upgrade | Backup Generator
Firewall | IDS | Backup Data Restoral | Hot Site
Anti-Virus | Email Spam Filter/Quarantine | |
Web Filtering | | Server Isolation |
Security Guard | Motion Detector | Vulnerability Mitigation |
Locked Door | IPS | Penalties/Dismissal |

Page 23

Control Frameworks

ISO 27001/27002 – Information Security Standard

The 2005 edition of ISO 27002 has 11 sections and 133 controls; the 2013 edition has 14 sections and 114 controls. The sections listed below follow the 2005 layout.

Security Policy

Security Organization

Human Resources Security

Physical Security

Communications/Operations Management

Systems Development

Access Control

Incident Management

Business Continuity

Compliance

Page 24

Response Preparation

Written incident response policy and plan

Cross-departmental incident response team

Key Contacts list

Internal / External / Law Enforcement

Dry Run The Plan

Make Sure Employees Know

What normal looks like; when to report an incident, and to whom

Page 25

During A Cyber Incident

Implement your incident response plan

Initial assessment of incident scope/nature

Technical Glitch/User Error/Malicious Act

Minimize continuing damage

Collect and preserve data

Notify

Do Not

Use compromised systems

“Hack back” or intrude upon another network

Page 26

After A Cyber Incident

Recover to normal state as soon as possible without impeding investigation or contaminating evidence

65% of businesses that lose computing capability for more than one week never recover and subsequently go out of business.
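The “collect and preserve data” step of the response plan and the warning above about contaminating evidence during recovery both come down to one capability: being able to show later that what you hand to counsel, an insurer or law enforcement is exactly what you collected. The following is an added example, not part of the presentation, that hashes every artifact in an evidence directory into a manifest (collector, UTC timestamp, path, size, SHA-256) and re-verifies the directory against it. The directory layout, file names and log line are constructed for the demonstration; the example deliberately alters one file after collection to show the manifest catching it.

```python
"""Evidence-preservation helper: hash collected artifacts into a manifest,
then verify that nothing was lost or altered before recovery work started.
Added example for illustration; not code from the original presentation."""
import hashlib
import json
import os
import tempfile
import time
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file in 1 MiB chunks so disk images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: str, collector: str) -> Dict:
    """Record who collected what and when, plus each file's size and SHA-256."""
    files: List[Dict] = []
    for root, _dirs, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            files.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "collector": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": files,
    }


def verify_manifest(evidence_dir: str, manifest: Dict) -> Dict[str, str]:
    """Return {relative path: 'ok' | 'modified' | 'missing'} for every
    entry in the manifest. Extra files are ignored; they are not evidence."""
    results: Dict[str, str] = {}
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            results[entry["path"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[entry["path"]] = "modified"
        else:
            results[entry["path"]] = "ok"
    return results


def demo() -> Dict[str, str]:
    """Constructed scenario: two artifacts are collected, then someone
    'cleans up' the log on the live system before recovery. The manifest
    flags the log as modified while the memory image still verifies."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed sample artifacts (hypothetical host names and addresses).
        log_path = os.path.join(evidence_dir, "auth.log")
        with open(log_path, "w") as fh:
            fh.write("Aug 12 03:14:07 vpn sshd[4121]: Accepted password for "
                     "svc_backup from 203.0.113.45 port 51022 ssh2\n")
        with open(os.path.join(evidence_dir, "memory.raw"), "wb") as fh:
            fh.write(os.urandom(4096))

        manifest = build_manifest(evidence_dir, collector="IR analyst (constructed)")
        # In practice write this to write-once storage, not next to the evidence.
        with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)

        # Contamination: the log is appended to after collection.
        with open(log_path, "a") as fh:
            fh.write("Aug 12 09:00:00 vpn sshd[4121]: session closed\n")

        return verify_manifest(evidence_dir, manifest)


if __name__ == "__main__":
    print(demo())
```

Hashes alone do not make evidence admissible; the manifest is one link in the chain of custody and belongs with the custody log, on media the responders cannot alter. Run the collection from a clean workstation against images of the affected systems rather than on the compromised hosts themselves, which is the “do not use compromised systems” rule from the previous slide applied to evidence handling.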

Page 27

After A Cyber Incident

Continue communicating with internal/external stakeholders, law enforcement/DHS, and other possible victims

Continue monitoring for anomalous activity to ensure the intruder has been expelled and you have regained control of your network.

Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.

Page 28

Laws, Directives, Regulations

Horizontal Enactments

Texas HB300, Sarbanes-Oxley (SOX)

Vertical Enactments

Gramm Leach Bliley Act (GLBA)

HIPAA/HITECH

Computer Fraud and Abuse Act of 1986

Primary U.S. federal antihacking statute

Amended in 1988, 1994, 1996,

2001 by the Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act

2008 by the Identity Theft Enforcement and Restitution Act

Page 29

Initiatives, Standards, Agreements

Private Industry Initiatives

PCI DSS

Industry Standards

SAS 70 Audit/Certification (superseded by SSAE 16 in 2011)

SSAE 16 Type II

Contractual Agreements

Page 30

Laws, Directives, Regulations

Which Apply To You?

HIPAA

State Data Breach Notifications

Sarbanes Oxley

Payment Card Industry Data Security Standard

International Privacy/Security Laws

Federal Information Security Management Act

Gramm Leach Bliley Act

HITECH Act

Other

Page 31

Penalty Levels

Vary based on regulation, intent, negligence

The HHS Office for Civil Rights enforces HIPAA/HITECH; civil penalties range from $100 per violation up to $1.5M per year for violations of the same provision

Penalties are seen as effective enforcement

Criminal penalties may apply in addition to civil penalties

Page 32

Questions?

Page 33

Helpful Links

Today’s Presentation Is Available:

http://thehumanfirewall.org/presentations

https://www.houston.org/cybersecurity/

http://www.houston.org/policy/security.html

http://www.securingthehuman.org/

http://www.sans.edu/research/security-laboratory/article/security-controls

http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

www.justice.gov/criminal/cybercrime/docs/04272015reporting-cyber-incidents-final.pdf

http://www.iso27001security.com/html/27002.html