Creating the Enterprise CSIRT: Building the ecrime Response Platform

Transcription

1 Creating the Enterprise CSIRT: Building the ecrime Response Platform Lic. Julio C. Ardita, CISM May 2010 Counter-eCrime ecrime Operations Summit (CeCOS)) IV Sao Paulo, Brasil

2 Agenda - Experiences in Incident Handling in Latinamerica -ReactionTime - Building of an Internal CSIRT in Latinamerican Companies 2

3 Experiences in Incident Handling in Latinamerica FT365 Incident Handling (*) Jan-Apr Operating areas: Argentina, Uruguay, Paraguay, Chile, Bolivia and Ecuador. 3

4 Experiences in Incident Handling in Latinamerica Internal CSIRT in LA companies Incident handling: The situation in Latinamerica (LA). We have observed internal CSIRTs in: banks, finance, insurance, retail and e-commerce companies. When an internal CSIRT is (or should be) created? Collaboration between internal CSIRTs and Government CSIRT. Cultural Impact: Planning, documentation, trust in people, communication, etc. 4

5 Experiences in Incident Handling in Latinamerica Internal CSIRT in LA companies Limited knowledge about legal aspects, digital evidence management and forensic analysis. Types of incidents handled: - Theft of sensitive information - Theft and loss of notebooks with sensitive data - Denial of service due to virus and worms - Financial fraud - Corporate sabotage (trojan horses) - Threats and false accusations through fake s - Phishing attacks to local banks and companies - Attacks to individuals (identity theft) 5

6 Experiences in Incident Handling in Latinamerica Internal CSIRT Maturity in LA Do nothing (85%) Incident management disorganized (8%) Formal incident management for the picture (meet audits) (4%) Formal incident management for real (2%) Internal CSIRT (<1%) 6

7 Experiences in Incident Handling in Latinamerica Current regulations - Colombia: Circ. Ext. 52/2007 Superintendencia Financiera. - Argentina: A4609 of BCRA. - Paraguay: MCIIEF of BCP. - Chile: SBIF regulations. -etc - PCI for processors, merchants, e-commerce, etc. 7

8 Experiences in Incident Handling in Latinamerica Current regulations - ISO 27001/2 - OAS / OEA Help Member States establish national 24/7 "alert, watch, and warning" teams, also known as Computer Security Incident Response Teams (CSIRT) through technical assistance and training; build the capacity of CSIRT personnel in Member States to comply effectively with the requirements established in the OAS Comprehensive Inter- American Strategy to Combat Threats to Cyber Security, and facilitate the creation and maintenance of a hemispheric network of CSIRT to promote the sharing of information and best practices. 8

9 Experiences in Incident Handling in Latinamerica Which are the usual activities of an internal CSIRT in a LA company? 9

10 Reaction Time Reaction time during a security incident During the first hours of an incident we will have all the company s attention on us. Is essential to make the most of that momentum as attention will start to decline (very) quickly. Nivel de Atención de la Gerencia durante un Incidente 120 % Nivel de Atención hs 12 hs 24 hs 48 hs 72 hs 96 hs Tiempo 10

11 Building of an Internal CSIRT in Latinamerican Companies Most of LA organizations do not have formal response teams for incident handling Since 2008 a growing number of companies have started to create internal CSIRTs. Key reasons are: - Companies had and still have serious incidents. - Regulation requires having incident response plans. - CSO proactively shows the need. 11

12 Building of an Internal CSIRT in Latinamerican Companies Most common issues Lack of knowledge of what a CSIRT is and does. No idea about incident handling issues until a serious incident happens. When a serious incident occurs, most organizations turn to external private information security companies and incidents rarely end up in Court. CSIRT maintenance over time within the organization. CSIRT is an evolution from Incident Management. 12

13 Building of an Internal CSIRT in Latinamerican Companies Experiences in building an internal CSIRT in LA Considerable coaching to explain the need and scope of an internal CSIRT. Development and adaptation of Incident Handling Policies and of a CSIRT Framework (no need to reinvent the wheel). Procedures development taking into account the organization. Training of all areas and levels involved. Operational testing. 13

14 Building of an Internal CSIRT in Latinamerican Companies Security Incident Handling Policies Topics to considerate: 1. Detection and notification of Security Incidents 2. Security Incident tracking 3. Evidence gathering 4. Recovery process of affected systems 5. Disciplinary process 14

15 Building of an Internal CSIRT in Latinamerican Companies Internal Incident Management Procedure: flow diagram Responsibilities - Users - Internal Audit - Human Resources - Management - Legal Affairs - Phisical Security - Help Desk - System Administrator - Information Security - Others areas 15

16 Building of an Internal CSIRT in Latinamerican Companies Internal Incident Management Procedure: flow diagram 16

17 Building of an Internal CSIRT in Latinamerican Companies Action List for Developing a Computer Security Incident Response Team (CSIRT) (*) 1) Identify stakeholders and participants. 2) Obtain management support and sponsorship. 3) Develop a CSIRT project plan. 4) Gather information. 5) Identify the CSIRT constituency. 6) Define the CSIRT mission. 7) Secure funding for CSIRT operations. 8) Decide on the range and level of services the CSIRT will offer. 9) Determine the CSIRT reporting structure, authority, and organizational model. 10) Identify required resources such as staff, equipment, and infrastructure. (*) 17

18 Building of an Internal CSIRT in Latinamerican Companies Action List for Developing a Computer Security Incident Response Team (CSIRT) (*) 11) Define interactions and interfaces. 12) Define roles, responsibilities, and the corresponding authority. 13) Document the workflow. 14) Develop policies and corresponding procedures. 15) Create an implementation plan and solicit feedback. 16) Announce the CSIRT when it becomes operational. 17) Define methods for evaluating the performance of the CSIRT. 18) Have a backup plan for every element of the CSIRT. 19) Be flexible. (*) 18

19 Conclusions The creation of CSIRTs within private organizations is growing due to increasingly security incident occurance. Is key to take advantage of the moment in which an incident occurs within the organization to promote an internal CSIRT. CSO should be supported by regulations and create consciousness in senior management on Incident Handling. 19

20 Thank You!!! / Obrigado!!! / Gracias!!! Lic. Julio C. Ardita, CISM jardita@cybsec.com May 2010 Counter-eCrime ecrime Operations Summit (CeCOS)) IV Sao Paulo, Brasil