Cyber Incident Response: Step 1

Transcription

1 Cyber Incident Response: Step 1 Mary McLaughlin Cybersecurity Analyst Florida Fusion Center - FDLE Product #

2 6 STAGES OF INCIDENT HANDLING Preparation Identification Containment Eradication Recovery Lessons Learned

3 WHAT THREATS ARE THERE? System threats Information, networks, communications Safety & privacy threats Employees, customers, public Integrity threats Your reputation

4 REMEMBER WHEN YOU WALK INTO YOUR OFFICE, AND EVERYTHING IS UNDERWATER THAT IS NOT THE TIME TO FORMULATE YOUR PLAN

5 COMPUTER SECURITY INCIDENT RESPONSE PLAN Highest level support ALL groups & teams Outside contacts What is an incident? And who makes the call? Incident Manager

6 QUESTIONS YOU SHOULD KNOW THE ANSWERS TO What exactly is deployed on your network? Who is responsible for each component? What services are allowed? What services are denied? How do you stop an incident in progress? Whom do you notify of an incident? What evidence can your system provide? IF YOUARENOTSURE FIND OUT WHERE THE ANSWERS ARE!

7 WHAT EXACTLY IS DEPLOYED ON YOUR NETWORK? SOFTWARE Names Versions Patch level Proprietary OS HARDWARE Computers Switches/Hubs Routers VPN devices ARE THERE OTHER TRUSTED NETWORKS?

8 WHO IS RESPONSIBLE FOR EACH COMPONENT? Who makes the decisions? Who handles the software? Updates? Who handles the hardware? Who has what level of access? How many System Administrators? TERRY CHILDS

9 WHAT SERVICES ARE ALLOWED? WHAT ARE DENIED? What is allowed/denied physically? What is allowed/denied by policy? ALWAYS INVOKE A DEFAULT-DENY POLICY

10 HOW DO YOU STOP AN INCIDENT IN PROGRESS? Pull a cable? Flip a switch? Call someone?

11 WHOM DO YOU NOTIFY OF AN WHEN DO YOU CALL Supervisor? Sysadmin? Director/CEO? Employees? Law enforcement? The media? INCIDENT?

12 WHAT EVIDENCE CAN YOUR SYSTEM PROVIDE? How do you know something happened? What documentation is there? Do you know who/what was responsible? Will business recovery destroy evidence?

13 DEALING WITH THE MEDIA You initiate contact Facts vs. perceptions Have a fill-in-the-blank press release Always include a contact person Clear, consistent message

14 LIMITING VULNERABILITY Make rules Write them down Publish them Train Practice Audit

15 WHAT S THE BEST WAY OF DEALING WITH INCIDENTS? PREVENT THEM!

16 THIS IS WHAT YOU HAVE Rogues Renegades Delinquents Citizens Insider Threat Ecosystem presented by IDC at RSA 2006

17 8 RISKY EMPLOYEE PRACTICES Accessing the Internet using unsecured networks Sharing passwords Using the same username and password for several accounts Using personally-owned mobile devices to access the company network Leaving computers unattended outside work Not reporting a lost USB drive Failing to use privacy screen when working remotely Storing confidential data on un-encrypted USB drives

18 SOCIAL ENGINEERING Controlling and shaping people's attitudes and behavior by using knowledge of who they are and where they are from A term used among criminals for exploiting weaknesses in people, rather than software-- tricking someone into revealing security information Reformed hacker Mitnick exposes the tricks of social engineering

19 COMBATTING THE SOCIAL ENGINEER Never to give out passwords or confidential information over the phone Update your security policy to specifically address social engineering attacks Conduct regular employee awareness training

20

21 PARTNERS IN TRAINING Departments of: Law Enforcement Education Corrections Health FSU & FAMU Civitan Club Rotary Club Health Care Compliance Assn. Miami Dade County Blue Cross/Blue Shield Tallahassee Memorial Florida SROs Citizens State Bank Florida Airport Council Prof. Women s Forum Big Bend Fraud Task Force

22 CSAFE TOPICS

23 FINALLY We will Work to your schedule Focus on the topics you ask for Include your security policies in our training Conduct train-the-trainer classes Did I mention FREE?

24 QUESTIONS? Mary McLaughlin Florida Fusion Center Florida Dept of Law Enforcement (850)