T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Similar documents
Putting It All Together:

Cyber Risks in the Boardroom Conference

University of Pittsburgh Security Assessment Questionnaire (v1.7)

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

Credit Card Data Compromise: Incident Response Plan

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cybersecurity Auditing in an Unsecure World

Cyber Security Incident Response Fighting Fire with Fire

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

The Impact of Cybersecurity, Data Privacy and Social Media

Information Security Incident Response Plan

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Information Security Incident Response Plan

MANAGEMENT OF INFORMATION SECURITY INCIDENTS

Cybersecurity in Higher Ed

Incident Response: Are You Ready?

(c) Apgar & Associates, LLC

PTLGateway Data Breach Policy

Cybersecurity, safety and resilience - Airline perspective

What to do if your business is the victim of a data or security breach?

Incident Response Services

Cybersecurity The Evolving Landscape

The HIPAA Omnibus Rule

Engaging Executives and Boards in Cybersecurity Session 303, Feb 20, 2017 Sanjeev Sah, CISO, Texas Children s Hospital Jimmy Joseph, Senior Manager,

Oracle Data Cloud ( ODC ) Inbound Security Policies

01.0 Policy Responsibilities and Oversight

Security Breaches: How to Prepare and Respond

Lakeshore Technical College Official Policy

Information Security Risk Strategies. By

Cybersecurity Risk Oversight: the NIST Framework and EU approaches

Security and Privacy Governance Program Guidelines

Data Breach Preparation and Response. April 21, 2017

SECURITY & PRIVACY DOCUMENTATION

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

Security Policies and Procedures Principles and Practices

Summary Comparison of Current Data Security and Breach Notification Bills

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

Effective Strategies for Managing Cybersecurity Risks

encrypted, and that all portable devices (laptops, phones, thumb drives, etc.) be encrypted while in use and while at rest?

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

The Data Breach: How to Stay Defensible Before, During & After the Incident

DeMystifying Data Breaches and Information Security Compliance

IMPROVING NETWORK SECURITY

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

ADIENT VENDOR SECURITY STANDARD

Cyber Security. The Question of the Day. Sylint Group, Inc. How did we come up with the company name Sylint and what does it mean?

Building a Privacy Management Program

Breaches and Remediation

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

You ve Been Hacked Now What? Incident Response Tabletop Exercise

LCU Privacy Breach Response Plan

Cyber Insurance: What is your bank doing to manage risk? presented by

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Electronic Communication of Personal Health Information

Stopsley Community Primary School. Data Breach Policy

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Information Security Incident

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Cybersecurity and Nonprofit

Data Privacy Breach Policy and Procedure

Breaches and Remediation

Checklist: Credit Union Information Security and Privacy Policies

INTELLIGENCE DRIVEN GRC FOR SECURITY

Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007

NYDFS Cybersecurity Regulations

The Common Controls Framework BY ADOBE

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

How to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016

Sage Data Security Services Directory

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Data Use and Reciprocal Support Agreement (DURSA) Overview

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

Information Security Policy

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

The Honest Advantage

CA Security Management

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

Compliance with CloudCheckr

Incident Response Plans: The Emergency Shutoff Control for Cyber Risk. Tabitha Greiner, Acumera Chris Lietz, Coalfire

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

Hacking and Cyber Espionage

Audience. Overview. Enterprise Protection Platform for PCI DSS & HIPAA Compliance

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Cybersecurity and Hospitals: A Board Perspective

CCISO Blueprint v1. EC-Council

SDR Guide to Complete the SDR

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Taming the Data Breach Beast... because we all know it will happen. John Tomaszewski Seyfarth Shaw January 2015

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

locuz.com SOC Services

How will cyber risk management affect tomorrow's business?

Transcription:

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

Incident Response Clinic Kieran Norton Senior Manager, Deloitte First Things First Who am I? Who are you? Together we will: Review the current landscape and common challenges Outline best practices in developing an incident response program Review the primary steps in the incident response process Walk through 3-4 incident response scenarios (interactive) 2 1

The Threat Landscape http://www.privacyrights.org/ar/chrondatabreaches.htm#total, http://www.databreaches.net/, http://datalossdb.org/search?direction=desc&order=reported_date&page=1&query= 3 Drivers for Incident Response Unauthorized access laws Forces emphasis on types of sensitive information but not just about financial data anymore! Notice Encryption State may take action against you Reasonable security program standards / rules Forces focus on holistic approach Calls for incident response program Program must be documented, risk based, part of infosec program The yard stick by which you will be measured if you have a breach Federal Action / Consent decrees Do what you say you do Oversight Known vulnerabilities Private Actions Liability (state s laws) Contractual Obligations and Penalties (PCI) 4 2

Requirements Outpace Organizations Business organizations have been significantly impacted by the increase in regulatory and industry requirements (such as PCI) to report breaches of personally identifiable information (PII) to data subjects or business partners. Driven by Breach Notification Laws in nearly all states, breach notification requirements expose businesses to potentially significant losses arising from negative publicity, loss of reputation, regulatory fines and class action lawsuits. = No legislation enacted = Legislation enacted 5 Common Challenges In assisting clients dealing with breaches, we have noticed a few common challenges: Misunderstanding of risks, misplaced trust Limited understanding of where sensitive data is collected, used, stored, shared and destroyed Insufficient emphasis on secure coding practices and security QA Permissive Access No Information Classification Flat Architecture Duties Not Segregated Third-party Connectivity/Access No Asset Controls, Limited Physical Controls End-user Computing Vulnerabilities Limited Role and Activity Based Training/Guidance Limited Incident Response Capability Where the trouble starts: Disconnect between corporate privacy and security policies, actual operational practices and technology infrastructure 6 3

Are All Breaches Created Equal? Incidents can take many forms, not all will involve customer data or notification requirements, but all must be dealt with and the line between them is continuing to blur: Unauthorized access Malicious code / software Denial of Service Inappropriate usage (and behavior) Attempted access (probing, scanning, attacks, etc.) Compound incidents While many of the following discussion points will focus on breaches affecting consumers and related response, the material applies to all of the above and a strong incident response program will deal with multiple incident types 7 Incident Response Program Your IR program should be part of your overall information security and privacy program(s) Building an effective IR program requires businesses to better understand the threat and the target Organizations can proactively reduce the likelihood of a data breach by identifying data assets and evaluating business process risk throughout the data life cycle?? The program should be framework based and response should be: Thought through (considered, intentional, appropriate, complete) Risk-based Tactical and strategic 8 4

Incident Response Program (Cont.) Early issue spotting is critical: Lost data may have the same consequences as a hacking incident Notice (who to tell, what to tell and when) may not be simple Duties and obligations may not be clear and might conflict (customers, partners, regulatory agencies, law enforcement) Post-incident analysis is essential Address the root-cause Understand what went well, where there is room for improvement Update the program based on lessons learned Practice does not make perfect but it does make better Dusting off an old IT focused IR program will not work given the complexities discussed in the prior slides 9 Incident Response Framework Objectives of Incident Response Framework: Confirms or dispels whether an incident occurred (and to what extent) Promotes accumulation of accurate information for action by responders and management Establishes controls for proper retrieval and handling of evidence Protects privacy rights Minimizes disruptions to operations Establishes the foundation for legal or civil action against perpetrators Provides accurate reports and recommendations for improvement 10 5

Incident Response Overview Integration with overall risk management strategy Long-Term Risk Mitigation Incident response team & procedures Program Development /Plan Evaluation of enforcement options Enforcement Actions Response & Recovery Identification and containment Communication and broader response strategy (notice) Communication Documentation Root & Reporting Cause Analysis Forensics Analysis Impact and evidence Reporting Weakness identification 11 Responding to Incidents: Pre Incident Preparation Roles and communications should be defined IR Tools: Investigative Team Have your toolkit ready to Response Team go and update it on a Cross-functional Participation monthly or quarterly basis Executive Participation Response strategy formulated Policies and Procedures Training/Practice Pre-canned responses Involve the right people at the right time Detection mechanisms/monitoring Importance of logging and monitoring where, what, how Asset controls Patch/vulnerability management 12 6

Responding to Incidents: Pre-Incident Preparation (Cont.) Know where your data is! Data is an asset that carries value and risk 13 Responding to Incidents: Investigation Investigation: Obtain basic facts and establish the circumstances (question what you learn) Preserve evidence (chain of custody if warranted) Assess the nature and scope of the incident, id including which h customer information systems and what specific elements of customer information have been accessed or misused Consider a scenario based investigation approach in circumstances where the impact is known but the source of the breach is vague Worth Noting: Be calm and assertive stress and panic are contagious Logging and monitoring is critical to be able to detect and scope a breach too often clients find that they don t have sufficient logging in place when they need it most Many of the breaches we have responded to involved repositories of sensitive information that the client had not identified Know thyself: do you have the right skills to respond or do you need help? 14 7

Responding to Incidents: Investigation (Cont.) Response Strategy: Perform a risk assessment to enable the company to determine the scope and risk of the incident, and how to respond to the incident Perform appraisal of incident s impact on company systems, data or business. Consider: System downtime Number of users/customers effected Monetary loss incurred Reputation loss incurred Client losses (financial, reputation, etc.) Determine which, if any, regulatory and/or law enforcement agencies require notification, and whether there are additional notifications Worth Noting: You must involve your legal team, but be aware if you are taking action based on a literal or narrow interpretation of the facts and relevant law Beware the Gonzalez Effect 15 Responding to Incidents: A Note On Notification Are notifications required? Are there regulatory obligations that require notification? Are there contractual obligations that require notification? Are there other external parties that the company would choose to notify? Potential individuals/entities to notify include: Individuals/data subjects affected Third parties Law enforcement Regulatory authorities Insurance carrier 16 8

Responding to Incidents: Another Note On Notification It is not just about PII / financial information anymore CA SB1386 was amended to include medical information and health insurance data The sections of the American Recovery and Reinvestment Act 2009 known as The Health Information and Clinical Health Act provide grants and payment incentives for organizations to adopt and make meaningful use of technology designed to create and manage electronic health records ( EHR"s) Along with the grants and payment incentives, the legislation includes provisions intended to shore up public confidence in the use of EHRs and personal health records ( PHR s) by beefing up enforcement of and expanding the scope of businesses covered by the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) Privacy and Security Rules It is somewhat complex, but this includes: Expansion of the HIPAA rules Compliance audits Breach notification Civil and criminal penalties 17 Responding to Incidents: Containment & Recovery Containment and Isolation Determine when to stop investigation, and when to start containing/controlling Take appropriate steps to contain and control the incident to prevent further loss or harm while preserving records and other evidence for further investigations Recovery Take measures to address and mitigate any harm realized by the company, customers and partners Worth Noting: Recognize a practical dead end / point of diminishing returns Recovering from technical vulnerabilities may require vendor support, significant programming or significant security configuration Recovery may be a multi-phase process as you start with temporary fixes and work your way toward permanent remediation This effort is probably not in your budget or on your list of projects impact can be significant 18 9

Responding to Incidents: Post Mortem Post mortem analysis Determine root cause of incident, and determine appropriate mitigating actions Review the specifics of this response Identify lessons learned Improve response process Update training program Update threat/risk assessment if appropriate Practice does not make perfect but it does make better Worth Noting: Many organizations will get 90% of the way done, then get distracted by the day by day and the post mortem never happens 19 Breach Scenario #1 20 10

Breach Scenario #2 21 Breach Scenario #3 22 11

Contact Information Kieran Norton Senior Manager Deloitte kinorton@deloitte.com 415-783-5382 23 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback