Now What?
Reg Harnish, CISM, CISA, CISSP Chief Security Strategist
GreyCastle Security
June 5, 2013 NYS Cyber Security Conference
Comparing Responses
Audience Survey
1. Does your organization have an Incident Response Plan?
2. If yes, has your plan been tested?
3. If yes to 1 and 2, are you confident that your plan will be effective in the event of a real incident?
You’ve Been Hacked – Planning for Failure
Just don’t.
Put your response capabilities where your critical assets are
Develop your Incident Response Plan (IRP)
Build your Incident Response Team (IRT)
Define your Incident Management Team
Perform triage
Forensics
• Decide early if you’re going to litigate
• Forensics is not just bagging and tagging
• Record everything
• Make sure you’re logging
• Establish secure storage location(s)
• Leave it to the experts
Don’t touch anything
Compliance
• Understand your reporting requirements
  – 46 states and the Feds require reporting
  – NYS Information Security Breach and Notification Act
  – HIPAA HITECH, PCI, NERC CIP
  – Encryption, datatypes and volume change reporting requirements
  – “Reasonable” is basically undefined
• Use a recognized industry framework
Testing and Training
• If you don’t test, your plan isn’t prepared
• If you don’t train, your people aren’t prepared
• Train early and often
  – Table-topping
  – Simulations
• Budget for testing and training
• “A good shooter can make a bad gun shoot well”
Outsourcing
• Don’t be afraid to outsource, particularly for:
  – Forensics
  – Legal counsel
  – Public Relations
  – Tasks where specialized expertise is required
• Leverage experts where necessary, but not for:
  – Incident reporting
  – Incident Response coordination
• You can’t outsource liability
You’ve Been Hacked – Lessons Learned
Lessons – Legal
• Be prepared for litigation
• Allow your legal team to drive data retention and destruction requirements
• Decide if you plan to litigate before you respond
• Understand Cyber Liability Insurance – what it is and what it isn’t
Lessons – Public Relations
• Know what to say, who to say it to, and when to say it
• Learn the definition of “reasonable”
• Handle information leaks
• Develop communications templates
You’ve Been Hacked – Incident Response Standards
Standards in Incident Response
• NIST Computer Security Incident Handling Guide http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
• US-CERT Handbook for Computer Security Incident Response Teams (CSIRTs) www.cert.org/archive/pdf/csirt-handbook.pdf
• ENISA Incident Handling Process http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process
Reporting an Incident
• Internet Crime Complaint Center – www.ic3.gov
• Federal Bureau of Investigation – www.fbi.gov
• Information Sharing and Analysis Center(s)
• Local Police – 911
Final Thoughts
“Everybody has a plan until they get punched in the face.” - Mike Tyson
“We’ve been on a lot of adventures together, and it seems like you haven’t learned anything. Anything.” - Alan