incident response and forensics
DESCRIPTION
Incident Response and Forensics. A Call to Action for organizations. Evolution of Incident Response. Executive Concerns Legal Concerns Technical Concerns. Technical. Business . Compliance. Who Is Behind Data Breaches?. Resulted from External Agents Were Caused by Insiders - PowerPoint PPT PresentationTRANSCRIPT
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Incident Response and ForensicsA Call to Action for organizations
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
• Executive Concerns
• Legal Concerns
• Technical Concerns
Business ComplianceTechnical
2
Evolution of Incident Response
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Who Is Behind Data Breaches?
Resulted from External Agents
Were Caused by Insiders
Implicated Business Partners
Involved Multiple Partners
45%
31%
17%
7%
3
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
How Do Breaches Occur?
Involved Privileged Misuse
Resulted from Hacking
Utilized Malware
Employed Social Tactics
Comprised Physical Attacks
29%
24%
9%
16%
22%
4
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Demographics By Industry
32%
23%
6%
15%
Financial Services
Hospitality
Retail
Manufacturing
Tech Services
Business Services
Government
Media
Healthcare
Other
5%
4%
4%
4%3%
5%
5
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
What Commonalities Exist?
98% of all breaches came from servers
85% of attacks were not considered highly difficult
61% were discovered by a third party
86% of victims had evidence of the breach in their log files
96% of breaches were avoidable through simple or intermediate controls
79% of victims subject to PCI DSS had not achieved compliance
6
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Conclusions
• Attacks are being more elaborate, with custom and targeted malware being developed
• Encryption is being bypassed at different layers
• Lax host and network security
• Easy entry for attackers.
• Passwords are paramount. Defaults need to be changed before even plugging in.
7
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Credit Card Breach
Why should you care if your card is compromised?• Personal liability
• Unauthorized Recurring Charges
• Potential downtime
Inconvenience? Yes.
Major Issue? Generally Not.
8
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Credit Card Breach
Card Brands• Reduced consumer confidence
in the payment system– Loss of revenue– Brand damage
• Investigation costs• Litigation costs
Bank• Customer service costs– Notifications cost– Re-issue cards cost
• Investigation costs• Litigation
Who Cares?
9
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Credit Card Breach
Merchants• Brand damage?
– Brick and Mortar vs. Online• Investigation costs
– $12k to well over $1M• Remediation costs
– $5k to well in the Millions• Increase in transaction fee rates
– Big ticket item• Immediate Fines from Brands• Litigation costs
– Legal, Experts
Who Cares?
10
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study # 1
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study 1
Strengths• Multi-layered Firewalls between
Corporate and the Retail locations.• Segmented POS networks.• Encryption from the Back of House
server to Payment Switch.
Weaknesses• ACL’s not well defined.• Multi-homed Servers bypassed Access
Control List (ACL)’s.• Outbound filtering was not
protocol aware.
PCI Level 1 Retail Merchant
12
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study 1Network Layout
13
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study 1Attacked Network
14
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study 1
• The attacker defeated the protection of encryption before the data even hit the application.
• The data was sniffed and parsed in a nice neat packaged format.
• Weak passwords were the originations downfall which allowed the attacker to fan out to several hundred systems.
• Attacker made use the publicside of the multi-homed system to exploit and explore other systems.
• Lack of protocol awareness filtering.
Examination Findings
15
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study # 2
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Case Study 2
Strengths• Small, “should be” an easy to manage
infrastructure.• Encryption from the POS Terminals to
POS Back of House with Encryption to the Payment Switch.
Weaknesses• ACL’s not well defined.• Multi-homed Servers. One leg connected the
internet, the other to the internal LAN.• Remote support often left wide open.
(e.g. PcAnywhere, VNC, RDP).
A Level 4 Merchant & Level 1 Service Provider
17
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
PCI Breach Process
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Identification
The Merchant ID is being identified by one of the card brands as Common Point of Purchase (CPP) based on fraudulent transactions
• Analysis leads to isolation of activity
19
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Identification
• Immediately contain and limit the exposure.
• Prevent further loss of data by conducting a thorough investigation of the suspected or confirmed compromise of information.
• Alert all necessary parties immediately.
– Your internal information security group and incident response team.
– Your merchant bank.
– Your local office of the United States Secret Service.
What To Do
20
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Investigation
• You need to contract with a PCI Forensic Investigator (PFI)
• 7 approved vendors in the US
• “PFI of Record”
• Forensic investigation
• Lengthy
• Expensive
• Invasive
http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf
21
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
PFI Onsite
• Forensic Analysis of (potentially) affected systems
• Breached internet-facing systems (for example, ecommerce sites) must not be brought online until
– QIRA report accepted by VISA
– Remediation actions completed
• Forensic Investigation can go into business partners, suppliers, service providers
22
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Remediation
• Become Level 1
• Remain for one year minimum
• Perform a complete Level 1 Assessment
• Fixing the problems
• HUGE expense to organization ($MM)
• Both hard and soft costs– Major retailer replaced ½
their POS systems• 2500 stores
– Enterprise Encryption– Network Redesign
23
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Litigation
• Fines
• Non-compliance fines ($5-25k/$$M)
• Increase in credit card transaction fees
• Mandates for other regulations
– FTC
• Lawsuits
• Plaintiff costs
• Trickle effect? Are others vulnerable?
– What does the trust model look like?
– Does a breach of one affect others?
24
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
5 Biggest Technical Mistakes In Response to a Breach
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Technical Mistake # 1Delaying Actions
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Delaying Actions
Time is one of the biggest enemies in responding to a breach.
• Think of the “golden hour” rule – same applies to IR and investigations.
Organizations need to pre-plan through
“what if” scenarios because at some point in time an
incident will happen.
27
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Technical Mistake # 2Change
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Change
• Giving the nature of electronic evidence and computing systems, data is constantly changing from second to second.
• Organizations need to adhere to a “change freeze” policy in the event of a data security breach so they may capture the best evidence possible.
• If an organization cannot hold changes then a full system backup or image should be taken.
29
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Technical Mistake # 3Over / Under Reacting
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Overreacting
• Organizations will move into an over reacting state rather quickly, whereby they will inadvertently change, or destroy critical evidence.
• In most cases, this is due to the lack of planning, or experience within the organization.
31
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Underreacting
• Just the opposite of over reacting, some organizations will under react whereby not notifying parties in a timely fashion.
• Some will brush the event off as an anomaly.
32
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Technical Mistake # 4Inexperience
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Inexperience
• More often organizations will call the “IT” guy to come review the systems.
– Mainly seen to be an issue with smaller organizations.
• An experienced staff or firm needs to be ready to act in a timely manner to limit the exposure of the compromise.
• Proper training is paramount and the benefits and importance of training are especially important given the constant changes in today’s technology.
34
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Inexperience
• Users can be a major source of security breaches if they are not knowledgeable concerning security policy and acceptable computer/network usage.
• The bottom line is organizations need to continuously train and educate users. Proper security awareness training should be done on a regular basis.
35
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Technical Mistake # 5Inconclusive Findings
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
Inconclusive Findings
• More often than not, organizations will have one or more areas where data is inconclusive to support the investigation.– No supporting evidence at the border
(Firewalls, Router, or IDS/IPS)
• If logging is not enabled, an organization will have no way to detect if they are compromised. – Logging also allows the investigators
to trace back to the origin, which in some cases can aid law enforcement in a successful apprehension.
37
© 2011 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. The information in this document is provided by AT&T for informational purposes only. AT&T does not warrant the accuracy or completeness of the information or commit to issue updates or corrections to the information. AT&T is not responsible for any damages resulting from use of or reliance on the information.
38