Incident Response November 2015 Navigating a Cybersecurity Incident

Upload: easter-murphy

Post on 17-Jan-2016

Incident Response

November 2015

Navigating a Cybersecurity Incident

Plan, Prepare, Manage, Mitigate and Remediate

- Plan – Have a plan and test it
- Prepare – Create a CSIRT and practice scenarios
- Manage – Have a program for managing an incident
- Mitigate – Plans of Action to mitigate common scenarios
- Remediate – Action plan for addressing gaps and issues

Create an Incident Response Plan

Develop an Incident Response Plan

- Multidisciplinary team
- Roles and Responsibilities
- Line of Authority
- Triggers to Activate CSIRT
- Status updates – timing

Computer Security Incident Response Team (CSIRT)

- Information Systems Services
  - Windows
  - Unix
  - Messaging
  - Networking
  - Help Desk
- Information Security
- Legal
- Human Resources

The Computer Security Incident Response Team

Strategies for different types of breaches

• Technical response

• Public relations response

• Legal response

Detection – Information Security

- IDS – Intrusion Detection Systems
- SIEM – Security Information and Event Management
- FIM – File Integrity Monitoring Systems
- FW – Firewall activity
- AV – Anti-Virus Alerts
- Service Desk Calls
  - Users
  - Customers

Detection – Is this an incident

- Did you lose data?
- How much data and exactly what type?
- Is the data loss ongoing?
- Who knows about the data loss?

This information is going to guide the next phases of the response

- Will we need to report the loss
- How big is the loss – number of customers
- How will we manage the process

Managing and mitigating the incident

- Identify your organization's priorities
- Nature of the incident
- Restore affected or compromised systems
- Apply corrective actions to any identified vulnerabilities
- Apply countermeasures to security systems
- Assign responsibility for correcting systemic issues
- Track progress of all corrective actions
- Validate the actions taken are effective
- Update your security policy and procedures

Remediation

The goal of those engaged in a data breach and incident response is to

- Stop the bleeding – data loss

- Quantify the loss

- Secure your information systems

- Fix any holes in your security and operations

Lessons learned – Follow up

Actions to fix infrastructure and security

- Assigned an owner who is responsible for the fix

- Given adequate resources to address problems

- Required to provide regularly scheduled updates until resolution

Remediation - repairing the damage to the brand

For customers

- Credit monitoring

- Credit repair

- Litigation services for any victimized by ID Theft

Company Image

- Good will gestures

- Awareness Outreach to customers on data protection

- Following up on all promises

Consider Third Party Contractors

Digital Forensics and Crisis Response

Benefits of third party contractors

- Equipped to deal with crisis situation

- Instant Expertise

- Typically can provide rapid response

- Can provide you with legal cover

Issues of third party contractors

- Cost – they can be expensive – $300 plus per hour

- Delays in getting onsite – paper work and travel

- No guarantee of results

Overview of Administrative Elements

Management roles and responsibilities

- Leadership is essential to effective response

- Let the team do its job, but keep informed of progress

• Status meetings – as needed, but initially 3 a day

- Current Status

- Tasks to Complete

- Next Steps

- Who is assigned

• Be prepared to make timely and informed decisions

• Keep tabs on staffing and watch for fatigue

- Support your people and do not lose your temper

- If staff do not perform or are ineffective you will need to decide how to proceed, but think before you act

Overview of Administrative Elements

Public Relations

- Single message – clear, concise and to the point

• If you have a public relations staff, let them work with your legal counsel on the message, review it and make sure all contingencies have been addressed and then let them deliver it.

- Explain what has happened

- Progress of the investigation

- Steps the organization will be taking

- How the public and press can keep informed

- A wise policy is to inform all company personnel that any inquiries about an incident must be directed to legal counsel

- Templates can be prepared and vetted prior to an incident and can be ready to use in the event of a breach

Questions?

Fred Howell, MBA, MSISM, CISSP

Manager of Security and Privacy Consulting Services

RSM LLP

80 City Square

Boston, MA 02129

Office 617-241-1520

Cell 781-831-2767

Email: [email protected]

McGladrey LLP

Andy Obuchowski

80 City Square

Boston, MA 022129

617.241.1219

[email protected]

www.mcgladrey.com