You will be breached

Are you prepared? What is your response plan?

Mike Saunders – CISSP, GCIH, GPEN

Posted on 25-May-2015


DESCRIPTION

Your organization will be breached. It's a matter of when, not if. How you respond may be the difference between recovering and closing your doors. This talk is designed to help small businesses or businesses with small IT organizations to develop a viable incident response program. Presented at the 2013 ND IT Symposium on 5/1/2013.

TRANSCRIPT

Page 1: You will be breached

Are you prepared? What is your response plan?

Mike Saunders – CISSP, GCIH, GPEN

Page 2: Agenda

Definition of a breach

Background statistics on breaches

What a breach may look like

Preparing your response plan

Putting your plan into action

Links to resources

Page 3: Key Assumptions

Small to medium-sized business (SMB), 25 – 500 employees

Few IT resources, few or none dedicated to IT security

Page 4: What Is a Breach?

A breach is an intrusion into a computer system, i.e. hacking, or an exposure of sensitive data

Causes of a breach:

crimes of opportunity

targeted attacks

viruses

web-delivered malware

malicious insiders

unintentional disclosures

Page 5: Breach Statistics

55% of SMBs surveyed were breached in the last year, 53% more than once – Ponemon Institute

Verizon 2012 DBIR found 71.5% of incidents studied were in organizations of less than 100 employees, up from 63% in 2011

2011 Symantec ISTR found 28% of targeted attacks were against companies with less than 500 employees

Page 6: Costs of a Breach

Average cost of reported breach: $5.5 million

Average cost per stolen record: $194 (Symantec ISTR)

Fines

Possible jail terms under HIPAA

Loss of customer and business partner confidence

Page 7: How Do I Know I’ve Been Breached? (image: www.digitaltrends.com)

Page 8: Overt indicators

Defaced website

Page 9: Defaced Websites (image: bundlr.com)

Page 10: Defaced Websites (image: sunbeltblog.blogspot.com)

Page 11: Defaced Websites (image: news.cnet.com)

Page 12: Overt indicators

Defaced website

Unauthorized bank transfers

Page 13: Unauthorized wire transfer (image: krebsonsecurity.com)

Page 14: Compromised PayPal Account (image: yadiwibowo30.blogspot.com)

Page 15: Overt indicators

Defaced website

Unauthorized bank transfers

Destruction of data

Data held hostage – “ransomware”

Page 16: Image of Ransomware (image: arstechnica.com)

Page 17: Overt indicators

Defaced website

Unauthorized bank transfers

Destruction of data

Data held hostage – “ransomware”

Notification from outside entity

Page 18: Covert indicators

System slowness

Abnormal log entries

Strange notifications when visiting a website

Helpdesk may notice a pattern

Page 19: Malicious Java Applet (image: www.cso.com.au)

Page 20: Fake AntiVirus Notification (image: blog.unmaskparasites.com)

Page 21: No obvious indicators

There may not be an obvious indicator of a breach

Detect through a well-developed security intelligence program

66% of breaches went undiscovered for several months or longer – Verizon 2013 DBIR

Page 22: Benefits of Adequate Preparation

Economic: stop ongoing loss of data or business interruption; reduce time to resolution after the incident is discovered

Public Relations: a PR plan helps reassure customers and prevent loss of confidence

Legal: demonstrates due diligence

Page 23: Preparation: Getting Started

Get management support!

Define your incident handling team members. Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor

Designate an incident leader. This person needs to be calm under fire

Page 24: Preparation: Basics

Policies: strong policies help enforce compliance and define roles and responsibilities; incident handling policies provide legal authority to investigate, “sniff” network traffic, and monitor activities

Procedures: clear, thorough, tested procedures help reduce confusion when tensions are high

Checklists

Notification procedures – legal, PR, law enforcement

Page 25: Preparation: Communications

Define a communications plan

Email and phone may be down or compromised; make sure you have cell numbers

Identify alternate contacts

Don’t forget to include IT vendor, network provider, etc.

Test your calling tree at least annually

Keep paper copies and keep them up to date

Page 26: Preparation: Testing and Practice

Perform incident handling tabletop exercises

When problems are identified, be sure to update procedures

Page 27: Execution

Document all steps in a notebook

It helps to have one person working and another keeping notes

Measure twice, cut once… First, do no harm… In other words, don’t be too hasty

Step back to see the forest for the trees

Page 28: Mistakes Happen

“Success does not consist in never making mistakes, but in never making the same one a second time.” – George Bernard Shaw

Page 29: Lessons Learned

Be sure to hold a lessons learned session after a breach

Hold within two weeks

Identify what failed and why

Implement fixes and update documentation

Page 30: Resources

Local law enforcement, including FBI

Professional security organizations:

ISSA – https://sites.google.com/site/northdakotaissa/

InfraGard – http://infragard-nd.org

SANS Reading Room – http://www.sans.org/reading_room/

SANS Incident Handling Forms – http://www.sans.org/score/incidentforms/

Page 31: Summary

All sizes of organizations are being attacked

Vast majority of attacks are from outsiders – 92% (Verizon 2013 DBIR)

Hacking constitutes the majority of attacks – 52% (Verizon 2013 DBIR)

Incident response plans are key to recovery and limiting liability

There is a vast array of resources available to help you build your plan

Page 32: Resources

An Incident Handling Process for Small and Medium Businesses – http://www.sans.org/reading_room/whitepapers/incident/incident-handling-process-small-medium-businesses_1791

Creating a Computer Security Incident Response Team (CSIRT) – http://www.cert.org/csirts/Creating-A-CSIRT.html

NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide – http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf

Corporate Incident Response – Why You Can’t Afford to Ignore It – http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-response.pdf

Page 33: References

Ponemon Institute Survey for Hartford Steam Boiler – http://www.hsbwhistlestop.com/agents/express/2013/02/hsbSurvey.php

Verizon 2013 Data Breach Investigations Report – http://www.verizonenterprise.com/DBIR/2013/

Verizon 2012 Data Breach Investigations Report – http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

Symantec 2011 Internet Security Threat Report – http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf

Page 34: Contact Me

[email protected]

@hardwaterhacker

http://hardwatersec.blogspot.com/

Page 35: Questions?