1 computer security incident planning (csip) · source: “computer security incident handling...
TRANSCRIPT
COMPUTER SECURITY INCIDENT
PLANNING
(CSIP)
A PRACTICAL APPROACH
24/11/2012
1
PRESENTED BY
TAMER MOHAMED HASSAN IBRAHIM
Tamer Mohamed Hassan Ibrahim
• Certified Information Security Manager (CISM)
• More than 8 years of experience in information security, including:
– Performing assessments, penetration testing and risk assessments
– Developing policies and procedures
– Establishing and managing Information Security programs, digital forensics and incident response
– Establishing and managing Security Operation Centers and delivering Managed Security Services
• Based in the United Arab Emirates
2 WHO AM I
1. Why CSIP is Important
2. Prerequisites
3. Planning
4. Key Success Factors
3 TABLE OF CONTENT
Sony - $170M
– PlayStation incident clean-up cost estimated by Sony
– 7+ million users' personal details disclosed
Media embarrassment
An Egyptian hacker dumped an Adobe database of 150K emails and passwords. Affected accounts include Adobe employees, U.S. military users and users from Google, NASA, universities, and other companies.
ARAMCO - $15M
– Estimated replacement costs along with incident response fees for the destruction of thousands of servers and hard drives at ARAMCO
– The same can be estimated for the similar incident at RasGas
Media embarrassment
LG Smart World hacked and 11,316 accounts leaked
Citi bank – $2.7M
– At least $2.7M was lost by 3,400 customers whose information had been accessed by a hacker in mid-2011. In numerous reports, Citi was criticized for its slow response to the hack and delays in notifying customers.
Losing trust
Amazon UK hacked and 600+ credentials leaked
4 WHY CSIP IS IMPORTANT
5 WHY CSIP IS IMPORTANT
Legal implications.
• Hackers have the time, money, and energy necessary to gain access.
• More sophisticated and targeted attacks
• Increasing numbers of zero-day attacks
• The number of organizations being compromised is increasing
• CSIP will help with:
– Discovering incidents early
– Responding quickly and recovering quickly
– Reducing the chance of a successful attack
– Reducing the impact of the incident
– Reducing the negative publicity
WITHOUT CSIP YOU ARE PLANNING FOR FAILURE
Assets Identification and Classification Guide
6 PREREQUISITES
• An asset can be anything valuable to the business:
– IT systems such as web portals, databases, source code, etc.
– Financial information, strategy or marketing plans
– Personal information
• Guidelines:
– ADSIC Service Categorization
– FIPS Standards for Security Categorization
• A must-have for any CSIP
• Enables prioritization of responses during incidents
Impact Level | Description
A1 | Loss of confidentiality, integrity, or availability has great impact on business operation. Cost of impact is more than $10M. Recovery time of the impact shall be 2 hours.
A2 | Loss of confidentiality, integrity, or availability has medium impact on business operation. Cost of impact is between $1M and $10M. Legal impact. Recovery time of the impact shall be 4 hours.
A3 | Loss of confidentiality, integrity, or availability has low impact on business operation. Cost of impact is between $100,000 and $1M. Legal impact. Recovery time of the impact shall be 8 hours.
A4 | Loss of confidentiality, integrity, or availability has no impact on business operation. Cost of impact is less than $100,000. Legal impact. Recovery time of the impact shall be 48 hours.
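Applied to the table above, as an added example that is not part of the presentation: a small Python helper that maps an estimated impact cost to its level and recovery time, then orders concurrently reported incidents for response (the prioritization point made on this slide). The handling of the shared cost boundaries, the tie-break on legal impact and cost, and all names and sample incidents are assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Levels from the classification table: (level, cost floor in USD, recovery hours).
# Assumption: a cost sitting exactly on a shared boundary ($10M, $1M, $100,000)
# is assigned to the less severe level; A4 is the fallback below $100,000.
IMPACT_LEVELS = (("A1", 10_000_000, 2), ("A2", 1_000_000, 4), ("A3", 100_000, 8))
LEVEL_A4 = ("A4", 48)


def classify_impact(cost_usd: float) -> Tuple[str, int]:
    """Map an estimated impact cost to (impact level, recovery time in hours)."""
    if cost_usd < 0:
        raise ValueError("cost must be non-negative")
    for level, floor, hours in IMPACT_LEVELS:
        if cost_usd > floor:
            return level, hours
    return LEVEL_A4


@dataclass
class Incident:
    name: str
    asset: str
    est_cost_usd: float
    legal_impact: bool = False


def prioritize(incidents: List[Incident]) -> List[Tuple[str, str, int]]:
    """Order concurrent incidents for response: shortest recovery time (highest
    impact level) first, then those with legal impact, then by estimated cost.
    Returns (incident name, impact level, recovery hours) in response order."""
    def sort_key(inc: Incident):
        _, hours = classify_impact(inc.est_cost_usd)
        return (hours, not inc.legal_impact, -inc.est_cost_usd)
    ordered = sorted(incidents, key=sort_key)
    return [(i.name, *classify_impact(i.est_cost_usd)) for i in ordered]


# Constructed incidents reported at the same time (sample data, not from the deck).
SAMPLE_INCIDENTS = [
    Incident("Web defacement", "public web portal", 50_000),
    Incident("Customer DB breach", "customer database", 3_000_000, legal_impact=True),
    Incident("Excessive port scans", "DMZ firewall", 20_000),
    Incident("Mass hard disk wiping", "file servers", 12_000_000),
]
```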
Risk Assessment
7 PREREQUISITES
• Risk assessment consists of:
– Identifying valuable assets
– Identifying vulnerabilities
– Identifying threats
– Risk evaluation
– Identifying and evaluating risk treatment options
– Selecting, planning and implementing cost-effective treatments
• A must-have for any CSIP
• Required for developing and improving incident management
• Required for deciding whether to initiate the incident response
• Required for mitigation actions during incident response
8 PLANNING
1. Select a framework
2. Develop security incident policy and procedures
3. Identify and classify types of incidents (guidelines)
4. Develop checklists and forms
5. Establish an Incident Response Team
6. Build a Security Incident Response Kit
7. Implement security best practice
8. Establish security monitoring and analysis operation
Framework
9 PLANNING
• NIST Computer Security Incident Handling Guide
• The Guide covers:
– Incident Response Policy, Plan, and Procedure Creation
– Incident Response Team Structure
– Incident Handling/Incident Management
– Coordination and Information Sharing
– Incident Handling Scenarios
– Step-by-step guide
• Revised and updated to reflect changes in attacks and incidents
• It is hardware- and operating system-agnostic
• A set of standards to establish an effective and working Security Incident Program
• Ready-to-use checklists
Source: “Computer Security Incident Handling Guide,” National Institute of Standards and Technology Special Publication 800-61 Revision 2
10 PLANNING
Security Incident Policy
11 PLANNING
• A statement showing management commitment to react appropriately to any actual or potential incidents relating to information systems and information within their custody
• It must include an enforcement statement
• Purpose:
– Mitigating the risk of losing confidentiality, integrity and availability of information or information systems
• Scope:
– Including, for example, employees, contractors, buildings, hosting/co-location, external consultants, service providers, and external networks connected to the enterprise network
• Roles and responsibilities
Security Incident Procedures
12 PLANNING
• End-user security incident identification and reporting
• Security incident identification, analysis and reporting procedures for:
– Desktops
– Servers (Windows, Linux, Unix, etc.)
– Network devices
• Triage and escalation procedure
• Incident response procedure for each incident type identified
• Prioritizing incident response when multiple incidents occur at the same time
• Digital forensics procedure
• Recovery procedure
• Backup procedure
• Reporting procedure
Identify and classify Types of Incidents guidelines
13 PLANNING
• There are many types of computer incidents; some examples include:
– Web defacement
– Breach of database data
– Denial of Service / Distributed Denial of Service
– Excessive port scans
– Password breach
– Virus outbreak
– Hard disk wiping outbreak
• Incident severity classification:
– L1: Virus outbreak, mass hard disk wiping, or incidents involving serious legal issues
– L2: Excessive port scans and vulnerability scanning
Develop checklists and forms
14 PLANNING
• Incident Report
• Incident Identification
• Incident Containment
• Incident Eradication
• Incident Communication Log
• Incident Tracking Logs
• Intrusion discovery checklist for Windows and Unix
• Computer Forensics Processing Checklist
Incident Response Team Structure
15 PLANNING
• For large enterprises, a cross-functional Incident Response Team is recommended:
– Information Security Officer
– Business representative
– Public relations representative
– Legal representative
– HR representative
– IT expert(s)
– Network expert(s)
– Digital forensics expert(s)
• For small and medium organizations:
– A dedicated incident response team
– Or the existing IT team acting as the incident response team
– Another option is to outsource
• Training, training, training
Build Security Incident Response Kit
16 PLANNING
• Hardware
– High-spec computer/laptop
– Forensic hard drive acquisition device/toolbox
– Large-capacity external hard drive, IDE and SCSI drives
– Write-blocking device
• Software
– Hard drive wiper tool
– Volatile information capturing tool
– Imaging tools for memory and hard drives
– Forensic remote memory and hard drive mapping tools
– Memory analysis tools
– Bootable Linux built with forensics tools
– Forensic suite
– Automated malware analysis sandbox or behavioral malware analysis tools
– Utilize online analysis tools:
– Anubis
– CWSandbox
– Norman SandBox
– ThreatExpert
Establish Security Best practice
17 PLANNING
• Make sure to have an updated asset list for every network device, including full details; automate if you can.
• Firewalls, IPS, IDS and email gateway security.
• Endpoint security: A/V, anti-spyware, host IPS, URL reputation.
• URL filtering for botnets, browser exploit kits, redirecting web sites, etc.
• Deny access to/from blacklisted IPs using firewalls and/or a proxy server.
• VLANs and network segregation.
• Use NIST or Center for Internet Security standards for servers, desktops and network devices.
• Review server and device security configurations at least once a year.
Establish Security Best practice
18 PLANNING
• Disable USB, or block copying and running malicious files from USB.
• Patch, patch, patch: Microsoft and non-Microsoft.
• Remove administrative privileges from end users.
• Never use default passwords or any of the well-known worst passwords.
• Audit password strength every 6 months.
• IT admins must use separate accounts for management.
• Never share passwords across servers or network systems.
• Change admin passwords every 3 months.
• Enable and collect logs to a centralized log server or SIEM.
• Implement a network capture solution.
Establish Security monitoring and Analysis operation
19 PLANNING
• Collect security logs from all servers, network and security devices.
• Use a log server with correlation capability or implement a SIEM solution.
• Generate reports from all security solutions in place:
– Top 10 attacks
– Top 10 sources of attacks
– Top 10 highest attacks
– Top 10 targets of attacks
– Top 10 viruses
– Top 10 infected computers
– Top 10 blocked IPs
– Top 10 blocked/denied IPs
– Top 10 blacklisted IPs denied or accessed
– List of countries visited by users or that accessed your network
• Review reports daily, if not every 4 hours.
Establish Security monitoring and Analysis operation
20 PLANNING
• If a SIEM is in place, develop correlation rules to detect the incident types identified earlier.
• Subscribe to security newsletters; receive daily updates.
• Establish a business relationship with the local CIRT.
• Monitor security blogs and news about security breaches or vulnerabilities.
• Monitor hacking forums that may have an interest in your business, especially those from other countries.
• Monitor vulnerabilities used by exploit kits.
• Check your IPs using URL and IP scanners:
– http://scanurl.net/
– http://urlvoid.com/
– http://urlquery.net/
– http://www.projecthoneypot.org
– http://zulu.zscaler.com/
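An added example, not from the presentation, of the correlation-rule point above: a minimal detector for the "Excessive Port Scans" incident type (severity L2 in the deck's classification) run over constructed firewall deny lines, plus the "Top 10 sources of attacks" count over the same lines. The log format, the threshold of 5 distinct ports within 60 seconds, and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny lines (assumed format, not from the deck):
# "<ISO timestamp> DENY src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2012-11-24T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=21
2012-11-24T10:00:02 DENY src=203.0.113.5 dst=192.0.2.10 dport=22
2012-11-24T10:00:03 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2012-11-24T10:00:04 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2012-11-24T10:00:05 DENY src=203.0.113.5 dst=192.0.2.10 dport=25
2012-11-24T10:00:06 DENY src=203.0.113.5 dst=192.0.2.10 dport=80
2012-11-24T10:00:09 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2012-11-24T10:00:10 DENY src=203.0.113.5 dst=192.0.2.10 dport=443
2012-11-24T10:00:15 DENY src=198.51.100.7 dst=192.0.2.10 dport=443
2012-11-24T10:09:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=8080
"""
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_events(lines):
    """Yield (timestamp, src, dst, dport); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])


def detect_port_scans(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a (src, dst) pair once it reaches `threshold` distinct destination
    ports inside a sliding `window`. Repeated hits on one port (retries) do not
    count, so a client retrying 443 is not reported as a scan."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_events(lines):
        by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            in_window = {p for t, p in events[: i + 1] if ts - t <= window}
            if len(in_window) >= threshold:
                alerts.append({"type": "Excessive Port Scans", "severity": "L2",
                               "src": src, "dst": dst,
                               "distinct_ports": len(in_window), "detected_at": ts})
                break  # one incident record per pair; escalation happens in triage
    return alerts


def top_sources(lines, n=10):
    """The deck's 'Top 10 sources of attacks' report over the same deny lines."""
    return Counter(src for _, src, _, _ in parse_events(lines)).most_common(n)
```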
21 KEY SUCCESS FACTORS
• Management support
• Clearly defined roles and responsibilities
• Budget
• Risk management
• Triple T (Tools, Testing, Training)
• Ongoing security monitoring and analysis
• Incident follow-up
• Awareness
• Integration with other processes (ITIL, Risk Management, etc.)
THANK YOU FOR YOUR TIME