
Page 1: COMPUTER SECURITY INCIDENT PLANNING (CSIP)
Source: “Computer Security Incident Handling Guide,” National Institute of Standards and Technology Special Publication 800-61

COMPUTER SECURITY INCIDENT PLANNING (CSIP)
A PRACTICAL APPROACH
24/11/2012
PRESENTED BY TAMER MOHAMED HASSAN IBRAHIM

Page 2: WHO AM I

Tamer Mohamed Hassan Ibrahim

• Certified Information Security Manager (CISM)
• More than 8 years of experience in information security, including:
  • Performing assessments, penetration testing and risk assessments
  • Developing policies and procedures
  • Establishing and managing Information Security programs, digital forensics and incident response
  • Establishing and managing Security Operation Centers and delivering Managed Security Services
• Based in the United Arab Emirates

Page 3: TABLE OF CONTENT

1. Why CSIP is Important
2. Prerequisites
3. Planning
4. Key Success Factors

Page 4: WHY CSIP IS IMPORTANT

Sony - $170M
PlayStation incident clean-up cost estimated by Sony. 7+ million user personal details disclosed. Media embarrassment.

Adobe
Egyptian hacker dumped an Adobe database of 150K emails and passwords. Affected accounts include Adobe employees, U.S. military users and users from Google, NASA, universities, and other companies.

ARAMCO - $15M
Estimated replacement costs along with incident response fees for the destruction of thousands of servers and hard drives at ARAMCO. The same can be estimated for the similar incident at RasGas. Media embarrassment.

LG Smart World hacked and 11,316 accounts leaked.

Citi bank – $2.7M
At least $2.7M was lost by 3,400 customers whose information had been accessed by a hacker in mid-2011. In numerous reports, Citi was criticized for its slow response to the hack and delays in notifying customers. Losing trust.

Amazon UK hacked and 600+ credentials leaked.

Page 5: WHY CSIP IS IMPORTANT

legal implications.

• Hackers have the time, money, and energy necessary to gain access.
• More sophisticated and targeted attacks
• Increasing numbers of zero-day attacks
• The number of organizations being compromised is increasing
• CSIP will help with
  – Discovering incidents early
  – Responding quickly, recovering quickly
  – Reducing the chance of a successful attack
  – Reducing the impact of the incident
  – Reducing the negative publicity

WITHOUT CSIP YOU ARE PLANNING FOR FAILURE

Page 6: PREREQUISITES
Assets Identification and Classification Guide

• An asset can be anything valuable to the business
  • IT systems such as web portal, database, source code etc.
  • Financial information, strategy or marketing plans
  • Personal information
• As guidelines
  • ADSIC Service Categorization
  • FIPS Standards for Security Categorization
• A must-have for any CSIP
  • Prioritization of responses during incidents

Impact Level | Description
A1 | Loss of confidentiality, integrity, or availability has great impact on business operation. Cost of impact is more than $10M. Recovery time of the impact shall be 2 hours.
A2 | Loss of confidentiality, integrity, or availability has medium impact on business operation. Cost of impact is between $1M and $10M. Legal impact. Recovery time of the impact shall be 4 hours.
A3 | Loss of confidentiality, integrity, or availability has low impact on business operation. Cost of impact is between $100,000 and $1M. Legal impact. Recovery time of the impact shall be 8 hours.
A4 | Loss of confidentiality, integrity, or availability has no impact on business operation. Cost of impact is less than $100,000. Legal impact. Recovery time of the impact shall be 48 hours.

Page 7: PREREQUISITES
Risk Assessment

• Risk assessment consists of
  • Identifying valuable assets
  • Identifying vulnerabilities
  • Identifying threats
  • Risk evaluation
  • Identifying and evaluating risk treatment options
  • Selecting, planning and implementing cost-effective treatments.
• A must-have for any CSIP
  • Required for developing and improving incident management
  • Required for deciding whether to initiate the incident response
  • Required for mitigation actions during incident response

Page 8: PLANNING

• Select framework
• Develop security incident policy and procedures
• Identify and classify types of incidents (guidelines)
• Develop checklists and forms
• Establish incident response team
• Build security incident response kit
• Implement security best practice
• Establish security monitoring and analysis operation.

Page 9: PLANNING
Framework: NIST Computer Security Incident Handling Guide

• The Guide covers
  • Incident Response Policy, Plan, and Procedure Creation
  • Incident Response Team Structure
  • Incident Handling/Incident Management
  • Coordination and Information Sharing
  • Incident Handling Scenarios
• Step-by-step guide
• Revised and updated to reflect changes in attacks and incidents
• It is hardware- and operating-system-agnostic
• Set of standards to establish an effective and working Security Incident Program
• Ready-to-use checklists

Page 10: PLANNING

Source: “Computer Security Incident Handling Guide,” National Institute of Standards and Technology Special Publication 800-61 Revision 2

Page 11: PLANNING
Security Incident Policy

• A statement that shows management commitment to react appropriately to any actual or potential incidents relating to information systems and information within their custody
• It must include an enforcement statement
• Purpose:
  • Mitigating the risk of losing confidentiality, integrity and availability of information or information systems
• Scope:
  • Including, for example, employees, contractors, buildings, hosting/co-location, external consultants, service providers, and external networks connected to the enterprise network.
• Roles and responsibilities

Page 12: PLANNING
Security Incident Procedures

• End-user security incident identification and reporting
• Security incident identification, analysis and reporting procedures for
  • Desktops
  • Servers (Windows, Linux, Unix etc.)
  • Network devices
• Triage and escalation procedure
• Incident response procedure for each incident type identified
• Prioritizing incident response when multiple incidents occur at the same time
• Digital forensics procedure
• Recovery procedure
• Backup procedure
• Reporting procedure

Page 13: PLANNING
Identify and classify Types of Incidents guidelines

• There are many types of computer incidents; some examples include:
  • Web defacement
  • Breach of database data
  • Denial of Service / Distributed Denial of Service
  • Excessive port scans
  • Password breach
  • Virus outbreak
  • Hard disk wiping outbreak
• Incident severity classification
  • L1: Virus outbreak, or mass hard disk wiping, or involves serious legal issues
  • L2: Excessive port scans and vulnerability scanning
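The deck asks for prioritizing response when several incidents occur at once (slide 12), using the asset impact levels of slide 6 and the severity classes above. The following is an added example, not code from the presentation: it combines the two classifications into a triage order. The ranking rule (L1 before L2, then earliest recovery deadline), the incident types and the detection times are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Recovery-time targets per asset impact level, from the slide-6 classification table
RECOVERY_HOURS = {"A1": 2, "A2": 4, "A3": 8, "A4": 48}

# Incident severity classes from slide 13 (L1 is the most severe)
SEVERITY = {
    "virus outbreak": "L1",
    "mass hard disk wiping": "L1",
    "serious legal issue": "L1",
    "excessive port scans": "L2",
    "vulnerability scanning": "L2",
}

@dataclass
class Incident:
    incident_id: str
    kind: str          # one of the SEVERITY keys (case-insensitive)
    asset_level: str   # one of the RECOVERY_HOURS keys
    detected_at: datetime

def severity_of(kind: str) -> str:
    """Fail loudly on an unclassified type: it needs a human decision, not a default."""
    try:
        return SEVERITY[kind.lower()]
    except KeyError:
        raise ValueError(f"unclassified incident type: {kind!r}") from None

def deadline(inc: Incident) -> datetime:
    """Recovery deadline implied by the affected asset's impact level."""
    return inc.detected_at + timedelta(hours=RECOVERY_HOURS[inc.asset_level])

def triage(incidents):
    """Assumed rule: L1 before L2, then earliest deadline. Returns (id, severity, deadline)."""
    ranked = sorted(incidents, key=lambda i: (int(severity_of(i.kind)[1:]), deadline(i), i.incident_id))
    return [(i.incident_id, severity_of(i.kind), deadline(i)) for i in ranked]

def sample_queue():
    """Constructed sample incidents, all detected on the same morning."""
    t0 = datetime(2012, 11, 24, 9, 0)
    return [
        Incident("INC-1", "Excessive Port Scans", "A1", t0),
        Incident("INC-2", "Virus Outbreak", "A3", t0),
        Incident("INC-3", "Virus Outbreak", "A2", t0 + timedelta(hours=5)),
        Incident("INC-4", "Vulnerability Scanning", "A4", t0),
    ]
```

Running `triage(sample_queue())` works INC-2 before INC-3 even though INC-3 sits on a higher-impact asset, because INC-2 was detected five hours earlier and its 8-hour recovery window closes first.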

Page 14: PLANNING
Develop checklists and forms

• Incident Report
• Incident Identification
• Incident Containment
• Incident Eradication
• Incident Communication Log
• Incident Tracking Logs
• Intrusion discovery checklist for Windows and Unix
• Computer Forensics Processing Checklist

Page 15: PLANNING
Incident Response Team Structure

• Large enterprises: a cross-functional incident response team is recommended
  • Information Security Officer
  • Business representative
  • Public relations representative
  • Legal representative
  • HR representative
  • IT expert(s)
  • Network expert(s)
  • Digital forensics expert(s)
• Small and medium organizations:
  • Dedicated incident response team
  • Or existing IT staff as the incident response team
  • Another option is to outsource
• Training, training, training

Page 16: PLANNING
Build Security Incident Response Kit

• Hardware
  • High-spec computer/laptop
  • Forensic hard drive acquisition device/toolbox
  • Large-capacity external hard drive, IDE and SCSI drives
  • Write-blocking device
• Software
  • Hard drive wiper tool
  • Volatile information capturing tool
  • Imaging tools for memory and hard drives
  • Forensic remote memory and hard drive mapping tools
  • Memory analysis tools
  • Bootable Linux built with forensics tools
  • Forensic suite
  • Automated malware analysis sandbox or behavioral malware analysis tools
  • Utilize online analysis tools
    • Anubis
    • CWSandbox
    • Norman SandBox
    • ThreatExpert

Page 17: PLANNING
Establish Security Best Practice

• Make sure to have an updated asset list for every network device, including full details; automate if you can.
• Firewalls, IPS, IDS and email gateway security.
• Endpoint security: A/V, anti-spyware, host IPS, URL reputation.
• URL filtering for botnets, browser kits, redirecting web sites etc.
• Deny access to/from blacklisted IPs using firewalls and/or a proxy server
• VLANs and network segregation
• Use NIST or Center for Internet Security standards for servers, desktops and network devices.
• Review server and device security configurations at least once a year.

Page 18: PLANNING
Establish Security Best Practice

• Disable USB, or disable copying and running malicious files from USB
• Patch, patch, patch: Microsoft and non-Microsoft
• Remove administrative privileges from end users
• Never use default passwords or one of the top worst passwords.
• Audit password strength every 6 months.
• IT admins must use separate accounts for management
• Never share passwords across servers or network systems
• Change admin passwords every 3 months.
• Enable and collect logs to a centralized log server or SIEM.
• Implement a network capturing solution

Page 19: PLANNING
Establish Security Monitoring and Analysis Operation

• Collect security logs from all servers, network and security devices.
• Use a log server with correlation capability or implement a SIEM solution.
• Generate reports from all security solutions in place
  • Top 10 attacks
  • Top 10 sources of attacks
  • Top 10 highest attacks
  • Top 10 targets of attacks
  • Top 10 viruses
  • Top 10 infected computers
  • Top 10 blocked IPs
  • Top 10 blocked/denied IPs
  • Top 10 blacklisted IPs denied or accessed
  • List of countries visited by users or that accessed your network.
• Review reports daily, if not every 4 hours

Page 20: PLANNING
Establish Security Monitoring and Analysis Operation

• If a SIEM is in place, develop correlation rules to detect the types of incidents identified before
• Subscribe to security newsletters; receive daily updates.
• Establish a business relationship with the local CIRT
• Monitor security blogs and news about security breaches or vulnerabilities
• Monitor hacking forums that may have an interest in your business, especially from other countries.
• Monitor vulnerabilities used by exploit kits
• Check your IPs using URL and IP scanners
  • http://scanurl.net/
  • http://urlvoid.com/
  • http://urlquery.net/
  • http://www.projecthoneypot.org
  • http://zulu.zscaler.com/
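Slide 19 asks for a "Top 10 sources of attacks" report and slide 20 for SIEM correlation rules tied to the incident types classified earlier. The block below is an added example, not code from the presentation: it runs both over constructed firewall deny-log lines and flags the slide-13 "Excessive port scans" type as an L2 incident. The log line format, the field names and the scan threshold (10 distinct ports within 60 seconds from one source) are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed deny-log format: "<ISO time> DENY src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(lines):
    """Parse deny events; malformed lines are skipped rather than aborting the report."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "dport": int(dport)})
    return events

def top_sources(events, n=10):
    """Slide-19 style 'Top N sources of attacks', counted from denied connections."""
    return Counter(e["src"] for e in events).most_common(n)

def port_scan_sources(events, min_ports=10, window=timedelta(seconds=60)):
    """Correlation rule: a source touching >= min_ports distinct destination ports
    within `window` is reported as an L2 'Excessive port scans' incident (slide 13)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):             # sliding time window per source
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["dport"] for e in evs[start:end + 1]}) >= min_ports:
                flagged[src] = "L2"
                break
    return flagged

# Constructed sample: one host sweeping 12 ports in 12 seconds, one host hitting a
# single port 15 times (noisy, but not a scan), and one malformed line.
SAMPLE = [f"2012-11-24T10:00:{i:02d} DENY src=198.51.100.7 dst=192.0.2.10 dport={20 + i}"
          for i in range(12)]
SAMPLE += ["2012-11-24T10:05:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=445"] * 15
SAMPLE += ["garbage line"]

if __name__ == "__main__":
    evs = parse(SAMPLE)
    print(top_sources(evs, 3))        # the repeat-offender host tops the count
    print(port_scan_sources(evs))     # only the port sweeper is flagged
```

The two views deliberately disagree: the host with the most denies is not the one the correlation rule flags, which is why the deck pairs volume reports with rules written for specific incident types.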

Page 21: KEY SUCCESS FACTORS

• Management support
• Clearly defined roles and responsibilities
• Budget
• Risk management
• Triple T (Tools, Testing, Training)
• Ongoing security monitoring and analysis
• Incident follow-up
• Awareness
• Integration with other processes (ITIL, Risk Management, etc.)

Page 22: THANK YOU FOR YOUR TIME

[email protected]