computer fraud - eric vanderburg - china resource network conference
TRANSCRIPT
© 2012 JurInnov Ltd. All Rights Reserved.PROPRIETARY AND CONFIDENTIAL
China Resource Network
Computer Fraud
JurInnov, Ltd.
October 5, 2012
Who Are We?
JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
– Information Security
– Electronic Discovery
– Computer Forensics
– Document and Case Management
Confidence Framework
• CF-Strategy
• CF-Assess
• CF-Policy
• CF-Aware
• CF-Audit
Overview
• Case Study
• Detection
• Incident response
• Post-incident activities
• Prevention
Case Study
1. US sends email
2. Email read & deleted
3. Fake response through open relay
4. Fake email with alternate address
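The fraud in the case study hinges on two things a mail recipient can check: the "response" was injected through an open relay rather than the partner's own mail servers, and the reply address was steered to an alternate domain. The following is an added example written for this transcript, not code from the presentation or from JurInnov; the message text, domain names and the list of trusted relays are constructed for illustration. It parses a raw message with Python's standard `email` module and reports a Reply-To domain that differs from the From domain, plus any hop in the Received chain that is not one of the expected relays.

```python
"""Flag the two spoofing patterns from the case study on a raw RFC 5322 message:
a Reply-To domain that differs from the visible sender, and a hand-off through a
relay outside the organization's known mail path. Added example; all names below
are constructed (hypothetical), not taken from the presentation."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: hosts that legitimately appear as "from <host>" in the Received:
# chain for mail that really came from the partner (hypothetical names).
TRUSTED_RELAYS = {"mx1.partner.example", "mx2.partner.example", "mail.ourcorp.example"}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def received_hosts(msg):
    """Extract the 'from <host>' token of each Received: header, oldest hop first."""
    hosts = []
    for line in reversed(msg.get_all("Received", [])):
        parts = line.split()
        if len(parts) > 1 and parts[0].lower() == "from":
            hosts.append(parts[1].lower().strip("[]()"))
    return hosts

def check_message(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom!r} differs from sender domain {from_dom!r}")
    untrusted = [h for h in received_hosts(msg) if h not in TRUSTED_RELAYS]
    if untrusted:
        findings.append("relayed through unexpected host(s): " + ", ".join(untrusted))
    return findings

# Constructed sample: the "fake response" pattern, relayed via an open relay and
# carrying a look-alike Reply-To domain.
SUSPECT = """Received: from mail.ourcorp.example (mail.ourcorp.example [198.51.100.5]) by inbox.ourcorp.example; Fri, 5 Oct 2012 09:00:00 +0000
Received: from relay.openrelay.example ([203.0.113.9]) by mail.ourcorp.example; Fri, 5 Oct 2012 08:59:00 +0000
From: Accounts Payable <ap@partner.example>
Reply-To: ap@partner-example.net
To: finance@ourcorp.example
Subject: Re: Wire instructions

Please use the new account details below.
"""

# Constructed sample: a genuine message that arrived through the partner's relay.
LEGIT = """Received: from mx1.partner.example (mx1.partner.example [192.0.2.10]) by mail.ourcorp.example; Fri, 5 Oct 2012 08:30:00 +0000
From: Accounts Payable <ap@partner.example>
To: finance@ourcorp.example
Subject: Re: Wire instructions

Confirming the existing account details are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, check_message(raw) or "no findings")
```

Both checks are cheap to run at the mail gateway or in a triage script, and they map directly onto the "separation of duties" point that follows: a payment instruction whose reply path or relay path does not match the partner's known infrastructure should be routed to a second person for validation before anyone acts on it.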
Detection
• Separation of duties
– Approve requests for information
– Validate changes in procedure
– Divide sensitive tasks between multiple persons and roles
• Awareness
– Suspicious activity
– Social engineering
• Audit
Indicators
• Use of dormant accounts
• Log alteration
• Presence of malicious code
• Notification by partner or peer
• Notification by hacker
• Loss of availability
• Corrupt files
• Data breach
• Violation of policy
• Violation of law
• Activity at unexpected times
• Unusual email traffic
• Presence of hacker tools
• Unknown accounts
• Unusual consumption of computing resources
• Unusual network activity
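Three of the indicators above (use of dormant accounts, unknown accounts, activity at unexpected times) can be tested mechanically against a logon log once a baseline of normal activity exists, which is also the last action item in this talk. The following is an added example written for this transcript, not code from the presentation or from JurInnov; the log lines, account names, last-seen dates and the per-account schedules are constructed for illustration. It parses simple logon records and reports each line that trips one of the three indicators.

```python
"""Run three of the slide's indicators over logon records: dormant accounts,
unknown accounts and activity outside an account's expected hours. Added
example; the log lines and directory data below are constructed (hypothetical)."""
from datetime import datetime, timedelta

# Constructed directory data: which accounts exist and when each last logged on.
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}
LAST_SEEN = {"alice": "2012-10-04", "bob": "2012-06-01", "svc_backup": "2012-10-04"}
DORMANT_DAYS = 90                       # idle longer than this counts as dormant
BUSINESS_HOURS = range(8, 18)           # default expected hours, 08:00-17:59
# Baseline per account: a backup service account is expected to run at night.
SCHEDULES = {"svc_backup": range(22, 24)}

# Constructed log lines: "<ISO timestamp> LOGON <user> <source address>".
LOG_LINES = [
    "2012-10-05T09:12:44 LOGON alice 10.0.0.21",
    "2012-10-05T02:31:07 LOGON bob 10.0.0.88",
    "2012-10-05T10:05:13 LOGON mallory 10.0.0.90",
    "2012-10-05T23:40:00 LOGON svc_backup 10.0.0.5",
]

def parse(line):
    """Split one record into (timestamp, event, user, source)."""
    ts, event, user, src = line.split()
    return datetime.fromisoformat(ts), event, user, src

def expected_hours(user):
    """Hours during which this account normally logs on (baseline)."""
    return SCHEDULES.get(user, BUSINESS_HOURS)

def assess(lines, known=KNOWN_ACCOUNTS, last_seen=LAST_SEEN):
    """Return (user, timestamp, [reasons]) for every record that trips an indicator."""
    findings = []
    for line in lines:
        ts, _, user, src = parse(line)
        reasons = []
        if user not in known:
            reasons.append("unknown account")
        else:
            idle = ts.date() - datetime.fromisoformat(last_seen[user]).date()
            if idle > timedelta(days=DORMANT_DAYS):
                reasons.append(f"dormant account ({idle.days} days idle)")
        if ts.hour not in expected_hours(user):
            reasons.append("activity at unexpected time")
        if reasons:
            findings.append((user, ts.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    for user, when, reasons in assess(LOG_LINES):
        print(f"{when} {user}: {'; '.join(reasons)}")
```

With the constructed data, `bob` is flagged twice (126 days idle, and a 02:31 logon) and `mallory` once (not in the directory), while `svc_backup` at 23:40 is silent because its baseline says night-time runs are normal. The per-account schedule is the important part: without a baseline, the "unexpected time" indicator either floods the reviewer with service-account noise or gets switched off.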
Incident Response
• Validate incident authenticity
• Determine scope and severity
– Users, data and equipment impacted
• Notify team
Preservation of evidence
• Volatile data
– Contents of RAM
– Current network connections
– Logon sessions
– Open files
• Non-volatile data
– Hard drives
– Network device startup configurations
• Chain of custody
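Chain of custody is only as good as the ability to show that what was collected is what is later examined, which in practice means hashing each item at collection and re-hashing at every hand-off. The following is an added example written for this transcript, not code from the presentation or from JurInnov; the evidence bytes, names and timestamps are constructed for illustration. It records a SHA-256 fingerprint when an item is collected, appends a log entry on each transfer, and reports whether the item still matches its original hash, so that an altered image is caught at the next hand-off rather than in court.

```python
"""Minimal chain-of-custody record: hash an evidence item at collection, log each
transfer with a fresh hash, and verify integrity on demand. Added example; the
people, timestamps and evidence contents below are constructed (hypothetical)."""
import hashlib

def sha256_hex(data):
    """Hex SHA-256 of the evidence bytes (the fingerprint recorded in the log)."""
    return hashlib.sha256(data).hexdigest()

class CustodyRecord:
    """One evidence item plus its custody log."""

    def __init__(self, item_id, description, data, collected_by, when):
        self.item_id = item_id
        self.description = description
        self.data = data                      # the collected image (bytes)
        self.sha256 = sha256_hex(data)        # fingerprint at time of collection
        self.log = [{"action": "collected", "by": collected_by,
                     "when": when, "sha256": self.sha256}]

    def transfer(self, from_person, to_person, when):
        """Log a hand-off and return True if the item still matches its original hash."""
        current = sha256_hex(self.data)
        self.log.append({"action": "transferred", "from": from_person, "to": to_person,
                         "when": when, "sha256": current,
                         "intact": current == self.sha256})
        return current == self.sha256

    def verify(self):
        """True if the current contents match the hash recorded at collection."""
        return sha256_hex(self.data) == self.sha256

def demo():
    """Walk one item through collection, a clean transfer and a detected alteration."""
    # Constructed stand-in for a memory dump (volatile data is collected first).
    ram_image = b"constructed RAM capture: logon sessions, open files, connections"
    item = CustodyRecord("E-001", "RAM capture, finance workstation",
                         ram_image, "responder A", "2012-10-05T10:15:00Z")
    clean = item.transfer("responder A", "examiner B", "2012-10-05T12:00:00Z")
    item.data = ram_image + b"\x00"          # simulate a byte added in storage
    tampered = item.transfer("examiner B", "examiner C", "2012-10-06T09:00:00Z")
    return clean, tampered, item

if __name__ == "__main__":
    clean, tampered, item = demo()
    print("first transfer intact:", clean, "| second transfer intact:", tampered)
    for entry in item.log:
        print(entry)
```

A real deployment would write the log to append-only storage and hash the original media rather than a working copy, but the shape is the same: the hash taken at collection is the reference, every later hash is compared against it, and the log entry records who held the item and when.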
Recovery
• Remediate vulnerabilities
• Restore services
• Restore data
• Restore confidence
Post-incident activities
• Refine plans and processes
• Create new IRPs
• Debrief (After-action review)
Debrief
• Rankless discussion
• What was the goal?
• Were goals achievable?
• Successes
• Pitfalls
• Lessons learned
• Action items and responsibilities
• Positive summary (high note)
Prevention
• Perform background checks on key personnel, suppliers and partners
• Conduct periodic awareness training
• Document and follow procedures
Prevention
• Technical controls
– Antivirus/antimalware
– Email filtering
– Web filtering
– Network Access Control (NAC)
– Intrusion Prevention System (IPS)
– Patch management
– Password management
Incident Response Plans
• Document procedures for likely incidents
• Document steps for a non-specific incident
• Prepare resources
– Human
– Technical
• Is geographic diversity needed?
• Determine notification procedure
• Roles and responsibilities
• Simulation
• Review and maintenance
Action Items
• Obtain an overview of information security posture (Security Snapshot)
• Consider incident response and create IRPs
• Conduct security awareness training
• Conduct risk assessment to identify appropriate security controls
• Baseline systems to understand normal activity