Posted on 19-Apr-2018


Page 1: EDWARD MARCHEWKA, CISSP - IIT School of Applied … · Building a Cybersecurity Incident Response Program EDWARD MARCHEWKA, CISSP  edward@marchewka.org

Building a Cybersecurity Incident Response Program

EDWARD MARCHEWKA, CISSP

http://bit.ly/marchewka

edward@marchewka.org

Page 2: Some Quotes…

o Doing anything in panic mode is never a good idea.

  o Marchewka

o An ounce of prevention is worth a pound of cure.

  o Benjamin Franklin

o I will prepare and some day my chance will come.

  o Abraham Lincoln

Page 3: Disclaimers

o Everything stated in this message is to be considered my own opinion, and not an official representation of Gift of Hope or any other Gift of Hope employees.

o There may be bad jokes for which I do not apologize.

o Just a couple extras… Actual mileage may vary. Price does not include tax, title, and license. Some assembly required. Each sold separately. Batteries not included. Objects in mirror are closer than they appear. If conditions persist, contact a physician. Keep out of reach of children. Avoid prolonged exposure to direct sunlight. Keep in a cool dark place.

o Any spelling and grammar mistakes in this article are all entirely my fault and on purpose.

o Citation: Merriam-Webster's collegiate dictionary (10th ed.). (1993). Springfield, MA: Merriam-Webster.

Page 4: Some interesting notes...

https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf

Page 5: Agenda

o Risk Assessment

o Outside Counsel

o Communications

o End Users

o Law Enforcement

o Forensics Team

o Planning

Page 6: Risk Assessment

o Perform a risk assessment

o Use a risk register

o You should already have done it – compliance requires it

  o HIPAA

  o PCI

  o NIST

o Need help – NIST 800-30

  o http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Page 7: Outside Counsel

o Partner with outside counsel

o Look for someone (or a firm) with cyber experience

o Reduce your risk/liability by protecting your communications under privilege

o Notify them first in the event of a suspected breach, data loss, or incident

Page 8: Communications

o Prepare, prepare, prepare

o Templates (fill in the blank)

o Get as many scenarios ready as possible

o Get approvals to use templates – thresholds or guidelines

o Internal comms, external comms, media comms

Page 9: End Users

o They are going to need leadership

o Most don’t listen

o Think for them and be proactive

o Most want to do what is right

Page 10: Law Enforcement

o Don’t be afraid to involve law enforcement

o Have contacts ahead of time

  o FBI via Chicago InfraGard

  o Secret Service via Chicago Electronic Crimes Task Force

  o DHS via Chicago InfraGard

  o Local and State PD – jurisdiction issues or questions

Page 11: Forensics Team

o Know your action plan with respect to forensics

o Have some staff on hand to begin gathering evidence, or at least preserving it

o Have a forensics team on retainer, or at least as a partner

o If the organization is large enough, have forensics tools on hand

Page 12: Planning

o Do table top exercises (TTXs)

o Do actual mock drills as part of the BC/DR plan

o Bring in outside parties to assist

  o FBI

  o Chicago FIRST

  o many consultants

o Involve local OEMC

Page 13: What we did…

o Risk Assessment

o Outside Counsel

o Communications

o End Users

o Law Enforcement

o Forensics Team

o Planning

Page 14: Questions

Edward Marchewka

@ejmarchewka

http://bit.ly/marchewka

edward@marchewka.org