Page 1

Update on Cyber Security
ORMIA Specialized Course

May 20, 2015

Yow Lian Tay and Robert Tracey Jr

newyorkfed.org (Internal FR)

Page 2

Agenda

1. Introduction to Cyber Security
2. Cyber Security resources
3. Anatomy of a data breach
4. Cyber Security incident response
5. Why audit the Cyber Security incident response plan?
6. Items to look for during the audit
7. Question & Answer

Ask yourself: What topics do I need to pay attention to?

Incidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident. This presentation is intended to provide focus areas for your consideration.

Page 3

What is Cyber Security?

• Protection from Unauthorized Modification
• Protection from Unauthorized Access
• Protection from Disruptions in Access

Page 4

Cyber Security – Present Day


Advanced Persistent Threat (APT)
• Threats in the past were one-off ‘hackers’, ‘spammers’, and ‘script kiddies’.
• Now: Advanced Persistent Threat (APT):
  • State-sponsored cyber espionage and sabotage
  • Organized Crime / For Profit Groups
  • Anonymous / Hacktivists

Situational Awareness
• Risk Assessments can never be static, as threats are increasingly more dynamic.
• Understanding of the environment is critical to adequate risk identification.

Skills Gap
• Information Security professionals are in increasingly high demand.
• Threat actors devote exorbitant time and resources to carrying out attacks; this requires an equal and opposite defense response that cannot be accomplished by automated tools alone.

Page 5

Emerging Risks


Internet of Things
• Internetworked hardware with standard and non-standard operating systems.
• Includes sensitive devices such as security cameras, environmental system controllers, and certain medical devices.
• Requires specialized (vendor) knowledge to maintain security.

Crimeware, Ransomware & Doxxing
• Crimeware is malware specifically used to acquire confidential information including bank accounts and passwords.
• Ransomware is malware that locks down a user’s machine and demands a payment for unlocking it.
• Doxxing is a practice of obtaining and disseminating PII on individuals through internet research.

Page 6

Emerging Risks


RAM Scraping
• Malware that dumps data stored in memory.
• Such data is normally unencrypted.
• Common threat for POS systems and ATMs, as sensitive payment card information is utilized there.

Insider and Third Party Threat
• Insider threat is the risk that employees and contractors pose to the security of information, through inadvertent or intentional means.
• Third party threat is the risk of vendors and contractors interfacing with the internal network and potentially compromising information security.

Page 7

Cyber Security Resources


ISACA Cybersecurity Nexus (CSX)
• Thought leadership, training, and certification.
• http://www.isaca.org/cyber/pages/default.aspx

Verizon Data Breach Investigations Report
• Overall trends and emerging risks.
• http://www.verizonenterprise.com/DBIR/2015/

SANS – Critical Security Controls
• 20 critical controls for the most common attacks
• https://www.sans.org/critical-security-controls/

NIST – Cybersecurity Framework
• Detailed standards for Cybersecurity Programs
• http://www.nist.gov/cyberframework/

Page 8

Anatomy of a Data Breach


Scenario - Background
• Disclaimer: This scenario is purely fictional. Any similarity to actual events is merely coincidental.
• Despite being fiction, this hypothetical example is based on actual risks in the environment that cyber security teams must be prepared for.
• Hackers from a well-funded criminal organization compromise a third party vendor to a major banking institution…

An Opportunity Appears…

Page 9

Anatomy of a Data Breach


Setting up a Distraction
• Because the bank has a devoted protestor following (like all big banks), it isn’t hard to induce hacktivists to launch a significant DDoS attack.
• It was also trivial for the criminal organization to obtain names of employees of the bank from LinkedIn and set up a spear-phishing scam.

Page 10

Anatomy of a Data Breach


Incident Response
• While it takes several hours, the Incident Response Team blocks the DDoS attackers and brings back up the public website.
• They also deal with many angry employees that unfortunately fell for the phishing emails and need to change all of their passwords.

The Incident Response Team
1. Resolve public website outage to satisfy customers
2. Remediate effects of the spear-phishing scam.

Page 11

Anatomy of a Data Breach


Successful Exfiltration…
• The Intranet Customer Page was never fully secured because it was believed to be generally safe from external attacks.
• Using vulnerabilities in the programming language and the use of a privileged database connection within the scripts, the hackers successfully compressed and exfiltrated the customer database.

Page 12

Scenario Recap


Attacks are not always in isolation.
• A sophisticated attacker uses multiple channels of attack.
• DDoS Attacks and Phishing are easy to perform but hard to resist.

Logging Everything is Insufficient
• Trained technicians need to review logs and remediate findings in a timely manner.
• Security logs should never be purged; data storage is cheap.

Internally-Facing Applications are still a Security Risk
• Just because it isn’t public facing doesn’t mean it can’t be broken into. Controls should apply to all systems with sensitive data.

Third Party / Outsourced Service Providers
• Accounts and interfaces to third parties should face high scrutiny.
• Many recent breaches were through third-party channels.


Page 14

Incident Response


Ask yourself:
• Did your IR team obtain management support & buy-in?
• Are roles & responsibilities defined in the IR plan? Success Metrics?
• What about communication?
  • Don’t over communicate!
• Has there been a validation of the IR plan?
  • Don’t just plan it, practice it!

What is an Incident Response Team (IRT)?
• A selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered.
• They must be people that can drop what they’re doing (or re-delegate their duties) and have the authority to make decisions and take actions.

Incident Response Plan
• Identifies the organizational approach to handling security incidents
• Brings needed resources together in an organized manner to deal with an adverse event
• Aids investigations, preservation of evidence, and determination of how it occurred and how to mitigate against recurrence
• Is adaptable and flexible
• Speeds response and recovery efforts

Page 16

Why audit the Cyber Security Incident Response?

In conducting the audit, the auditor should be seeking answers to the following four questions:
1. Has the organization adequately assessed its cyber security incident response needs?
2. Has the organization's cyber security incident response program been designed to meet those needs?
3. As the organization changes and evolves, is the effectiveness of the cyber security incident response plan maintained?
4. In the aftermath of a critical incident, will the cyber security incident response plan work as intended?

Benefits to the organization:
• Ensures that the plan contains accurate and current information
• Allows the incident response process to be assessed and fine-tuned
• Identifies potential issues in advance, before the breach occurs
• Should a breach subsequently occur, it allows the process to operate more efficiently

Ask yourself: How supportive is the Bank’s Management of such an audit?

Critical Security Control #18: Incident Response and Management

Page 17

Items to look for during the audit


[Figure: incident response life cycle: Preparation; Detection & Analysis; Containment, Eradication & Recovery; Post-Incident Activity; Communication & Coordination]

Page 18

Items to look for during the audit



Preparation
1. Verify creation of an incident response policy and plan
2. Were procedures for performing incident handling and reporting developed?
3. Have guidelines for communicating with outside parties regarding incidents been established?
4. Was a team structure and staffing model selected?
5. Have relationships and lines of communication between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies), been developed?

Page 19

Items to look for during the audit



Detection and Analysis
1. Determine the detection and analysis capabilities. Do they consider:
   • Attack vectors, signs & sources of an incident (precursor vs. indicator)
   • Correlation of information & events (Security Incident & Event Management (SIEM) tools)
   • Profiling networks and systems to understand normal behaviors
   • Employing additional tools to collect additional data
2. Determine if there are mechanisms/channels to document the incident.
   • Status, summary, related incidents, actions taken, chain of custody, impact assessments, next steps, etc.
3. Incident prioritization & severity: functional, informational & recoverability
4. Timely and sufficient notification
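As an added example (not from the presentation), the correlation and profiling items above, together with the scenario recap's point that a single-channel view misses a multi-channel attack: a small Python script parses constructed log lines from three channels, flags events that exceed a constructed per-host baseline, and raises the priority of such an anomaly when distraction events from other channels precede it within a time window. The log format, host names, field names and thresholds are all assumptions made for this example.

```python
"""Cross-channel correlation against a normal-behaviour baseline. Added example
for this deck's scenario; log format, hosts and thresholds are constructed."""
from datetime import datetime, timedelta

# Constructed log lines: timestamp, channel, event, then key=value fields.
SAMPLE_LOG = """\
2015-05-20T09:00:00 waf ddos_start target=www
2015-05-20T09:05:00 mail phish_click user=alice
2015-05-20T09:06:00 mail phish_click user=bob
2015-05-20T09:40:00 db export host=intranet-cust rows=2500000
2015-05-20T09:42:00 proxy egress host=intranet-cust bytes=1800000000
2015-05-20T15:10:00 db export host=intranet-cust rows=20000
"""

# Constructed per-host profile of normal behaviour; exceeding it is an indicator.
BASELINE = {"intranet-cust": {"rows": 50_000, "bytes": 50_000_000}}
# Events that, on their own, look like the whole incident (the distraction).
DISTRACTIONS = {"ddos_start", "phish_click"}


def parse_log(text):
    """Turn the raw lines into dicts with a datetime and string fields."""
    events = []
    for line in text.splitlines():
        ts, channel, event, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.fromisoformat(ts), "channel": channel,
                       "event": event, **fields})
    return events


def anomalies(events):
    """Events with a numeric field above the host's baseline."""
    out = []
    for e in events:
        limits = BASELINE.get(e.get("host"), {})
        if any(f in e and int(e[f]) > lim for f, lim in limits.items()):
            out.append(e)
    return out


def correlate(events, window=timedelta(hours=2)):
    """One incident record per anomaly, listing the distraction events that
    preceded it inside the window; two or more other channels raise priority."""
    incidents = []
    for a in anomalies(events):
        related = [e for e in events if e["event"] in DISTRACTIONS
                   and timedelta(0) <= a["ts"] - e["ts"] <= window]
        channels = {e["channel"] for e in related}
        priority = ("critical" if len(channels) >= 2
                    else "high" if channels else "medium")
        incidents.append({"status": "open",
                          "summary": f"{a['event']} on {a['host']} above baseline",
                          "related": [f"{e['channel']}:{e['event']}" for e in related],
                          "priority": priority})
    return incidents
```

The record fields (status, summary, related incidents) mirror the documentation items listed in point 2 above; the 15:10 export stays within baseline and produces no record.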

Page 20

Items to look for during the audit



Containment and Recovery
1. Are there procedures to acquire, preserve, secure, and document evidence?
2. Verify if there are steps to contain & eradicate the incident. Was there consideration for:
   • Identifying and mitigating all vulnerabilities that were exploited.
   • Removing malware, inappropriate materials, and other components.
   • Isolating components to avoid spread.
3. Have steps been established to recover from the incident?
4. Is there confirmation that the affected systems are functioning normally upon recovery?
5. Is there a need to implement additional monitoring to look for future related activity?

Page 21

Items to look for during the audit



Post-Incident Activity
1. For high severity incidents, was there a follow-up report?
2. Was a lessons learned meeting held?
3. Rehearsing (table-top testing) and awareness
4. Evidence retention: considerations for prosecution

Page 22

Items to look for during the audit



Communication & Coordination
1. Is there an established communication channel?
2. Has a communication frequency been defined?
3. Have responsibilities been defined?
4. Have the relevant internal stakeholders been identified for notifications?
5. Does your organization share information with outside parties? (Internet Service Provider, Law Enforcement Agencies, Software & Support Vendors, media)

Page 23

Effective Practices


1. Acquire tools and resources that may be of value during incident handling.
2. Subscribe to threat intelligence services (free & paid).
3. Establish mechanisms for internal and external parties to report incidents.
4. Require a baseline level of logging and auditing on all systems, and a higher baseline level on all critical systems.
5. Profile networks and systems to understand the normal behaviors of networks, systems, and applications.
6. Consult with the legal department before initiating any coordination efforts.
7. Perform incident information sharing throughout the incident response life cycle.
8. Attempt to automate as much of the information sharing process as possible.
9. Balance the benefits of information sharing with the drawbacks of sharing sensitive information.
10. Prioritize handling of the incidents based on the relevant factors.
11. Include provisions regarding incident reporting in the organization’s incident response policy.
12. Obtain system snapshots through full forensic disk images, not file system backups.
13. Start recording all information as soon as the team suspects that an incident has occurred.
14. Share as much of the appropriate incident information as possible with other organizations.
15. Safeguard incident data.
16. Follow established procedures for evidence gathering and handling.
17. Create a log retention policy.
18. Maintain and use a knowledge base of information.
19. Hold lessons learned meetings after major incidents.
20. Plan incident coordination with external parties.

Ask yourself: Are we doing any of these?

Page 24

Questions & Answers


Additional Resources:
• NIST National Checklist Program (NCP)
• NIST Special Publication 800-61 Rev 2 – Computer Security Incident Handling Guide
• Center for Internet Security (CIS) Best Practices
• COBIT = Deliver & Support DS8 Manage Service Desk and Incidents
• ITIL = Service Operation 4.1.5
• ISO 27002 = 13.0 Information Security Incident Management, 14.0 Business Continuity Management
• NIST SP 800-61 = Incident Response guide

Consider what you’ve learned & share it.