Introductions
Coordinated Response
A cybersecurity incident response planning
and consulting firm
www.CoordinatedResponse.com
Copyright 2016 Information Systems Audit and Control Association, Inc. All rights reserved.
Practices in bold support response planning.
Practices, continued
13. Monitor and control remote access from all endpoints, including mobile devices.
14. Develop a comprehensive employee termination procedure.
15. Implement secure backup and recovery processes.
16. Develop a formalized insider threat program.
17. Establish a baseline of normal network behavior.
18. Be especially vigilant regarding social media.
19. Close the doors to unauthorized data exfiltration.
A Range of Insiders
Information Technology
Information Security
Data Owners
Practice 1, continued
The Guide acknowledges contractors as a potential source of an insider threat. To that end:
Consider contractual language for contractors that specifies their responsibilities for security;
Practice 2: Enforcement of Policies and Controls
The Guide recommends the following quick wins:
Secure senior management support.
Brief employees, contractors, and trusted business partners; require signed acceptable-use policies initially and annually.
Provide consistent enforcement.
Also consider:
Policies and senior management support are key to an effective incident response program.
Consistent execution of incident response procedures is also important.
Practice 14: Comprehensive Employee Termination Process
The Guide recommends the following quick wins:
Develop an enterprise-wide checklist to use at the time of separation.
Establish a procedure for tracking all accounts assigned to each employee.
Notify all employees of the departing employee's separation.
Also consider:
An incident may provide important documentation to support employee termination. Identify needs and methods in the Incident Response Plan.
Treat a termination as a precursor (a sign that an incident may follow), not merely as an indicator that one has already occurred.
Practice 16: Develop a Formalized Insider Threat Program
The Guide recommends the following quick wins:
Ensure that legal counsel determines the legal framework the team will work in.
Establish policies and procedures for addressing insider threats that include HR, Legal, Security, management, and IA.
Establish the expertise to conduct a legal, objective, and thorough inquiry using either employees or contractors or both.
Also consider:
Implement insider threat detection rules in SIEM systems.
Employ user activity monitoring technology, especially for privileged users.
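The account-tracking quick win in Practice 14, the SIEM detection rules and privileged-user monitoring in Practice 16, and the baseline of normal network behavior from Practice 17 come together in the following added example. It is not code from the ISACA deck or from the CERT Guide: the pipe-delimited log format, the field names, the HR separation feed, the privileged-user list, the baseline figures, the business-hours window and the z-score threshold are all assumptions, and the log lines are constructed. Three rules are run over the same events: activity by an account whose owner has already separated, a privileged account moving data outside business hours, and a daily outbound volume far above that account's own baseline.

```python
"""Insider-threat detection rules run over SIEM-style log lines.

Added example, not code from the ISACA deck or the CERT Guide. The log
format, field names, HR separation feed, privileged-user list, baseline
figures and thresholds are all assumptions; the log lines are constructed.
"""
from collections import defaultdict
from datetime import date, datetime, time
from statistics import mean, pstdev

# Assumed HR feed (Practice 14): account -> separation date.
SEPARATIONS = {"jdoe": date(2016, 3, 1)}

# Assumed privileged accounts (Practice 16): watched more closely.
PRIVILEGED = {"admin1", "jdoe"}

# Assumed baseline (Practice 17): daily outbound bytes per account over prior days.
BASELINE_BYTES = {
    "jdoe":   [40_000_000, 55_000_000, 48_000_000, 52_000_000, 45_000_000],
    "admin1": [100_000_000, 120_000_000, 110_000_000, 90_000_000, 130_000_000],
    "asmith": [25_000_000, 35_000_000, 30_000_000, 28_000_000, 32_000_000],
}

# Constructed log: ISO timestamp|event|user|source IP|bytes out
SAMPLE_LOG = """\
2016-03-02T08:15:00|vpn_login|jdoe|203.0.113.5|0
2016-03-02T02:10:00|file_transfer|admin1|10.0.0.7|900000000
2016-03-02T09:00:00|file_transfer|asmith|10.0.0.9|30000000
2016-03-02T09:05:00|vpn_login|asmith|198.51.100.4|0
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local business day
Z_THRESHOLD = 3.0                            # assumed: alert above mean + 3 sigma


def parse_log(text):
    """Parse pipe-delimited lines into event dicts; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, user, src, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src, "bytes": int(nbytes)})
    return events


def rule_terminated_account_activity(events, separations):
    """Any activity by an account after its owner's separation date (Practice 14)."""
    alerts = []
    for e in events:
        sep = separations.get(e["user"])
        if sep is not None and e["ts"].date() > sep:
            alerts.append({"rule": "terminated_account_activity", "user": e["user"],
                           "detail": f'{e["event"]} from {e["src"]} at '
                                     f'{e["ts"].isoformat()}, separated {sep}'})
    return alerts


def rule_privileged_offhours_transfer(events, privileged):
    """Privileged account moving data outside business hours (Practice 16)."""
    start, end = BUSINESS_HOURS
    alerts = []
    for e in events:
        if (e["event"] == "file_transfer" and e["user"] in privileged
                and not start <= e["ts"].time() <= end):
            alerts.append({"rule": "privileged_offhours_transfer", "user": e["user"],
                           "detail": f'{e["bytes"]} bytes at {e["ts"].isoformat()}'})
    return alerts


def rule_exfil_baseline_deviation(events, baseline, z=Z_THRESHOLD):
    """Daily outbound volume far above the account's own baseline (Practices 17 and 19)."""
    totals = defaultdict(int)
    for e in events:
        if e["event"] == "file_transfer":
            totals[(e["user"], e["ts"].date())] += e["bytes"]
    alerts = []
    for (user, day), total in sorted(totals.items()):
        history = baseline.get(user)
        if not history:
            continue  # no baseline yet; a real program would queue the account for baselining
        mu, sigma = mean(history), max(pstdev(history), 1.0)  # flat baseline: avoid /0
        zscore = (total - mu) / sigma
        if zscore > z:
            alerts.append({"rule": "exfil_baseline_deviation", "user": user,
                           "detail": f"{total} bytes on {day}, z={zscore:.1f}"})
    return alerts


def run_rules(log_text, separations=SEPARATIONS, privileged=PRIVILEGED,
              baseline=BASELINE_BYTES):
    """Run every rule over one log extract and return the combined alert list."""
    events = parse_log(log_text)
    return (rule_terminated_account_activity(events, separations)
            + rule_privileged_offhours_transfer(events, privileged)
            + rule_exfil_baseline_deviation(events, baseline))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(f'{alert["rule"]:32} {alert["user"]:8} {alert["detail"]}')
```

On the constructed log this raises three alerts: jdoe's VPN login the day after separation, admin1's 02:10 transfer, and admin1's 900 MB day against a baseline near 110 MB. Note that the separation rule compares dates, so activity on the separation day itself is not flagged; whether that is right depends on when in the day the checklist is executed, which is exactly why the checklist and the account inventory need to be kept in one place.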
Incident Response Planning: Insider or Not
Defining Incident Management Processes for CSIRTS: A Work in Process, CMU/SEI, 2004.
http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=7153
NIST Identifies 10
Incident Response Controls
Regulatory Compliance
What kind of data do you have?
Personally Identifiable Information (PII)
Payment Card Industry (PCI) Data Security Standards (DSS)
Health Insurance Portability and Accountability Act (HIPAA)
Intellectual Property (IP)
Financial Fraud
Other?
There are two critical incident outcomes: data loss and denial of service. Malware is just malware unless it leads to one of these two outcomes.
A Thought on Reputation, Risk, and Impact
A Disgruntled Employee
Ex-Intel employee pleads guilty to theft charges.
Anticipate Action!
Align Investment!
Monitor Trends!
[Diagram: Response Team Services. Incident categories: Compromised Asset; External / Internet; Internal / Personnel; Loss of Equipment; Malware (Destructive Malware, Ransomware, Other Malware); Denial of Service; Network Probing / Logical Attack; E-mail Spamming / Phishing. Services: Threat Intelligence; Timely notifications; Proper escalation; Metrics & Management; Enterprise Governance; Outside Resources.]
As a result, a wide range of organizational staff is involved in addressing insider threats (in both the incident plan and response):
Management,
Human Resources (HR),
Legal Counsel,
Physical Security,
Information Technology (IT) & Software Engineers,
Information Assurance (IA), and
Data Owners.
Risk planning and response planning are linked. The risks and resulting impacts occur in the following areas:
Reputational Risks, including public relations or legal issues with customers.
Regulatory Risks, including the inability to meet regulatory compliance.
Operational Risks, including the inability to deliver key business capabilities.
Internal, Human Relations Risks, including the inability to process payroll or violations of employee privacy.
Financial Risks, including loss of physical assets or remediation expenses.
Situation / Outcome

Situation: Employee uses e-mail like instant messaging for a daylong conversation with his spouse.
Outcome: Not malicious / low impact. Meet with HR; add memo to HR records.

Situation: Employee uses e-mail to solicit candy bar sales for her daughter's marching band. Co-workers, subordinates and suppliers are contacted.
Handling Evidence
The evidence may be used in court, and must be appropriately gathered and maintained:
Manage chain of custody, particularly as evidence moves from entity to entity;
Establish a physically secure location (locked safe, etc.);
Preserve system logs;
Preserve email; and
Maintain file metadata; a normal Windows file copy does not preserve all of it (the copy gets a new creation time, for example).
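As an added example (not code from the ISACA deck), the following Python script shows what "maintain file metadata" and "manage chain of custody" look like in practice: it copies evidence with shutil.copy2, which preserves mode and timestamps where a plain copy does not, hashes source and copy, appends a custody manifest, and re-verifies the hash at each hand-off so a later change is pinned to a custodian. File names, custodian names and the manifest layout are assumptions; the evidence file is constructed. Neither Windows creation time nor POSIX ctime survives any copy, which is why the original stat values are recorded in the manifest rather than read back from the copy.

```python
"""Evidence collection: preserve file metadata and record chain of custody.

Added example, not code from the ISACA deck. File names, custodian names
and the manifest format are assumptions; the evidence file is constructed.
Standard library only.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream the file so a large evidence image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def stat_record(path):
    """Capture original timestamps; ctime / creation time cannot survive a copy."""
    st = os.stat(path)
    return {"size": st.st_size, "mode": oct(st.st_mode),
            "atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}


def append_record(manifest_path, record):
    """Append-only JSON-lines manifest; every record is stamped with UTC time."""
    record["recorded_at"] = datetime.now(timezone.utc).isoformat()
    with open(manifest_path, "a", encoding="utf-8") as m:
        m.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def collect(src, dest_dir, custodian, manifest_path):
    """Copy src into dest_dir with metadata, verify the copy, log who took custody."""
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src))
    original = stat_record(src)   # record before anything touches the file
    shutil.copy2(src, dest)       # copy2 = copy + copystat (mode, atime, mtime); copy() drops timestamps
    src_hash, dest_hash = sha256_of(src), sha256_of(dest)
    if src_hash != dest_hash:
        raise RuntimeError(f"hash mismatch after copy: {src} -> {dest}")
    if int(os.stat(dest).st_mtime) != int(original["mtime"]):
        raise RuntimeError(f"mtime not preserved on {dest}")
    os.chmod(dest, 0o444)         # working copy is read-only from here on
    return append_record(manifest_path, {
        "action": "collect", "source": src, "evidence": dest, "sha256": dest_hash,
        "original_stat": original, "custodian": custodian})


def transfer(manifest_path, evidence, from_custodian, to_custodian):
    """Hand-off between entities: re-hash at the boundary so a change is pinned to one custodian."""
    return append_record(manifest_path, {
        "action": "transfer", "evidence": evidence, "sha256": sha256_of(evidence),
        "from": from_custodian, "to": to_custodian})


def verify_manifest(manifest_path):
    """True only if every record's hash matches the file on disk and never changed between records."""
    first_seen = {}
    with open(manifest_path, encoding="utf-8") as m:
        for line in m:
            rec = json.loads(line)
            ev = rec["evidence"]
            if first_seen.setdefault(ev, rec["sha256"]) != rec["sha256"]:
                return False
            if not os.path.exists(ev) or sha256_of(ev) != rec["sha256"]:
                return False
    return True


def demo():
    """Constructed end-to-end run in a temp dir; returns the checks a caller can assert on."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "suspect_notes.txt")
        with open(src, "wb") as f:
            f.write(b"constructed evidence file\n")
        old = 1_456_790_400                      # 2016-03-01T00:00:00Z, pretend last-write time
        os.utime(src, (old, old))
        manifest = os.path.join(tmp, "custody.jsonl")
        rec = collect(src, os.path.join(tmp, "evidence"), "analyst A", manifest)
        copy2_ok = int(os.stat(rec["evidence"]).st_mtime) == old
        transfer(manifest, rec["evidence"], "analyst A", "legal counsel")
        ok_before = verify_manifest(manifest)
        # Contrast: a plain copy gives the copy a fresh mtime, destroying the timeline.
        naive = os.path.join(tmp, "naive_copy.txt")
        shutil.copy(src, naive)
        # Tampering with the working copy is caught on the next verification.
        os.chmod(rec["evidence"], 0o644)
        with open(rec["evidence"], "ab") as f:
            f.write(b"altered\n")
        return {
            "copy2_preserved_mtime": copy2_ok,
            "plain_copy_preserved_mtime": int(os.stat(naive).st_mtime) == old,
            "manifest_verified_before_tamper": ok_before,
            "tamper_detected": not verify_manifest(manifest),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The read-only chmod is a guard against accidents, not against a custodian with write access; the hash in the manifest is what actually proves integrity, and in a real engagement the manifest itself should live on media the custodians cannot rewrite (or be signed).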
The Blaze:
http://www.theblaze.com/stories/2014/02/06/how-one-hvac-worker-may-have-caused-the-entire-targetdata-breach/
Target, continued
Detect: Target was later alerted by an outside party, likely the U.S. Secret Service.
US-CERT Combating Insider Threat
This well-written document summarizes the nature of the threat and an approach to detect and deter malicious insider activity. The paper is valuable for two reasons:
It is the right document from the right source to inform executive leadership and board members of the importance of addressing insider threats; and
It provides a great set of references: good resources for informing an effective program to address insider threat.
ISACA
Incident Response Resources
From the ISACA Bookstore
The Computer Incident Response Planning Handbook,
by N.K. McCarthy.
https://www.isaca.org/bookstore/extras/Pages/The-Computer-Incident-Response-Planning-Handbook-review.aspx
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Incident-Management-and-Response.aspx