Improving Incident Response - PowerPoint PPT Presentation

About This Presentation

Title: Improving Incident Response

Slides: 29
Provided by: ChiefPriv5

Transcript and Presenter's Notes


1
Improving Incident Response
2
Incident Response Agenda
  • Why Incident Response is Important
  • Threats, Numbers, Traditional Response
  • What is an Incident
  • State of Ohio Incident Response Guidance
  • Ohio HB 104
  • ITP B.7 Security Incident Response
  • OIT IT Bulletin No. ITB-2007.02
  • Governor's Memo on Illegal Activity or Serious
    Wrongdoing
  • Incident Response Roles
  • How To Report an Incident
  • Incident Response Management Guide

3
Traditional Threats
  • Viruses and Worms
  • Breaches in Acceptable Use Policy
  • Hacking for Fun
  • Fraud
  • Accessing Illegal Content
  • Website Defacement

4
New Threat Landscape
  • Criminal Involvement
  • Profit
  • Spyware
  • Botnets
  • DDoS Extortion
  • ID Theft
  • Intellectual Property Theft
  • Phishing

5
CYBERCRIME BY THE NUMBERS
  • $67.2 billion: FBI estimate of what U.S.
    businesses lose annually because of
    computer-related crimes.
  • $8 billion: Consumer Reports estimate of what
    U.S. consumers lost in the past two years because of
    viruses, spyware and Internet scams.
  • 93.8 million: Privacy Rights Clearinghouse's
    count of personal records reported lost or stolen
    since February 2005.
  • 26,150: The Anti-Phishing Working Group's count
    of unique variations of phishing scams reported
    in August 2006.

Source: USA TODAY research
6
The Good, The Bad, The Ugly
  • 40% of organizations do NOT know how many
    security incidents they have experienced
  • 45% do NOT know what type of attacks have occurred
  • 82% employ a CSO, CISO, or CPO
  • 93% have deployed firewalls
  • 72% encrypt some data
  • 69% DO NOT keep an accurate inventory of user
    data
  • 33% of all enterprises are NOT in compliance with
    Sarbanes-Oxley, HIPAA, or state privacy laws

Source: CIO Magazine 2007
7
Cybersecurity
  • Traditional Focus on Prevention
  • Walls and Barriers
  • Policies
  • Firewalls
  • Anti-Virus Software
  • IDS
  • But what about response?

8
Traditional Response
  • Reactive, which leads to:
    • Prolonged Incidents
    • Muddled communications
    • Senior Management learns of incident late

9
More Security Does NOT Necessarily Mean More
Secure
  • Failure to Plan
  • Loss of Constituent Trust
  • Tarnished Image
  • Prolonged Recovery Times
  • Disclosure of Sensitive Data
  • Compromised Evidence
  • Financial Costs
  • Legal Issues

10
Better Incident Management
  • Ensures Incidents are Detected, Recorded, and
    Managed
  • Planning, Coordination, and Reporting
  • Execution of Mitigation Strategies
  • Informed Outcomes
  • Strategic Process Improvement

11
What is an Incident?
  • Viruses
  • E-mail viruses
  • E-mail harassment
  • Worms
  • Other malicious code
  • Denial of service attacks
  • Intrusions
  • Stolen hardware
  • Stolen sensitive data
  • Illegal activity
  • Serious wrongdoing
  • Network or system sabotage
  • Website defacements
  • Unauthorized access to files or systems
  • Loss of system availability
  • Misuse of service, systems or information
  • Physical damage to computer systems, networks, or
    storage media

12
  • We've Been Hacked
  • What Now???

13
Ohio Law HB 104: Breach Notification
  • Applies to any state agency or entity doing
    business in Ohio that owns or licenses
    computerized data that includes personal
    information of a specified nature
  • Must give notice to any Ohio resident whose
    personal information was, or reasonably is
    believed to have been, accessed and acquired by
    an unauthorized person if the access and
    acquisition causes or reasonably is believed will
    cause a material risk of identity theft or other
    fraud
  • Personal info triggering notice: Name plus
    • SSN / Tax ID
    • DL number / State ID number, or
    • Employer identification number
    • Financial account number (e.g., bank account,
      credit or debit card)
  • Applies to unencrypted, computerized data, and
    where the number in question is not truncated to
    the last four digits
  • Disclose, in the most expedient time possible
    generally not later than 45 days following
    discovery of any breach of the security of the
    system

14
State of Ohio Policy: Security Incident Response,
ITP-B.7
  • Incident: A reported adverse event or group of
    adverse events that has proven to be a verified
    information technology security breach. An
    incident may also be an identified violation or
    imminent threat of violation of information
    technology security policies, or a threat to the
    security of system assets. Some examples of
    possible information technology security
    incidents are:
    • Loss of confidentiality of information
    • Compromise of integrity of information
    • Loss of system or SERVICE availability
    • Denial of service
    • Misuse of service, systems or information
    • Damage to systems from malicious code attacks
      such as viruses, trojan horses or logic bombs

15
OIT IT Bulletin No. ITB-2007.02
  • Sensitive Data: An individual's last name along
    with first name or first initial, in combination
    with any one or more of the following data
    elements:
    • Social security number
    • Driver's license number
    • State identification card number
    • Financial account number
    • Credit card number
    • Debit card number
    • EFT (Electronic Funds Transfer) number
    • Taxpayer identification number
    • Medical information
    • Other personal information required by law to be
      maintained in a secure manner.
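The two definitions above (the HB 104 notice trigger on slide 13 and the broader ITB-2007.02 "sensitive data" list on slide 15) are the checks an Incident Coordinator has to run against whatever an unauthorized party acquired. The following Python is an added example and not part of the presentation or any State of Ohio tool: it encodes only what the slides state (name plus a listed element; HB 104 additionally requires the data to be unencrypted, the number not truncated to the last four digits, and a material risk of identity theft or fraud, with notice generally within 45 days of discovery). The element names, the `Exposure` record and the ISO-date convention are this example's own assumptions, and the code models the slide summaries rather than the statute text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Identifier categories that, combined with a name, trigger notice on the HB 104
# slide. Credit and debit card numbers are listed there as examples of a
# "financial account number", so they are included. Names are this example's own.
HB104_TRIGGER_ELEMENTS = {
    "ssn", "tax_id", "drivers_license", "state_id", "employer_id",
    "financial_account", "credit_card", "debit_card",
}

# The ITB-2007.02 "sensitive data" element list is broader: it adds EFT numbers,
# medical information and other legally protected personal information.
ITB_SENSITIVE_ELEMENTS = HB104_TRIGGER_ELEMENTS | {
    "eft_number", "medical_information", "other_legally_protected",
}

NOTICE_WINDOW_DAYS = 45  # "generally not later than 45 days following discovery"


@dataclass
class ExposedElement:
    """One data element an unauthorized person accessed and acquired."""
    kind: str                             # a key from the element sets above
    encrypted: bool = False               # HB 104 applies only to unencrypted data
    truncated_to_last_four: bool = False  # e.g. only "***-**-1234" was exposed


@dataclass
class Exposure:
    """Constructed description of an exposure (field names are assumptions)."""
    includes_name: bool                   # HB 104: name; ITB: last + first name/initial
    elements: List[ExposedElement] = field(default_factory=list)
    material_risk_of_fraud: bool = True   # identity theft or other fraud reasonably believed
    discovery_date: Optional[str] = None  # ISO date string, e.g. "2007-03-01"


def hb104_triggering_elements(x: Exposure) -> List[str]:
    """Elements that count under HB 104: in the trigger set, unencrypted, not truncated."""
    return [e.kind for e in x.elements
            if e.kind in HB104_TRIGGER_ELEMENTS
            and not e.encrypted
            and not e.truncated_to_last_four]


def hb104_notice_required(x: Exposure) -> bool:
    """Name + at least one qualifying element + material risk of identity theft/fraud."""
    return (x.includes_name
            and x.material_risk_of_fraud
            and len(hb104_triggering_elements(x)) > 0)


def hb104_notice_deadline(x: Exposure) -> Optional[str]:
    """ISO date 45 days after discovery when notice is required, otherwise None."""
    if not hb104_notice_required(x) or x.discovery_date is None:
        return None
    deadline = date.fromisoformat(x.discovery_date) + timedelta(days=NOTICE_WINDOW_DAYS)
    return deadline.isoformat()


def itb_sensitive_data(x: Exposure) -> bool:
    """ITB-2007.02 classification: name plus any listed element. The bulletin slide
    states no encryption or truncation carve-out, so none is applied here."""
    return x.includes_name and any(e.kind in ITB_SENSITIVE_ELEMENTS for e in x.elements)


def classify(x: Exposure) -> dict:
    """Summary a coordinator could attach to the incident ticket."""
    return {
        "itb_sensitive": itb_sensitive_data(x),
        "hb104_notice_required": hb104_notice_required(x),
        "hb104_elements": hb104_triggering_elements(x),
        "hb104_deadline": hb104_notice_deadline(x),
    }


if __name__ == "__main__":
    # Constructed scenario: a stolen laptop held names with plaintext SSNs and
    # card numbers that were stored truncated to the last four digits.
    laptop = Exposure(
        includes_name=True,
        elements=[ExposedElement("ssn"),
                  ExposedElement("credit_card", truncated_to_last_four=True)],
        discovery_date="2007-03-01",
    )
    print(classify(laptop))
```

The point the two functions make side by side is that a record can be "sensitive data" under the bulletin (and so still reportable through the agency's process) while not triggering resident notice under HB 104, for instance when the only exposed identifier was encrypted or truncated.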

16
Governor's Memo on Wrongdoing or Illegal Activity
  • Illegal Activity includes fraud, theft, assault
    and other violations of local, state and/or
    federal law, including violations of state ethics
    laws, committed or in the process of being
    committed, by a state employee on any property
    owned or leased by the state or during the course
    of executing official duties.

17
Governor's Memo on Wrongdoing or Illegal Activity
  • Wrongdoing includes a serious act or omission,
    committed by a state employee on any property
    owned or leased by the state or during the course
    of executing official duties. Wrongdoing is
    conduct that is not in accordance with standards
    of proper governmental conduct and which tends to
    subvert the process of government, including, but
    not limited to, gross violations of departmental
    or agency policies and procedures, executive
    orders, and acts of mismanagement, serious abuses
    of time, and other serious misconduct. For
    purposes of this reporting procedure, wrongdoing
    does not include illegal or suspected illegal
    activity. Likewise, wrongdoing does not include
    activity that is most appropriately handled
    through the department's human resources
    personnel.

18
Governor's Memo on Wrongdoing or Illegal Activity
  • Procedure:
    • Any state employee that becomes aware of
      suspected non-emergency illegal activity or
      wrongdoing shall immediately notify the Director
      or the Chief Legal Counsel of the department for
      which the reporting employee works.
    • When a Director or Chief Legal Counsel of a
      department is notified or becomes aware of
      suspected or alleged illegal activity by any
      employee, the Director or the Chief Legal Counsel
      of the department shall notify the Chief Legal
      Counsel to the Governor and the Director of the
      Ohio Department of Public Safety (only for
      illegal activity).
    • Any reporting employee may also contact the
      Inspector General and file a written complaint or
      file a complaint using the Inspector General's
      anonymous hotline in the case of wrongdoing or
      non-emergency illegal activity.
    • If a Department Director and/or Chief Legal
      Counsel is suspected of illegal activity or
      wrongdoing, the Inspector General should be
      contacted directly.

19
Suggested - Incident Response Team Roles
  • Incident Coordinator
  • Program Incident Coordinator (PIC)
  • Technical Incident Contact (TIC)
  • Executive Team Contacts
  • Primary and Alternate Incident Response Contacts

20
Incident Coordinator (IC)
  • Single point of contact for overall coordination
  • Gather and communicate information about the
    incident and contact Program Incident
    Coordinators to obtain resources.
  • Assist with agency communications, archiving
    incident related documentation, and situation
    assessment
  • Communicate with the Executive Team should they
    need to be contacted.
  • Chair the post mortem meeting for closed
    incidents and be responsible for updating the
    incident ticket and ensuring that the incident is
    documented and the ticket is closed.

21
Program Incident Coordinator (PIC)
  • Primary PIC is the Program Administrator and the
    Alternate PIC is someone who can act on behalf of
    the Primary PIC.
  • This role includes being the primary or alternate
    contact for an Agency Program Area.
  • The PIC is responsible for managing and
    coordinating communications and resources within
    their program area and between their area and
    other areas.
  • The PIC may be asked to provide resources from
    their area to other areas in order to assist in
    mitigation of an incident.
  • The PIC will assess situations and respond as
    needed, archive incident related documentation,
    and participate in post mortem meetings.

22
Additional Roles
  • Technical Incident Contact (TIC): This person
    may be called by the IC or PIC to provide
    technical assistance in mitigating a critical
    incident.
  • Executive Team Contacts: The Executive Team
    Contacts will be notified by the Incident
    Coordinator on an as-needed basis depending upon
    the severity and scope of the critical incident.
  • Agency Primary and Alternate Incident Response
    Contacts (AIRC): Each cabinet-level agency has
    identified a Primary and an Alternate Incident
    Response Contact for OIT to work with in
    reporting and mitigating incidents.

23
Incident Coordinator determines if an Extended
Team needs to be assembled, which includes the
original Incident Response Team plus any of the
following
  • Legal
  • Service Manager
  • Program Area unit(s) representatives
  • Business Office
  • Communications Office
  • Policy Representative
  • Application owner
  • Impacted Customer(s).
  • Business Continuity Manager
  • Other individuals with expertise or relationship
    to the incident

24
How to Report an Incident - 1
  • Employees should inform their supervisor or other
    management about suspicious activities or unusual
    events that might indicate an incident has
    occurred or is in progress.
  • Notify the Service Manager or Incident
    Coordinator (IC) of the service affected by the
    incident.
  • Determine whether there may be alleged illegal
    activity or serious wrongdoing
  • Determine whether sensitive data is missing

25
How to Report an Incident - 2
  • The Incident Coordinator (IC) will contact the
    Agency Chief Legal Counsel regarding any alleged
    illegal activity, serious wrongdoing, or loss of
    sensitive data.
  • Agency Chief Legal Counsel is required to contact
    the Ohio Highway Patrol regarding any alleged
    illegal activity or loss of sensitive data.

26
How to Report an Incident - 3
  • When a Service Manager or Incident Coordinator
    determines that an incident has occurred or is in
    progress, they are to notify the OIT Incident
    Coordinator (OIT IC) by calling 614-644-0701 or
    800-644-0701 or sending an email to
    OCSSC@ohio.gov and logging a ticket. If the
    Service Manager or Incident Coordinator is not
    available, then a Supervisor, Manager, or employee
    discovering the incident should log the ticket.
  • If an incident, per Ohio IT Policy ITP-B.7,
    Incident Response, is logged by an agency with
    the OIT Call Center (OCSSC) that requires OIT to
    respond to a request for technical assistance for
    an incident at an agency, the OIT Incident
    Coordinator (OIT IC) will also be notified by the
    OIT Call Center (OCSSC). The OIT IC will contact
    the agency Incident Coordinator to determine what
    assistance is required.
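Slides 24 through 26 describe one escalation path with two conditional branches: the Agency Chief Legal Counsel is brought in for alleged illegal activity, serious wrongdoing, or loss of sensitive data, but the Ohio Highway Patrol is contacted only for illegal activity or data loss, not for wrongdoing alone. The following Python is an added example and not part of the presentation or any OIT tool; it turns those three slides into a routing function of the kind an incident-ticketing playbook would run, using only the contacts, phone numbers and email address printed on slide 26. The `IncidentReport` fields and the step wording are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List

# Contact details exactly as printed on slide 26.
OIT_IC_PHONES = ("614-644-0701", "800-644-0701")
OIT_IC_EMAIL = "OCSSC@ohio.gov"


@dataclass
class IncidentReport:
    """Constructed record of what the reporter / Incident Coordinator has
    determined so far (field names are this example's own)."""
    alleged_illegal_activity: bool = False
    serious_wrongdoing: bool = False
    sensitive_data_missing: bool = False
    needs_oit_technical_assistance: bool = False


def required_notifications(r: IncidentReport) -> List[str]:
    """Ordered list of notifications the slides call for, given the report."""
    steps = [
        # Slide 24: the employee reports up, and the affected service's
        # Service Manager or IC is notified for every incident.
        "Employee informs supervisor or management of the suspicious activity",
        "Notify the Service Manager or Incident Coordinator (IC) of the affected service",
    ]

    # Slide 25: the IC contacts Agency Chief Legal Counsel for any of the three conditions.
    legal_trigger = (r.alleged_illegal_activity
                     or r.serious_wrongdoing
                     or r.sensitive_data_missing)
    if legal_trigger:
        steps.append("IC contacts the Agency Chief Legal Counsel")

    # Slide 25: Chief Legal Counsel must contact the Ohio Highway Patrol for
    # alleged illegal activity or loss of sensitive data; wrongdoing alone
    # does not trigger this step.
    if r.alleged_illegal_activity or r.sensitive_data_missing:
        steps.append("Agency Chief Legal Counsel contacts the Ohio Highway Patrol")

    # Slide 26: notify the OIT IC and log a ticket with the OIT Call Center.
    steps.append(
        "Service Manager/IC notifies the OIT IC ("
        + " / ".join(OIT_IC_PHONES) + " / " + OIT_IC_EMAIL
        + ") and logs a ticket with OCSSC"
    )

    # Slide 26: when the ticket requests OIT technical assistance, OCSSC
    # notifies the OIT IC, who contacts the agency IC to scope the help needed.
    if r.needs_oit_technical_assistance:
        steps.append("OCSSC notifies the OIT IC; the OIT IC contacts the agency IC "
                     "to determine what assistance is required")
    return steps


if __name__ == "__main__":
    # Constructed scenario: sensitive data is missing and the agency wants OIT help.
    report = IncidentReport(sensitive_data_missing=True,
                            needs_oit_technical_assistance=True)
    for i, step in enumerate(required_notifications(report), 1):
        print(f"{i}. {step}")
```

Encoding the path this way makes the wrongdoing-only case explicit: it still reaches legal counsel, while the Highway Patrol step appears only when illegal activity or data loss is alleged, which is the distinction the Governor's memo and slide 25 both draw.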

27
Model Incident Management Guide
  • Customizable guide that includes:
    • How to respond to an incident
    • Critical Incident Response Flow Chart
    • Thought Starters for Determining Extended Team
    • Incident Team Contact Template
    • Template Activity Log
    • Template Containment and Communication Plan Log
    • Template Resolution Log
    • Production Incident Explanation (PIE)
    • Security Incident Response Policy Template
    • Incident Response Procedure Template
  • Online at the State of Ohio Privacy and Security
    Information Center:
    http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc

28
(No Transcript)