
Developing and Implementing a Computer Incident Response Team (CIRT)

Explore the importance and creation of a CIRT, legal and best practices requirements, business practices necessitating a CIRT, security event definition, and operating policies. Learn about CIRT authority, mission, responsibilities, and operating procedures.


Presentation Transcript


  1. Developing and Implementing a CIRT Team
     Nanette S. Poulios, CISSP, CISM
     Senior Training Consultant, Easy i

  2. Today’s Agenda
     • Why does anyone need a CIRT?
     • How do you create a CIRT?
     • What do you need to manage and train a CIRT?
     • Impediments to a successful CIRT
     • Case Studies

  3. Why Does Anyone Need a CIRT?

  4. Incidents on the Rise
     • Number of incidents reported to CERT/CC increased:
       • 21,756 in 2000
       • 52,658 in 2001
       • 82,094 in 2002
       • 137,529 in 2003 **
     ** http://www.cert.org/stats/cert_stats.html

  5. Legal and Regulatory CIRT Requirements
     • HIPAA 45 C.F.R. Part 164.308(a)(6)
     • FTC Safeguards Rule C.F.R. 314.4(b)(3)
       • “Detecting, preventing and responding to attacks, intrusions, or other systems failures”
     • OCC Safety and Soundness Standards C.F.R. Part 30 Appendix B III (c)(g)
       • “Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies”

  6. Legal and Regulatory CIRT Requirements (2)
     • GLB Act
     • Sarbanes-Oxley
     • Basel Principle 14
       • “To ensure effective response to unforeseen incidents, banks should develop: Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans”

  7. Best Practices CIRT Requirements
     • ISO 17799
     • 6.3.1 Reporting security incidents
       • “Security incidents should be reported through appropriate management channels as quickly as possible. A formal reporting procedure should be established, together with an incident response procedure, setting out the action to be taken on receipt of an incident report.”

  8. Best Practices CIRT Requirements (2)
     • 8.1.3 Incident management procedures
       • “Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents (see also 6.3.1). The following controls should be considered. a) Procedures should be established to cover all potential types of security incident, including: 1) information system failures and loss of service; 2) denial of service; 3) errors resulting from incomplete or inaccurate business data; 4) breaches of confidentiality.”

  9. Best Practices CIRT Requirements (3)
     • “The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish incident response capabilities.” *
     • Requires the agency to:
       • Select a team
       • Staff the team
       • Train the team
     * NIST Computer Security Incident Handling Guide, SP 800-61

  10. Best Practices CIRT Requirements (4)
     • OMB Circular No. A-130, Appendix III
       • “ensure that there is a capability to provide help to users when a security incident occurs in the system”

  11. Business Practices Requiring a CIRT
     • Fiduciary Responsibility
     • Liability Avoidance
     • Survivability

  12. Security Event Definition
     • Not just attacks
     • May include any negative or unexpected behavior
       • System crashes
       • Policy violations
     • Examples:
       • Denial of Service
       • Malicious Code
       • Unauthorized access
       • Inappropriate usage

  13. How Do You Create a CIRT?

  14. Authority
     • Corporate/Agency policy must provide for CIRT creation
     • Board of Directors approval is recommended
     • Top level management supports the CIRT and releases a formal statement
     • CIRT reports to upper level management, not IT

  15. Mission of the CIRT
     • Provides clear understanding of goals and objectives
     • Communicates these goals and objectives to others
     • Prevents misunderstandings in a crisis situation
     • Optional purpose statement to gain support

  16. Sample Mission Statement
     • “The objective of the CIRT is to investigate apparent intrusion attempts and report their findings in a timely manner to executive management. The CIRT provides a centralized approach to managing computer security incidents so that current incidents can be controlled as quickly as possible to avoid serious damage to XXX systems and future incidents can be prevented. Additionally, the CIRT will provide increased security awareness so that XXX’s computer systems will be better prepared and protected in the future.”

  17. Responsibilities of CIRT
     • Vary by organizational needs
     • Proactive Examples
       • Awareness programs
       • Technical publications
       • Advisories
       • Vulnerability and Penetration testing
     • Reactive
       • Incident Response
       • Malicious Code analysis
       • Liaison with law enforcement
       • Incident Post-mortem and Reporting

  18. Operating Policies and Procedures
     • CIRT should be governed by organizational and regulatory policies
       • Approved by management
     • CIRT should follow a standard operating procedure
       • Provide complete and concise documentation
       • Review periodically for updates
       • Revise after post-mortem review

  19. Team Composition
     • Core Members
       • Determine if the incident warrants further investigation
       • Categorize the security incident
       • Add support members to the investigation if necessary
     • Support Members
       • Provide needed technical expertise as required
       • Member of the team for the duration of the incident

  20. Core Members
     • IT Audit
     • IT Security
     • Corporate Security
     • Legal

  21. IT Audit Member Role
     • Ensure that best practices are followed
     • Ensure the auditability of the investigation process
     • Ensure that chain of custody procedures are followed correctly
     • Maintain accountability for all evidence collected during the investigation
     • Document investigation

  22. IT Security Member Role
     • Inform all other users that are affected by the security incident of the necessary actions to control the incident
     • Perform appropriate backtracing, forensic analysis and other technical tasks required by the investigation
     • Provide an analysis of the incident including root causes
     • Compile the final report and recommendations of the CIRT
     • Be available as an expert witness

  23. Corporate Security Member Role
     • Provide a liaison with law enforcement
     • Ensure that investigative best practices are followed
     • Contain the incident locale as appropriate
     • Manage the interview process for witnesses and suspects

  24. Legal Member Role
     • Brief other core and support members on privacy, 4th Amendment, search and seizure and wiretap issues
     • Ensure that suspects’ rights are protected appropriately
     • Act as spokesperson with the media
     • Review any press releases before they are released to the media
     • Review any management reports
     • Act as liaison with outside legal counsel

  25. Support Members
     • Platform Specialist
     • Financial Auditor
     • Fraud Examiner
     • Personnel
     • Public Information Officer/Public Relations

  26. Platform Specialist Support Role
     • Review audit logs and report any unusual or suspect activities
     • Report any unusual behaviors of the critical systems
     • Be prepared to brief the CIRT on operations procedure
     • Protect evidence of incident according to organizational guidelines and instructions of the core team

  27. Platform Specialist Support Role (2)
     • Assess and report damage to system and/or data to CIRT
     • Aid in determining the scope of the intrusion
     • Aid in identifying the point of access or the source of the intrusion
     • Make recommendations to close the source or point of access of the intrusion

  28. Financial Auditor Support Role
     • Be prepared to brief the team on financial procedures
     • Be prepared to conduct a financial audit if the core team deems it necessary for investigative reasons
     • Report findings to the CIRT
     • Follow investigative procedures as determined by the CIRT

  29. Fraud Examiner Support Role
     • Aid the core members of the CIRT in discovery and recognition of fraud
     • Follow guidelines for lawful search
     • Follow organizational and legal privacy policies/requirements
     • Aid in identifying objects and materials used to commit suspected fraud

  30. Fraud Examiner Support Role (2)
     • Preserve, using CIRT guidelines, any evidence collected until transported to CIRT
     • Transport evidence to CIRT for safekeeping until resolution of investigation
     • Report findings to the CIRT

  31. Personnel Support Role
     • Advise the core members on personnel policies and procedures
     • Make recommendations for handling sensitive employee information

  32. Public Information Officer Support Role
     • Act as a single point of contact for the media
     • Obtain legal advice before any interview or press release is given to the media
     • Obtain approval from the CIRT that any interview or press release will not interfere with the investigation
     • Inform all other affected users to refer any media inquiries to the Public Information Officer

  33. What do you need to manage a CIRT?

  34. Team Leadership
     • Management will appoint a team leader from the Core membership of the team
     • Duties will include:
       • Convene the CIRT
       • Contact the Chief Information Officer (or other designated Officer)
       • Conduct meetings of the CIRT
       • Periodically report status of investigations to the CIO
       • Manage investigations

  35. Team Leadership (2)
     • Duties continued:
       • Take responsibility for verifying chain of custody of evidence
       • Coordinate team activities
       • Appoint support members as required for particular investigations
       • Present findings to management
       • Monitor the investigation

  36. CIRT Team Responsibilities
     • The CIRT is an investigative body only
       • Does not make policy or take action following an investigation
     • The CIRT is a completely independent body
       • It receives its direction from the Chief Information Officer, but is accountable directly to the General Manager or the General Manager’s appointee

  37. CIRT Team Responsibilities (2)
     • Determining if an event constitutes an investigative security incident
     • Conducting an appropriate investigation to determine the root cause, source, nature, extent of damage and recommended response to a computer security incident
     • Preserving evidence of the incident
     • Interviewing witnesses and suspects

  38. CIRT Team Responsibilities (3)
     • Providing appropriate liaison with law enforcement and outside legal counsel
     • Managing the release of information to the media
     • Managing interaction between Human Resources and witnesses, suspects, organized labor and other appropriate interested parties
     • Preparing a report of findings, root causes, lessons learned and recommended actions for management review

  39. CIRT Team Responsibilities (4)
     • Carrying out the directions of management communicated through the Chief Information Officer
     • Containing the incident scene to prevent contamination of evidence

  40. Core Team Training Requirements
     • Legal: 4th Amendment, privacy, and lawful search issues
     • Organizational policies and procedures
     • Investigative process
     • Storing and transporting evidence according to legal guidelines
     • Vendor training on all current detection and investigative tools

  41. Core Team Training Requirements (2)
     • Collecting, preserving and analyzing evidence of a computer security incident
     • Procedures for coordinating with outside organizations such as CERT, FIRST and law enforcement
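The chain-of-custody duties given to the IT Audit member (slide 21) and the team leader (slide 35), and the evidence collection and preservation training in slides 40 and 41, rest on one practical mechanism: hash every evidence item when it is collected and again at every handover, and keep the custody record itself tamper-evident so that a later reviewer can prove nothing was altered, removed or reordered. The Python below is an added illustration of that mechanism; it is not code from the presentation or its author. The custodian names, evidence contents and timestamps are constructed for the example, and the field names are this example's own choice rather than any standard.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash recorded by the first entry in a log


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the evidence bytes, as lowercase hex (the value written on the custody form)."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of one custody entry over every field except its own entry_hash.

    Canonical JSON (sorted keys, no whitespace) makes the hash independent of
    field order, so re-verification later produces the same value.
    """
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(payload)


class CustodyLog:
    """Append-only chain-of-custody record.

    Each entry stores who handled which item, when and why, plus the hash of
    the previous entry. Editing, deleting or reordering any entry therefore
    breaks the chain and is reported by verify().
    """

    def __init__(self):
        self.entries = []

    def add_entry(self, item_id, evidence, custodian, action, timestamp):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "item_id": item_id,
            "evidence_sha256": sha256_hex(evidence),  # re-hashed at every handover
            "custodian": custodian,
            "action": action,          # e.g. "collected", "transferred", "analyzed"
            "timestamp": timestamp,    # ISO 8601, UTC
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        expected_prev = GENESIS
        for position, e in enumerate(self.entries, start=1):
            if e["seq"] != position:
                problems.append(f"entry {position}: sequence number {e['seq']} is out of order")
            if e["prev_hash"] != expected_prev:
                problems.append(f"entry {position}: prev_hash does not match the preceding entry")
            if entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {position}: recorded entry_hash does not match its contents")
            expected_prev = e["entry_hash"]
        return problems

    def collected_hash(self, item_id):
        """Hash recorded when the item was first collected, or None if never collected."""
        for e in self.entries:
            if e["item_id"] == item_id and e["action"] == "collected":
                return e["evidence_sha256"]
        return None

    def evidence_intact(self, item_id, evidence):
        """True if the bytes presented now match what was hashed at collection."""
        recorded = self.collected_hash(item_id)
        return recorded is not None and recorded == sha256_hex(evidence)


# Constructed evidence items (a short log excerpt and a copied configuration file).
EVIDENCE_ITEMS = {
    "EV-001": b"Jan 15 02:13:07 web01 sshd[4121]: Failed password for root from 10.0.0.7 port 51022\n",
    "EV-002": b"# httpd.conf (copy taken during incident)\nListen 80\nServerTokens Full\n",
}


def build_demo_log():
    """Collection by a platform specialist, handover to IT Audit, then a second item."""
    log = CustodyLog()
    log.add_entry("EV-001", EVIDENCE_ITEMS["EV-001"], "J. Doe (Platform Specialist)", "collected", "2004-01-15T03:10:00Z")
    log.add_entry("EV-001", EVIDENCE_ITEMS["EV-001"], "A. Roe (IT Audit)", "transferred", "2004-01-15T09:00:00Z")
    log.add_entry("EV-002", EVIDENCE_ITEMS["EV-002"], "J. Doe (Platform Specialist)", "collected", "2004-01-15T09:30:00Z")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("chain problems:", log.verify() or "none")
    print("EV-001 intact:", log.evidence_intact("EV-001", EVIDENCE_ITEMS["EV-001"]))
    log.entries[0]["custodian"] = "someone else"      # simulate after-the-fact editing
    print("after tampering:", log.verify())
```

A hash chain shows that the record has not changed since the chain was last extended, but anyone who can rewrite the whole file can recompute every hash. The control that makes it useful is the one slide 35 assigns to the team leader: the latest entry_hash is copied out of band (into the team leader's status report, or a signed custody form) at each verification point, so a rewritten log can be compared against that independent value.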

  42. Support Team Training Requirements
     • Legal: 4th Amendment, privacy, and lawful search issues
     • Review organizational policies and procedures
     • Investigative process
     • Storing and transporting evidence according to legal guidelines
     • Technical training on all platforms, operating systems and applications that the member is responsible for, including new technologies

  43. Continuous Training Requirements
     • Updates in tools used in their investigations
     • Updates in investigative and forensic techniques
     • Updates in appropriate technologies
     • Updates and changes in laws, regulations and internal policies that affect investigations
     • Periodic simulation drills

  44. Impediments to a Successful CIRT

  45. Impediments to a Successful CIRT
     • Lack of management support
     • Lack of procedures and policy
     • Lack of access to evidence due to outsourcing
     • Lack of event readiness within organization
     • Lack of qualified personnel
     • Lack of training

  46. Case Studies

  47. Case Studies
     • Superbowl Slammer Incident
     • Watchful Team Incident
     • Blackout Incident

  48. Questions?

  49. Resources
     • http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
     • http://www.cert.org/tech_tips/incident_reporting.html
     • http://www.sans.org/rr/papers/27/641.pdf
     • http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
     • Investigating Computer-Related Crime, CRC Press, by Peter Stephenson

  50. Contact Information
     Nanette S. Poulios, CISSP, CISM
     • Senior Training Consultant, Easy I
     • 248-705-0710 (direct)
     • 248-375-2315 (fax)
     • nan.poulios@easyi.com
     • nspoulios@comcast.net
