Improving Incident Response
Incident Response Agenda • Why Incident Response is Important • Threats, Numbers, Traditional Response • What is an Incident • State of Ohio Incident Response Guidance • Ohio HB 104 • ITP – B.7: Security Incident Response • OIT IT Bulletin No: ITB-2007.02 • Governor’s Memo on Illegal Activity & Serious Wrongdoing • Incident Response Roles • How To Report an Incident • Incident Response Management Guide
Traditional Threats • Viruses & Worms • Breaches in Acceptable Use Policy • Hacking for Fun • Fraud • Accessing Illegal Content • Website Defacement
New Threat Landscape • Criminal Involvement • Profit $ $ $ • Spyware • Botnets • DDOS Extortion • ID Theft • Intellectual Property Theft • Phishing
CYBERCRIME BY THE NUMBERS • $67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes. • $8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams. • 93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005. • 26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006. Source: USA TODAY research
The Good, The Bad, The Ugly • 82% employ a CSO, CISO, or CPO • 93% have deployed firewalls • 72% encrypt some data • 40% of organizations do NOT know how many security incidents they have experienced • 45% do NOT know what type of attacks have occurred • 69% DO NOT keep an accurate inventory of user data • 33% of all enterprises are NOT in compliance with Sarbox, HIPAA, or state privacy laws Source: CIO Magazine 2007
Cybersecurity • Traditional Focus on Prevention • Walls & Barriers • Policies • Firewalls • Anti-Virus Software • IDS • But what about response?
Traditional Response • Reactive - Leads To: • Prolonged Incidents • Muddled communications • Senior Management learns of incident late
More Security Does NOT Necessarily Mean More Secure • Failure to Plan • Loss of Constituent Trust • Tarnished Image • Prolonged Recovery Times • Disclosure of Sensitive Data • Compromised Evidence • Financial Costs • Legal Issues
Better Incident Management • Ensures Incidents are Detected, Recorded, and Managed • Planning, Coordination, and Reporting • Execution of Mitigation Strategies • Informed Outcomes • Strategic Process Improvement
What is an Incident? • Viruses • E-mail viruses • E-mail harassment • Worms • Other malicious code • Denial of service attacks • Intrusions • Stolen hardware • Stolen sensitive data • Illegal activity • Serious wrongdoing • Network or system sabotage • Website defacements • Unauthorized access to files or systems • Loss of system availability • Misuse of service, systems or information • Physical damage to computer systems, networks, or storage media
QUWY ##$@%&* We’ve Been Hacked What Now???
Ohio Law: HB 104 – Breach Notification • Applies to any state agency or entity doing business in Ohio that owns or licenses computerized data that includes personal information of a specified nature • Must give notice to any Ohio resident whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person if the access and acquisition causes or reasonably is believed will cause a material risk of identity theft or other fraud • Personal info triggering notice: Name plus • SSN & Tax ID • DL number/State ID number, or • Employer identification number • Financial account number (ex: bank account; credit or debit card) • Applies to “unencrypted, computerized” data, and where the number in question is not truncated to the last four digits • Disclose in the most expedient time possible, generally not later than 45 days following discovery of any breach of the security of the system
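The notice trigger above reduces to a small decision rule an incident coordinator can apply to each set of exposed records. The following triage helper is an added example, not part of the slide deck or any State of Ohio tool; the record fields, the element names and the material-risk flag are assumptions chosen to mirror the slide's conditions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Data elements that, paired with a name, trigger notice per the HB 104 slide.
TRIGGER_ELEMENTS = frozenset(
    {"ssn", "tax_id", "drivers_license", "state_id", "ein", "financial_account"}
)
NOTICE_WINDOW_DAYS = 45  # "generally not later than 45 days following discovery"


@dataclass
class ExposedRecordSet:
    """One batch of records believed accessed and acquired by an unauthorized person."""
    has_name: bool            # name present alongside the data elements
    elements: frozenset       # which TRIGGER_ELEMENTS were exposed (hypothetical labels)
    encrypted: bool           # HB 104 applies to "unencrypted, computerized" data only
    truncated_last4: bool     # numbers reduced to last four digits are out of scope
    discovered: date          # date the breach was discovered
    material_risk: bool       # IR/legal judgement: material risk of ID theft or fraud


def notice_required(r: ExposedRecordSet) -> bool:
    """Apply the slide's conditions in order; every one must hold for notice."""
    if not r.has_name:
        return False                       # a bare identifier is not "name plus ..."
    if not (r.elements & TRIGGER_ELEMENTS):
        return False                       # no listed data element was exposed
    if r.encrypted or r.truncated_last4:
        return False                       # outside the statute's data scope
    return r.material_risk                 # risk judgement decides the rest


def notice_deadline(discovered: date) -> date:
    """Latest notification date under the 45-day guidance."""
    return discovered + timedelta(days=NOTICE_WINDOW_DAYS)


def triage(batches: list) -> list:
    """Return (index, deadline) for each batch that requires resident notice."""
    return [(i, notice_deadline(b.discovered))
            for i, b in enumerate(batches) if notice_required(b)]
```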
State of Ohio Policy: Security Incident Response ITP-B7 Incident. A reported adverse event or group of adverse events that has proven to be a verified information technology security breach. An incident may also be an identified violation or imminent threat of violation of information technology security policies, or a threat to the security of system assets. Some examples of possible information technology security incidents are: • Loss of confidentiality of information • Compromise of integrity of information • Loss of system or service availability • Denial of service • Misuse of service, systems or information • Damage to systems from malicious code attacks such as viruses, trojan horses or logic bombs
OIT IT Bulletin No: ITB-2007.02 Sensitive Data = An individual’s last name along with • First name or first initial, • In combination with any one or more of the following data elements: • Social security number; • Driver’s license number; • State identification card number; • Financial account number; • Credit card number; • Debit card number; • EFT (Electronic Funds Transfer) number; • Taxpayer identification number; • Medical information; • Other personal information required by law to be maintained in a secure manner.
Governor’s Memo on Wrongdoing or Illegal Activity • “Illegal Activity” • includes fraud, theft, assault and other violations of local, state and/or federal law, including violations of state ethics laws, committed or in the process of being committed, by a state employee on any property owned or leased by the state or during the course of executing official duties.
Governor’s Memo on Wrongdoing or Illegal Activity • “Wrongdoing” • includes a serious act or omission, committed by a state employee on any property owned or leased by the state or during the course of executing official duties. Wrongdoing is conduct that is not in accordance with standards of proper governmental conduct and which tends to subvert the process of government, including, but not limited, to gross violations of departmental or agency policies and procedures, executive orders, and acts of mismanagement, serious abuses of time, and other serious misconduct. For purposes of this reporting procedure, wrongdoing does not include illegal or suspected illegal activity. Likewise, wrongdoing does not include activity that is most appropriately handled through the department’s human resources personnel.
Governor’s Memo on Wrongdoing or Illegal Activity • Procedure • Any state employee that becomes aware of suspected non-emergency illegal activity or wrongdoing shall immediately notify the Director or the Chief Legal Counsel of the department for which the reporting employee works. • When a Director or Chief Legal Counsel of a department is notified or becomes aware of suspected or alleged illegal activity by any employee, the Director or the Chief Legal Counsel of the department shall notify the Chief Legal Counsel to the Governor and the Director of the Ohio Department of Public Safety (only for illegal activity). • Any reporting employee may also contact the Inspector General and file a written complaint or file a complaint using the Inspector General’s anonymous hotline in the case of wrongdoing or non-emergency illegal activity. • If a Department Director and/or Chief Legal Counsel is suspected of illegal activity or wrongdoing, the Inspector General should be contacted directly.
Suggested - Incident Response Team Roles • Incident Coordinator • Program Incident Coordinator – PIC • Technical Incident Contact – TIC • Executive Team Contacts • Primary and Alternate Incident Response Contacts
Incident Coordinator – IC • Single point of contact for overall coordination • Gather and communicate information about the incident and contact Program Incident Coordinators to obtain resources. • Assist with agency communications, archiving incident related documentation, and situation assessment • Communicate with the Executive Team should they need to be contacted. • Chair the post mortem meeting for closed incidents and be responsible for updating the incident ticket and ensuring that the incident is documented and the ticket is closed.
Program Incident Coordinator – PIC • Primary PIC is the Program Administrator and the Alternate PIC is someone who can act on behalf of the Primary PIC. • This role includes being the primary or alternate contact for an Agency Program Area. • The PIC is responsible for managing and coordinating communications and resources within their program area and between their area and other areas. • The PIC may be asked to provide resources from their area to other areas in order to assist in mitigation of an incident. • The PIC will assess situations and respond as needed, archive incident related documentation, and participate in post mortem meetings.
Additional Roles • Technical Incident Contact – TIC – This person may be called by the IC or PIC to provide technical assistance in mitigating a critical incident. • Executive Team Contacts – The Executive Team Contacts will be notified by the Incident Coordinator on an as-needed basis depending upon the severity and scope of the critical incident. • Agency Primary and Alternate Incident Response Contacts – AIRC – Each cabinet-level agency has identified a Primary and an Alternate Incident Response Contact for OIT to work with in reporting and mitigating incidents.
Incident Coordinator determines if an Extended Team needs to be assembled, which includes the original Incident Response Team plus any of the following: • Legal • Service Manager • Program Area unit(s) representatives • Business Office • Communications Office • Policy Representative • Application owner • Impacted Customer(s) • Business Continuity Manager • Other individuals with expertise or relationship to the incident
How to Report an Incident - 1 • Employees should inform their supervisor or other management about suspicious activities or unusual events that might indicate an incident has occurred or is in progress. • Notify the Service Manager or Incident Coordinator (IC) of the service affected by the incident. • Determine whether there may be alleged illegal activity or serious wrongdoing • Determine whether sensitive data is missing
How to Report an Incident - 2 • The Incident Coordinator (IC) will contact the Agency Chief Legal Counsel regarding any alleged illegal activity, serious wrongdoing, or loss of sensitive data. • Agency Chief Legal Counsel is required to contact the Ohio Highway Patrol regarding any alleged illegal activity or loss of sensitive data.
How to Report an Incident - 3 • When a Service Manager or Incident Coordinator determines that an incident has occurred or is in progress, they are to notify the OIT Incident Coordinator (OIT IC) by calling 614-644-0701 or 800-644-0701 or sending an email to OCSSC@ohio.gov and logging a ticket. If the Service Manager or Incident Coordinator is not available then a Supervisor, Manager, or employee discovering the incident should log the ticket. • If an incident, per Ohio IT Policy ITP-B.7, Incident Response, is logged by an agency with the OIT Call Center (OCSSC) that requires OIT to respond to a request for technical assistance for an incident at an agency, the OIT Incident Coordinator (OIT IC) will also be notified by the OIT Call Center (OCSSC). The OIT IC will contact the agency Incident Coordinator to determine what assistance is required.
Model Incident Management Guide Customizable guide that includes: • How to respond to an incident • Critical Incident Response Flow Chart • Thought Starters for Determining Extended Team • Incident Team Contact Template • Template Activity Log • Template Containment and Communication Plan Log • Template Resolution Log • Production Incident Explanation (PIE) • Security Incident Response Policy Template • Incident Response Procedure Template Online at the State of Ohio Privacy & Security Information Center: • http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc