2015 TCPA WASHINGTON SUMMIT | SEPT. 27TH-29TH | WASHINGTON DC The Anatomy of a Breach Phillip Naples, Pritchard & Jerden, Inc. Jeremy Henley, ID Experts.
Presentation transcript:

The Anatomy of a Breach
2015 TCPA Washington Summit | Sept. 27th-29th | Washington DC
Phillip Naples, Pritchard & Jerden, Inc.; Jeremy Henley, ID Experts; Greg Sparrow, CompliancePoint

Agenda
1. Exposure
2. Breach Case Study
3. Best Practices

Defining the Exposure: What is my Risk?
1. Data / Electronic Funds
2. Revenue / Customers
3. Regulations / Compliance
4. Reputation

Calculating the Exposure: Quantification of Risk
- Industry type
- Data type collected by the organization
- Market size
- Competitors
- Preparation for a breach

Breach: A Case Study
Attack facts:
- Payment aggregator/gateway
- 1 million card accounts compromised
- Attacker in environment since 2009
- Discovered in

Breach: Secure Architecture

Breach: Initial Attack Vector
1. Attacked a public-facing web server through a known vulnerability in the web application server
2. Pivoted into the backup server
3. Used the backup server to reach the database and application servers

Breach: Packet Captures

Breach: Containment
- Began egress packet capture to create a baseline signature
- Implemented ACLs to remove backup server connectivity
- Implemented ACLs for egress traffic
- Reset user and service account credentials
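The first three containment steps above amount to one check: learn what egress normally looks like, then flag anything the backup server does and any outbound flow outside the baseline. The script below is an added illustration of that check, not code from the presenters or the case-study organization; the addresses, ports and byte counts are constructed sample flow summaries.

```python
# Added example (not from the presentation): derive an egress baseline from
# flow summaries, then flag flows that the containment ACLs should have cut off.
# Every host, port and byte count below is constructed sample data.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # constructed internal address range
BACKUP_SERVER = ip_address("10.0.5.20")    # constructed: the host the ACLs isolate

# Flow summary records: (src, dst, dst_port, bytes). Constructed baseline window.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.30", 443, 12000),     # internal only, not egress
    ("10.0.1.10", "203.0.113.8", 443, 8000),    # known vendor API
    ("10.0.1.11", "203.0.113.8", 443, 9000),
    ("10.0.1.11", "198.51.100.5", 53, 300),     # upstream DNS
]

# Constructed observation window captured after containment started.
OBSERVED_FLOWS = [
    ("10.0.1.10", "203.0.113.8", 443, 11000),
    ("10.0.5.20", "192.0.2.77", 443, 5_000_000),  # backup server to a new external host
    ("10.0.1.11", "198.51.100.5", 53, 250),
    ("10.0.2.30", "192.0.2.77", 8443, 700),       # destination/port pair never baselined
]

def is_egress(src, dst):
    return ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL

def build_baseline(flows):
    """Set of (dst, dst_port) pairs that left the network during the baseline window."""
    return {(dst, port) for (src, dst, port, _) in flows if is_egress(src, dst)}

def flag_flows(flows, baseline, max_bytes=1_000_000):
    """Return (reason, flow) pairs: backup-server ACL violations, egress to
    destinations outside the baseline, and unusually large egress transfers."""
    findings = []
    for flow in flows:
        src, dst, port, nbytes = flow
        if BACKUP_SERVER in (ip_address(src), ip_address(dst)):
            findings.append(("backup-server-acl", flow))
        if not is_egress(src, dst):
            continue
        if (dst, port) not in baseline:
            findings.append(("unknown-egress", flow))
        if nbytes > max_bytes:
            findings.append(("large-egress", flow))
    return findings

if __name__ == "__main__":
    for reason, flow in flag_flows(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{reason:18} {flow}")
```

In practice the flow records would come from the egress capture (or NetFlow/IPFIX export) rather than a literal list, and the ACL check is the verification that the containment rule actually took effect.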

Breach: Eradication
- Applied robust system hardening to all servers
- Removed the backup server
- Removed the web servers and replaced them with hardened web servers
- Implemented application whitelisting
- Started from a known-good state for all server rebuilds
- Deployed jump servers within the management segment
- Performed an application security assessment
- Deployed more robust logging, aggregation and event correlation

Best Practices: Life Cycle

Incident Response: Preparation
Define governance policies:
- Address strategy, goals and requirements
- Communication policy
- Escalation and handling procedures
- Incident response team/strategy
- 3rd-party involvement and law enforcement
- Log retention policies and procedures
- Establish system baselines and profiles
- Insurance coverage

Incident Response: Incident Response Team
Define policies and procedures for the following:
- Roles and responsibilities
- Escalation path
- Prioritization of events
- Identify team members
- Documentation templates
- Access privileges
- Training & tools

Incident Response: Incident Response Team (cont.)

Incident Response: Detection
The detection process should include the following:
- Identification of attack vector(s)
- Determine the scope of the breach
- Identify signatures of an incident:
  - Multiple sources of information
  - Volume of suspicious behavior
  - Precursors:
    - Vulnerability scans/port sweeps
    - New exploit
    - External threats

Incident Response: Detection (cont.)
Identify the signs of an incident. Indicators:
- IDS/IPS alerts
- Anti-virus
- Unauthorized or unusual file changes
- Unscheduled system configuration changes
- Repeated failed login attempts
- Network traffic flow
- Deep technical knowledge
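One of the indicators above, repeated failed login attempts, is simple enough to show as detection logic. The script below is an added example rather than anything from the presentation; it runs over constructed sshd-style auth log lines (hostnames, addresses and timestamps are made up) and also records the case worth escalating first: a success from the same source right after the burst.

```python
# Added example (not from the presentation): flag sources with repeated failed
# logins inside a time window, using constructed OpenSSH-style auth log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log excerpt; format mimics OpenSSH authentication logging.
SAMPLE_LOG = """\
Sep 28 10:00:01 web01 sshd[2001]: Failed password for root from 192.0.2.9 port 50001 ssh2
Sep 28 10:00:03 web01 sshd[2002]: Failed password for root from 192.0.2.9 port 50002 ssh2
Sep 28 10:00:04 web01 sshd[2003]: Failed password for admin from 192.0.2.9 port 50003 ssh2
Sep 28 10:00:06 web01 sshd[2004]: Failed password for admin from 192.0.2.9 port 50004 ssh2
Sep 28 10:00:09 web01 sshd[2005]: Failed password for invalid user test from 192.0.2.9 port 50005 ssh2
Sep 28 10:00:12 web01 sshd[2006]: Accepted password for admin from 192.0.2.9 port 50006 ssh2
Sep 28 10:05:00 web01 sshd[2010]: Failed password for alice from 10.0.1.50 port 40001 ssh2
Sep 28 10:05:30 web01 sshd[2011]: Accepted publickey for alice from 10.0.1.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(lines, year=2015):
    """Yield (timestamp, result, user, ip) for each line the pattern recognises."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert on IPs with >= threshold failures inside `window`; note a later
    success from that IP (the alert to escalate first)."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(failures[ip]), "success_after": None}
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user
    return alerts

if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG.splitlines()))
```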

Incident Response: Analysis
Create a system profile or baseline:
- Run file integrity checks and compare them with the baseline
- Monitor network bandwidth
- Understand normal system behavior, so that abnormal behavior stands out
- Review logs and security alerts
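The first item above, comparing file integrity checks against a baseline, is shown below as an added example (not code from the presentation): a SHA-256 snapshot of a directory tree, a comparison that classifies paths as added, removed or modified, and a constructed web root that is baselined and then altered inside a temporary directory.

```python
# Added example (not from the presentation): a minimal file-integrity baseline
# and comparison. Paths and file contents are constructed in a temp directory.
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root (POSIX relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Baseline a constructed web root, then change it the way an analyst would
    expect to see after an intrusion: a replaced binary, a new file, a deleted page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"original binary")
        (root / "index.html").write_text("<html>hello</html>")
        baseline = snapshot(root)          # taken from the known-good state
        (root / "bin" / "app").write_bytes(b"replaced binary")
        (root / "bin" / "helper").write_bytes(b"new file")   # harmless placeholder
        (root / "index.html").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The baseline only has value if it was taken from the known-good state the Recovery slide refers to and is stored where a compromised host cannot rewrite it.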

Incident Response: Analysis (cont.)
- Determine what you know and what you don't know (don't assume)
- Multiple sources of information
- False alarms vs. a real breach
- Timely notification
- Allocate resources and time for analysis
- Communication and coordination of the team

Incident Response: Containment
- Short-term containment vs. long-term solution
- Limit the damage
  - Can the problem be isolated?
  - Can affected systems be separated from non-affected systems?
- Stop the spread
- Preserve evidence
  - Forensic imaging

Incident Response: Eradication
- Clearly understand the scope and extent of affected systems
- Document a plan of attack for removal of these systems
  - Network
  - Host
  - Application

Incident Response: Recovery
- Bring systems and services back online in production
- Start from a known-good state
- Restore data from backup
- Implement controls to test and verify system state

Incident Response: Notification
Is notification required?
- Likely risk of harm
  - Nature of the data elements
  - Number of records/individuals affected
  - Accessibility and usability
  - Likelihood of harm
  - Ability to mitigate risk
- Statutory notification requirements
  - Identify legal jurisdictions involved
  - Identify statutes triggered

Incident Response: Notification (cont.)
Timelines for notification
- Dependent on the type of data breached
  - PII
  - PCI
  - PHI
- Notification without unreasonable delay
- Law enforcement may require delay

Incident Response: Notification (cont.)
Source for notification
- Senior member of management or executive
- Organizational awareness
Contents of notification
- Describe what happened
- Types of information breached
- Steps to protect affected parties
- What you are doing
- Who to contact for more info
Means of notification
- Telephone
- First-class mail

Best Practices
- Organizing a simulated incident
- Who should be involved
- How it should be run
- Closing the gaps discovered

Post-Breach Response: Response Process
1. Discovery
2. Analysis
3. Formulate a specific plan
4. Responding

Thank you