Identifying and Responding to Security Incidents in the Law Firm

Identifying and Responding to Security Incidents in the Law Firm
Presented by: Carlos Batista, Information Security Manager, Alston & Bird LLP

Learning Objectives
- Understand how one law firm developed and enacted a formal Computer Incident Response Team (CIRT)
- Identify key stakeholders in Incident Response
- Identify the most likely scenarios for a computer security breach
- Define a methodology and establish measures for how to respond to such breaches

About Alston & Bird
- National, Full-Service Law Firm
- 725 Attorneys, 5 U.S. Offices
- 240 Servers & 2,100 Desktops
- Almost all IT & Security Services Hosted In-House
- 25% of Servers Virtualized

The Benefits of a Computer Incident Response Team (CIRT)
- Proactive approach to responding to a security breach
- Better prepared to collect & analyze forensic-quality evidence
- Less downtime for impacted / breached & un-impacted systems
- Firm's reputation is better preserved by following proper containment strategies

#1 Key to CIRT Planning & Success: Senior Management Support!

How to Form a CIRT – Key Players
Core Team:
- Information Security Manager (CIRT Team Leader)
- IT Infrastructure Manager
- Director of I.T.
- Information Security Analyst
- Facilities Manager
Support Team:
- Finance Manager
- BC / DR Representative
- H.R. Representative
- Business Development / Public Relations
- Attorney / Loss Prevention
- C.I.O.

Identify Likely Breach Scenarios
There are many security breach scenarios; you need to narrow them down to a few and address how to respond to those. We chose to develop responses to four scenarios:
- Significant Computer or Network Equipment Theft
- Compromise of Firm's Website
- Virus or Worm Outbreak on the Network
- Unauthorized Disclosure by Electronic Means

Identify a Methodology for Responding
Response scenarios are typically easier to devise when an overall strategy or methodology is followed. We chose the PDCERF model (Schultz & Shumway) for incident response.

PDCERF Methodology Defined
- Preparation – Being ready to respond before an incident actually occurs.
- Detection – Determining that something malicious has actually occurred.
- Containment – Limiting the extent of an incident, preventing further damage from occurring.
- Eradication – Finding and eliminating the root cause or causes that made the incident possible.
- Recovery – Restoring the environment to its pre-incident state, but protected so the incident cannot reoccur.
- Follow-Up – Reviewing and integrating "lessons learned" into your incident response plans and security operations.

Scenario #2 – Compromise of Firm’s Website

Preparation
- Determined Incident Response Posture & Obtained Approval
- Configured FW, IDS/IPS Optimally for Attack Detection
- Configured Web Server & Database Logging
- Created Known-Good System Backups with MD5 Hashes
- Synchronized Network Time across All Devices
- Established Relationship with InfraGard (FBI)
- Created CIRT Calling Tree
- Created "Maintenance" Website
- Built Documentation on CIRT Framework and Cutover Procedures
- Prepared to Record Everything During an Incident (Timeline)

Detection
- Interfaced with Support Groups / Help Center to Define a Notification Plan
- Defined SLAs for Initial Response, First Meeting, and Incident Updates to Management
- Defined Procedures for Initial Evidence Gathering
- Created Secure Repository for All Digital Evidence
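The Preparation slide's "Configured Web Server & Database Logging" and "Synchronized Network Time across All Devices", together with the syslog server listed under CIRT Next Steps, are what make the Detection and Follow-Up timeline possible: when every device logs to one place and every clock agrees, the analyst can merge the records into a single ordered account of the incident. The script below is an added example, not tooling from the presentation or the firm. Its log lines, host names, addresses (RFC 5737 documentation ranges), the year 2004 and the clock offsets are all constructed; it shows how one unsynchronized clock (here, the IDS host) reorders events and how a measured skew is corrected for.

```python
"""Merge centrally collected syslog lines into one incident timeline.

Added example, not tooling from the presentation or the firm. The log lines,
host names, addresses (RFC 5737 documentation ranges), year and clock offsets
are constructed. Two preparation items from the slides are what make this
work: every device logs to one place, and every device's clock is synchronized
(or, failing that, its measured skew is known so the analyst can correct it).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# RFC 3164-style lines as a central syslog server would store them (constructed).
SAMPLE_LOGS = [
    "Mar  2 10:14:30 ids01 snort: [1:2000:1] Web application attack 203.0.113.7 -> 192.0.2.10",
    "Mar  2 10:15:02 fw01 kernel: DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22",
    "Mar  2 10:15:40 web01 httpd: 203.0.113.7 - - \"GET /admin.php HTTP/1.1\" 404",
    "Mar  2 10:15:50 web01 cron: session opened for user www-data",
    "Mar  2 10:16:05 web01 httpd: 203.0.113.7 - - \"POST /upload.php HTTP/1.1\" 200",
    "Mar  2 10:16:20 web01 sshd: Accepted password for admin from 203.0.113.7 port 50022",
]

# Measured offset of each host's clock from the NTP reference, in seconds
# (constructed): positive means the host's clock runs fast. ids01 was found
# 100 s slow, so its events really happened 100 s later than logged.
CLOCK_SKEW_SECONDS = {"ids01": -100}

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Event:
    ts: datetime      # corrected to the reference clock
    host: str
    prog: str
    msg: str
    ips: frozenset    # IPv4 addresses mentioned in the message


def parse_line(line: str, year: int, skew: dict) -> Optional[Event]:
    """Parse one syslog line; RFC 3164 omits the year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    logged = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    corrected = logged - timedelta(seconds=skew.get(m["host"], 0))
    return Event(corrected, m["host"], m["prog"], m["msg"], frozenset(IPV4_RE.findall(m["msg"])))


def build_timeline(lines, year: int, skew: dict) -> list:
    """Parse all lines, drop unparseable ones, and order by corrected time."""
    events = [e for e in (parse_line(line, year, skew) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e.ts)  # stable sort: equal timestamps keep input order


def events_for(timeline: list, ip: str) -> list:
    """Every event in which the given address appears, in corrected time order."""
    return [e for e in timeline if ip in e.ips]


def render(timeline: list) -> str:
    """One line per event, suitable for pasting into the incident record."""
    return "\n".join(f"{e.ts:%Y-%m-%d %H:%M:%S}  {e.host:<6} {e.prog:<7} {e.msg}" for e in timeline)


if __name__ == "__main__":
    print("As logged (uncorrected):")
    print(render(build_timeline(SAMPLE_LOGS, 2004, {})))
    print("\nCorrected for measured clock skew:")
    print(render(build_timeline(SAMPLE_LOGS, 2004, CLOCK_SKEW_SECONDS)))
```

Run uncorrected, the IDS alert appears to precede the firewall deny and the web requests; once the 100-second skew is applied it falls between the upload and the login, which is the order a responder needs when deciding what the alert actually relates to. The cleaner fix is the one the slides name, keeping every clock synchronized, so that no correction table is needed at all.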

Containment
- VMware Guest Machines for Website Paused
- VMware Files Copied to a Forensic Server
- Impacted Hosts Segmented from Rest of Network
- Full Disclosure Kept Strictly Confidential
- Help Center Instructed to Inform Others Website Is Experiencing "Technical Difficulties"
- External Parties Not Contacted (Not Currently)

Eradication
- Depends Largely on the Determined Root Cause
- May Involve Software Updates, Software Removal, Configuration Changes, Better Change Control, Operational Security, Physical Security, etc.
- Changes Tested in QA / Development Environment as Much as Possible

Recovery
- All Impacted Systems Are Flattened and Rebuilt
- Rebuilds Performed from Certified Known-Good Backup (MD5)
- Procedures Developed for Rebuild to Minimize Possibility of Breach Reoccurring
- Mitigations to Address Root Cause of Breach Implemented
- Validation Testing Performed
- Access to Fully Operational Website Re-enabled
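The Preparation slide's "Created Known-Good System Backups with MD5 Hashes" and the Recovery slide's "Rebuilds Performed from Certified Known-Good Backup (MD5)" are two halves of one control: hash the backup when it is certified, then prove a rebuilt host matches it file for file before putting it back in service. The script below is an added example, not tooling from the presentation or the firm, and the directory layout, file names and contents it uses are constructed. It computes MD5 for parity with the slides' baseline and records SHA-256 alongside it, since MD5 is no longer collision-resistant and a baseline carrying only MD5 should not be relied on against a deliberate forgery.

```python
"""Certify a known-good backup tree by file hash and verify a rebuild against it.

Added example, not tooling from the presentation or the firm. The directory
layout, file names and contents below are constructed for the demonstration.
MD5 is computed because the slides' baseline records MD5, but SHA-256 is
recorded alongside it: MD5 is no longer collision-resistant.
"""
import hashlib
import json
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: Path) -> dict:
    """Return {algorithm: hexdigest} for one file, streaming it in 64 KiB chunks."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with a saved baseline.

    Returns {"modified": [...], "missing": [...], "added": [...]}. All three
    lists empty means the tree matches the certified known-good state exactly.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def save_baseline(baseline: dict, out: Path) -> None:
    """Persist the baseline as JSON; keep it off the host it describes."""
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: certify a tiny web root, alter it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "inc").mkdir(parents=True)
        (root / "index.html").write_text("<html>firm site</html>")
        (root / "inc" / "config.php").write_text("<?php $db = 'prod'; ?>")
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulate what verification is meant to catch after an incident:
        # one page altered, one include removed, one file never in the baseline.
        (root / "index.html").write_text("<html>altered</html>")
        (root / "inc" / "config.php").unlink()
        (root / "unexpected.php").write_text("<?php /* not in baseline */ ?>")

        return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In use, build_baseline runs once against the certified backup and its JSON output is stored in the secure evidence repository rather than on the web server; verify then runs against the rebuilt host, and any non-empty list blocks the "Access to Fully Operational Website Re-enabled" step. The same comparison is what a scheduled integrity checker such as the Tripwire evaluation on the Next Steps slide performs continuously.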

Follow-Up
Post-Mortem Meetings to Review the Following:
- Timeline
- Response Time
- Recovery Procedures
- Evidence Gathered
- Investigatory Next Steps (If Applicable)
- Parties Involved – Should Others Be Brought In?
- Disposition of Evidence
- What Can Be Done Better?
- Update Scenario Response Plan

CIRT – Next Steps
- Continue Working on Scenarios – Incident Response Is a Process, Not a Project
- Implement Syslog Server
- Investigate Using Tripwire for Integrity Checks
- Integrate AlertFind into CIRT Procedures
- Actively Test Scenarios – Challenging Because Downtime Is Required

References
- Schultz & Shumway: Incident Response – A Strategic Guide to Handling System and Network Security Breaches.
- Mandia, Prosise & Pepe: Incident Response & Computer Forensics (2nd Edition).
- SANS Institute (sans.org)

"In God we trust…all others we virus scan." – Anonymous
Questions / Comments?