
2015 TCPA WASHINGTON SUMMIT | SEPT. 27TH-29TH | WASHINGTON DC
The Anatomy of a Breach
Phillip Naples, Pritchard & Jerden, Inc.
Jeremy Henley, ID Experts


Slide 1: The Anatomy of a Breach
Presenters: Phillip Naples, Pritchard & Jerden, Inc.; Jeremy Henley, ID Experts; Greg Sparrow, CompliancePoint

Slide 2: Agenda
1. Exposure
2. Breach Case Study
3. Best Practices

Slide 3: Defining the Exposure
What is my risk?
1. Data / Electronic Funds
2. Revenue / Customers
3. Regulations / Compliance
4. Reputation

Slide 4: Calculating the Exposure
Quantification of risk:
- Industry type
- Data type collected by the organization
- Market size
- Competitors
- Preparation for a breach

Slide 5: Breach: A Case Study
Attack facts:
- Payment aggregator/gateway
- 1 million card accounts compromised
- Attacker in environment since 2009
- Discovered in 2014

Slide 6: Breach: Secure Architecture (no slide text captured)

Slide 7: Breach: Initial Attack Vector
1. Attacked a public-facing web server through a known vulnerability in its web application server
2. Pivoted into the backup server
3. Used the backup server to reach the database and application servers

Slide 8: Breach: Packet Captures (no slide text captured)

Slide 9: Breach: Containment
- Began egress packet capture to create a baseline signature
- Implemented ACLs to remove backup server connectivity
- Implemented ACLs for egress traffic
- Reset user and service account credentials

Slide 10: Breach: Eradication
- Applied robust system hardening to all servers
- Removed the backup server
- Removed web servers and replaced them with hardened web servers
- Implemented application whitelisting
- Started from a known good state for all server rebuilds
- Deployed jump servers within the management segment
- Performed an application security assessment
- Deployed more robust logging, aggregation and event correlation

Slide 11: Best Practices Life Cycle (no slide text captured)

Slide 12: Incident Response: Preparation
Define governance policies:
- Address strategy, goals and requirements
- Communication policy
- Escalation and handling procedures
- Incident response team/strategy
- 3rd-party involvement and law enforcement
- Log retention policies and procedures
- Establish system baselines and profiles
- Insurance coverage

Slide 13: Incident Response: Incident Response Team
Define policies and procedures for the following:
- Roles and responsibilities
- Escalation path
- Prioritization of events
- Identify team members
- Documentation templates
- Access privileges
- Training and tools

Slide 14: Incident Response: Incident Response Team (no slide text captured)

Slide 15: Incident Response: Detection
The detection process should include the following:
- Identification of attack vector(s)
- Determine the scope of the breach
- Identify signatures of an incident:
  - Multiple sources of information
  - Volume of suspicious behavior
  - Precursors: vulnerability scans/port sweeps, new exploits, external threats

Slide 16: Incident Response: Detection (cont.)
Identify the signs of an incident. Indicators:
- IDS/IPS alerts
- Anti-virus
- Unauthorized or unusual file changes
- Unscheduled system configuration changes
- Repeated failed login attempts
- Network traffic flow
- Deep technical knowledge
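The "repeated failed login attempts" indicator above, turned into detection logic that runs over authentication log lines. This is an added example, not material from the deck: the sshd-style log lines are constructed (documentation address ranges), and the host name, year, threshold and window size are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd-style auth lines; syslog timestamps carry no year, so one is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample using documentation address ranges (not real traffic).
SAMPLE_LOG = """\
Sep 28 10:00:01 gw sshd[4100]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Sep 28 10:00:03 gw sshd[4101]: Failed password for root from 203.0.113.5 port 4243 ssh2
Sep 28 10:00:04 gw sshd[4102]: Accepted publickey for ops from 198.51.100.7 port 5000 ssh2
Sep 28 10:00:05 gw sshd[4103]: Failed password for root from 203.0.113.5 port 4244 ssh2
Sep 28 10:00:06 gw sshd[4104]: Failed password for invalid user test from 203.0.113.5 port 4245 ssh2
Sep 28 10:00:07 gw sshd[4105]: Failed password for ops from 198.51.100.7 port 5001 ssh2
Sep 28 10:09:59 gw sshd[4106]: Failed password for root from 203.0.113.5 port 4246 ssh2
Sep 28 10:30:00 gw sshd[4107]: Failed password for root from 203.0.113.5 port 4247 ssh2
"""


def parse_failures(log: str, year: int = 2015):
    """Yield (timestamp, source_ip, user) for each failed-password line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect_repeated_failures(log: str, threshold: int = 4, window_minutes: int = 10) -> list:
    """Return one (ip, first_seen, last_seen, count) alert per source that
    accumulates `threshold` failures inside a sliding time window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    alerts, alerted = [], set()
    for ts, ip, _user in parse_failures(log):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, q[0], ts, len(q)))
    return alerts
```

With the defaults, 203.0.113.5 trips the rule on its fourth failure inside ten minutes while the single failure from 198.51.100.7 does not, which is the "volume of suspicious behavior" distinction the previous slide asks for.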

Slide 17: Incident Response: Analysis
Create a system profile or baseline:
- Run file integrity checks and compare them with the baseline
- Monitor network bandwidth
- Understand normal system behavior so that abnormal behavior stands out
- Review logs and security alerts

Slide 18: Incident Response: Analysis (cont.)
- Determine what you know and what you don't know (don't assume)
- Multiple sources of information
- False alarms vs. a real breach
- Timely notification
- Allocate resources and time for analysis
- Communication and coordination of the team

Slide 19: Incident Response: Containment
- Short-term containment vs. long-term solution
- Limit the damage:
  - Can the problem be isolated?
  - Can affected systems be separated from non-affected systems?
- Stop the spread
- Preserve evidence:
  - Forensic imaging

Slide 20: Incident Response: Eradication
- Clearly understand the scope and extent of affected systems
- Document a plan of attack for removal of these systems:
  - Network
  - Host
  - Application

Slide 21: Incident Response: Recovery
- Bring systems and services back online in production
- Start from a known good state
- Restore data from backup
- Implement controls to test and verify system state

Slide 22: Incident Response: Notification
Is notification required?
- Likely risk of harm:
  - Nature of the data elements
  - Number of records/individuals affected
  - Accessibility and usability
  - Likelihood of harm
  - Ability to mitigate risk
- Statutory notification requirements:
  - Identify legal jurisdictions involved
  - Identify statutes triggered

Slide 23: Incident Response: Notification (cont.)
Timelines for notification:
- Dependent on the type of data breached (PII, PCI, PHI)
- Notification without unreasonable delay
- Law enforcement may require a delay

Slide 24: Incident Response: Notification (cont.)
Source of notification:
- Senior member of management or an executive
- Organizational awareness
Contents of notification:
- Describe what happened
- Types of information breached
- Steps to protect affected parties
- What you are doing
- Who to contact for more information
Means of notification:
- Telephone
- First-class mail
- E-mail

Slide 25: Best Practices
Organizing a simulated incident:
- Who should be involved
- How it should be run
- Closing the gaps discovered

Slide 26: Post-Breach Response
Response process:
1. Discovery
2. Analysis
3. Formulate specific plan
4. Responding

Slide 27: Thank you.

