This presentation has been delivered by Michael C. Redmond at the PECB Insights Conference 2017.

1. PECB Standards Insights Conference
Cyber Security Incident
Response Planning
www.pecb.com Standards, Security, and Audit

2. Michael C. Redmond
Lead Strategic Consultant at EFPR Group
United States
Michael C. Redmond is Lead Strategic Consultant, IT Consulting and
Audit, EFPR Group. She consults and audits in the areas of
Cyber/Information Security, Organizational Resilience, Business
Continuity, Disaster Recovery, High Availability, HIPAA, and ISO.
Some of her past clients include Fidelity, JP Morgan Chase, Emblem
Health. Excellus Blue Cross and many more.
Contact Information
585 340 5187
mredmond@efprgrpup.com
www.efprgroup.com
https://www.linkedin.com/in/michaelredmond2008
twitter.com/ @msmredmond
fb.com/redmondworldwide

3. 3
Education and Certifications
Dr. Michael C. Redmond, PhD
Degrees:
 MBA PhD
Certified as Lead Implementer:
 ISO/IEC 27001 Information Security Management
 ISO/IEC 27032 Lead Cyber Security Manager
 ISO/IEC 27035 Security Incident Response
 ISO/IEC 22301 Business Continuity Management Systems
 ISO/IEC 21500 Lead Project Manager
 ISO/IEC 41001 Environmental Management
 ISO 31000 Risk Management
Certified Implementer – Foundation:
 ISO 22316 Resiliency Management
 ISO 22320 Emergency Management
Certified as Lead Auditor:
 ISO/IEC 27001 Information Security Management
 ISO/IEC 22301 Business Continuity Management Systems
 ISO/IEC 41001 Environmental Management
Other Certifications:
 Master Business Continuity Planning (Disaster Recovery Institute) – MBCP
 Master Business Continuity Planning (Business Continuity Institute) – FBCI
 Certified Emergency Manager – CEM
 Certified Project Manager – PMP
 Certified Trainer PECB

4. 4
Attacks Are Not IF But WHEN
Many large companies are getting
hacked: Anthem, Sony, and Target to
name just a few.
The number of data breaches
reported increased 40% in 2016
Measures against these types of
security incidents are on the rise in
companies.

5. 5
History
LET’S REMEMBER

6. 6
Attacks Are Not IF But WHEN
Many large companies are getting hacked: Anthem, Sony,
and Target to name just a few.
The number of data breaches reported increased
40% in 2016
Measures against these types of security incidents
are on the rise in companies.

7. 7
Massive Cyber Attack hit 104 Countries
May 2017 WannaCry
 New family of ransomware called WannaCry has infected over
140,000 computers worldwide. This piece of ransomware is based
on a zero-day exploit that helps it jump from one infected computer
to another and encrypt all the information stored on it.
 A little background information about this new threat: Unlike other
ransomware families, the WannaCry strain does not spread via
infected e-mails or infected links. Instead, it takes advantage of a
security hole in most Windows versions to automatically execute
itself on the victim PC.
 According to various reports, this attack avenue has been developed
by the National Security Agency (NSA) in the US as a cyber-weapon
and it was leaked to the public earlier in April along with other
classified data allegedly stolen from the agency.
 A number of hospitals, telecom companies, gas and utilities plants
suffered massive disruptions caused by data being held at ransom.

8. 8
How It Was Stopped
 LONDON (AP) -- The cyberattack that spread malicious software around the
world, shutting down networks at hospitals, banks and government agencies,
was thwarted by a young British researcher and an inexpensive domain
registration, with help from another 20-something security engineer in the U.S.
 Britain's National Cyber Security Center and others were hailing the
cybersecurity researcher, a 22-year-old identified online only as MalwareTech,
who — unintentionally at first — discovered a so-called "kill switch" that halted
the unprecedented outbreak.
 By then the "ransomware" attack had crippled Britain's hospital network and
computer systems in several countries in an effort to extort money from
computer users. But the researcher's actions may have saved companies and
governments millions of dollars and slowed the outbreak before computers in
the U.S. were more widely affected.
 MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large
global cybersecurity community who are constantly watching for attacks and
working together to stop or prevent them, often sharing information via Twitter.
It's not uncommon for them to use aliases, either to protect themselves from
retaliatory attacks or for privacy.

9. 9
Feb 2017 Arby's Hit With (Point of Sale)
POS Breach, 1,100 Stores Possibly Affected
 Arby's issued a statement saying its payment card system was compromised at
an unspecified time, but that the incident has been contained and the malware
eliminated from the systems at the impacted restaurants.
 “Arby's Restaurant Group, Inc. (ARG) was recently provided with information
that prompted it to launch an investigation of its payment card systems. Upon
learning of the incident, ARG immediately notified law enforcement and enlisted
the expertise of leading security experts. ” Arby's spokesperson said.
 KrebsonSecurity reports that Arby's withheld informing the public earlier of the
attack at the request of the FBI and that the point-of-sale systems attacked were
only in the chain's corporately-owned stores.
 KrebsonSecurity, which stated 355,000 cards were involved, a number
KrebsonSecurity retrieved from a non-public service notice issued by PSCU.
PSCU is a credit union service organization that sent the notice to its member
credit unions.
 "​In comparison to other credit card breaches where the number of stolen cards
numbered in the millions, the breach at Arby's seems to have vacuumed up a
much smaller number - about 300,000 cards

10. 10
Yahoo March 2017 – Finally indicted for
2014 Attack
 A single click was all it took to launch one of the biggest data breaches ever.
 One mistaken click. That's all it took for a Canadian hacker aligned with rogue
Russian FSB spies to gain access to Yahoo's network and potentially the email
messages and private information of as many as 1.5 Billion people.
Here's how the FBI says they did it:
The hack began with a spear-phishing email sent in early 2014 to a Yahoo company
employee. It's unclear how many employees were targeted and how many emails were
sent, but it only takes one person to click on a link, and it happened. Unimaginable that
Yahoo did not sufficiently step employees through security awareness training to prevent
disasters like this.
The U.S. Federal Bureau of Investigation has been investigating the intrusion for two
years, but it was only in late 2016 that the full scale of the hack became apparent. In
March 2017, the FBI indicted four people for the attack, two of whom are rogue FSB
spies who work for the division that is supposed to cooperate with America’s FBI on
cybercrime investigations. (The FSB is the successor to the KGB).

11. 11
Yahoo Update Nov 2016
 Yahoo detected evidence that a hacker had broken into its computer
network at least 18 months before launching an investigation that
discovered personal information had been stolen from about 500 million
user accounts.
 In its regulatory filing the Nov 23, 2016, Yahoo acknowledged the company
first became aware of the hack in late 2014. The Sunnyvale, California,
company said its board is now investigating how much was known back in
2014.
 Yahoo has sought to reassure its users that the hacker no longer has
access to its computers. The company also has prompted users to
change their passwords and security questions to protect their accounts.
 In its regulatory filing, Yahoo Inc. also revealed that the hacker created
computer coding known as "cookies" that would allow someone to
view information in user accounts without the need for a password.
The company also said it will analyze information turned over by the FBI
from a hacker claiming it came from Yahoo accounts.

12. 12
Acer fined $115K for breach
 Feb 2017- Following a breach, the Taiwan-based computer manufacturer
Acer will pay $115,000 and improve its security practices in a settlement with
the New York State Attorney General (NYSAG) Eric T. Schneiderman.
 The breach, first reported in June 2016, included personally identifiable
information (PII) – including names, addresses, email addresses, card
numbers, expiration dates, security codes and user names and
passwords – and was accessed over a one-year period, May 2015
through April 2016. The PII of more than 35,000 Acer customers across the
U.S., Canada and Puerto Rico was compromised, including more than 2,200
in New York State.
 An investigation by the NYSAG office found that the data was exposed
owing to its being stored in an unsecured format, if debugging mode was
enabled on the e-commerce platform. Acer misconfigured its e-commerce
platform enabling directory browsing by unauthorized users. The AG's
investigation determined that "at least one attacker exploited Acer website
vulnerabilities to view and ex-filtrate sensitive customer data."

13. 13
IRS Warns Of New Twists To W-2
Phishing Scams
 The Internal Revenue Service (IRS) has issued a warning on W-2 phishing
scams noting that cybercriminals are not only targeting new types of victims,
but also attempting to obtain money in addition to tax form data.
 The directive noted that the malicious actors have begun attacking schools,
hospitals, tribal organizations and restaurants, in addition to their favorite
target – major corporations. In addition, the scams attempt to extract money
from their victim using a wire scam and not just the personal information
found on the W-2 form.
 Feb 2017 A swarm of W-2 attacks have taken place over the last several
days that include some of the newer targets, such as the Lexington County
(SC) School District Two and Scotty's Brewhouse, along with more
traditional targets like Mitchell Gold + Bob Williams Furniture.
 The new twist on the W-2 scams that the IRS pointed out has
cybercriminals doubling down on their basic tax-form attack: In another
email, they instruct targets to transfer funds to a certain account.
Essentially, the scammer uses the same socially engineered information
used in the W-2 attack to then request a money transfer.

14. 14
Pair of ad fraud campaigns linked to
defacement attacks by Indonesian hackers
 Researchers have discovered two connected advertising fraud campaigns
that compromise legitimate web sites and abuse Google AdSense, using
tactics that are almost polar opposites of each other. While one campaign
obtrusively places advertisements over web content, compelling users to
click on them, the other attempts to generate clicks by furtively hiding ads
underneath a free gift offer.
 Researchers at Sucuri detected both malware-driven campaigns, which
appear to be either perpetrated by or linked to Indonesian hackers who
have defaced some of the websites that also displayed the fraudulent ads.
 Visitors who click on the nuisance ads in hopes they will disappear are
actually playing right into the hands of the fraudsters, who profit with every
click generated as they essentially steal from legitimate advertisers.
 The campaign infects sites with the malware either by inserting an iframe
directly into their HTML code or by appending the script to legitimate
JavaScript files, Sucuri reported. The malicious script is platform-agnostic
and successfully compromises sites running on a variety of content
management systems, as well as pure HTML sites.

15. 15
Amazon Customers Targeted In Phishing
Scam
January 2017
 The scam is run by the supposed Amazon merchant Sc-Elegance
and hooks victims by offering products at well below market prices,
Sc-Elegance has been caught using this tactic before on Amazon.
 The con starts when the victim attempts to check out. A message
appears stating the product is no longer available, but then the
vendor will email the target saying the item is available and can be
purchased by clicking on an imitation Amazon link included in the
email. The link leads to a fake, but quite real looking, Amazon
payment screen where all of the victim's Amazon login, payment and
personal information is asked for.
 A few clues exist pointing out the scam. There are some
misspellings and the site's domain is outside of Amazon's.

16. 16
On Dec 14 2014, Dutch government
website outage caused by cyber attack
Cyber attackers crippled the Dutch government's main websites
for most of Tuesday and back-up plans proved ineffective,
exposing the vulnerability of critical infrastructure at a time of
heightened concern about online security.
The outage at 0900 GMT lasted more than seven hours and on
Wednesday the government confirmed it was a cyber attack.

17. 17
LinkedIn, Drop Box and Formspring
 The US attorney's office in San Francisco on Friday (21 October, 2016)
announced that the 29-year-old Russian man – Yevgeniy Nikulin – who was
arrested in Czech Republic, was indicted by a federal grand jury on
Thursday on multiple charges including computer intrusion, aggravated
identity theft and conspiracy.
 Nikulin was accused of hacking and stealing information from the computer
systems at three Bay Area technology companies – LinkedIn, Drop Box
and Formspring.
 LinkedIn breach was executed over just two days in 2012 from 3-4
March
 Dropbox hack allegedly took place over more than two months, from 14
May to July 25 in 2012
 Formspring - Social media network Formspring, which shut down in
March 2013, allowed users to ask or answer questions about anything.
Working with unnamed co-conspirators, Nikulin allegedly tried to sell
the Formspring user credential database for €5,500 (about $7,000) in
2012

18. 18
2013 Verizon Data Breach Investigations
Report
2012, 66 percent of breaches that led
to data compromise within “days” or
less remained undiscovered for
months or more
In 69 percent of the cases, a third
party discovered the breach

19. 19
In 2012, Global Payments Inc. Data
Breach Affected 1.5 Million
Nearly 1.5 million consumers were
affected by hackers accessing Global
Payments Inc.’s payment processing
system in January and February.

20. 20

21. 21
Banking and Cyber
 Nearly a third of banking organizations do not require
their third-party vendors to notify them in the event of
an information security breach, according to a recent
study on the banking sector's cybersecurity practices.
 The New York State Department of Financial Services
issued its “Update on Cyber Security in the Banking
Sector: Third-Party Service Providers” March 2017 to
analyze the “due diligence processes, policies and
procedures governing relationships with third-party
vendors, protections for safeguarding sensitive data,
and protections against loss incurred due to third party
information security failures.”

22. 22
World Economic Forum
Global Technology Risks for 2016
 According to the World Economic Forum’s global risk
perspectives survey for 2016, Cyberattacks were listed
in the top five risks in 27 world economies.
 “The internet has opened a new frontier in warfare:
Everything is networked and anything networked can
be hacked.”

23. 23
Hackers Read The Same Publications
That We Do
Cnet
CSO
Dark Reading
eWeek
Krebs on Security
Network World
Search Security
Techweb
Threatpost

24. 24
Now That We Know Why…
LET’S GET STARTED

25. 25
Efficient Incident Response Program
allows an organization
Maintain
continuous
operations.
Mitigate
revenue
Respond
with speed
and agility
Maintain
continuous
operations.
Mitigate
revenue loss
Mitigate
fines
Mitigate
lawsuits

26. 26
Different Plans Sound Similar
 CSIRT Cyber Security Incident Response Team
 ISIRT per ISO 27035
CIRP Computer Incident Response
Plan
CSIRP Cyber Security Incident
Response Plan

27. 27
Why CSIRT
Security breaches and subsequent fraud are increasing in frequency and
scale.
While financial institutions, retailers, healthcare providers, and other
targeted organizations are doing everything possible to remain one step
ahead of cyber criminals, these incidents will likely continue to happen
putting sensitive information at risk.
While you can’t always prevent a breach, quick response can minimize
reputation damage and financial impact.
Proactive and timely account holder communication can help reduce
costs, including those associated with increased call center activity,
customer education, brand repair campaigns, regulatory compliance, and
the expense of covering customer losses.

28. 28
CSIRT Program
Information Security, Governance
& Risk, are all critical aspects of
planning and execution of the
Cyber Information Security
Response Program.
Who in your organization has key
responsibility to develop a
program?

29. 29
Sounds Simple

30. 30
Cyber Response Getting Started
Adopt a systematic
approach to risk
tracking to enhance
the effectiveness of
the Cyber Incident
Program
• Outline the critical
actions to take if an
event affects the
company or its partners
• Understand your
organizations’
susceptibility to a Cyber
Attack
• Cyber Incident
Response: Getting
started, research,
training, testing and
maintaining

31. 31
Knowledge
1. Knowledge incident analysis processes and relevant legal,
regulatory and business issues
2. Knowledge of effective communication and the
communication strategies that can be adopted during an
incident
3. Knowledge of Crisis Management and Business Continuity
and how to align with these processes
4. Knowledge of investigations and the principles of forensics
investigations including protecting the chain of custody
5. Knowledge of the roles of the Incident Management Team
and when such members are involved in Incident Handling
From: PECB ISO 27035
Test Preparation

32. 32
Standards
• ISO 2700 (Requirements)
• ISO 27035 Incident Response
• And so many more
Standards
and Best
Practices
• COBIT (Framework for IT Governance and
Controls)
• ISO 27005 (Information Security Risk
Management)
• ITIL(Framework: Identifying, planning, delivering,
supporting IT for Business Functions)
Maintaining

33. 33
ISO and Information Security
27001 Information Security Requirements
27002 Code of Practice Information Security Management
27003 Information Security Management System Implementation Guidance
27004 Information Security Measurement
27005 Information Security Risk Management
27006 Requirements Audit and Certification ISO

34. 34
Cyber Defense and Response
An organization’s
security policy and
controls must be
adaptable to
emerging threats
in todays world.
The assessment
of security threats
is ongoing, and
must be mapped
against the
adequacy and
existence of
security controls.
Security controls
and
countermeasures
that are currently
in in place may not
commensurate
with potential
risks.
The effort is never
ending, but
knowing how to
start is they key.

35. 35
NIST CSIRT Phases

36. 36
Phases ISO 27035 Incident Response
 Prepare to deal with incidents e.g. prepare an incident
management policy, and establish a competent team to deal
with incidents;
 Identify and report information security incidents;
 Assess incidents and make decisions about how they are to
be addressed e.g. patch things up and get back to business
quickly, or collect forensic evidence even if it delays resolving
the issues;
 Respond to incidents i.e. contain them, investigate them and
resolve them;
 Learn the lessons - more than simply identifying the things
that might have been done better, this stage involves actually
making changes that improve the processes.

37. 37
Motivators
Increase in the number of computer security incidents being
reported
Increase in the number and type of organizations being
affected by computer security incidents
More focused awareness by organizations on the need for
security policies and practices as part of their overall risk-
management strategies
New laws and regulations that impact how organizations are
required to protect information assets
Realization that systems and network administrators alone
cannot protect organizational systems and assets

38. 38
Questions For Thought
 Which regulations, guidelines and white papers did you use in preparing your Cyber
Incident Response Plan?
 What are your 5 top tiered Cyber Risks?
 Do you have separate plan for Breach?
 How did you approach developing the Incident Plan?
 How do you conduct incident training?
 How often do you do testing for Incident Response?
 What types of tests do you perform?
 How often do you conduct Incident Response testing?
 Do you conduct testing jointly with Disaster Recovery tests or as a separate Cyber Incident
Response Test?
 How are Incident Response tests evaluated?
 What part does audit have in your Incident Response planning and testing?
 What areas do you engage in your planning i.e. Legal, Unix?
 Do you use simulation software in testing and if so which one(s)?
 What automatic processes do you have in place to help with Incident Response?

39. 39
Cyber Defense and Response
An organization’s
security policy and
controls must be
adaptable to
emerging threats
in todays world.
The assessment
of security threats
is ongoing, and
must be mapped
against the
adequacy and
existence of
security controls.
Security controls
and
countermeasures
that are currently
in in place may not
commensurate
with potential
risks.
The effort is never
ending, but
knowing how to
start is they key.

40. 40
Summary of ISO 27035
 Establish information security incident management policy
 Updating of information security and risk management
policies
 Creating information security incident management plan
 Establishing an Incident Response Team (IRT) [aka CSIRT]
 Defining technical and other support
 Creating information security incident awareness and training
 Testing (or rather exercising) the information security incident
management plan
 Lesson learned

41. 41
Benefit of Structured Approach
 Improve overall security
 Reduce adverse business impacts
 Strengthen the Information Security Incident Prevention
Focus
 Strengthen Prioritization
 Strengthen Evidence

42. 42
Managing Incidents Effectively
 Detective and corrective controls designed to
recognize and respond to events and incidents,
minimize adverse impacts
 Gather forensic evidence (where applicable)
 And in due course ‘learn the lessons’ in terms of
prompting improvements to the ISMS
• Typically by improving the preventive controls or other
risk treatments

43. 43
Objective of Controls
 Stop and Contain
 Eradicate
 Analysis and Report
 Follow-up

44. 44

45. 45
Integrate CSIRT into IS
Integrate CSIRT
Management with
Enterprise Risk
Management
Use common business
terminology, congruent
methods, and common
or linked risk register,
and establishing
mechanisms for risk
acceptance.
Build CSIRT regulation
review process
schedule and regulation
requirements.

46. 46
Gap Knowledge
To what
degree we
understand
the security
risks
How well we
are protected
What security
incidents we
can expect
To what
degree the
organization is
prepared to
respond to
security
incidents
To what
degree the
organization
can respond
to security
incidents,
without
suffering
damage
To what
degree the
organization
can ensure
timely and
sufficient
response

47. 47
Risk
While financial institutions, retailers,
healthcare providers, and other
targeted organizations are doing
everything possible to remain one step
ahead of cyber criminals, these
incidents will likely continue to happen
putting sensitive information at risk.

48. 48
Mitigation To Tell Employees
Set your computers to auto lock with password if not in use for 5 minutes – this way, if an employee leaves their computer no one will be able
to access it.
Avoid using USB flash drives – they are the best way to get your computer infected, because very often anti-virus programs cannot detect
such malicious code.
Make sure you protect your mobile device with a good password, because if it gets stolen, the thief will be able to access your email, and
with your email he will be able to change passwords to your cloud services and consequently access all your data stored in the cloud.
Use password managers, which will enable you to save passwords for your different services and applications, because if you used the same
password for all of them, the breach of only one password enables the criminals to access all of your accounts; password managers also enable
you to use complex passwords for each of your services. And yes, those password managers are available for mobile devices, too.
Use VPN service for connecting to the Internet so that your passwords and other sensitive information are protected when transferred over the
network; this is especially important if you’re using a Wi-Fi connection that you cannot fully trust.
Use 2-factor authentication when connecting to important cloud services like Gmail, Dropbox, or similar – so even if someone steals your
password, he wouldn’t be able to access your sensitive information. These 2-factor authentication systems can work together with your phone
(by sending you a text message), or with special USB keys, without which access to a system wouldn’t be possible.
Encrypt the data stored on your hard drive, so that if it gets stolen the thieves won’t be able to read it; you can also encrypt data stored in a
cloud – there are some specialized cloud companies offering this kind of service.
Update your software – you should do this regularly, as soon as a security patch is published; the best route would be to set up automatic
updates.

49. 49
"Outsourcing Technology Services "
Many institutions depend on third-party service providers to perform or
support critical operations.
These institutions should recognize that using such providers does not
relieve the financial institution of its responsibility to ensure that
outsourced activities are conducted in a safe and sound manner.
The responsibility for properly overseeing outsourced relationships lies
with the institution's board of directors and senior management.
An effective third-party management program should provide the
framework for management to identify, measure, monitor, and mitigate
the risks associated with outsourcing.

50. 50
Cyber Response Ties In With Asset
Management

51. 51
Records* ISO 27001:2013 clause number
Records of training, skills, experience and qualifications 7.2
Monitoring and measurement results 9.1
Internal audit program 9.2
Results of internal audits 9.2

52. 52
 Build and maintain a secure network: Install and maintain a firewall and use unique,
high-security passwords with special care to replace default passwords.
 Protect cardholder data: Whenever possible, do not store cardholder data. If there is a
business need, you must protect this data. You must also encrypt any data passed across
public networks, including your shopping cart and Web-hosting providers, and when
communicating with customers.
 Maintain a vulnerability management program: Use an anti-virus software program and
keep it up-to-date. Develop and maintain secure operating systems and payment
applications. Ensure the anti-virus software applications you use are compliant
 Implement strong access control measures: Access, both electronic and physical, to
cardholder data should be on a need-to-know basis. Ensure those people with electronic
access have a unique ID and password. Do not allow people to share logon information.
Educate yourself and your employees on data security and specifically the PCI Data
Security Standard (DSS).
 Regularly monitor and test networks: Track and monitor all access to networks and
cardholder data. Ensure you have a regular testing schedule for security systems and
processes, including: firewalls, patches, web servers, email servers, and anti-virus.
 Maintain an information security policy: It is critical that your organization have a policy
on how data security is handled. Ensure you have an information security policy and that
it's disseminated and updated regularly.
Some Mitigations

53. 53
Sample Attacker Tools
 Attacker Toolkits Many attackers use toolkits containing several different types of utilities and
scripts that can be used to probe and attack hosts, such as packet sniffers, port scanners,
vulnerability scanners, password crackers, and attack programs and scripts.
 Backdoors A backdoor is a malicious program that listens for commands on a certain TCP or
UDP port. Most backdoors allow an attacker to perform a certain set of actions on a host, such as
acquiring passwords or executing arbitrary commands. Types of backdoors include zombies
(better known as bots), which are installed on a host to cause it to attack other hosts
administration tools, which are installed on a host to enable a remote attacker to gain access to
the host’s functions and data as needed.
 E-mail Generators An email generating program can be used to create and send large
quantities of email, such as malware and spam, to other hosts without the user’s permission or
knowledge.
 Keystroke Loggers A keystroke logger monitors and records keyboard use. Some require the
attacker to retrieve the data from the host, whereas other loggers actively transfer the data to
another host through email, file transfer, or other means.
 Rootkits A rootkit is a collection of files that is installed on a host to alter its standards
functionality in a malicious and stealthy way. A rootkit typically makes many changes to a host to
hide the rootkit’s existence, making it very difficult to determine that the rootkit is present and to
identify what the rootkit has changed.
 Web Browser Plug-Ins A web browser plug-in provides a way for certain types of content to be
displayed or executed through a web browser. Malicious web browser plug-ins can monitor all
use of a browser.

54. 54
Personnel Awareness Training
Never, ever give your password to anyone.
Don’t install every program you come across on your computer or mobile
device – some of this software, disguised as a nice game or utility program,
is made with the sole purpose of injecting a virus onto your computer.
Disable your Bluetooth connection because it is very unsafe; but also,
disable the Wi-Fi network on your mobile device when you’re not using it.
Do not leave your computer in a car.
Do not leave your computer unattended in public places like airports,
toilets, public transport, conferences, etc.

55. 55
Mitigation for Social Engineering
• Targets should include individuals from the help desk, IT department, human
resources, finance, and other departments within the organization.
• The objective of these calls will be to induce the users to divulge sensitive
information over the phone in violation of company policy.
External Social Engineering – Perform
Social Engineering phone calls to
individuals within the organization.
• Attempt to gather sensitive information
• Deliver a malicious payload onto their desktop system which could include
browser and operating system buffer overflows, Trojan horses, and
keystroke loggers.
Targeted Email “Phishing” Attacks –
Send Emails to individuals and groups
within the organization in order to attempt
to entice the user to click on an external
link that (hypothetically) will “
• The media should contain simulated malicious code that will attempt to grab
sensitive host information such as the network configuration, list of running
processes, and a password hash dump.
Malicious Portable Media – Leave USB
Flash drives and CD-ROM drives with
enticing labels such as “Salary” in public
areas such as hallways, restrooms, and
break rooms.
• Search internal trash receptacles and external dumpster and disposal areas
for sensitive documents or storage media that is disposed of in violation of
company policy.
Sensitive Document Disposal Audit –
“Dumpster Diving”

56. 56
More Every Day
Security breaches and subsequent fraud
are increasing in frequency and scale.

57. 57
Quick Response
While you can’t always prevent a
breach, quick response can
minimize reputation damage and
financial impact.

58. 58
Quick Checklist to Mitigate Network
 Review all wireless access points and note any external
wireless network whose signal range enters your
premises.
 Validate wireless network perimeter–One of the reasons
wireless security is so complex is wireless networks are
not limited to the physical boundaries of your buildings.
Limit unnecessary exposure to the outside world.
 Conduct vulnerability and penetration testing of access
points
 Review access points and wireless clients

59. 59
CSIRT
Program
Plan for Managing
Playbooks for each different
types of Cyber Security
Incidents (worse case does not
work as in Disaster Recovery)

60. 60
Questions
 What are the basic requirements for establishing a
CSIRT?
 What type of CSIRT will be needed?
 What type of services should be offered?
 How big should the CSIRT be?
 Where should the CSIRT be located in the organization?
 How much will it cost to implement and support a team?
 What are the initial steps to follow to create a CSIRT?

61. 61
Basics
Objective
Scope
Assumptions
Ownership
Action Steps
Structure

62. 62
Incident
Preparation
Detection
Precursors
and Indicators
Analysis
Declaration
Response
Containment
Eradication
Recovery
Post Incident

63. 63
What’s Needed
 Cyber Security Incident Response Program
 Cyber Security Incident Response Teams
 Cyber Security Incident Response Documented Program
 Cyber Security Incident Response Documented Plan
 Cyber Security Incident Response Documented Playbooks
 Internal Controls Assessments
 Policy Review
 Gap Analysis
 REWI Risk Evaluation
 Risk Assessment Facilitation
 Security Awareness Training
 Business Continuity and Disaster Recovery Planning

64. 64
Analysis Methodology
 Identify the Scope of the Project
 Identify Best Practices and Regulatory Requirements and Guidelines
 Research and Gather Data
 Assess Current Breach Response Security Measures and Capabilities
 Review Audit Findings and Recommendations
 Develop and Conduct Breach Risk and Gap Analysis, Breach Impact Analysis, Risk
Early Warning Indicator (REWI)
References:
 Control Objectives for Information and Related Technology (COBIT) framework by ISACA
 FFIEC Section J
 Department of Health and Human Services, 45 CFR Parts 160, 162, and 164 Health
Insurance Reform: Security Standards; Final Rule
 New York State Information Security Breach And Notification Act
 Payment Card Industry Data Security Standard (PCI DSS)
 Centers for Medicare & Medicaid Services
 National Institute of Standards and Technology (NIST)
 International Standards Organization (ISO) security standards
 Many others

65. 65
Account Holder Communications
Proactive and timely account holder
communication can help reduce costs,
including those associated with
increased call center activity, customer
education, brand repair campaigns,
regulatory compliance, and the expense
of covering customer losses.

66. 66
Gap Review Action Steps
Review existing Information Security
policies and standards to ascertain their
adequacy in coverage scope against
industry best practices, and update
them as appropriate, taking into account
compliance recommendations
Establish Key Performance Indicators
(KPI) to determine if your Information
Systems Incident Response program
meets business objectives and
operational metrics for ongoing process
improvement.

67. 67
REWI
The Resilience based Early Warning Indicators
(REWI) method is a collection of self-
assessment measures, which provides
information about an organization’s resilience.
The primary goal of the method is to generate
early warnings that improve the organization’s
ability and performance in the long run.

68. 68
Risk Awareness of Your Organization
Questions
Do we have
knowledge about the
information and
communication
technologies (ICT)
system and its
components?
Do we have
personnel with
information security
competence?
Whether the
employees are
security aware or not
will affect the security
risks.
Do we report on
security incidents?
Information about
past incidents will
provide insight into
what may go wrong
in the future.
Do we have
appropriate defense
mechanisms?
Information about the
technical safeguards
gives knowledge
about how well the
system is protected.

69. 69
Resilience Attribute: Risk Awareness
The risk awareness attribute measures the degree of risk understanding, as well as anticipation
regarding what to expect and attention so as to know what to look for [5]. In a security incident
management context these contributing success factors can be expanded into the following general
issues:
Risk understanding: To what degree we understand the security risks associated with the system.
Risk understanding can be understood by asking the following questions (the “general issues”)
•Do we have knowledge about the information and communication technologies (ICT) system and its components? A (correct)
understanding of how the system work will provide insight into how it may be attacked and the possible consequences.
•Do we have personnel with information security competence? Whether the employees are security aware or not will affect the
security risks.
•Do we report on security incidents? Information about past incidents will provide insight into what may go wrong in the future.
•Do we have appropriate defense mechanisms? Information about the technical safeguards gives knowledge about
How well the system is protected.
•Is the organization’s security policy efficient? Insight in to what degree the security policy is implemented into the organization
and whether it is followed by the employees will influence the efficiency of the technical safeguards and barriers.

70. 70
Resilience Attribute: Support
The support attribute measures the presence of an established support
systems, so that when faced with tough decisions or tradeoffs there is some
kind of decision support or help that is institutionalized and part of practice .
In addition, support includes the ability to uphold critical support functions
(technical, human and organizational resources) in case of disruption is
essential (redundancy)
In a security incident management context these contributing success factors
can be expanded into the following general issues:
• Decision support: To what degree the organization support the trade-off between security and
production.
• Do we have adequate decision support staffing? Efficient incident response will require available
personnel with knowledge, experience and authority to make decisions.
• Do we have adequate ICT decision support systems? Efficient incident response will often require
adequate support systems in place, including support for the support systems themselves.
• Do we have adequate external support? Security incident management often requires support om
external actors,such as anti-virus and third party software providers.

71. 71
Response
Response: To what degree the organization is prepared to respond to security incidents.
•Do we have personnel with the ability to handle incidents? There must be employees who are capable of handling
•the incidents, including making critical decisions.
•How do we train on dealing with potential incidents? Training on potential scenarios is essential in order to
•know what to do, both with respect to expected and unexpected events. The training scenarios should be regularly
•reviewed and adapted, in order to reflect the current threat picture as accurately as possible.
Robustness of response: To what degree the organization can respond to security incidents, without suffering
damage.
•Do we have sufficient redundancy in skills among the employees? Organizations that ensure that the employees are
•redundant in skills, or possess multiple skills, are more likely to successfully handle incidents that go beyond the
•planned or foreseen.
•Do we have sufficient backup capacity / redundancy for the necessary critical functions? Fault tolerance, redundancy
•and recovery are important aspects for preserving the organization’s critical functions
•Is the communication between involved actors sufficient? During incident response it is crucial that all involved
•are able to communicate, without misunderstandings or confusions
•Do we manage incidents in compliance with existing policies? A robust response require compliance with existing
•policies and best practices.
Resourcefulness: To what degree the organization can ensure timely and sufficient response.
•Does the incident response team have sufficient resources? There must be a sufficient number of personnel assigned to the different roles
in the incident response team, including back-up personnel in case of unavailability, and the response team must be capable of solving
their tasks in a timely manner.
•Do we have adequate IT systems to support timely updating of necessary information? A timely response requires timely updating
necessary information and communicating this to all involved actors.

72. 72
Technical Questions
Authentication Servers: Authentication servers, including directory servers and single sign-on servers,
typically log each authentication attempt, including its origin, username, success or failure
Remote Access Software: Remote access is often granted and secured through virtual private
networking (VPN). VPN systems typically log successful and failed login attempts, as well as the dates
and times each user connected and disconnected, and the amount of data sent and received in each
user session. VPN systems that support granular access control, such as many Secure Sockets Layer
(SSL) VPNs, may log detailed information about the use of resources.
Vulnerability Management Software: Vulnerability management software, which includes patch
management software and vulnerability assessment software, typically logs the patch installation history
and vulnerability status of each host, which includes known vulnerabilities and missing software
updates.5 Vulnerability management software may also record additional information about hosts’
configurations. Vulnerability management software typically runs occasionally, not continuously, and is
likely to generate large batches of log entries.
Web Proxies: Web proxies are intermediate hosts through which Web sites are accessed. Web proxies
make Web page requests on behalf of users, and they cache copies of retrieved Web pages to make
additional accesses to those pages more efficient. Web proxies can also be used to restrict Web access
and to add a layer of protection between Web clients and Web servers. Web proxies often keep a record
of all URLs accessed through them.

73. 73
Anticipation
What security incidents we can expect
• Do we have updated knowledge about relevant threats? A
systematic and regular identification of vulnerabilities and
threats is necessary in order to understand what may go wrong.
• Do we learn from experience? The organization’s past
experiences is a valuable source of information.
Want to avoid reoccurrence of security incidents
and to learn from its own success stories (“what
went right”).

74. 74
Risk Assessment
 Risk assessment is the determination of
quantitative or qualitative estimate of risk related
to a well-defined situation and a recognized
threat (also called hazard).
 Quantitative risk assessment requires
calculations of two components of risk (R): the
magnitude of the potential loss (L), and the
probability (p) that the loss will occur.

75. 75
Incident Management
Goals and Vision
 To have a comprehensive Incident Management framework and set of templates for a
consistent, Enterprise-wide response to incidents within the environment.
 Developing the capability to effectively manage unexpected disruptive events with the
objective of minimizing impacts and maintaining or restoring normal operations within
defined time limits.
 Scope is both small incidents such as a single infected machine to a massive data
breach.
 Key features of our future design needs to include:
 Decision matrix for determining the type of incident we are dealing with and appropriate
response.
 RACI diagrams to identify responsibilities
 Team charter
 Team member matrix representing all aspects of the organization
 Templates that can be easily and quickly adopted for any incident
 Be careful with the term Incident or Breach. Some of the regulations trigger on the
date you classify an event as an Incident or Breach and that is when the clock starts
ticking for notifications.

76. 76
 A purpose statement, outlining why the organization is issuing the policy, and what its
desired effect or outcome of the policy should be.
 An applicability and scope statement, describing who the policy affects and which actions
are impacted by the policy. The applicability and scope may expressly exclude certain
people, organizations, or actions from the policy requirements. Applicability and scope is
used to focus the policy on only the desired targets, and avoid unintended consequences
where possible.
 An effective date which indicates when the policy comes into force.
 A responsibilities section, indicating which parties and organizations are responsible for
carrying out individual policy statements.
 Policy statements indicating the specific regulations, requirements, or modifications to
organizational behavior that the policy is creating.
 Optional
 Background, indicating any reasons, history, and intent that led to the creation of the
policy, which may be listed as motivating factors. This information is often quite
valuable when policies must be evaluated or used in ambiguous situations, just as the
intent of a law can be useful to a court when deciding a case that involves that law.
 Definitions, providing clear and unambiguous definitions for terms and concepts
found in the policy document.
How To Write a CSIRT Policy

77. 77
Examples of Cyber Security Policies
 Access controls and identity management
 Business continuity and disaster recovery planning and resources
 Capacity and performance planning
 Customer data privacy
 Data governance and classification
 Incident response
 Information security
 Physical security and environmental controls
 Risk assessment
 Systems and application development and quality assurance
 Systems and network monitoring
 Systems and network security
 Systems operations and availability concerns
 Vendor and third-party service provider management

78. 78
Third Party Service Provider Policy
 Policies and procedures designed to ensure the security
of information systems and nonpublic information
accessible to, or held by, third-parties and include the
following:
 Due diligence processes used to evaluate the adequacy of
Cyber Security practices of third-parties
 Minimum Cyber Security practices required
 Periodic assessment, at least annually or the continued
adequacy
of their Cyber Security practices
 Identification and risk assessment of third-parties

79. 79
Plans, Playbooks, Testing and Exercises
Phases ISO 27035 Incident Response
1. Prepare to deal with incidents e.g. prepare an incident
management policy, and establish a competent team to deal
with incidents;
2. Identify and report information security incidents;
3. Assess incidents and make decisions about how they are to
be addressed e.g. patch things up and get back to business
quickly, or collect forensic evidence even if it delays resolving
the issues;
4. Respond to incidents i.e. contain them, investigate them and
resolve them;
5. Learn the lessons - more than simply identifying the things
that might have been done better, this stage involves actually
making changes that improve the processes.

80. 80
Plan Documentation Considerations
 Action sections
 Recovery team
 Personnel
 Responsibilities
 Resources
 Action plans
 Specific department/individual plans
 Checklists
 Technical procedures

81. 81
Plan Documentation Considerations
 Action sections
 Teams
 Personnel
 Responsibilities
 Resources
 Specific department/individual plans
 Checklists
 Technical procedures
 Management
 Administration/logistics
 New equipment

82. 82
Plan Documentation Considerations
 Document structure and design
 Ensure built-in mechanisms to ease maintenance
 Plan and implement the gathering of data required for
plan completion
 Identify, analyze and document and agree on approach
to key phases
 Allocate tasks and responsibilities
 Identify, analyze and document tasks to be undertaken

83. 83
Operation Sequencing
Initiation Resolution Termination

84. 84
Some Stakeholders
Incident
Response
Team
Other
Incident
Response
Teams
Internet
Service
Providers
Incident
Reporters
Law
Enforcement
Agencies
Software
&
Support
Vendors
Customers,
Constituents,
& Media

85. 85
Playbooks
 Breach
 DDOS
 ETC.
One per Team per type of attack

86. 86
Development and Documentation
 Each of the teams can create their own Breach
Playbook using a common template with lots of
assistance
 The CSIRT Program, CSIRT Breach Plan, and
Breach Playbooks must be documented and vetted

87. 87
Interviews and Training
 Each business and technology areas that are part of
the CSIRT Response solution, must be interviewed
to gain information and ensure to provide
information at the same sessions reference the
CSIRT project.
 Many training sessions must be held to prepare the
teams for a Response situation. In addition, daily
‘open office hours’ should be available for the teams
while they were developing their Team Playbooks

88. 88
Severity
Level
Description
Sev1 –
Major
Incident where the impact is severe. Examples (a) proprietary or
confidential information has been compromised, (b) a virus or worm has
become wide spread and is affecting over 20% percent of the
employees/consultants (c) major denial of service attack where customer
interfaces are not accessible.
Sev2 –
Critical
Incident where the impact is significant. Examples are (a) Less than
500 PCI records have been breached (b) critical vulnerability for an
operating system or application
Sev3 – Non-
Critical
Incident where the impact is minimal. Examples are (a) harmless
email SPAM (b) isolated Virus Infections and Malware
Sev 4-
Non Incident
Incident is determined to be not an incident

89. 89
Look for Patterns
Unusual activity in
access or system logs
Recent Changes to the
system
Super User ID created
Deleted log files
Recent escalation of
privileges
Recent off-hour activity
Recent file transfer from
System

90. 90
Testing and Exercises
 To validate the CSIRT Breach Plan, and Playbooks a
number of tests and exercises must be developed and
implemented.
 The Paper Tests allows the teams to read their
Playbooks allowed and to learn where communication
links between the teams were needed to gain
information in a response.
 The Table Top Test allows the CSIRT to validate their
playbooks while responding to a ‘mock scenario’ that can
include up to 15 actual scenarios that occurred to other
organizations.
 The Simulation Test utilizes the original scenarios but
adds a number of ‘twists’ that caused the teams to
respond quickly.

91. 91
3rd Party CSIRT Testing
Cyber events demonstrating the
financial institution's and third-
party provider's ability to
respond quickly and efficiently to
such an event.
• For example, an organizations ability to
recover from a disruption of critical
functions because of a distributed
denial of service (DDoS) attack or the
ability to recover from a data corruption
event should be subject to testing.
• A financial institution may consider
working with an outside party, such as
other financial institutions or an industry
group, to test these types of events.
Simultaneous attack affecting
both the institution and its
service provider.

92. 92
Review Summary of ISO 27035 Incident
Response
 Establish information security incident management policy
 Updating of information security and risk management
policies
 Creating information security incident management plan
 Establishing an Incident Response Team (IRT) [aka CSIRT]
 Defining technical and other support
 Creating information security incident awareness and
training
 Testing (or rather exercising) the information security
incident management plan
 Lesson learned

93. 93
Michael C. Redmond
 Please contact me if you have a need anywhere in
the world for:
 Consulting
 Audit
 Governance Programs
 Risk Programs
 Compliance Management
 Speaking Engagements
 I have a series of Audit Training Programs Available at
Discount if you use the code PECB
 Shortcut is www.rwknowledge.com
• Introduction to Cyber Security
• Business Continuity Management

94. THANK YOU
?