You’ve been hacked, now what? By Wild Wild West.
Agenda • Overview • What we did do • Alternative Solutions • Best solution: CSIRT
What we did do… • Technical Team • Easy solution • Patches/Updates • Rebuild
What we did do… • Business Team • Senior management, legal, public relations • Report incident to law enforcement/government agency • Notify business partners and investors • Decision
Downtime • Cost per week (total $352,500): • 2 Acoustic Engineers (consultants): $15,000 • Management (5 people): $25,000 • Non-IT staff (30 people): $62,500 • Delay in launch: $250,000
Alternatives Considered • Hire outside consultants • Technology-based HW/SW solution • Computer Security Incident Response Team (CSIRT)
InfoSecurity Consulting Firm • $20k - $200k+ depending on scope and deliverables • Forensics-only approach likely to be inconclusive • Expanded scope well beyond our budget • Plus, likely to lead to further expenditures
Let Tech Solve the Problem? • Another wide spectrum of options… • Tier I enterprise class solution? • Homegrown Approach? • Something in between?
What We Did Decide… • Conduct a Nessus scan of our network • Plug all high- and medium-risk firewall vulnerabilities identified • Added an open source IDS product for faster recognition of attempted attacks or successful exploits • But we didn’t stop there…
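The first two steps above (scan, then plug everything rated high or medium) start with triaging the scanner output. The script below is an added example, not part of the original presentation or any tool it names: it parses a Nessus v2 export (.nessus XML, where each ReportItem carries a numeric severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical) and keeps only the findings at or above a chosen severity, grouped by host with the worst first. The embedded report is constructed sample data, not a real scan.

```python
"""Triage a Nessus (.nessus v2) export: keep only High/Medium findings per host.

Added example; assumes the Nessus v2 XML layout (Report > ReportHost > ReportItem,
with ReportItem attributes severity, pluginID, pluginName, port, protocol).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample export for illustration (not real scan data).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="perimeter">
    <ReportHost name="203.0.113.10">
      <ReportItem port="23" svc_name="telnet" protocol="tcp" severity="3"
                  pluginID="42263" pluginName="Unencrypted Telnet Server">
        <risk_factor>High</risk_factor>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="22964" pluginName="Service Detection">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="161" svc_name="snmp" protocol="udp" severity="2"
                  pluginID="41028" pluginName="SNMP Agent Default Community Name (public)">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="203.0.113.11">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="1"
                  pluginID="10114" pluginName="ICMP Timestamp Request Remote Date Disclosure">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml, min_severity=2):
    """Return {host: [finding, ...]} keeping findings with severity >= min_severity.

    Each finding is a dict with plugin_id, plugin_name, port (port/protocol),
    severity (name) and level (numeric). Hosts with nothing at or above the
    threshold are left out; per-host lists are sorted worst first.
    """
    root = ET.fromstring(nessus_xml)
    findings = {}
    for host in root.iter("ReportHost"):
        kept = []
        for item in host.findall("ReportItem"):
            level = int(item.get("severity", "0"))
            if level < min_severity:
                continue
            kept.append({
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "port": f"{item.get('port')}/{item.get('protocol')}",
                "severity": SEVERITY_NAMES.get(level, str(level)),
                "level": level,
            })
        if kept:
            kept.sort(key=lambda f: -f["level"])
            findings[host.get("name")] = kept
    return findings


def summarize(findings):
    """Count kept findings per severity name across all hosts."""
    counts = defaultdict(int)
    for items in findings.values():
        for f in items:
            counts[f["severity"]] += 1
    return dict(counts)


def format_report(findings):
    """Render the triage list as plain text, one host per section."""
    lines = []
    for host in sorted(findings):
        lines.append(f"{host}:")
        for f in findings[host]:
            lines.append(f"  [{f['severity']}] {f['port']} {f['plugin_name']} (plugin {f['plugin_id']})")
    return "\n".join(lines)


if __name__ == "__main__":
    triage = parse_findings(SAMPLE_NESSUS)
    print(format_report(triage))
    print("totals:", summarize(triage))
```

Lower `min_severity` to 1 to include Low findings once the High and Medium list is closed; `summarize` gives the per-severity totals you would track week over week against the downtime figures above.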
Computer Security Incident Response Team (CSIRT) Disaster Recovery Style
Computer Security Incident Response Team Purpose After a Major Security Incident: • To be able to quickly and efficiently make and execute decisions that are the best for the organization
Computer Security Incident Response Team (CSIRT) Roles • Team manager and backup team manager • Technical/Security expert • Executive • Legal expert • PR specialist • HR specialist
Computer Security Incident Response Team (CSIRT) Roles Example: • Team manager and backup team manager (IT Director, Sys Admin) • Technical/Security expert (IT Director, Sys Admin) • Executive (CEO) • Legal expert (CEO) • PR specialist (Marketing Director) • HR specialist (HR Director)
Computer Security Incident Response Team (CSIRT) Tasks • Respond quickly to a major security event • Analyze the incident • Respond to the incident in the context of the organization as a whole • Law enforcement • Communications to employees • Legal obligations • Upstream, downstream and third-party communication • Forensics
Computer Security Incident Response Team (CSIRT) Benefits • Monetary benefits • Know the real cost of what happened • Prevent wasted time/resources of employees • (calculation here) • Psychological benefits • Keeps key players calmer • Keeps you from making (the wrong) decision • May help you save your job