Published by Ean Clower
© 2005 The Trustees of Boston College & Calvin Weeks
UNIVERSITY OF OKLAHOMA

Slide 1: Effective Incident Response Teams: Two Case Studies
Tuesday, April 05, 2005, 10:00 a.m. - 11:00 a.m., Imperial Room I (lower level)
David Escalante, Director of Computer Policy & Security, Boston College
Calvin Weeks, Director, OU Cyber Forensics Lab, University of Oklahoma

Slide 2: Summary
»Why you need/want incident response
»What is best practice
»Problems with best practice for Higher Ed
»OU established model
»BC established model
»Roles
»What works and what does not

Slide 3: Why You Need Incident Response
»Compliance with laws and regulations
  o Gramm-Leach-Bliley Act (GLBA)
  o Sarbanes-Oxley (SOX)
  o Health Insurance Portability and Accountability Act (HIPAA)
  o FERPA
»Security improvement
»Improve network and system uptime
»What is an “incident” for the purposes of this presentation?
»Strong incident response cultures
  o Government (in some places)
  o ISPs
  o Financials (recently)
  o ISACs

Slide 4: Resources
»SEI/CERT
  http://www.cert.org/csirts/Creating-A-CSIRT.html
  http://www.sei.cmu.edu/publications/documents/03.reports/03hb002.html
»O’Reilly book
»FIRST: The Forum of Incident Response and Security Teams
  http://www.first.org/
»RFC 2196, Site Security Handbook
»RFC 2350, Expectations for Computer Security Incident Response
»NIST
  http://csrc.nist.gov/topics/inchand.html
»NSA
»Educause
  http://www.educause.edu/Browse/645?PARENT_ID=660

Slide 5: Summary of Best Practices
»Create a Dedicated team
»Have clearly Defined roles
»Build a formal Reporting structure
»Write a series of Defined plans
»Publish the team’s interfaces widely

Slide 6: Issues for Higher Ed
»Dedicated Team?
  o And what’s your budget!
  o If team is multi-departmental, those politics come into play
»Define Roles…
  o OK. Who will fill them?
»Reporting Structure.
  o OK, but who is in charge or who has the authority? EDUs tend to be non-hierarchical
»Defined Plans
  o The best laid plans are almost never followed.
»Publish Contact & other Information
  o Communications channels in EDUs are diffuse
  o Audience is at different technical levels

Slide 7: Oklahoma Structure
University Of Oklahoma
»Norman Campus
  o Departments
  o Colleges
  o Research
»Health Science Center Campus
  o Departments
  o Colleges
  o Hospital
»Tulsa Campus
  o Departments
  o Colleges

Slide 8: OU Iterative Approach
»Phase one – 2001
  o Assign Security Officer
»Phase two – 2002
  o Establish Computer Assessment Response Team (CART)
»Phase three – 2002
  o Established Field Security Officers (FSO)
»Phase four – 2003
  o Approved Computer Security Incident Response Team (CSIRT)
»Phase five – 2003
  o Established IT Service Centers
»Phase six – 2004
  o Established OU Cyber Forensics Lab (OUCFL)

Slide 9: BC Structure
President

Slide 10: BC Iterative Approach
»Phase 1 - 2002
  o Senior Management recognizes need for security office due to serious computer security incident
»Phase 2 - 2003
  o Office of Computer Policy & Security established and staffed
»Phase 3 - 2003
  o Create “best practice” style incident response team
»Phase 4 - 2004
  o Refine team based on real-world experience
»Phase 5 - 2005
  o Re-define incidents and response based on cultural issues on campus, moving toward universal culture of security

Slide 11: Phase 3 -- 2003
»Use the resources on the earlier slide to define Computer Security Incident Response Team (CSIRT)
  o And immediately run into problems
»Everyone wanted to be on the team
  o Management vs. practitioners issue
»When a real incident came up, didn't need whole team, and sometimes needed other resources not on team
  o Lack of tools in an incident
»Team runs into exhaustion, lack of interest, or both

Slide 12: Phase 4 -- 2004
»Stop using formal team from Phase 3
»Resolve management vs. practitioner issue by setting up senior management team interface with intermediary to incident team
»Security group declares team in the course of declaring incident
»Clarify responsibilities (Security is the boss)
»Flexibility and understanding of process is more important than who's doing what role in a given incident -- in our last major incident, the CIO was boss, not Security; all worked the same since everyone understood the roles and only the people were swapped

Slide 13: Phase 5 -- 2005
»Security group has too many incidents to make progress on other, strategic tasks
»Need to empower other parts of IT and university to run “minor” incidents
  o Framework and tools for doing this
»Improve incident reporting such that we achieve better coverage and more accurate classification
»Improve initial handling of people and technology issues when incident occurs

Slide 14: OU Workflow

Slide 15: OU Roles
»CART – Executive oversight
»Service Centers – Direct Customer Support during incident
»Security Team – Handle and execute security response plan
»FSO – Coordinate with response efforts
»OUCFL – Perform any forensics, investigations, and/or law enforcement communications.
»CSIRT – is the handbook that we use only as a reference and guide.

Slide 16: OU Response Cost Relation Model
[Figure: Costs and Resource Utilization (5%, 10%, 20%, 40%, 80%) against Security Model and Posture; labels: Reactive, Proactive, Qualitative, Quantitative]

Slide 17: What works/does not work?
»User is very happy
»Easier to track response capability
»Large or sensitive incidents are a new learning process every time
»Better control over desired actions or reactions to the incident
»Sometimes the whole process is slower than desired
»Better and more information is achieved

Slide 18: Questions
Calvin Weeks, EnCE, CISSP, CISM
OU Cyber Forensics Lab
email@example.com
http://cfl.ou.edu

David Escalante, CISSP
firstname.lastname@example.org