Slide 1: Developing and Implementing a CIRT Team
Nanette S. Poulios, CISSP, CISM, Senior Training Consultant, Easy i

Slide 2: Today's Agenda
- Why does anyone need a CIRT?
- How do you create a CIRT?
- What do you need to manage and train a CIRT?
- Impediments to a successful CIRT
- Case Studies

Slide 3: Why Does Anyone Need a CIRT?

Slide 4: Incidents on the Rise
Number of incidents reported to CERT/CC increased:
- 21,756 in 2000
- 52,658 in 2001
- 82,094 in 2002
- 137,529 in 2003 **
** http://www.cert.org/stats/cert_stats.html

Slide 5: Legal and Regulatory CIRT Requirements
- HIPAA 45 C.F.R. Part 164.308(a)(6)
- FTC Safeguards Rule C.F.R. 314.4(b)(3): "Detecting, preventing and responding to attacks, intrusions, or other systems failures"
- OCC Safety and Soundness Standards C.F.R. Part 30 Appendix B III (c)(g): "Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies"

Slide 6: Legal and Regulatory CIRT Requirements (2)
- GLB Act
- Sarbanes-Oxley
- Basel Principle 14: "To ensure effective response to unforeseen incidents, banks should develop: Incident response plans to address recovery of e-banking systems and services under various scenarios, businesses and geographic locations. Scenario analysis should include consideration of the likelihood of the risk occurring and its impact on the bank. E-banking systems that are outsourced to third-party service providers should be an integral part of these plans"

Slide 7: Best Practices CIRT Requirements
- ISO 17799 6.3.1 Reporting security incidents: "Security incidents should be reported through appropriate management channels as quickly as possible. A formal reporting procedure should be established, together with an incident response procedure, setting out the action to be taken on receipt of an incident report."

Slide 8: Best Practices CIRT Requirements (2)
- ISO 17799 8.1.3 Incident management procedures: "Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents (see also 6.3.1). The following controls should be considered. a) Procedures should be established to cover all potential types of security incident, including: 1) information system failures and loss of service; 2) denial of service; 3) errors resulting from incomplete or inaccurate business data; 4) breaches of confidentiality."

Slide 9: Best Practices CIRT Requirements (3)
- "The Federal Information Security Management Act (FISMA) of 2002 requires Federal agencies to establish incident response capabilities." *
- Requires the agency to: select a team, staff the team, train the team
* NIST Computer Security Incident Handling Guide, SP 800-61

Slide 10: Best Practices CIRT Requirements (4)
- OMB Circular No. A-130, Appendix III: "ensure that there is a capability to provide help to users when a security incident occurs in the system"

Slide 11: Business Practices Requiring a CIRT
- Fiduciary Responsibility
- Liability Avoidance
- Survivability

Slide 12: Security Event Definition
- Not just attacks
- May include any negative or unexpected behavior
- System crashes
- Policy violations
- Examples: Denial of Service, Malicious Code, Unauthorized access, Inappropriate usage

Slide 13: How Do You Create a CIRT?

Slide 14: Authority
- Corporate/Agency policy must provide for CIRT creation
- Board of Directors approval is recommended
- Top level management supports the CIRT and releases a formal statement
- CIRT reports to upper level management, not IT

Slide 15: Mission of the CIRT
- Provides clear understanding of goals and objectives
- Communicates these goals and objectives to others
- Prevents misunderstandings in a crisis situation
- Optional purpose statement to gain support

Slide 16: Sample Mission Statement
"The objective of the CIRT is to investigate apparent intrusion attempts and report their findings in a timely manner to executive management. The CIRT provides a centralized approach to managing computer security incidents so that current incidents can be controlled as quickly as possible to avoid serious damage to XXX systems and future incidents can be prevented. Additionally, the CIRT will provide increased security awareness so that XXX's computer systems will be better prepared and protected in the future."

Slide 17: Responsibilities of CIRT
- Vary by organizational needs
- Proactive examples: Awareness programs; Technical publications; Advisories; Vulnerability and Penetration testing
- Reactive examples: Incident Response; Malicious Code analysis; Liaison with law enforcement; Incident Post-mortem and Reporting

Slide 18: Operating Policies and Procedures
- CIRT should be governed by organizational and regulatory policies
- Approved by management
- CIRT should follow a standard operating procedure
- Provide complete and concise documentation
- Review periodically for updates
- Revise after post-mortem review

Slide 19: Team Composition
- Core Members: Determine if the incident warrants further investigation; Categorize the security incident; Add support members to the investigation if necessary
- Support Members: Provide needed technical expertise as required; Member of the team for the duration of the incident

Slide 20: Core Members
- IT Audit
- IT Security
- Corporate Security
- Legal

Slide 21: IT Audit Member Role
- Ensure that best practices are followed
- Ensure the auditability of the investigation process
- Ensure that chain of custody procedures are followed correctly
- Maintain accountability for all evidence collected during the investigation
- Document investigation

Slide 22: IT Security Member Role
- Inform all other users that are affected by the security incident of the necessary actions to control the incident
- Perform appropriate backtracing, forensic analysis and other technical tasks required by the investigation
- Provide an analysis of the incident including root causes
- Compile the final report and recommendations of the CIRT
- Be available as an expert witness

Slide 23: Corporate Security Member Role
- Provide a liaison with law enforcement
- Ensure that investigative best practices are followed
- Contain the incident locale as appropriate
- Manage the interview process for witnesses and suspects

Slide 24: Legal Member Role
- Brief other core and support members on privacy, 4th Amendment, search and seizure and wiretap issues
- Ensure that suspects' rights are protected appropriately
- Act as spokesperson with the media
- Review any press releases before they are released to the media
- Review any management reports
- Act as liaison with outside legal counsel

Slide 25: Support Members
- Platform Specialist
- Financial Auditor
- Fraud Examiner
- Personnel
- Public Information Officer/Public Relations

Slide 26: Platform Specialist Support Role
- Review audit logs and report any unusual or suspect activities
- Report any unusual behaviors of the critical systems
- Be prepared to brief the CIRT on operations procedure
- Protect evidence of incident according to organizational guidelines and instructions of the core team

Slide 27: Platform Specialist Support Role (2)
- Assess and report damage to system and/or data to CIRT
- Aid in determining the scope of the intrusion
- Aid in identifying the point of access or the source of the intrusion
- Make recommendations to close the source or point of access of the intrusion

Slide 28: Financial Auditor Support Role
- Be prepared to brief the team on financial procedures
- Be prepared to conduct a financial audit if the core team deems it necessary for investigative reasons
- Report findings to the CIRT
- Follow investigative procedures as determined by the CIRT

Slide 29: Fraud Examiner Support Role
- Aid the core members of the CIRT in discovery and recognition of fraud
- Follow guidelines for lawful search
- Follow organizational and legal privacy policies/requirements
- Aid in identifying objects and materials used to commit suspected fraud

Slide 30: Fraud Examiner Support Role (2)
- Preserve, using CIRT guidelines, any evidence collected until transported to CIRT
- Transport evidence to CIRT for safekeeping until resolution of investigation
- Report findings to the CIRT

Slide 31: Personnel Support Role
- Advise the core members on personnel policies and procedures
- Make recommendations for handling sensitive employee information

Slide 32: Public Information Officer Support Member
- Act as a single point of contact for the media
- Obtain legal advice before any interview or press release is given to the media
- Obtain approval from the CIRT that any interview or press release will not interfere with the investigation
- Inform all other affected users to refer any media inquiries to the Public Information Officer

Slide 33: What Do You Need to Manage a CIRT?

Slide 34: Team Leadership
- Management will appoint a team leader from the Core membership of the team
- Duties will include: Convene the CIRT; Contact the Chief Information Officer (or other designated Officer); Conduct meetings of the CIRT; Periodically report status of investigations to the CIO; Manage investigations

Slide 35: Team Leadership (2)
- Duties continued: Take responsibility for verifying chain of custody of evidence; Coordinate team activities; Appoint support members as required for particular investigations; Present findings to management; Monitor the investigation

Slide 36: CIRT Team Responsibilities
- The CIRT is an investigative body only. It does not make policy or take action following an investigation
- The CIRT is a completely independent body. It receives its direction from the Chief Information Officer, but is accountable directly to the General Manager or the General Manager's appointee

Slide 37: CIRT Team Responsibilities (2)
- Determining if an event constitutes an investigative security incident
- Conducting an appropriate investigation to determine the root cause, source, nature, extent of damage and recommended response to a computer security incident
- Preserving evidence of the incident
- Interviewing witnesses and suspects

Slide 38: CIRT Team Responsibilities (3)
- Providing appropriate liaison with law enforcement and outside legal counsel
- Managing the release of information to the media
- Managing interaction between Human Resources and witnesses, suspects, organized labor and other appropriate interested parties
- Preparing a report of findings, root causes, lessons learned and recommended actions for management review

Slide 39: CIRT Team Responsibilities (4)
- Carrying out the directions of management communicated through the Chief Information Officer
- Containing the incident scene to prevent contamination of evidence

Slide 40: Core Team Training Requirements
- Legal: 4th Amendment, privacy, and lawful search issues
- Organizational policies and procedures
- Investigative process
- Storing and transporting evidence according to legal guidelines
- Vendor training on all current detection and investigative tools

Slide 41: Core Team Training Requirements (2)
- Collecting, preserving and analyzing evidence of a computer security incident
- Procedures for coordinating with outside organizations such as CERT, FIRST and law enforcement

Slide 42: Support Team Training Requirements
- Legal: 4th Amendment, privacy, and lawful search issues
- Review organizational policies and procedures
- Investigative process
- Storing and transporting evidence according to legal guidelines
- Technical training on all platforms, operating systems and applications that the member is responsible for, including new technologies

Slide 43: Continuous Training Requirements
- Updates in tools used in their investigations
- Updates in investigative and forensic techniques
- Updates in appropriate technologies
- Updates and changes in laws, regulations and internal policies that affect investigations
- Periodic simulation drills

Slide 44: Impediments to a Successful CIRT

Slide 45: Impediments to a Successful CIRT
- Lack of management support
- Lack of procedures and policy
- Lack of access to evidence due to outsourcing
- Lack of event readiness within organization
- Lack of qualified personnel
- Lack of training

Slide 46: Case Studies

Slide 47: Case Studies
- Superbowl Slammer Incident
- Watchful Team Incident
- Blackout Incident

Slide 49: Resources
- http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
- http://www.cert.org/tech_tips/incident_reporting.html
- http://www.sans.org/rr/papers/27/641.pdf
- http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
- Investigating Computer-Related Crime, CRC Press, by Peter Stephenson

Slide 50: Contact Information
Nanette S. Poulios, CISSP, CISM
Senior Training Consultant, Easy I
248-705-0710 (direct)
248-375-2315 (fax)
nan.poulios@easyi.com
nspoulios@comcast.net
