Incident Response November 2015 Navigating a Cybersecurity Incident

Plan, Prepare, Manage, Mitigate and Remediate  Plan – Have a plan and test it  Prepare – Create a CSIRT and practice scenarios  Manage – Have a program for managing an incident  Mitigate – Plans of Action to mitigate common scenarios  Remediate – Action plan for addressing gaps and issues 1

Create an Incident Response Plan  Develop an Incident Response Plan - Multidisciplinary team  Roles and Responsibilities  Line of Authority  Triggers to Activate CSIRT  Status updates – timing 2

Computer Security Incident Response Team (CSIRT)  Information Systems Services - Windows - Unix - Messaging - Networking - Help Desk  Information Security  Legal  Human Resources

The Computer Security Incident Response Team  Strategies for different types of breaches Technical response Public relations response Legal response

Detection – Information Security  IDS – Intrusion Detection Systems - SIEM – Security Information and Event Management  FIM – File Integrity Monitoring Systems  FW – Firewall activity  AV – Anti-Virus Alerts  Service Desk Calls - Users - Customers

Detection – Is this an incident  Did you lose data?  How much data and exactly what type?  Is the data loss ongoing?  Who knows about the data loss?  This information is going to guide the next phases of the response - Will we need to report the loss - How big is the loss – number of customers - How will we manage the process

Managing and mitigating the incident  Identify your organizations priorities  Nature of the incident  Restore affected or compromised systems  Apply corrective actions to any identify vulnerabilities  Apply countermeasures to security systems  Assign responsibility for correcting systemic issues  Track progress of all corrective actions  Validate the actions taken are effective  Update your security policy and procedures

Remediation  The goal of those engaged in a data breach and incident response is to - Stop the bleeding – data loss - Quantify the loss - Secure your information systems - Fix any holes in your security and operations

Lessons learned – Follow up  Actions to fix infrastructure and security - Assigned an owner who is responsible for the fix - Given adequate resources to address problems - Required to provide regularly scheduled updates until resolution

Remediation - repairing the damage to the brand  For customers - Credit monitoring - Credit repair - Litigation services for any victimized by ID Theft  Company Image - Good will gestures - Awareness Outreach to customers on data protection - Following up on all promises

Consider Third Party Contractors Digitigal Forensics and Crisis Response  Benefits of third party contractors - Equipped to deal with crisis situation - Instant Expertise - Typically can provide rapid response - Can provide you with legal cover  Issues of third party contractors - Cost – they can be expensive – $300 plus per hour - Delays in getting onsite – paper work and travel - No guarantee of resuts

Overview of Administrative Elements  Management roles and responsibilities - Leadership is essential to effective response - Let the team do its job, but keep a informed of progress Status meetings – as needed, but initially 3 a day - Current Status - Tasks to Complete - Next Steps - Who is assigned Be prepared to make timely and informed decisions Keep tabs on staffing and watch for fatigue - Support your people and do not lose your temper - If staff do not perform or are ineffective you will need to decide how to proceed, but think before you act 12

Overview of Administrative Elements  Public Relations - Single message – clear, concise and to the point If you have a public relations staff, let them work with your legal counsel on the message, review it and make sure all contingencies have been addressed and then let them deliver it. - Explain what has happened - Progress of the investigation - Steps the organization will be taking - How the public and press can keep informed - A wise policy is to inform all company personnel that any inquiries about an incident must be directed to Legal council - Templates can be prepared and vetted prior an incident and can be ready to use in event of a breach 13

Questions? Fred Howell, MBA, MSISM, CISSP Manager of Security and Privacy Consulting Services RSM LLP 80 City Square Boston, MA Office Cell

McGladrey is the brand under which McGladrey & Pullen, LLP serve clients’ business needs. McGladrey LLP is the U.S. member of the RSM International (“RSMI”) network of independent accounting, tax and consulting firms. The member firms of RSMI collaborate to provide services to global clients, but are separate and distinct legal entities which cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. McGladrey, the McGladrey signatures, The McGladrey Classic logo, The power of being understood, Power comes from being understood and Experience the power of being understood are trademarks of McGladrey LLP. © 2013 McGladrey LLP. All Rights Reserved. McGladrey LLP Andy Obuchowski 80 City Square Boston, MA