Improving Incident Response


Dec 26, 2015



Jacob Craig
Transcript
Page 1: Improving Incident Response Incident Response Agenda Why Incident Response is Important  Threats, Numbers, Traditional Response What is an Incident.

Improving Incident Response

Page 2:

Incident Response Agenda

- Why Incident Response is Important
  - Threats, Numbers, Traditional Response
- What is an Incident
- State of Ohio Incident Response Guidance
  - Ohio HB 104
  - ITP-B.7: Security Incident Response
  - OIT IT Bulletin No: ITB-2007.02
  - Governor’s Memo on Illegal Activity & Serious Wrongdoing
- Incident Response Roles
- How To Report an Incident
- Incident Response Management Guide

Page 3:

Traditional Threats

- Viruses & Worms
- Breaches in Acceptable Use Policy
- Hacking for Fun
- Fraud
- Accessing Illegal Content
- Website Defacement

Page 4:

New Threat Landscape

Criminal Involvement: Profit $ $ $

- Spyware
- Botnets
- DDoS
- Extortion
- ID Theft
- Intellectual Property Theft
- Phishing

Page 5:

CYBERCRIME BY THE NUMBERS

$67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.

$8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.

93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.

26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.

Source: USA TODAY research

Page 6:

The Good, The Bad, The Ugly

- 82% employ a CSO, CISO, or CPO
- 93% have deployed firewalls
- 72% encrypt some data
- 69% DO NOT keep an accurate inventory of user data
- 33% of all enterprises are NOT in compliance with Sarbanes-Oxley, HIPAA, or state privacy laws
- 40% of organizations do NOT know how many security incidents they have experienced
- 45% do NOT know what type of attacks have occurred

Source: CIO Magazine 2007

Page 7:

Cybersecurity

Traditional Focus on Prevention: Walls & Barriers

- Policies
- Firewalls
- Anti-Virus Software
- IDS

But what about response?

Page 8:

Traditional Response is Reactive, Which Leads To:

- Prolonged Incidents
- Muddled communications
- Senior Management learns of the incident late

Page 9:

Failure to Plan

- Loss of Constituent Trust
- Tarnished Image
- Prolonged Recovery Times
- Disclosure of Sensitive Data
- Compromised Evidence
- Financial Costs
- Legal Issues

More Security Does NOT Necessarily Mean More Secure

Page 10:

Better Incident Management

- Ensures Incidents are Detected, Recorded, and Managed
- Planning, Coordination, and Reporting
- Execution of Mitigation Strategies
- Informed Outcomes
- Strategic Process Improvement

Page 11:

What is an Incident?

- Viruses
- E-mail viruses
- E-mail harassment
- Worms
- Other malicious code
- Denial of service attacks
- Intrusions
- Stolen hardware
- Stolen sensitive data
- Illegal activity
- Serious wrongdoing
- Network or system sabotage
- Website defacements
- Unauthorized access to files or systems
- Loss of system availability
- Misuse of service, systems or information
- Physical damage to computer systems, networks, or storage media

Page 12:


We’ve Been Hacked

What Now???

Page 13:


Ohio Law: HB 104 – Breach Notification

Applies to any state agency or entity doing business in Ohio that owns or licenses computerized data that includes personal information of a specified nature.

Must give notice to any Ohio resident whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person, if the access and acquisition causes or reasonably is believed will cause a material risk of identity theft or other fraud.

Personal information triggering notice: Name plus
- SSN & Tax ID
- DL number/State ID number, or Employer identification number
- Financial account number (ex: bank account; credit or debit card)

Applies to “unencrypted, computerized” data, and where the number in question is not truncated to the last four digits.

Disclose in the most expedient time possible, generally not later than 45 days following discovery of any breach of the security of the system.

Page 14:

State of Ohio Policy: Security Incident Response ITP-B.7

Incident. A reported adverse event or group of adverse events that has proven to be a verified information technology security breach. An incident may also be an identified violation or imminent threat of violation of information technology security policies, or a threat to the security of system assets. Some examples of possible information technology security incidents are:

- Loss of confidentiality of information
- Compromise of integrity of information
- Loss of system or SERVICE availability
- Denial of service
- Misuse of service, systems or information
- Damage to systems from malicious code attacks such as viruses, trojan horses or logic bombs

Page 15:

OIT IT Bulletin No: ITB-2007.02

Sensitive Data = An individual’s last name along with first name or first initial, in combination with any one or more of the following data elements:

- Social security number
- Driver’s license number
- State identification card number
- Financial account number
- Credit card number
- Debit card number
- EFT (Electronic Funds Transfer) number
- Taxpayer identification number
- Medical information
- Other personal information required by law to be maintained in a secure manner

Page 16:

Governor’s Memo on Wrongdoing or Illegal Activity

“Illegal Activity” includes fraud, theft, assault and other violations of local, state and/or federal law, including violations of state ethics laws, committed or in the process of being committed, by a state employee on any property owned or leased by the state or during the course of executing official duties.

Page 17:

Governor’s Memo on Wrongdoing or Illegal Activity

“Wrongdoing” includes a serious act or omission, committed by a state employee on any property owned or leased by the state or during the course of executing official duties. Wrongdoing is conduct that is not in accordance with standards of proper governmental conduct and which tends to subvert the process of government, including, but not limited to, gross violations of departmental or agency policies and procedures, executive orders, and acts of mismanagement, serious abuses of time, and other serious misconduct. For purposes of this reporting procedure, wrongdoing does not include illegal or suspected illegal activity. Likewise, wrongdoing does not include activity that is most appropriately handled through the department’s human resources personnel.

Page 18:

Governor’s Memo on Wrongdoing or Illegal Activity: Procedure

Any state employee who becomes aware of suspected non-emergency illegal activity or wrongdoing shall immediately notify the Director or the Chief Legal Counsel of the department for which the reporting employee works.

When a Director or Chief Legal Counsel of a department is notified or becomes aware of suspected or alleged illegal activity by any employee, the Director or the Chief Legal Counsel of the department shall notify the Chief Legal Counsel to the Governor and, for illegal activity only, the Director of the Ohio Department of Public Safety.

Any reporting employee may also contact the Inspector General and file a written complaint, or file a complaint using the Inspector General’s anonymous hotline, in the case of wrongdoing or non-emergency illegal activity.

If a Department Director and/or Chief Legal Counsel is suspected of illegal activity or wrongdoing, the Inspector General should be contacted directly.

Page 19:

Suggested Incident Response Team Roles

- Incident Coordinator – IC
- Program Incident Coordinator – PIC
- Technical Incident Contact – TIC
- Executive Team Contacts
- Primary and Alternate Incident Response Contacts

Page 20:

Incident Coordinator – IC

- Single point of contact for overall coordination.
- Gathers and communicates information about the incident and contacts Program Incident Coordinators to obtain resources.
- Assists with agency communications, archiving incident-related documentation, and situation assessment.
- Communicates with the Executive Team should they need to be contacted.
- Chairs the post mortem meeting for closed incidents and is responsible for updating the incident ticket and ensuring that the incident is documented and the ticket is closed.

Page 21:

Program Incident Coordinator – PIC

- The Primary PIC is the Program Administrator and the Alternate PIC is someone who can act on behalf of the Primary PIC.
- This role includes being the primary or alternate contact for an Agency Program Area.
- The PIC is responsible for managing and coordinating communications and resources within their program area and between their area and other areas.
- The PIC may be asked to provide resources from their area to other areas in order to assist in mitigation of an incident.
- The PIC will assess situations and respond as needed, archive incident-related documentation, and participate in post mortem meetings.

Page 22:

Additional Roles

Technical Incident Contact – TIC – This person may be called by the IC or PIC to provide technical assistance in mitigating a critical incident.

Executive Team Contacts – The Executive Team Contacts will be notified by the Incident Coordinator on an as-needed basis depending upon the severity and scope of the critical incident.

Agency Primary and Alternate Incident Response Contacts – AIRC – Each cabinet-level agency has identified a Primary and an Alternate Incident Response Contact for OIT to work with in reporting and mitigating incidents.

Page 23:

The Incident Coordinator determines if an Extended Team needs to be assembled, which includes the original Incident Response Team plus any of the following:

- Legal
- Service Manager
- Program Area unit(s) representatives
- Business Office
- Communications Office
- Policy Representative
- Application owner
- Impacted Customer(s)
- Business Continuity Manager
- Other individuals with expertise or a relationship to the incident

Page 24:

How to Report an Incident - 1

- Employees should inform their supervisor or other management about suspicious activities or unusual events that might indicate an incident has occurred or is in progress.
- Notify the Service Manager or Incident Coordinator (IC) of the service affected by the incident.
- Determine whether there may be alleged illegal activity or serious wrongdoing.
- Determine whether sensitive data is missing.

Page 25:

How to Report an Incident - 2

- The Incident Coordinator (IC) will contact the Agency Chief Legal Counsel regarding any alleged illegal activity, serious wrongdoing, or loss of sensitive data.
- The Agency Chief Legal Counsel is required to contact the Ohio Highway Patrol regarding any alleged illegal activity or loss of sensitive data.

Page 26:

How to Report an Incident - 3

When a Service Manager or Incident Coordinator determines that an incident has occurred or is in progress, they are to notify the OIT Incident Coordinator (OIT IC) by calling 614-644-0701 or 800-644-0701, or by sending an email to [email protected] and logging a ticket. If the Service Manager or Incident Coordinator is not available, then a Supervisor, Manager, or the employee discovering the incident should log the ticket.

If an incident, per Ohio IT Policy ITP-B.7, Incident Response, is logged by an agency with the OIT Call Center (OCSSC) that requires OIT to respond to a request for technical assistance for an incident at an agency, the OIT Incident Coordinator (OIT IC) will also be notified by the OIT Call Center (OCSSC). The OIT IC will contact the agency Incident Coordinator to determine what assistance is required.

Page 27:

Model Incident Management Guide

Customizable guide that includes:

- How to respond to an incident
- Critical Incident Response Flow Chart
- Thought Starters for Determining Extended Team
- Incident Team Contact Template
- Template Activity Log
- Template Containment and Communication Plan Log
- Template Resolution Log
- Production Incident Explanation (PIE)
- Security Incident Response Policy Template
- Incident Response Procedure Template

Online at the State of Ohio Privacy & Security Information Center: http://privacy.ohio.gov/resources/OITIncidentResponseGuide.doc
