
The BIG ONE 2.0 - HouSecCon

Oct 19, 2014


Presentation on Incident Response of the BIG ONE event we all might encounter.
Page 1: The BIG ONE 2.0 - HouSecCon

The BIG One It’s coming, it will get all of us at some point

What will you do? No REALLY, what will YOU and management do ?

Michael Gough HackerHurricane.com

Page 2: The BIG ONE 2.0 - HouSecCon

About Me

Michael Gough CISSP, CISA

LinkedIn Profile www.HackerHurricane.com

• We already know the answer… Google or Maltego my name

• No, I’m not Batman’s Butler or Dumbledore

• No, I’m not the voice or musician for hire

• I’m the one who…

– Coined the term ‘Virtual Visitation’ – Wrote “Skype Me!” & “Video Conferencing over IP”

• And the one that found Card Key systems can suck

2 HackerHurricane.com

Page 3: The BIG ONE 2.0 - HouSecCon

Why are we here?


• How we can prepare ourselves and our management for….

The

BIG

ONE !

Page 4: The BIG ONE 2.0 - HouSecCon

Assumptions

• I am assuming you know the breach stats

• I am assuming you know of the recent breaches

– Find them at: datalossdb.org

• I assume you know Why and What they want

– The nefarious ne’er-do-wellers and Malwarians from Hackistan… of course

• I assume you know How they get or got into your network

• I assume you have or know about an Incident Response program and/or plan

Page 5: The BIG ONE 2.0 - HouSecCon

Oh No EO Sony…


Page 6: The BIG ONE 2.0 - HouSecCon

Oh No EO Sony…


Can be found at: http://www.veracode.com/resources/sony-psn-infographic

Page 7: The BIG ONE 2.0 - HouSecCon

Yup.. Bad press


Page 8: The BIG ONE 2.0 - HouSecCon

Closer to home…

• We’re #1

• TX Comptroller

• 3.5 million records exposed

– No indication of misuse of this data at this point – CSIdentity

Page 9: The BIG ONE 2.0 - HouSecCon

Yup.. Bad press


Page 10: The BIG ONE 2.0 - HouSecCon

National Breach Notification Law?

• This will save us!!!!

• Congress is working on a Data Breach Law

• The three bills passed by the committee are

– the Personal Data Privacy and Security Act (S. 1151) sponsored by Judiciary Chairman Patrick Leahy (D-Vt.),

– the Data Breach Notification Act (S. 1408) sponsored by Sen. Dianne Feinstein (D-Calif.), and

– the Personal Data Protection and Breach Accountability Act (S. 1535) sponsored by Sen. Richard Blumenthal (D-Conn.).


Page 11: The BIG ONE 2.0 - HouSecCon

So what will YOU do ?

• Start by updating your resume…

• Because we now know we are just a bunch of scapegoats…

• No really.. What will YOU do?

• Inform Management?

• Or do you fear telling management will get you terminated?


BaaaaaaD

Page 12: The BIG ONE 2.0 - HouSecCon

Management


Page 13: The BIG ONE 2.0 - HouSecCon

So what will THEY do ?

• I did not have relations with that security person…

• Me me me me me

• What about my BONUS?

• When in danger or in doubt, run around, scream and shout

• And, of course….……………………………. >>>


What about ME?

Page 14: The BIG ONE 2.0 - HouSecCon

So what would management do?

• How would management act if you had a data disclosure or breach of the magnitude of Sony, TJX, the Comptroller, Heartland and others?

• How would YOU respond?

• How do YOU prepare?

• Can YOU prepare Management for

– The BIG ONE!!!

Page 15: The BIG ONE 2.0 - HouSecCon

Management

• Nothing gets management’s attention like their name or the company’s name in the press

– Sony lost 1/3 of its stock value

• Fired security people just prior to the breach (Revenge?)

– Comptroller reputation (politics of course)

• Or having to do a data breach notification with or to one or more of your clients

– Mail everyone a letter, notice or coupon?

• How management reacts can make the situation worse, or manageable

Page 16: The BIG ONE 2.0 - HouSecCon

You !


Page 17: The BIG ONE 2.0 - HouSecCon

What does YOUR company have?

• Start off with collecting and understanding what you have

– The type of business you do

– Political statements

– Intellectual Property (IP)

– Trade secrets

– Cloud presence

– Reputation (aka Ego)

– Info about your clients

– Cash if you are a financial institution

– Wire Transfers of course (kaCHING)

– Competition

Page 18: The BIG ONE 2.0 - HouSecCon

So what should YOU do?

• Have you discussed a Sony and Comptroller sized breach with Management?

• Do you have a communication and reaction plan?

• Have you prepared and trained management?

• Think and speak in “How does this affect our ability to do business?”

– Recall TJX giving discount coupons!


Page 19: The BIG ONE 2.0 - HouSecCon

So what should YOU do ?

• Role based awareness training – Yup, you heard me…

– Management is a role and this topic is something they should have training on

– Make them aware of the laws

– Tell them how bad it can be (cough cough… Sony… TX Comptroller… Train wreck)

– Or how good it can be (TJX.. $ discount coupon)

– Why it is important NOT to drop the axe before Incident Response has a chance to work


Page 20: The BIG ONE 2.0 - HouSecCon

What if someone finds an issue

• For those of us that are security researchers, by accident or purpose – people find things and report them to your company

• How will your management react?

• Will they cooperate like our Card Key vendor?

• Or will they say thank you and send the authorities to the researcher’s home threatening action?

– Patrick Webster in OZ with First State Super

– This will NOT end well – It will backfire

– Angry people say and post things

• Priority to fix issues reported by outsiders?

• Pay a reward?

Page 21: The BIG ONE 2.0 - HouSecCon

The Blame Game

• Management and employees tend to point fingers and assign fault

• Really it is everyone’s fault since the organization failed, not just one or more individuals

• Fault cannot really be determined until all the evidence, facts, history, interviews and understanding of the event are complete

– AKA Post-Mortem

– Were/are you understaffed? Under budgeted?

• You might consider that former employees could be used as the scapegoats

Page 22: The BIG ONE 2.0 - HouSecCon

Training Management

• So what do we train management to do?

• It’s important for them to think about it

• It’s important to understand their options

BEFORE The BIG ONE Hits…

Page 23: The BIG ONE 2.0 - HouSecCon

Do not over-react – Incident Response

• Interfering with the experts who know how to deal with a Breach the best – let them/us do their jobs

• Hiring consultants to evaluate your business – Don’t, we already know what’s wrong.. Trust us

• The $$$ you pay consultants can be better spent funding that which you did not fund to begin with, which led or contributed to the breach

• How does hiring consultants impact your budget?

• Yes, Information Security is always under funded, so blaming us is not the answer

• Information Security professionals should not be scapegoats, unless they have unlimited budgets and 100% authority and responsibility, which is rarely the case

• Do NOT start making security decisions if you are not a security professional… aka one of us…

Page 24: The BIG ONE 2.0 - HouSecCon

Dropping the axe too soon

• You lose key individual(s) that know about your environment

• More bad press… people talk, especially fired.. Errr “employees whose resignation was accepted”…

• InfoSec folks CAN help and are motivated.. Not to lose their jobs, their/our reputation… it’s sorta fun for us

• Others loyal to the scapegoats will also leave

– Resulting in significant negative security impact and the loss of the people who know the issue best

• Dropping the axe does not increase stock price or improve public perception, it is plain and simple over-reaction

• Truthfully it is not any one person’s fault. We share in stock impact and reputation

• Firing or threat of termination causes others to jump ship and lose faith in their job security and management

• Termination of key people weakens you short term and makes it harder to hire quality InfoSec professionals (cough cough.. Sony and Comptroller job postings) – we talk and tweet

Page 25: The BIG ONE 2.0 - HouSecCon

Take Aways


Page 26: The BIG ONE 2.0 - HouSecCon

Take Aways

• We InfoSec professionals need to prepare our Management

• Create a Role based training presentation for Management

• Consider a Faux cyber event exercise

• Create pre-decisions to certain events

• Try and come up with clever responses to The BIG ONE

• Get management to consider a worst case scenario and how they would react

• Play nicey nice with Security Researchers – many of us have morals

• Warn them of the loss of talent and difficulty to hire new talent if they overreact and practice Scapegoat and the Bus methodology

• Build trust with management – We ARE your CYA if you let us

• Don’t play the blame game – let the final post-mortem tell the story and provide direction for improvements

• Cost savings by trusting us and NOT hiring the contractors unless we say we need them, and spend the savings on already requested improvements

• Be proactive and discuss this subject with management!!!

• Think about our options long before the BIG ONE hits!

Page 27: The BIG ONE 2.0 - HouSecCon

Faux Cyber event

• Cyber Storm III – Create your own scenario that fits your company

• Have key people participate in a ½ day or multi-day event

• Get people thinking.. “Oh crap, what would I/we do if this happened?”

• You might come up with a Discount Coupon idea

• Repeat every year or two

• Output should be pre-decisions and improvement to Incident Response, and to reduce over-reaction when The BIG ONE hits

Page 28: The BIG ONE 2.0 - HouSecCon

Take Aways

• If you prepare….

– A bad breach won’t be as much of a surprise and you can help to avoid or mitigate over-reaction if you do prepare…

– thus avoiding the ScapeGoat and Bus methodologies


Page 29: The BIG ONE 2.0 - HouSecCon

References

• The Personal Data Privacy and Security Act – http://judiciary.senate.gov/legislation/upload/Leahy-Sub-ALB11637-S-1151.pdf

• The Data Breach Notification Act – http://judiciary.senate.gov/legislation/upload/Substitute-ALB11762-S1408.pdf

• The Personal Data Protection and Breach Accountability Act – http://judiciary.senate.gov/legislation/upload/ALB11771-Blumenthal-Sub.pdf

Page 30: The BIG ONE 2.0 - HouSecCon

The End – Q &amp; A?

• Contact me at:

– www.HackerHurricane.com

– @HackerHurricane
