Week 3 Lecture 1 Cybersecurity: Risk Management and Incident Response
De Montfort University Kazakhstan
This is a lecture on cybersecurity, risk management, and incident response. It covers topics including risk management frameworks (NIST), incident response lifecycle, and communication plans.
CSEC1001K: Foundation of Computing and Cyber Security
Week 3 Lecture 1: Risk Management and Incident Response

Outline
– Risk Management
– Risk Treatment
– Incident Response Planning
– Incident Response lifecycle

Risk Management: What is Risk?
The potential for loss, damage, or destruction of an asset as a result of a threat exploiting vulnerabilities of an asset or group of assets, thereby causing harm to the organization.

Risk Management Framework (NIST)
Ref: https://csrc.nist.gov/projects/risk-management/about-rmf
Process of identifying, controlling, and minimizing or eliminating security risks that may affect information systems, for an acceptable cost.

Risk Management Process (ISO)
ISO 31000:2018, Risk management – Guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.
Process steps (slide diagram): Establish the context; Risk assessment (Identify risks, Estimate risks, Evaluate risks); Treat risks; with "Communicate and consult" and "Monitor and review" running alongside every step. What could happen, when, how?
Source: https://www.iso.org/iso-31000-risk-management.html

Risk Management Process: Risk Analysis Terminology
(slide diagram relating the terms Asset, Weakness, Threat, Risk and Reduced Risk)
Evaluate the risks and decide on precautions.

Asset valuation
Identify the categories to assign to each asset:
– Most critical to the success of the organization
– The most revenue
– The highest profitability
– The most expensive to replace
– The most expensive to protect
– Liability of organization if revealed

Likelihood
The probability that a given threat is capable of exploiting a given vulnerability.
– Each attacker will have: Intent, Capability

Impact
– The magnitude of harm that a threat event can cause.
– Organisations must prioritise and value assets
– What is the impact to different stakeholders?

Purpose of Risk Assessment
A risk assessment is the process of identifying and prioritizing risks to the business.
– Estimate current risk
– Prioritise risks
– Identify sensible measures
– Without an assessment, it is impossible to design good security policies and procedures that will defend your company's critical assets.

Risk Assessment Procedure
– Prepare
– Conduct risk assessment
– Communicate risk assessment (e.g., executive briefings, risk assessment reports, dashboards)
– Maintain the risk assessment
– Apply risk treatments

Preparation – Identify Scope
– Organisational considerations
– Assist decision makers in a particular part of the business
– Sources of information: previous assessments; incident reporting; UK CERT (Computer Emergency Response Team)/CPNI (Centre for the Protection of National Infrastructure); research organisations

Conduct a Risk Assessment: Identify all Assets
– Information assets
– Software assets
– Physical assets
– Services
– Others: money, reputation

Identify Threats
– Identify threats to Confidentiality, Integrity, Availability
– Threat sources: adversarial, non-adversarial
– Assess the impact of each threat

Types of Threats
– Unintentional: hardware/software failure; human error
– Intentional: unauthorized access by insider; unauthorized access by outsider; malicious software

Identify Vulnerabilities
– Known system weaknesses
– Vulnerabilities (CVE)
– For each vulnerability: identify threats; assess likelihood (of an attempt, and of its success)

Determine Risk
– Severity of the impact
– Likelihood of occurrence
Risk = Impact × Likelihood

Risk Analysis Matrix
Risk = Impact × Likelihood (slide shows the matrix of impact ratings against likelihood ratings)

Communication
– Communication methods: executive briefing; risk assessment report; dashboard
– Who to communicate with: stakeholders; other organisations; government bodies

Maintaining the Risk Assessment
– Reconfirm scope, purpose, and assumptions
– Identify key risk factors
– Identify the frequency of risk factors for monitoring

Risk Treatment
– Avoid: do not perform that activity
– Accept: deal with risk by accepting the potential cost and loss if the risk occurs.
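The risk analysis matrix and the treatment options above can be worked through in code. The following is an added example, not material from the lecture: it scores a small register of constructed assets and threats on 1–5 impact and likelihood scales, ranks them by Risk = Impact × Likelihood, and maps each score band to one of the four treatment options. The asset entries, the band thresholds and the scale labels are all assumptions chosen for illustration.

```python
"""Worked risk assessment: Risk = Impact x Likelihood, ranked, with a treatment band.

Added example for the lecture's risk-analysis matrix; the assets, ratings and
band thresholds below are constructed for illustration, not taken from the slides.
"""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative scales, 1 (lowest) to 5 (highest), as on a typical 5x5 matrix.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}

# Treatment bands on the product score (assumed thresholds for this example).
# Each band is expressed in terms of the lecture's four options.
BANDS = [
    (20, "avoid / reduce urgently"),    # scores 20-25
    (12, "reduce"),                     # scores 12-19
    (6, "reduce or transfer"),          # scores 6-11
    (0, "accept (with recovery plan)"), # scores 1-5
]


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    impact: str
    likelihood: str

    def score(self) -> int:
        """Risk = Impact x Likelihood on the 1-5 scales."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def treatment_for(score: int) -> str:
    """Map a risk score to the assumed treatment band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError(f"score out of range: {score}")


def assess(items: list[RiskItem]) -> list[tuple[str, str, int, str]]:
    """Return (asset, threat, score, treatment) rows sorted highest risk first."""
    rows = [(i.asset, i.threat, i.score(), treatment_for(i.score())) for i in items]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def matrix() -> list[list[int]]:
    """The 5x5 risk matrix: rows = impact 1..5, columns = likelihood 1..5."""
    return [[i * l for l in range(1, 6)] for i in range(1, 6)]


# Constructed register entries for a small organisation (illustrative only).
REGISTER = [
    RiskItem("customer database", "unauthorised access by outsider", "severe", "possible"),
    RiskItem("web server", "hardware failure", "moderate", "likely"),
    RiskItem("office printer", "human error (misconfiguration)", "minor", "likely"),
    RiskItem("backup tapes", "theft", "major", "rare"),
]

if __name__ == "__main__":
    for row in matrix():
        print(" ".join(f"{v:2d}" for v in row))
    for asset, threat, score, action in assess(REGISTER):
        print(f"{score:2d}  {asset:<18} {threat:<34} -> {action}")
```

Ranking by the product alone is the lecture's model; in practice many organisations also apply an absolute rule (any "severe" impact is reviewed regardless of likelihood), which the band table makes easy to add.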
Plans should be in place, e.g. recovery.
– Reduce: implement a countermeasure to alter or reduce the risk (the likelihood of the risk occurring, or the impact of the risk)
– Transfer the risk

Incident Response Planning: Incident Management
– Incidents would not happen if we had infinite security budgets and infinitely capable security personnel
– However, things can go wrong in spite of your best attempts. We call them incidents.
– An incident is an unplanned interruption to an IT service, or reduction of an IT service, or failure of a Configuration Item (CI)
– Important to develop standard procedures to respond to incidents, and refine these procedures based on experience

Incident Management
– ISO27002 Section 10 is all about incident management
  You should use ISO27001 to build the foundations of information security in your organization, and devise its framework
  You should use ISO27002 to implement controls
– Legal requirement for certain industries (e.g., banks, e-commerce, public institutions)
– Highly recommended for all organisations

Incidents
– CIA related incidents
– Other types of incidents
  Reconnaissance attacks: DSL and cable modem connections are more exposed than others because they are usually open (through port scanning, vulnerability scans)
  Repudiation
  o Someone takes action and denies it later on.
  Harassment (through harassing messages using e.g. email and instant messaging)
  o Bothering, threatening, embarrassing

Incidents
– Extortion: forces the victim to pay money or deliver something else of worth by threatening to reveal information that could lead to a severe loss for the victim
– Pornography trafficking
– Organized crime activity: performs criminal acts like drug trafficking.
– Subversion: a system does not behave in the expected manner, which leads users to believe that this behavior is due to an attack on the integrity of the system, network, or application. E.g. putting a bogus financial server on a network; the adversary modifies web links so that when anyone connects to a particular web page, the connection is actually to another, completely different, web page.

Example: Attacking a bank account
Example: Attack-Defense Tree
(slide figures; not reproduced in the transcript)

Incident Response: Three Major Parts of the Cycle
Actions taken to deal with an incident to eliminate or minimize the impact.
(slide diagram: Countermeasures, Detection, Incident Response)

Incident Response lifecycle
(slide diagram of the cycle: Preparation, Detection, Containment, Investigation, Remediation, Recovery)

Preparation
– First step in creating an incident response plan: listing all possible threat scenarios and the appropriate response to each of these scenarios
– Incident response policy: helps focus on the incident as a whole, from start to finish
– Incident response team (often cross-departmental)
  o Quickly identifying threats to the data infrastructure
  o Assessing the level of risk
  o Taking immediate steps to mitigate risks
  o Notifying management/local personnel of the event and associated risk
  o Issuing a final report as needed, including lessons learned
– Tools: hardware and software (e.g., disc imager, reverse engineering tools)
– Incident Communication Plans
  Inbound communication: direct report, anonymous report, help desk
  Outbound communication:
  o IT personnel, IT help desk, inform managers/executives
  o End-users and customers: they can be very angry if they don't know what's going on

Preparation: Questions to address
– Has everyone been trained on security policies?
– Have your security policies and incident response plan been approved by appropriate management?
– Does the Incident Response Team know their roles and the required notifications to make?
– Are all Incident Response Team members

Detection
– This is the process where you determine whether you've been breached.
– Automated tools
– Analysts of the Security Operations Center (SOC). The SOC is active 24/7: security incident event management, firewall logs, network device logs, etc.
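The Detection stage above names firewall and network device logs as SOC inputs, and the Incidents slides name port scanning as a reconnaissance activity. The following is an added example, not part of the lecture: a small detector that reads constructed firewall log lines and flags any source address that touches many distinct destination ports within a short window, which is the defender's view of a scan. The log line format, the 60-second window and the 10-port threshold are assumptions for illustration and do not correspond to any particular product.

```python
"""Detection over firewall log lines: flag sources touching many distinct ports in a short window.

Added example for the Detection stage; the log format, sample lines and thresholds
are constructed for illustration and are not from the lecture or any specific product.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <ALLOW|DENY> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

WINDOW = timedelta(seconds=60)  # assumed detection window
PORT_THRESHOLD = 10             # distinct ports in one window that we treat as a scan


def parse(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_port_scans(lines: list[str]) -> dict[str, int]:
    """Return {src: peak distinct dports within any WINDOW} for sources at or over the threshold."""
    by_src: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev:
            by_src[ev["src"]].append((ev["ts"], ev["dport"]))

    alerts: dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp so the sliding window is well defined
        peak = 0
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            distinct = len({port for _, port in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= PORT_THRESHOLD:
            alerts[src] = peak
    return alerts


# Constructed sample: 203.0.113.7 probes 12 ports in 12 s; 192.0.2.5 is ordinary traffic.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.7 dst=198.51.100.10 dport={20 + i}"
    for i in range(12)
] + [
    "2024-05-01T10:00:05 ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443",
    "2024-05-01T10:00:40 ALLOW src=192.0.2.5 dst=198.51.100.10 dport=443",
    "2024-05-01T10:01:10 ALLOW src=192.0.2.5 dst=198.51.100.10 dport=80",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for src, n in find_port_scans(SAMPLE_LOG).items():
        print(f"possible reconnaissance: {src} touched {n} distinct ports within {WINDOW.seconds}s")
```

An alert like this is a detection input, not a declaration: the lecture's next step is declaring and classifying the incident, which still needs an analyst to confirm the source is not, say, a vulnerability scanner the organisation runs itself.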
– We can ask the employees about the incident, or an external agency (like a CERT)
– This includes declaration and initial classification of the incident

Detection: Questions to address
– When did the event happen?
– How was it discovered?
– Who discovered it?
– Have any other areas been impacted?
– What is the scope of the compromise?
– Does it affect operations?
– Has the source (point of entry) of the event been discovered?

Containment
– The act of preventing the expansion of harm
– Typically involves disconnecting affected computers from the network; may involve temporary shutdown of services (but need to be very careful!)
– Strategies
  Shutting down a system
  Disconnecting from the network
  Changing filtering rules of firewalls
  Disabling or deleting compromised accounts
  Increasing monitoring levels
  Striking back at the attacker's system (hack back, but has legal issues)
– Discover affected systems
– Isolate the systems (e.g., to protect confidential and sensitive data)

Containment: Questions to address
– What's been done to contain the breach short term?
– What's been done to contain the breach long term?
– Has any discovered malware been quarantined from the rest of the environment?
– What sort of backups are in place?
– Does your remote access require multi-factor authentication?
– Have all access credentials been reviewed for legitimacy, hardened and changed?
– Have you applied all recent security patches and updates?

Investigation
– Determine priority, scope, and root cause of the incident
– Evidence handling and seizure

Remediation
– Once you've contained the issue, you need to find and eliminate the root cause of the breach. All malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
– Post-incident repair of affected systems
– Communication to all affected parties: do's and don'ts for users and system admins
– Need-to-know principle: people are only provided the information necessary to perform their job
– Regulatory reporting; sanctions for infractions

Remediation: Questions to address
– Have artifacts/malware from the attacker been securely removed?
– Has the system been hardened, patched, and updates applied?
– Can the system be re-installed?

Recovery
– Return compromised systems back to their normal mission status.
– Recovery procedures: full rebuild of system files; restore data from the last backup.
– Gathering of metrics and reporting: record every action; keep users aware of status.
– Incorporation of "lessons learnt" into future incident management

Recovery: Questions to address
– When can systems be returned to production?
– Have systems been patched, hardened and tested?
– Can the system be restored from a trusted back-up?
– How long will the affected systems be monitored and what will you look for when monitoring?
– What tools will ensure similar attacks will not reoccur? (e.g., file integrity monitoring, intrusion detection/protection)

Forensic Readiness Planning
– Under the Security Policy Framework (April 2014) it is a requirement for all government affiliated agencies to have a Forensic Readiness Plan
– It is recommended that all organisations have one.
https://www.ncsc.gov.uk/section/about-ncsc/incident-management

Forensic Readiness Principles
There are 12 principles of a Forensic Readiness plan that are recommended by the NCSC:
1. It is a requirement for Government departments to have a Forensic Readiness Policy
2. Forensic Readiness policy should be owned at the director level
3. A SPOC (Single Point of Contact) should be established to coordinate investigations
4. Forensic policy and capability should be in line with the level of information risk
5. Planning should be scenario based, to enable learning from incidents
6. Forensic readiness should be integrated with incident management and other related business planning
7. Investigations should be in line with the best standards of forensic evidence (Association of Chief Police Officers (ACPO))
8. All persons involved should adhere to evidence handling rules, and be competent
9. Record Management Systems should be capable of producing evidence.
10. A record retrieval process must be implemented to enable disclosure
11. All methods of investigation and detection must be lawful
12. There must be a review process that improves plans based upon experience and new knowledge.

Questions

Additional Reading Slides

Association of Chief Police Officers (ACPO) Principles
– Developed by the police in conjunction with experts.
– Fundamental principles of digital forensics
– Lays down the current guidelines for digital investigations (Good Practice for Computer based Electronic Evidence)
– 4 primary principles

ACPO Principle 1
– No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

ACPO Principle 2
– In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

ACPO Principle 3
– An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved.
– An independent third party should be able to examine those processes and achieve the same results.

ACPO Principle 4
– The person in charge of the investigation (Officer In Charge (OIC)) has overall responsibility for ensuring that the law and these principles are adhered to.
Chain of Custody
– A legal record showing the control of any item which may be used as evidence.
– Secure backups and define who can access the backups.
– Used to prove no tampering has occurred: check the integrity of the evidence (using hash functions such as SHA256).
– Used in conjunction with evidence bags

First Responders Toolkit
– The forensic unit, i.e. the imaging/investigation hardware and software
– Digital camera (spare batteries/SD card)
– Volatile capture tools (live boot environment, CD with tools)
– Clean analysis mobile telephone/laptop, notebook/pen, books
– Network card
– Screwdrivers

First on Scene
– Don't touch anything and come up with a plan!
– Start making notes of everything that you do
– Photograph everything
– Take notes of the serial numbers of devices
– Prioritise your efforts.
– If you do an action, note your justification

System on or off?
– If the system is on: consider a RAM dump; check for full disk encryption; capture live system status
– If the system is off: do not switch it on! The OS may update some records and create new logs.

Forming and Managing an IR-Team
– Reasons for in-house incident response
  Sensitive data is better handled by employees.
  An in-house team responds better to corporate culture.
– Reasons for outsourcing
  Specialists can maintain and add to a complex skill set.
  Specialists can charge for service.
  Company might lack resources.
  Small organizations do not need a team.

"It takes many good deeds to build a good reputation, and only one bad one to lose it" - Benjamin Franklin

Questions
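The Chain of Custody slide says hash functions such as SHA256 are used to prove no tampering has occurred, and ACPO Principle 3 asks for an audit trail of every process applied to the evidence. The following is an added example, not part of the lecture or any standard: it hashes a constructed evidence file, keeps an append-only custody log in which every handover re-hashes the item, and reports which log entries no longer match the hash taken at collection. The record layout, handler names, item identifier and sample file are all assumptions made for illustration.

```python
"""Chain of custody record with SHA-256 integrity checks on an evidence file.

Added example illustrating the lecture's chain-of-custody and hash-integrity point;
the record layout, handler names and the sample evidence file are constructed for
illustration and are not part of any standard or of the slides.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large disc images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyRecord:
    """Append-only log of who handled an evidence item, re-hashed at every handover."""

    def __init__(self, item_id: str, path: str, collected_by: str):
        self.item_id = item_id
        self.path = path
        self.entries: list[dict] = []
        self.original_hash = sha256_file(path)  # reference value taken at collection
        self._log(collected_by, "collected")

    def _log(self, handler: str, action: str) -> dict:
        entry = {
            "item": self.item_id,
            "handler": handler,
            "action": action,
            "time": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(self.path),
        }
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler: str, to_handler: str) -> dict:
        """Record a handover; the hash logged at handover shows whether the item was intact."""
        self._log(from_handler, "released")
        return self._log(to_handler, "received")

    def verify(self) -> list[int]:
        """Indices of entries whose hash differs from the collection hash (empty = intact)."""
        return [i for i, e in enumerate(self.entries) if e["sha256"] != self.original_hash]

    def export(self) -> str:
        """The log as JSON, suitable for attaching to the evidence bag paperwork."""
        return json.dumps(self.entries, indent=2)


def demo(tamper: bool) -> tuple[str, list[int]]:
    """Build a constructed evidence file, log two handovers, optionally modify it, and verify."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "laptop-image.dd")  # constructed sample, not a real image
        with open(evidence, "wb") as f:
            f.write(b"constructed disk image bytes " * 1000)
        rec = CustodyRecord("EX-0001", evidence, "first responder")
        rec.transfer("first responder", "lab analyst")
        if tamper:
            with open(evidence, "ab") as f:
                f.write(b"!")  # simulate a modification while in the analyst's custody
        rec.transfer("lab analyst", "evidence store")
        return rec.original_hash, rec.verify()


if __name__ == "__main__":
    print("intact:   ", demo(tamper=False))
    print("tampered: ", demo(tamper=True))
```

In the tampered run the mismatch first appears at the entry where the analyst released the item, which is exactly the information a chain-of-custody record exists to give: not only that the evidence changed, but during whose custody it changed.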