Week 3 Lecture 1 Cybersecurity: Risk Management and Incident Response PDF

Summary

This is a lecture on cybersecurity, risk management, and incident response. It covers topics including risk management frameworks (NIST), incident response lifecycle, and communication plans.

Full Transcript

CSEC1001K : Foundation of Computing and Cyber Security Week 3 Lecture 1: Risk Management and Incident Response Outline Risk Management Risk Treatment Incident Response Planning Incident Response lifecycle Risk Management What is Risk? The potential...

CSEC1001K : Foundation of Computing and Cyber Security Week 3 Lecture 1: Risk Management and Incident Response Outline Risk Management Risk Treatment Incident Response Planning Incident Response lifecycle Risk Management What is Risk? The potential for loss, damage, or destruction of an asset as a result of a threat exploiting vulnerabilities of an asset or group of assets thereby causing harm to the organization. Risk Management Framework (NIST) Ref: https://csrc.nist.gov/projects/risk-management/about-rmf Process of identifying, controlling , and minimizing or eliminating security risks that may affect information systems, for an acceptable cost. Risk Management Establish the context Process (ISO) Communicate and consult ISO 31000:2018, Risk Identify risks Monitor and review Risk assessment management – Guidelines, provides principles, Estimate risks framework and a process for managing risk. Evaluate risks It can be used by any organization regardless of its size, activity or sector. Treat risks What could happen, when, how? Source: https://www.iso.org/iso-31000-risk- management.html Risk Management Process Risk Analysis Terminology Ass Weaknes et s Reduced Thre Risk at Ris k Evaluate the risks and decide on precautions Asset valuation Identify the categories to assign to each asset: – Most critical to the success of the organization – The most revenue – The highest profitability – The most expensive to replace – The most expensive to protect – Liability of organization if revealed Likelihood The probability that a given threat is capable of exploiting a given vulnerability –Each attacker will have: Intent Capability Impact – The magnitude of harm that a threat event can cause. – Organisations must prioritise and value assets – What is the impact to different stakeholders? Purpose of Risk Assessment A risk assessment is the process of identifying and prioritizing risks to the business. – Estimate current risk – Prioritise risks – Identify sensible measures – Without an assessment, it is impossible to design good security policies and procedures that will defend your company’s critical assets. Risk Assessment Procedure Prepare Conduct risk assessment Communicate risk assessment (e.g., executive, briefings, risk assessment reports, dashboards) Maintain the risk assessment Apply risk treatments Preparation – Identify Scope Organisational considerations – Assist decision makers in a particular part of the business – Sources of information: Previous assessments Incident reporting UK CERT (Computer Emergency Response Team)/CPNI (Centre for the Protection of National Infrastructure) Research Organisations Conduct a Risk Assessment Identify all Assets  Information assets  Software assets  Physical assets  Services  Others Money Reputation Identify Threats – Identify threats to Confidentiality Integrity Availability – Threat Sources Adversarial Non-adversarial – Assess the impact of each threat Types of Threats – Unintentional – Hardware/software failure – Human error – Intentional – Unauthorized access by insider – Unauthorized access by outsider – Malicious software Identify Vulnerabilities – Known system weaknesses – Vulnerabilities (CVE) – For each Vulnerability Identify threats Assess likelihood – Attempt – Success Determine Risk – Severity of the impact – Likelihood of occurrence Risk = Impact X Likelihood Risk Analysis Matrix Risk = Impact X Likelihood Communication – Communications methods Executive Briefing Risk assessment Report Dashboard – Who to communicate with Stakeholders Other organisations Government bodies Maintaining the Risk Assessment Reconfirm scope, purpose, and assumptions Identify key risk factors Identify the frequency of risk factors for monitoring Risk Treatment – Avoid Do not perform that activity – Accept Deal with risk by accepting the potential cost and loss if the risk occurs. Plans should be in place e.g recovery – Reduce Implement a countermeasure to alter or reduce the risk. Likelihood of risk occurring Impact of the risk Transfer the risk Incident Response Planning Incident Management – Incidents would not happen if we had infinite security budgets we had infinitely capable security personnel – However, things can go wrong In spite of your best attempts We call them incidents – It is an unplanned interruption to an IT service, or reduction of an IT service or failure Configuration Item (CI) – Important to develop standard procedures to respond to incidents Refine these procedures based on experience Incident Management – ISO27002 Section 10 is all about incident management You should use ISO27001 to build the foundations of information security in your organization, and devise its framework You should use ISO27002 to implement controls – Legal requirement for certain industries (e.g., banks, e-commerce, public institutions) – Highly recommended for all organisations Incidents – CIA related incidents – Other types of incidents Reconnaissance Attacks DSL and cable modem connections are more exposed than others because they are usually open (through port scanning, vulnerability scans) Repudiation o Someone takes action and denies it later on. Harassment (through harassing messages using like email and instant message) o Bothering, threatening, embarrassing Incidents – Extortion Forces the victim to pay money or deliver something else of worth by threatening to reveal information that could lead a severe loss for the victim – Pornography Trafficking – Organized Crime Activity Performs criminal acts like drug trafficking. – Subversion A system does not behave in the expected manner which leads to users to believe that this behavior is due to an attack to the integrity of the system, network, or application E.g. Putting a bogus financial server on a network Adversary modifies web links Anyone connects to a particular web page, the connection is actually to another, completely different, web page. Example: Attacking a bank account Example: Attack-Defense Tree Incident Response: Three Major Parts of Cycle Actions taken to deal with an incident to eliminate or minimize the impact. Countermeasu res Detecti Incident on Respon se Incident Response lifecycle Preparation Recovery Detection Remediation Containment Investigation Preparation – First step in creating an incident response plan Listing all possible threat scenarios Appropriate response to each of these scenarios – Incident response policy Helps focus on incident as a whole, from start to finish Incident response team (often cross-departmental) o Quickly identifying threats to the data infrastructure o Assessing the level of risk o Taking immediate steps to mitigate risks o Notifying management/local personnel of the event and associated risk o Issuing a final report as needed, including lessons learned – Tools: Hardware and software (e.g., disc imager, reverse engineering tools) – Incident Communication Plans Inbound Communication: direct report, anonymous report, help desk Outbound Communication: o IT personnel, IT Help Desk, Inform Managers/Executives o End-Users and Customers: They can be very angry if they don’t know what’s going on Preparation: Questions to address – Has everyone been trained on security policies? – Have your security policies and incident response plan been approved by appropriate management? – Does the Incident Response Team know their roles and the required notifications to make? – Are all Incident Response Team members Detection – This is the process where you determine whether you’ve been breached. – Automated tools – Analysts of Security Operations Center (SOC) SOC (7/24 is active): Security incident event management, firewall logs, network device logs etc. – We can ask the employees about the incident, or external Agency (like CERT) – This includes declaration and initial classification of the incident Detection: Questions to address – When did the event happen? – How was it discovered? – Who discovered it? – Have any other areas been impacted? – What is the scope of the compromise? – Does it affect operations? – Has the source (point of entry) of the event been discovered? Containment – The act of preventing the expansion of harm – Typically involves disconnecting affected computers from the network May involve temporary shutdown of services (but need to be very careful!) – Strategies Shutting down a system Disconnect from the network Change filtering rules of firewalls Disabling or deleting compromised accounts Increasing monitoring levels Striking back at the attacker’s system (hack back but has legal issues) – Discover affected systems – Isolate the systems (e.g., to protect confidential and sensitive data) – Containment: Questions to address – What’s been done to contain the breach short term? – What’s been done to contain the breach long term? – Has any discovered malware been quarantined from the rest of the environment? – What sort of backups are in place? – Does your remote access require multi-factor authentication? – Have all access credentials been reviewed for legitimacy, hardened and changed? – Have you applied all recent security patches and updates? Investigation – Determine Priority Scope Root cause of incident – Evidence handling and seizure Remediation – Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. All malware should be securely removed, systems should again be hardened and patched, and updates should be applied. – Post incident repair of affected systems – Communication to all affected parties Do’s and Don’ts for users and system admins – Need-to-know principle People only provided information necessary to perform their job – Regulatory reporting Sanctions for infractions Remediation: Questions to address – Have artifacts/malware from the attacker been securely removed? – Has the system be hardened, patched, and updates applied? – Can the system be re-installed? Recovery – Return compromised systems back to its normal mission status. – Recovery procedures Full rebuilt for system files. Restore data from last backup. – Gathering of metrics and reporting Record every action Keep users aware of status. – Incorporation of “lessons learnt” into future incident management Recovery: Questions to address – When can systems be returned to production? – Have systems been patched, hardened and tested? – Can the system be restored from a trusted back-up? – How long will the affected systems be monitored and what will you look for when monitoring? – What tools will ensure similar attacks will not reoccur? (e.g., File integrity monitoring, intrusion detection/protection) Forensic Readiness Planning – Under the Security Policy Framework (April 2014) it is a requirement for all government affiliated agencies to have a Forensic Readiness Plan – It is recommended that all organisations have one. https://www.ncsc.gov.uk/section/about-ncsc/incident-management Forensic Readiness Principles There are 12 principles of a Forensic Readiness plan that are recommended by the NCSC: 1. It is a requirement for Government departments to have a Forensic Readiness Policy 2. Forensic Readiness policy should be owned at the director level 3. A SPOC (Single-Point-of-Contact) should be established to coordinate investigations 4. Forensic policy and capability should be in line with the level of information risk Forensic Readiness Principles 5. Planning should be scenario based, to enable learning from incidents 6. Forensic readiness should be integrated with incident management and other related business planning 7. Investigations should be in line with the best standards of forensic evidence (Association of Chief Police Officers (ACPO)) 8. All persons involved should adhere to evidence handling rules, and be competent Forensic Readiness Principles 9. Record Management Systems should be capable of producing evidence. 10. A record retrieval process must be implemented to enable disclosure 11. All methods of investigation and detection must be lawful 12. There must be a review process that improves plans based upon experience and new knowledge. Questions Additional Reading Slides Association of Chief Police Officers (ACPO) Principles – Developed by the police in conjunction with experts. – Fundamental principles of digital forensics – Lays down the current guidelines for digital investigations (Good Practice for Computer based Electronic Evidence) – 4 Primary principles ACPO Principle 1 – No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court ACPO Principle 2 – In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions. ACPO Principle 3 – An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. – An independent third party should be able to examine those processes and achieve the same results. ACPO Principle 4 – The person in charge of the investigation (Officer In Charge (OIC)) has overall responsibility for ensuring that the law and these principles are adhered to. Chain of Custody – A legal record showing the control of any item which may be used as evidence. – Secure backups and define who can access the backups. – Used to prove no tampering has occurred. Checking the integrity of the evidence (using hash functions such as SHA256) – Used in conjunction with evidence bags First Responders Toolkit – The forensic unit – i.e. the imaging/investigation hardware and software – Digital Camera (Spare batteries/SD card) Volatile capture tools (live boot environment, CD with tools) – Clean analysis mobile telephone/laptop, Notebook/pen, Books – Network card – Screwdrivers First on Scene – Don't touch anything and come up with a plan! – Start making notes of everything that you do – Photograph everything – Take notes of serial number of devices – Prioritise your efforts. – If you do an action note your justification System on or off? – If the system is on Consider a RAM dump Check for full disk encryption Capture live system status – If the system is off: Do not switch it on! OS may update some records and create new logs Forming and Managing an IR-Team – Reasons for in-house incident response Sensitive data is better handled by employees. In house team responds better to corporate culture. Forming and Managing an IR-Team – Reasons for outsourcing Specialists can maintain and add to a complex skill set. Specialists can charge for service. Company might lack resources. Small organizations do not need a team. “It takes many good deeds to build a good reputation, and only one bad one to lose it” - Benjamin Franklin Questions

Use Quizgecko on...
Browser
Browser