oc rims cyber safety & security incident response

Post on 01-Apr-2015


OC RIMS
Cyber Safety & Security

Incident Response

Types of Cyber Events

- Intrusion (external/internal)
- Hackers Targeting Asset/Account Managers
- Sexual Harassment
- Termination
- Workmen's Comp Claims
- Theft of IP

Civil vs. Criminal

- Theft of Personal Data
- Theft of IP
- Stalking
- Cyber Impersonation
- Hacking
- Wire Tapping
- Child Pornography

Look Familiar?

Preservation

Preserve Digital Evidence

• The most important thing to remember is to protect and preserve the evidence no matter what the final outcome!
• If you choose not to preserve the evidence now it may be altered or destroyed when you need it!

What is Imaging?

o Write blocked/protected
o Bit-by-bit copy of the device
o Verified
o Proven and court accepted methodology
o Different than Ghost or other file copying!!

Forensics

What can it do for you?

Clear and concise explanation of:

• Forensic copy of original evidence
• Methodology used for examination
• Whether or not the date/time stamps are a reliable indicator
• What is slack and unallocated space
• How is data stored and recovered

Deleting

- Recycle Bin Artifacts
- File systems
- Recoverable

Anti-Forensics

Wiping

Monitoring

o Third party
o Offsite, appliance or application
o Local

Encryption

o Transmission (SSH)
o User and Master Keys
o Securing Your Keys
o Whole Disk, Volume or File Level

Prevention

#1 hacking tool = social engineering

o Operating System Permissions
o Logging of Data Access & Transfers (system wide/centralized/long term)
o Monitoring
o Restrict Web Browsing (browser)
o Removable Media
o Vulnerability Testing

Secure Wireless

- SSID
- WEP/WAP
- MAC Address
- Wired
- Air Card

Wireless

The “Cloud”

Dangers and Risk

- Uncontrolled Access by Users
- Unsecured Access
- Internet Dependent

Cloud

Tools and Tips

- Google/MSN Admin Controls
- Secure Computer/Connection
- Password Rules
- Backup
- Two-Factor Authentication

David McCain

dmccain@dataclues.com

877-328-2258
