Mark E.S. Bernard Incident Handling and Observe Orientate Decide Act

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Compiled by; Mark E.S. Bernard, ISO 27001 Lead Auditor, CISSP, CISM, SABSA-F2, CISA, CRISC, CGEIT

Posted on 12-May-2015


Page 2

• Management Activities
  - Define and maintain the Incident Handling Plan and Program.
  - Define and maintain the Computer Security Incident Response Team.
  - Review program effectiveness and efficiency regularly.
  - Monitor potential and actual security incidents.
  - Monitor regular vulnerability assessments.
  - Information Security-Related Information

• Proactive Services
  - Coordinate Announcements
  - Technology Watch
  - Information Security & Audit Assessments
  - Configuration & Maintenance of Security Tools, Applications, & Infrastructure
  - Monitor Intrusion Detection Reports
  - Identify and/or Develop Security Tools

• Security Quality Management Services
  - Facilitate Threat-Risk Analysis
  - Information Security Consulting
  - Facilitate Training/Awareness Building
  - Product Evaluation or Certification

• Reactive Services
  - Alerts and Warnings
  - Incident Handling (analysis, response on site, support, coordination)
  - Vulnerability Handling (analysis, response, evidence, coordination)

Every security event and incident should result in a lessons-learned review to help improve response time and to stop future risk from materializing. The Quality Management system leverages a Plan – Do – Check – Act cycle that includes a feedback loop.

Page 3

With the ISO 27001 ISMS we attempt to identify potential threats and matching vulnerabilities and mitigate these risks before they result in unplanned expenses and damage to an organization's reputation.

‘Security Events’ are not the same as ‘Security Incidents’. Security events normally occur when a vulnerability exists and a threat agent attempts to exploit it but is not successful.

There is a subtle difference between information security ‘incidents’ and ‘events’, and while we may not be able to stop events from occurring, we can learn from them and take corrective and/or preventive action to mitigate or eliminate the risk.

Page 4

Misconfiguration of infrastructure devices, or vulnerabilities in software and hardware, are some of the most common weaknesses within the security architecture. The misconfiguration of telecommunication devices or weaknesses in protocols is often the door left open by system administrators, database administrators, software engineers, external service providers, suppliers and vendors. Each has a responsibility for security and for the effectiveness of security. Standardization, traceability, verification and validation, and annual security testing are critical checks and balances to maintain effective security.

Page 5

1. Designated "Single Point of Contact" (“SPC”)
   1.1. Incident Response Team
   1.2. Incident Response Team Members
   1.3. Incident Response Team Roles and Responsibilities
   1.4. Incident Response Team Notification
2. Breach of Personal Information - Overview
   2.1. Definition of a Security Breach
3. Requirements
   3.1. Information Owner Responsibilities
   3.2. Location Manager Responsibilities
   3.3. When Notification Is Required
4. Incident Response – Breach of Personal Information
   4.1. Technology Operation Center
   4.2. Office for Central Information Security
   4.3. Customer Database Owners
   4.4. Web Banking Department
   4.5. Credit Payment Systems
   4.6. Legal
   4.8. Human Resources
   4.9. Network Architecture
   4.10. Public Relations
   4.11. Location Manager
5. Incident Handling Step-by-step
   5.1. Documentation Logs
   5.2. Determine If It Is Real?
   5.3. Scope
   5.4. Incident Communications
      5.4.1. Explicit Notification
      5.4.2. Factual Notification
      5.4.3. Choice of Language
      5.4.4. Notification of Individuals
      5.4.5. Public Relations - Press Releases
   5.5. Who Needs to Get Involved?
   5.6. Containment
   5.7. Evidence Handling
   5.8. Chain of Custody
      5.8.1. Collection of Evidence
      5.8.2. Collection/Storage of Evidence
      5.8.3. Storage of Evidence
   5.9. Eradication
   5.10. Recovery
   5.11. Follow-up
   5.12. Legal Affairs

The Incident Handling Procedure is fairly standard in most mature organizations. This is important because communication and training for Security Incident Team Members is crucial to the successful handling of any security incident.
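The "Documentation Logs" and "Chain of Custody" steps in the outline above are easiest to get wrong in the heat of an incident, so here is an added example (not code from the original deck) of a minimal tamper-evident custody log: every entry records who handled which evidence item and when, carries the SHA-256 of the evidence as collected, and commits to the hash of the previous entry, so editing or deleting an entry after the fact is detectable. The evidence bytes, handler names and evidence identifier are constructed for the example.

```python
"""Tamper-evident incident log with chain-of-custody entries (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _canonical(entry) -> bytes:
        # Stable serialisation so the same entry always hashes the same way.
        return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

    def append(self, handler, action, evidence_id, evidence_bytes, note="", when=None):
        """Record one custody step (collected / transferred / stored / analysed)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_id": evidence_id,
            "evidence_sha256": sha256_hex(evidence_bytes),
            "note": note,
            "prev_hash": prev,
        }
        body["entry_hash"] = sha256_hex(self._canonical(body))
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad index)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or sha256_hex(self._canonical(body)) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def verify_evidence(self, evidence_id, evidence_bytes):
        """Check that the evidence still matches the hash recorded at collection."""
        for e in self.entries:
            if e["evidence_id"] == evidence_id and e["action"] == "collected":
                return sha256_hex(evidence_bytes) == e["evidence_sha256"]
        return False


def demo():
    """Constructed custody trail for one evidence item (hypothetical values)."""
    disk_image = b"constructed sample evidence: disk image bytes"
    log = CustodyLog()
    log.append("analyst-a", "collected", "EV-001", disk_image,
               "imaged workstation WS-17", when="2015-05-12T10:00:00+00:00")
    log.append("analyst-a", "transferred", "EV-001", disk_image,
               "handed to evidence custodian", when="2015-05-12T11:00:00+00:00")
    log.append("custodian-b", "stored", "EV-001", disk_image,
               "locker 3, sealed bag", when="2015-05-12T11:05:00+00:00")
    return log, disk_image


if __name__ == "__main__":
    log, image = demo()
    print("chain intact:", log.verify())
    print("evidence matches collection hash:", log.verify_evidence("EV-001", image))
```

In practice the log would be written to append-only storage and the latest entry hash periodically signed or printed on the physical evidence tag; the hash chain alone only proves that the log has not been altered since the last entry someone independently recorded.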

Page 6

Establishing the Information Security Program is crucial to a consistent, reproducible approach that effectively mitigates the risk of threats exploiting vulnerabilities. The Security Program provides the Shareholders, Board of Directors, Executives and Employees with assurance that data, information and knowledge are secure and constantly protected.

The Security Program is constantly improving and evolving to meet the challenges of modern threats to the agility and resilience of the Enterprise.

Page 7

OODA is a concept originally applied to the combat operations process, often at the strategic level in military operations. It is now also often applied to understand commercial operations and learning processes. The concept was developed by military strategist and USAF Colonel John Boyd.

Page 8

Web link; http://en.wikipedia.org/wiki/OODA_loop

Observe: During this stage of OODA the individual scans the environment and gathers information regarding changes in the environment that affect them directly or indirectly, and how the environment reacts to the strengths, weaknesses, manoeuvres and intentions of their actions. Such observations aim to spot mismatches before the threat agent does.

Orientate: During this stage of OODA the individual orients on the observed information, converting information into knowledge by developing concepts through analysis of that information. The way the individual interprets knowledge depends on culture, genetic heritage, ability to analyze and synthesize, experience, and the latest changes to information, and success depends on such interpretation.


Knowledge is the key to success: knowing how to identify a security incident, and understanding the difference between a security incident and a security event, will improve success and reduce false positives. Many automated systems can help manage the volume of security events and identify patterns that are a prelude to a security incident. This gives the security administrator time to mitigate a potential breach.
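The event-versus-incident distinction the deck draws (an attempt that did not succeed versus one that did) is exactly what an automated correlator has to encode. The following is an added example, not code from the original deck: a sliding-window correlator over constructed authentication log lines that raises a security event when a source produces a burst of failed logins, and escalates to a security incident only if that same source then succeeds while the burst is still in the window. The log format, threshold and window are assumptions for the example.

```python
"""Correlating raw security events into candidate incidents (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like auth records, not real data).
SAMPLE_LOG = """\
2015-05-12T09:00:01 sshd: Failed password for admin from 198.51.100.7
2015-05-12T09:00:03 sshd: Failed password for admin from 198.51.100.7
2015-05-12T09:00:05 sshd: Failed password for admin from 198.51.100.7
2015-05-12T09:00:07 sshd: Failed password for admin from 198.51.100.7
2015-05-12T09:00:09 sshd: Failed password for admin from 198.51.100.7
2015-05-12T09:00:12 sshd: Accepted password for admin from 198.51.100.7
2015-05-12T09:30:00 sshd: Failed password for bob from 203.0.113.9
2015-05-12T09:30:02 sshd: Failed password for bob from 203.0.113.9
2015-05-12T09:30:04 sshd: Failed password for bob from 203.0.113.9
2015-05-12T09:30:06 sshd: Failed password for bob from 203.0.113.9
2015-05-12T09:30:08 sshd: Failed password for bob from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

FAIL_THRESHOLD = 5             # failures within the window => security event
WINDOW = timedelta(minutes=5)  # sliding window, tracked per source address


def parse(line):
    """Parse one log line into a record, or None if it is not an auth record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


def correlate(log_text):
    """Return findings in log order, each tagged 'event' or 'incident'."""
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        q = failures[rec["src"]]
        while q and rec["ts"] - q[0] > WINDOW:   # expire old failures
            q.popleft()
        if not rec["ok"]:
            q.append(rec["ts"])
            if len(q) == FAIL_THRESHOLD:         # crossing the threshold once per burst
                findings.append({"kind": "event", "src": rec["src"], "user": rec["user"],
                                 "reason": f"{len(q)} failed logins within {WINDOW}"})
        elif len(q) >= FAIL_THRESHOLD:
            # The attempt succeeded right after a burst: the event becomes an incident.
            findings.append({"kind": "incident", "src": rec["src"], "user": rec["user"],
                             "reason": "successful login following brute-force burst"})
            q.clear()
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['kind'].upper():9}{f['src']:16}{f['user']:7}{f['reason']}")
```

The burst from 203.0.113.9 stays a security event (something to learn from and perhaps block), while 198.51.100.7 is escalated to an incident because the attempt succeeded; that single success is what moves the case from monitoring into the incident handling workflow.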

Page 9

Decide: During this stage of OODA the security administrator weighs the several options or alternatives available from the body of knowledge generated during the orientation phase, and picks the best one. For instance, the individual, having realized the need for a countermeasure, may choose to launch a net-new strategy or repackage an existing strategy, based on what they perceive the threat agent would do with the same knowledge. Decisions are, at a basic level, guesses, and as such need to remain fluid or work-in-progress, ready to change as new information comes in.

Act: During this stage of OODA the security administrator executes their decision. This completes the OODA loop, and the feedback from the implementation is the basis for the next round of observation.


Once a security incident has been confirmed, knowledge is again crucial in making the correct decisions to contain and investigate the incident and to eradicate its root cause. The preservation of evidence and the notification of management and stakeholders will be equally important as the incident handling workflow is executed by the security administrator. Repairing damage and closing gaps in the security architecture also requires knowledge and awareness.
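To make the Decide and Act stages and their feedback concrete, here is an added example (not code from the original deck) that drives a confirmed incident through the OODA loop: each turn folds the latest observations into a knowledge record, recomputes a single countermeasure from that knowledge, applies it, and takes the outcome as the next round of observations. Because the decision is recomputed every turn, a countermeasure that turns out to be only partly effective (blocking one source while the attacker moves to another) is followed by a new decision rather than repeated. The attacker model, addresses and account name are constructed for the example.

```python
"""OODA loop applied to a confirmed incident, with feedback (added example)."""
from dataclasses import dataclass, field


@dataclass
class Knowledge:
    """What the responder currently believes: the output of Orientate."""
    sources: set = field(default_factory=set)   # addresses seen attacking
    accounts: set = field(default_factory=set)  # accounts with confirmed access
    blocked: set = field(default_factory=set)   # addresses already blocked
    contained: bool = False                     # compromised accounts disabled


def orient(k, observations):
    """Fold new observations into knowledge."""
    for obs in observations:
        k.sources.add(obs["src"])
        if obs["kind"] == "incident":          # a successful login, not just an attempt
            k.accounts.add(obs["user"])
    return k


def decide(k):
    """Choose one action from current knowledge; confirmed access is handled first."""
    if k.accounts and not k.contained:
        return ("disable_account", sorted(k.accounts))
    unblocked = sorted(k.sources - k.blocked)
    if unblocked:
        return ("block_source", unblocked)
    return ("monitor", None)                    # nothing left to act on this turn


def act(action, k, attacker):
    """Apply the action, update knowledge, and return the feedback observations."""
    name, target = action
    if name == "disable_account":
        k.contained = True
    elif name == "block_source":
        k.blocked.update(target)
    return attacker.respond(action)


class SimulatedAttacker:
    """Constructed environment: moves to the next source when one is blocked and
    only produces unsuccessful attempts once the account has been disabled."""

    def __init__(self, sources, account):
        self.sources = list(sources)
        self.account = account
        self.blocked = set()
        self.account_enabled = True

    def respond(self, action):
        name, target = action
        if name == "disable_account":
            self.account_enabled = False
        elif name == "block_source":
            self.blocked.update(target)
        live = [s for s in self.sources if s not in self.blocked]
        if not live:
            return []                           # attacker has run out of sources
        kind = "incident" if self.account_enabled else "event"
        return [{"kind": kind, "src": live[0], "user": self.account}]


def run_ooda(attacker, initial_observations, max_turns=10):
    """Run the loop until the decision is 'monitor' or max_turns is reached."""
    k = Knowledge()
    observations = list(initial_observations)
    decisions = []
    for _ in range(max_turns):
        orient(k, observations)                 # Observe + Orientate
        action = decide(k)                      # Decide (recomputed every turn)
        decisions.append(action[0])
        if action[0] == "monitor":
            break
        observations = act(action, k, attacker) # Act; the outcome feeds the next turn
    return decisions, k


def scenario():
    """Constructed incident: confirmed login by 'admin' from the first source."""
    attacker = SimulatedAttacker(["198.51.100.7", "198.51.100.8", "198.51.100.9"], "admin")
    first = [{"kind": "incident", "src": "198.51.100.7", "user": "admin"}]
    return run_ooda(attacker, first)


if __name__ == "__main__":
    decisions, k = scenario()
    print(" -> ".join(decisions))
    print("blocked:", sorted(k.blocked), "contained:", k.contained)
```

Run as written, the loop disables the compromised account first, then blocks each source as the attacker shifts to it, and only settles on monitoring once the feedback shows no further activity; the point is the structure, not the specific countermeasures, which in a real environment would be drawn from the containment playbook and recorded in the incident log.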

Page 10

Web link; http://en.wikipedia.org/wiki/Social_engineering_(security)

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, it is typically trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

"Social engineering" as an act of psychological manipulation had previously been associated with the social sciences, but its usage has caught on among computer professionals.


When it comes to a motivated threat agent, the absence of a technical vulnerability will not stop the attack. Threat agents will do their research and target a weak link for a social engineering attack. Generally humans are very helpful, but even the most experienced and skilled employee can be compromised with the correct social engineering method. This is why threat agents study the target carefully before initiating any attack.

Page 11

Hackers generally follow a routine when attacking an organization or individual.

1 - Information Gathering

2 - Gain Access

3 - Gain Privileged Access

4 - Hide Evidence

5 - Create Backdoors

6 - Expand Attack

Web link; http://en.wikipedia.org/wiki/Hacker_(computer_security)

Page 12

• Social engineers use tactics that leverage trust, helpfulness, easily attainable information, knowledge of internal processes, authority, technology, and any combination thereof

• They often use several small attacks to put themselves in a position to reach their final goal

• Social engineering is all about taking advantage of others to gather information and infiltrate the target

• The information gained from a phone book may lead to a phone call. The information gained in the phone call may lead to another phone call

• A social engineer builds on each tidbit of information he or she gains to eventually stage a final, deadly attack

• A successful social engineering attempt could result in great financial loss for the target company. A motivated attacker will be willing to gain information in any way possible


Page 13

• Authority Attack (with or without artefact): using fake badge, utility service outfit to gain access or identify a key individual by name/title as supposed friend or acquaintance or claiming authority and demanding information (impersonation)

• Zero-Sum Knowledge Attack: Baiting someone to add, deny or clarify pseudo knowledge of the attacker, claiming to know more than you do, to solicit more information

• Exaggerated/Knee-jerk Response Attack: telling an outlandish lie in order to provoke a response that reveals information

• Persistent Attack: Continuous harassment using guilt, intimidation and other negative ways to reveal information

• Fake Survey/Questionnaire Attack: Win a free trip to Hawaii, just answer these questions about your network


Page 14

• Stake-Out Attack: Analyze activity over time, people's movements & actions, deliveries of supplies

• The 10 Attack: Using an attractive individual to gain information or access

• Rubber-Hose Attack: Brute force, threatening

• Payola Attack: Bribery, plain and simple $$$

• “The boy who cried wolf” Attack: Setting off a series of false alarms that cause the victim to disable their own alarm system

• Help Desk Attack: Impersonating a current or new end-user needing help with access to a network or server

• “Go with the Flow” Attack: Crowded venues are a great time and place to gain access and information, such as a corporate party that has hundreds of employees; just act like you’re one of them

Page 15

For more information contact Skype; Mark_E_S_Bernard

Twitter; @MESB_TechSecure LinkedIn; http://ca.linkedin.com/in/markesbernard