Preparing for Failure - Best Practice for Incident Response
DESCRIPTION
An overview of the steps you should consider when setting up your incident response function.
TRANSCRIPT
Helping You Piece IT Together
http://www.bhconsulting.ie [email protected]
Preparing for Failure - What to do When Your Security is Breached
Infosec Professional Certainties
Why Care About Information Security?
Typical IT Security
But …
Controls Will be Bypassed
Traditional Incident Response
Ad hoc & Unplanned
Deal with it as it happens
Prolonged Recovery Times
Damage to Company
Lack of Metrics
Legal Issues
Bad Guys/Gals Getting Away
You In Line Of Fire
Why Improve Incident Response?
Establish Team
Information Security
Operations
Human Resources
Legal
Public Relations
Facilities Management
Set up Alerting Mechanisms
Identify Tools
Don’t Forget
Standard Operating Procedures
Agree Authority of IRT
Establish External Relationships
Practice Makes Perfect
Review & Measure
Continuous Improvement
Develop
IR Policy
Create IRT
Develop SOPs
TEST
Update
Disclosure ??
Considerations
More information
CSIRT Handbook
http://www.cert.org/archive/pdf/csirt-handbook.pdf
Forming an Incident Response Team
http://www.auscert.org.au/render.html?it=2252
Incident Response White Paper – BH Consulting
http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf
RFC 2350: Expectations for Computer Security Incident Response
http://www.rfc-archive.org/getrfc.php?rfc=2350
Organisational Models for Computer Security Incident Response Teams
http://www.cert.org/archive/pdf/03hb001.pdf
The SANS Institute's Reading Room
http://www.sans.org/reading_room
More Resources
Guidelines for Evidence Collection and Archiving (RFC 3227)
http://www.ietf.org/rfc/rfc3227.txt
Resources for Computer Security Incident Response Teams (CSIRTs)
http://www.cert.org/csirts/resources.html
RFC 2196: Site Security Handbook
http://www.faqs.org/rfcs/rfc2196.html
ENISA Step by Step Guide for Setting Up CERTs
http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf
CSIRT Case Classification (Example for Enterprise CSIRT)
http://www.first.org/resources/guides/csirt_case_classification.html
Questions
www.twitter.com/brianhonan
www.bhconsulting.ie/securitywatch
Tel: +353-1-4404065