Your organization will be breached. It's a matter of when, not if. How you respond may be the difference between recovering and closing your doors.
This talk is designed to help small businesses or businesses with small IT organizations to develop a viable incident response program.
Presented at the 2013 ND IT Symposium on 5/1/2013.
2. Agenda
Definition of a breach
Background statistics on breaches
What a breach may look like
Preparing your response plan
Putting your plan into action
Links to resources
3. Key Assumptions
Small to medium-sized business (SMB)
25 – 500 employees
Few IT resources, few or none dedicated to IT security
4. What Is a Breach?
Breach means an intrusion into a computer system, i.e. hacking or exposure of sensitive data
Causes of a breach:
crimes of opportunity
targeted attacks
viruses
web-delivered malware
malicious insiders
unintentional disclosures
5. Breach Statistics
55% of SMBs surveyed were breached in the last year, 53% more than once – Ponemon Institute
Verizon 2012 DBIR found 71.5% of incidents studied were in organizations of less than 100 employees
Up from 63% in 2011
2011 Symantec ISTR found 28% of targeted attacks were against companies with less than 500 employees
6. Costs of a Breach
Average cost of reported breach: $5.5 million
Average cost per stolen record: $194
Symantec ISTR
Fines
Possible jail terms under HIPAA
Loss of customer and business partner confidence
7. How Do I Know I’ve Been Breached?
21. No obvious indicators
There may not be an obvious indicator of a breach
Detect through a well-developed security intelligence program
66% of breaches went undiscovered for several months or longer
Verizon 2013 DBIR
22. Benefits of Adequate Preparation
Economic
Stop ongoing loss of data or business interruption
Reduce time to resolution after incident is discovered
Public Relations
PR plan helps reassure customers to prevent loss of confidence
Legal
Demonstrates due diligence
23. Preparation: Getting Started
Get management support!
Define your incident handling team members
Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor
Designate an incident leader. This person needs to be calm under fire
24. Preparation: Basics
Policies
Strong policies help enforce compliance and define roles and responsibilities
Incident Handling policies provide legal authority to investigate, “sniff” network traffic, monitor activities
Procedures
Clear, thorough, tested procedures help reduce confusion when tensions are high
Checklists
Notification procedures – legal, PR, law enforcement
25. Preparation: Communications
Define a communications plan
Email and phone may be down or compromised; make sure you have cell numbers
Identify alternate contacts
Don’t forget to include IT vendor, network provider, etc.
Test your calling tree at least annually
Keep paper copies and keep them up to date
26. Preparation: Testing and Practice
Perform incident handling tabletop exercises
When problems are identified, be sure to update procedures
27. Execution
Document all steps in a notebook
Helps to have one person working, another keeping notes
Measure twice, cut once… First, do no harm…
In other words, don’t be too hasty
Step back to see the forest for the trees
28. Mistakes Happen
Success does not consist in never making mistakes, but in never making the same one a second time.
– George Bernard Shaw
29. Lessons Learned
Be sure to hold a lessons learned session after breach
Hold within two weeks
Identify what failed and why
Implement fixes and update documentation
30. Resources
Local law enforcement, including FBI
Professional Security Organizations
ISSA
https://sites.google.com/site/northdakotaissa/
InfraGard
http://infragard-nd.org
SANS Reading Room
http://www.sans.org/reading_room/
SANS Incident Handling Forms
http://www.sans.org/score/incidentforms/
31. Summary
All sizes of organizations are being attacked
Vast majority of attacks are from outsiders – 92%
Verizon 2013 DBIR
Hacking constitutes the majority of attacks – 52%
Verizon 2013 DBIR
Incident response plans are key to recovery and limiting liability
There is a vast array of resources available to help you build your plan
32. Resources
An Incident Handling Process for Small and Medium Businesses
http://www.sans.org/reading_room/whitepapers/incident/incident-handling-process-small-medium-businesses_1791
Creating a Computer Security Incident Response Team (CSIRT)
http://www.cert.org/csirts/Creating-A-CSIRT.html
NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Corporate Incident Response – Why You Can’t Afford to Ignore It
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-response.pdf
33. References
Ponemon Institute Survey for Hartford Steam Boiler
http://www.hsbwhistlestop.com/agents/express/2013/02/hsbSurvey.php
Verizon 2013 Data Breach Investigations Report
http://www.verizonenterprise.com/DBIR/2013/
Verizon 2012 Data Breach Investigations Report
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
Symantec 2011 Internet Security Threat Report
http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf