You’ve been hacked, now what?
By Wild Wild West

Agenda
• Overview
• What we did do
• Alternative Solutions
• Best solution: CSIRT

What we did do…
• Technical Team
  – Easy solution
  – Patches/Updates
  – Rebuilt

What we did do…
• Business Team
  – Senior management, legal, public relations
  – Report incident to law enforcement/government agency
  – Notify business partners and investors
  – Decision

Downtime
• Cost per week (total $352,500):
  – 2 Acoustic Engineers (consultants): $15,000
  – Management (5 people): $25,000
  – Non-IT Staff (30 people): $62,500
  – Delay in launch: $250,000

Solution Alternatives
Alternatives Considered
1. Hire outside consultants
2. Technology-based HW/SW solution
3. Computer Security Incident Response Team (CSIRT)

InfoSecurity Consulting Firm
• $20k – $200k+ depending on scope and deliverables
• Forensics-only approach likely to be inconclusive
• Expanded scope well beyond our budget
• Plus, likely to lead to further expenditures

Let Tech Solve the Problem?
• Another wide spectrum of options…
  A. Tier I enterprise class solution?
  B. Homegrown Approach?
  C. Something in between?
(Diagram: spectrum of options from Tier I to Open Systems)

What We Did Decide…
• Conduct Nessus scan of our network
• Plug all high and medium risk firewall vulnerabilities identified
• ADDED! Open source IDS product for faster recognition of attempted attacks or successful exploits
• But! We didn’t stop there…

Computer Security Incident Response Team (CSIRT)
(Diagram: Disaster Recovery Style Security – Preparation, Prevention, Recovery)

Computer Security Incident Response Team – Purpose
After a Major Security Incident:
• To be able to quickly and efficiently make and execute decisions that are the best for the organization

Computer Security Incident Response Team (CSIRT) – Roles
– Team manager and backup team manager
– Technical/Security expert
– Executive
– Legal expert
– PR specialist
– HR specialist

Computer Security Incident Response Team (CSIRT) – Roles Example
– Team manager and backup team manager
  • (IT Director, Sys Admin)
– Technical/Security expert
  • (IT Director, Sys Admin)
– Executive
  • (CEO)
– Legal expert
  • (CEO)
– PR specialist
  • (Marketing Director)
– HR specialist
  • (HR Director)

Computer Security Incident Response Team (CSIRT) – Tasks
– Respond quickly to a Major Security Event
– Analyze the incident
– Respond to the incident in the context of the organization as a whole
  • Law enforcement
  • Communications to employees
  • Legal obligations
  • Upstream, downstream and third party communication
  • Forensics

Computer Security Incident Response Team (CSIRT) – Benefits
– Monetary benefits
  • Know the real cost of what happened
  • Prevent wasted time/resources of employees
    – (calculation here)
– Psychological benefits
  • Keeps key players calmer
  • Keeps you from making (the wrong) decision
  • May help you save your job

Q&A
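The "What We Did Decide…" slide boils a Nessus scan down to the high and medium findings that must be fixed first. As an added example, not part of the original slides or any Nessus tooling, the Python below parses a constructed .nessus v2 export (the NessusClientData_v2 / Report / ReportHost / ReportItem layout), keeps everything at Medium severity or above, and groups the result per host so each box gets its own remediation list. The hosts, plugin IDs and plugin names in the sample are placeholders, not real Nessus plugins; the severity scale (0 Info, 1 Low, 2 Medium, 3 High, 4 Critical) is the one Nessus uses in the ReportItem `severity` attribute.

```python
"""Triage a Nessus v2 export: keep Medium and above, group by host.

Added example, not from the original slides.  SAMPLE_NESSUS is a constructed
.nessus v2 document; the plugin IDs and names are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Nessus ReportItem "severity" attribute: 0=Info, 1=Low, 2=Medium, 3=High, 4=Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
MEDIUM = 2

# Constructed sample export (two hosts, five findings, mixed severities).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="post-incident-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="Scan information">
        <risk_factor>None</risk_factor>
      </ReportItem>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900002" pluginName="SMB server missing security update">
        <risk_factor>Critical</risk_factor>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="1"
                  pluginID="900003" pluginName="SSH weak MAC algorithms">
        <risk_factor>Low</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900004" pluginName="TLS certificate expired">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900005" pluginName="Outdated web server version">
        <risk_factor>High</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_findings(nessus_xml):
    """Return every ReportItem in the export as a dict with an integer severity."""
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "plugin_name": item.get("pluginName", ""),
            })
    return findings


def triage(nessus_xml, min_severity=MEDIUM):
    """Keep findings at min_severity or above, most severe first."""
    kept = [f for f in parse_findings(nessus_xml) if f["severity"] >= min_severity]
    return sorted(kept, key=lambda f: (-f["severity"], f["host"], f["port"]))


def by_host(findings):
    """Group a triaged list into {host: [findings]} for per-box remediation."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["host"]].append(f)
    return dict(grouped)


if __name__ == "__main__":
    for host, items in by_host(triage(SAMPLE_NESSUS)).items():
        print(host)
        for f in items:
            print(f"  [{SEVERITY_NAMES[f['severity']]}] {f['protocol']}/{f['port']} "
                  f"{f['plugin_name']} (plugin {f['plugin_id']})")
```

Running it against a real export only requires reading the .nessus file into `triage()` in place of the constructed string; lowering `min_severity` to 1 pulls the Low findings back in once the urgent ones are closed.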