
Creating the Enterprise CSIRT: Building the eCrime Response Platform

Lic. Julio C. Ardita, CISM
jardita@cybsec.com

May 2010
Counter-eCrime Operations Summit (CeCOS) IV
Sao Paulo, Brasil
Creating the Enterprise CSIRT: Building the eCrime Response Platform

2010

Agenda

- Experiences in Incident Handling in Latin America
- Reaction Time
- Building an Internal CSIRT in Latin American Companies

Experiences in Incident Handling in Latin America

FT365 Incident Handling

(*) Jan-Apr

Operating areas: Argentina, Uruguay, Paraguay, Chile, Bolivia and Ecuador.

Internal CSIRT in LA companies

Incident handling: the situation in Latin America (LA).

We have observed internal CSIRTs in banks, finance, insurance, retail and e-commerce companies.

When is an internal CSIRT created (or when should it be)?

Collaboration between internal CSIRTs and the Government CSIRT.

Cultural impact: planning, documentation, trust in people, communication, etc.

Internal CSIRT in LA companies

Limited knowledge about legal aspects, digital evidence management and forensic analysis.

Types of incidents handled:
- Theft of sensitive information
- Theft and loss of notebooks with sensitive data
- Denial of service due to viruses and worms
- Financial fraud
- Corporate sabotage (trojan horses)
- Threats and false accusations through fake e-mails
- Phishing attacks against local banks and companies
- Attacks on individuals (identity theft)

Internal CSIRT Maturity in LA

- Do nothing (85%)
- Incident management disorganized (8%)
- Formal incident management for the picture (meet audits) (4%)
- Formal incident management for real (2%)
- Internal CSIRT (<1%)


Current regulations
- Colombia: Circ. Ext. 52/2007 Superintendencia Financiera.
- Argentina: A4609 of BCRA.
- Paraguay: MCIIEF of BCP.
- Chile: SBIF regulations.
- etc.
- PCI for processors, merchants, e-commerce, etc.


Current regulations
- ISO 27001/2
- OAS / OEA: Help Member States establish national 24/7 "alert, watch, and warning" teams, also known as Computer Security Incident Response Teams (CSIRT), through technical assistance and training; build the capacity of CSIRT personnel in Member States to comply effectively with the requirements established in the OAS Comprehensive Inter-American Strategy to Combat Threats to Cyber Security; and facilitate the creation and maintenance of a hemispheric network of CSIRTs to promote the sharing of information and best practices.


What are the usual activities of an internal CSIRT in a LA company?

Reaction Time

Reaction time during a security incident

During the first hours of an incident we will have all the company's attention on us.
It is essential to make the most of that momentum, as attention will start to decline (very) quickly.

[Chart: Management attention level during an incident. Y axis: % attention level (0 to 120); X axis: time (0 h, 12 h, 24 h, 48 h, 72 h, 96 h), with attention falling steeply over the first days.]
Building an Internal CSIRT in Latin American Companies

Most LA organizations do not have formal response teams for incident handling.

Since 2008 a growing number of companies have started to create internal CSIRTs. Key reasons are:
- Companies had and still have serious incidents.
- Regulation requires having incident response plans.
- The CSO proactively shows the need.


Most common issues

Lack of knowledge of what a CSIRT is and does.

No idea about incident handling issues until a serious incident happens.

When a serious incident occurs, most organizations turn to external private information security companies, and incidents rarely end up in court.

CSIRT maintenance over time within the organization.

A CSIRT is an evolution from Incident Management.



Experiences in building an internal CSIRT in LA

Considerable coaching to explain the need and scope of an internal CSIRT.

Development and adaptation of Incident Handling Policies and of a CSIRT Framework (no need to reinvent the wheel).

Procedure development taking the organization into account.

Training of all areas and levels involved.

Operational testing.

Security Incident Handling Policies

Topics to consider:

1. Detection and notification of Security Incidents
2. Security Incident tracking
3. Evidence gathering
4. Recovery process of affected systems
5. Disciplinary process


Internal Incident Management Procedure: flow diagram

Responsibilities
- Users
- Internal Audit
- Human Resources
- Management
- Legal Affairs
- Physical Security
- Help Desk
- System Administrator
- Information Security
- Other areas

Internal Incident Management Procedure: flow diagram


Action List for Developing a Computer Security Incident Response Team (CSIRT) (*)

1) Identify stakeholders and participants.
2) Obtain management support and sponsorship.
3) Develop a CSIRT project plan.
4) Gather information.
5) Identify the CSIRT constituency.
6) Define the CSIRT mission.
7) Secure funding for CSIRT operations.
8) Decide on the range and level of services the CSIRT will offer.
9) Determine the CSIRT reporting structure, authority, and organizational model.
10) Identify required resources such as staff, equipment, and infrastructure.

(*) http://www.cert.org/csirts/action_list.html

Action List for Developing a Computer Security Incident Response Team (CSIRT) (*)

11) Define interactions and interfaces.
12) Define roles, responsibilities, and the corresponding authority.
13) Document the workflow.
14) Develop policies and corresponding procedures.
15) Create an implementation plan and solicit feedback.
16) Announce the CSIRT when it becomes operational.
17) Define methods for evaluating the performance of the CSIRT.
18) Have a backup plan for every element of the CSIRT.
19) Be flexible.

(*) http://www.cert.org/csirts/action_list.html
Conclusions

The creation of CSIRTs within private organizations is growing due to the increasing occurrence of security incidents.

It is key to take advantage of the moment in which an incident occurs within the organization to promote an internal CSIRT.

The CSO should be supported by regulations and create awareness of Incident Handling in senior management.

Thank You!!! / Obrigado!!! / Gracias!!!

Lic. Julio C. Ardita, CISM
jardita@cybsec.com

May 2010
Counter-eCrime Operations Summit (CeCOS) IV
Sao Paulo, Brasil
