Incident Response and its role in Protecting Critical - PowerPoint PPT Presentation

Incident Response and its role in Protecting Critical Infrastructures Dr. Kaleem Ahmed Usmani Officer-In-Charge, Computer Emergency Response Team of Mauritius (CERT-MU)

Presentation Outline • What CERT-MU does? • Critical Infrastructures • Role of Incidence Response in Protecting Critical Infrastructure 2

Introduction • Computer Emergency Response Team of Mauritius (CERT-MU) operates under the aegis of the National Computer Board. – National CERT – Set-up in May 2008 to coordinate and handle information security issues at the National level. 3

4 CERT- MU’s Constituency Law Media Enforcement Agencies ICT Vendors Home Users International Academia CERTs - Govt. Sector Internet CERT-MU - Pvt. Sector Service - Critical infra. Providers providers 4

5 CERT- MU’s Services Reactive Services: • Incident Handling • Vulnerability Scanning and Penetration Testing 5

6 CERT- MU’s Services (Contd.) Proactive Services: • Dissemination of virus alerts, advisories, vulnerability notes on a daily basis • Awareness campaigns for corporates, youngsters and the public in general on information security • Organization of security events • Organization of professional trainings on information security areas • Publications (includes guidelines, e-security newsletters, brochures, booklets, flyers) and a dedicated cyber security portal ( http://cybersecurity.ncb.mu) 6

7 CERT- MU’s Services (Contd.) Security Quality Management Services: • Assistance to organisations for the implementation of Information Security Management System based on ISO 27001 • To conduct third party information security audits • To carry out technical security assessment of ICT infrastructure of organisations 7

CERT- MU’s Partners and Affiliations  International Organisations: ▫ CERT-IN, JPCERT/CC, AfricaCERT, KISA, US CERT, etc.. ▫ International Multilateral Partnership Against Cyber Threats (IMPACT) ▫ Anti-Phishing Working Group (APWG), Team Cymru ▫ Private security vendors such as Symantec, IBM, McAfee, SafeNet, CYBERARC etc..  Affiliations: ▫ Affiliated with CERT/CC ▫ Affiliated with Forum of Incident Response and Security Teams (FIRST) since 2012 8

Incident Statistics Reported to CERT-MU- 2015 9

Incident Statistics Reported to CERT-MU- Jan-Aug 2016 10

Incident Statistics Reported to CERT-MU- October 2016 11

Critical Infrastructures 12

Critical Information Infrastructures (CIIs) Countries devising CIIP Policy Framework: • To fight against cyber-attacks and to protect critical information infrastructures. AND • To plan an immediate action to strengthen the security and resilience of CIIs.

What is Critical Infrastructure? Critical infrastructures (CI) are generally considered as the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security. ( definition by ITU )

Examples of CII Sectors Critical Sectors 1 Energy 2 ICT & Broadcasting 3 Financial Services 4 Transport & Logistics (inc. sea and air) 5 Tourism 6 Health 7 Government Services 8 Manufacturing 9 Water 10 Customs 11 Sugar

Main Goals of CIIP Policy – Facilitate the development of a national Critical Information Infrastructure Protection (CIIP) strategy; – Assist the owners and operators of critical infrastructure, both Government and private sector entities to mitigate their information risk; – Identify and understand sector issues and cross- sector dependencies; – Work with international CIP/CIIP organizations to establish regional and/or transnational solutions

Main Pillars of CIIP Policy – Leadership and Governance : Establish clear leadership and governance in information security risk management at national level and at level of organizations. – Risk Mitigation: Establish mandatory information security risk management policy for critical sector operators to protect against cyber security threats. – Awareness and Prevention: Promote the adoption of information security best practices and a culture of cybersecurity within critical sectors.

Leadership and Governance (Overview of CIIP Roles and Responsibilities)

Information Security Risk Management at national level • Assess the status of the implementation of the CIIP policy across the CIIs • Monitor incident response • Develop partnerships with among public and private sectors for co-ordination of information security incident resolution. • Host regular meetings or other events for information sharing about incidents and lessons learned among operators within and across critical sectors. • Develop national contingency plans and organise regular exercises for large scale networks security incident response and disaster recovery.

Information Security Risk Management Model

Incident Response 21

What is an Incident? WHAT TO KNOW FIRST: – An incident is an adverse event (or threat of an adverse event) in a computer system – Adverse events include the following general categories: • Compromise of Confidentiality • Compromise of Integrity • Denial of Resources • Intrusions • Misuse • Damage • Hoaxes 22

What is Incident Handling? INCIDENTS HAPPEN ALL AROUND US: – Incident Handling is actions taken to protect and restore the normal operating condition of computers and the information stored in them when an adverse event occurs. 23

Reasons for Incident Handling Incentives for efficient incident handling: – Economic – Protecting Proprietary / Classified / Sensitive Information – Operational / Business Continuity – Public Relations – Legal / Regulatory Compliance – Safety 24

Bottom Line Information security risks cause: – Direct Financial Loss – Unfavorable Media Exposure – Outages and Disruption – Fraud, Waste and Abuse – Loss of Valuable Information – Compromise of Proprietary / Sensitive / Classified Data and Information – Lawsuits 25

Incident Handling Methodology Why use an incident handling methodology? – Provides structure and organization – Improves efficiency – Facilitates understanding the process of responding – Helps dealing with the unexpected 26

Incident Response Plan ( Stage Process) Incident Response Plan ( Stage Process) Preparation Plan PRIOR to Incident Identification Determine what is/has happened Containment Limit incident Determine and remove Analysis & root cause Eradication Return operations Recovery to normal Process improvement: Follow up Plan for the future 27

High Level Preparation Your Direction: – Develop an incident response policy – Create procedures for dealing with incidents as efficiently as possible – Ensure that a suitable management infrastructure is in place – Implement a reasonable set of defenses for systems that are to be used in responding to incidents 28

Management’s Role – Management's responsibilities include ensuring that: • Policy and procedures for incident handling are written, well- distributed, and followed • Each person who handles incidents is adequately trained • Appropriate tasks are assigned to each person who performs incident response duties • Each person involved in handling incidents make suitable progress • Resources are available to ensure that necessary software tools, hardware and technical personnel are available • Contact lists are created and updated • Provide Support to Enable Evidence Acquisition 29

Incident Response Team Why FORM AN INCIDENT RESPOSNE TEAM: – Information security incidents are becoming increasingly complex--incident handling experts are needed – Better management of incidents – Efficiency – Proactive element 30

Incident Response Team Mock Incident Response Exercises: – Basic notion: execute incident handling procedures by simulating a computer security incident and having employees respond – Validation of procedures – “Practice makes perfect” – Enables you to gauge the magnitude and complexity of the process – Exercise benefits are greatly increased if there is an external objective observer to identify issues 31

Thank You for Your Attention! Contact Details: kusmani@cert.ncb.mu www.cert-mu.org.mu 32