Incident Response and its role in Protecting Critical - - PowerPoint PPT Presentation



SLIDE 1

Incident Response and its role in Protecting Critical Infrastructures

  • Dr. Kaleem Ahmed Usmani, Officer-In-Charge, Computer Emergency Response Team of Mauritius (CERT-MU)

SLIDE 2

Presentation Outline


  • What does CERT-MU do?
  • Critical Infrastructures
  • Role of Incident Response in Protecting Critical Infrastructure

SLIDE 3

Introduction

  • The Computer Emergency Response Team of Mauritius (CERT-MU) operates under the aegis of the National Computer Board.

– National CERT: set up in May 2008 to coordinate and handle information security issues at the national level.

SLIDE 4

CERT-MU’s Constituency

CERT-MU's constituency:

  • Govt. Sector
  • Pvt. Sector
  • Critical infra. providers
  • Internet Service Providers
  • Academia
  • ICT Vendors
  • Media
  • Law Enforcement Agencies
  • Home Users
  • International CERTs

SLIDE 5

CERT-MU’s Services

Reactive Services:

  • Incident Handling
  • Vulnerability Scanning and Penetration Testing


SLIDE 6

CERT-MU’s Services (Contd.)

Proactive Services:

  • Dissemination of virus alerts, advisories and vulnerability notes on a daily basis
  • Awareness campaigns for corporates, youngsters and the public in general on information security
  • Organization of security events
  • Organization of professional trainings on information security areas
  • Publications (including guidelines, e-security newsletters, brochures, booklets, flyers) and a dedicated cyber security portal (http://cybersecurity.ncb.mu)

SLIDE 7

CERT-MU’s Services (Contd.)

Security Quality Management Services:

  • Assistance to organisations for the implementation of an Information Security Management System based on ISO 27001
  • Conducting third-party information security audits
  • Carrying out technical security assessments of the ICT infrastructure of organisations

SLIDE 8

CERT-MU’s Partners and Affiliations

  • International Organisations:

▫ CERT-IN, JPCERT/CC, AfricaCERT, KISA, US CERT, etc.
▫ International Multilateral Partnership Against Cyber Threats (IMPACT)
▫ Anti-Phishing Working Group (APWG), Team Cymru
▫ Private security vendors such as Symantec, IBM, McAfee, SafeNet, CYBERARC, etc.

  • Affiliations:

▫ Affiliated with CERT/CC
▫ Affiliated with the Forum of Incident Response and Security Teams (FIRST) since 2012

SLIDE 9

Incident Statistics Reported to CERT-MU, 2015

SLIDE 10

Incident Statistics Reported to CERT-MU, Jan-Aug 2016

SLIDE 11

Incident Statistics Reported to CERT-MU, October 2016

SLIDE 12


Critical Infrastructures

SLIDE 13

Critical Information Infrastructures (CIIs)

Countries devising a CIIP Policy Framework aim:

  • To fight against cyber-attacks and to protect critical information infrastructures, AND
  • To plan immediate action to strengthen the security and resilience of CIIs.

SLIDE 14

What is Critical Infrastructure?

Critical infrastructures (CI) are generally considered to be the key systems, services and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security (definition by ITU).

SLIDE 15

Examples of CII Sectors

Critical Sectors:

1. Energy
2. ICT & Broadcasting
3. Financial Services
4. Transport & Logistics (inc. sea and air)
5. Tourism
6. Health
7. Government Services
8. Manufacturing
9. Water
10. Customs
11. Sugar

SLIDE 16

Main Goals of CIIP Policy

– Facilitate the development of a national Critical Information Infrastructure Protection (CIIP) strategy
– Assist the owners and operators of critical infrastructure, both Government and private sector entities, to mitigate their information risk
– Identify and understand sector issues and cross-sector dependencies
– Work with international CIP/CIIP organizations to establish regional and/or transnational solutions

SLIDE 17

Main Pillars of CIIP Policy

– Leadership and Governance: Establish clear leadership and governance in information security risk management at national level and at the level of organizations.
– Risk Mitigation: Establish a mandatory information security risk management policy for critical sector operators to protect against cyber security threats.
– Awareness and Prevention: Promote the adoption of information security best practices and a culture of cybersecurity within critical sectors.

SLIDE 18

Leadership and Governance (Overview of CIIP Roles and Responsibilities)

SLIDE 19

Information Security Risk Management at national level

  • Assess the status of the implementation of the CIIP policy across the CIIs
  • Monitor incident response
  • Develop partnerships among public and private sectors for co-ordination of information security incident resolution
  • Host regular meetings or other events for information sharing about incidents and lessons learned among operators within and across critical sectors
  • Develop national contingency plans and organise regular exercises for large-scale network security incident response and disaster recovery

SLIDE 20

Information Security Risk Management Model

SLIDE 21


Incident Response

SLIDE 22

What is an Incident?


WHAT TO KNOW FIRST:

– An incident is an adverse event (or threat of an adverse event) in a computer system
– Adverse events include the following general categories:

  • Compromise of Confidentiality
  • Compromise of Integrity
  • Denial of Resources
  • Intrusions
  • Misuse
  • Damage
  • Hoaxes

SLIDE 23

What is Incident Handling?


INCIDENTS HAPPEN ALL AROUND US:

– Incident Handling is the set of actions taken to protect and restore the normal operating condition of computers, and of the information stored in them, when an adverse event occurs.

SLIDE 24

Reasons for Incident Handling


Incentives for efficient incident handling:

– Economic
– Protecting Proprietary / Classified / Sensitive Information
– Operational / Business Continuity
– Public Relations
– Legal / Regulatory Compliance
– Safety

SLIDE 25

Bottom Line


Information security risks cause:

– Direct Financial Loss
– Unfavorable Media Exposure
– Outages and Disruption
– Fraud, Waste and Abuse
– Loss of Valuable Information
– Compromise of Proprietary / Sensitive / Classified Data and Information
– Lawsuits

SLIDE 26

Incident Handling Methodology


Why use an incident handling methodology?

– Provides structure and organization
– Improves efficiency
– Facilitates understanding of the process of responding
– Helps in dealing with the unexpected

SLIDE 27


Incident Response Plan ( Stage Process)

– Preparation: Plan PRIOR to the incident
– Identification: Determine what is/has happened
– Containment: Limit the incident
– Analysis & Eradication: Determine and remove the root cause
– Recovery: Return operations to normal
– Follow up: Process improvement, plan for the future

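The staged plan above is the structure that an incident handling methodology is supposed to provide, and the statistics slides earlier in the deck are what a CERT reports once that structure is followed. The following Python example, added here and not taken from the slides or from any CERT-MU tooling, records an incident against exactly those six stages, refuses to skip a stage or move time backwards, classifies each incident by the adverse-event categories from the "What is an Incident?" slide, and produces the per-category counts and worst time-to-containment a coordinator would put in a periodic report. The `IncidentRecord` class, its method names and every timestamp are constructed for the example.

```python
"""Incident record that enforces the six-stage incident handling process
(Preparation, Identification, Containment, Analysis & Eradication, Recovery,
Follow up). Added example; class names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Stage(Enum):
    PREPARATION = 1           # plan PRIOR to the incident
    IDENTIFICATION = 2        # determine what is/has happened
    CONTAINMENT = 3           # limit the incident
    ANALYSIS_ERADICATION = 4  # determine and remove the root cause
    RECOVERY = 5              # return operations to normal
    FOLLOW_UP = 6             # process improvement, plan for the future


# Adverse-event categories as listed on the "What is an Incident?" slide.
CATEGORIES = frozenset({
    "compromise_of_confidentiality", "compromise_of_integrity",
    "denial_of_resources", "intrusion", "misuse", "damage", "hoax",
})


class StageOrderError(ValueError):
    """A stage was recorded out of sequence, or its timestamp goes backwards."""


@dataclass
class IncidentRecord:
    ident: str
    category: str
    entered: Dict[Stage, datetime] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown adverse-event category: {self.category!r}")

    def enter(self, stage: Stage, when: datetime) -> None:
        """Record entry into `stage`; stages must be entered strictly in order."""
        done = len(self.entered)
        if done == len(Stage):
            raise StageOrderError("incident already closed (Follow up recorded)")
        expected = Stage(done + 1)
        if stage is not expected:
            raise StageOrderError(f"expected {expected.name}, got {stage.name}")
        if done and when < self.entered[Stage(done)]:
            raise StageOrderError("timestamp earlier than the previous stage")
        self.entered[stage] = when

    def time_to_contain(self) -> Optional[timedelta]:
        """Identification -> Containment: the delay a handler most wants to shrink."""
        if Stage.CONTAINMENT not in self.entered:
            return None
        return self.entered[Stage.CONTAINMENT] - self.entered[Stage.IDENTIFICATION]

    def is_closed(self) -> bool:
        return Stage.FOLLOW_UP in self.entered


def summarize(records: List[IncidentRecord]) -> Dict[str, object]:
    """Per-category counts, open incidents and the worst observed time to
    containment: the kind of figures a CERT puts in its incident statistics."""
    counts: Dict[str, int] = {}
    worst: Optional[timedelta] = None
    open_count = 0
    for rec in records:
        counts[rec.category] = counts.get(rec.category, 0) + 1
        if not rec.is_closed():
            open_count += 1
        ttc = rec.time_to_contain()
        if ttc is not None and (worst is None or ttc > worst):
            worst = ttc
    return {"by_category": counts, "open": open_count, "worst_time_to_contain": worst}


def build_sample_records() -> List[IncidentRecord]:
    """Constructed sample data, not real CERT-MU incident statistics."""
    plan_date = datetime(2016, 1, 1)          # the response plan predates both incidents
    t0 = datetime(2016, 10, 3, 9, 0)
    closed = IncidentRecord("INC-0001", "intrusion")
    closed.enter(Stage.PREPARATION, plan_date)
    closed.enter(Stage.IDENTIFICATION, t0)
    closed.enter(Stage.CONTAINMENT, t0 + timedelta(hours=2))
    closed.enter(Stage.ANALYSIS_ERADICATION, t0 + timedelta(hours=6))
    closed.enter(Stage.RECOVERY, t0 + timedelta(days=1))
    closed.enter(Stage.FOLLOW_UP, t0 + timedelta(days=3))

    still_open = IncidentRecord("INC-0002", "hoax")   # contained, root cause not yet removed
    still_open.enter(Stage.PREPARATION, plan_date)
    still_open.enter(Stage.IDENTIFICATION, t0 + timedelta(days=1))
    still_open.enter(Stage.CONTAINMENT, t0 + timedelta(days=1, hours=5))
    return [closed, still_open]


if __name__ == "__main__":
    records = build_sample_records()
    print(summarize(records))
    try:  # jumping from Containment straight to Recovery skips Analysis & Eradication
        records[1].enter(Stage.RECOVERY, records[1].entered[Stage.CONTAINMENT])
    except StageOrderError as err:
        print("rejected:", err)
```

The point of the ordering check is the slide's own argument for a methodology: an incident that is "recovered" without an eradication stage on record is exactly the kind of unexpected shortcut the process exists to catch, and the follow-up stage can only be entered once the earlier ones have been.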

SLIDE 28

High Level Preparation


Your Direction:

– Develop an incident response policy
– Create procedures for dealing with incidents as efficiently as possible
– Ensure that a suitable management infrastructure is in place
– Implement a reasonable set of defenses for systems that are to be used in responding to incidents

SLIDE 29

Management’s Role


– Management's responsibilities include ensuring that:

  • Policy and procedures for incident handling are written, well distributed, and followed
  • Each person who handles incidents is adequately trained
  • Appropriate tasks are assigned to each person who performs incident response duties
  • Each person involved in handling incidents makes suitable progress
  • Resources are available to ensure that the necessary software tools, hardware and technical personnel are available
  • Contact lists are created and kept updated
  • Support is provided to enable evidence acquisition

SLIDE 30

Incident Response Team


Why FORM AN INCIDENT RESPONSE TEAM:

– Information security incidents are becoming increasingly complex; incident handling experts are needed
– Better management of incidents
– Efficiency
– Proactive element

SLIDE 31

Incident Response Team


Mock Incident Response Exercises:

– Basic notion: execute incident handling procedures by simulating a computer security incident and having employees respond
– Validation of procedures
– "Practice makes perfect"
– Enables you to gauge the magnitude and complexity of the process
– Exercise benefits are greatly increased if there is an external objective observer to identify issues

SLIDE 32


Thank You for Your Attention!

Contact Details:

kusmani@cert.ncb.mu www.cert-mu.org.mu