
Staying Out of the Security Headlines

Staying Out of the Security Headlines. Educause Security Professionals Conference Track 4 Wednesday, April 12, 2006 10:00 a.m. - 11:00 a.m. Denver Ballroom 4 David Escalante, Director of Computer Policy & Security, Boston College



Presentation Transcript


  1. Staying Out of the Security Headlines Educause Security Professionals Conference Track 4 Wednesday, April 12, 2006 10:00 a.m. - 11:00 a.m. Denver Ballroom 4 David Escalante, Director of Computer Policy & Security, Boston College Cathy Hubbs, Information Technology Security Coordinator, George Mason University

  2. Introduction • Part I • Boston College, Anatomy of an Incident and Managing It • Part II • George Mason University, Refining Incident Response • NOTE: BC slides have been heavily edited and do not necessarily reflect content of original talk • Let’s go over what happens…

  3. Know where your data is • “…as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns - the ones we don't know we don't know.” -- Don Rumsfeld, Secretary of Defense, 2002

  4. Different KIND of Incident • Recognize that a breach of confidential data covering many people is fundamentally different from your typical incident that affects one or more computers, but not thousands of people's lives. • There will be legal, notification, and other issues you will need help on, fast.

  5. The users know more than you • Where the data is, the “bodies are buried” • How the data got to its present state • Local operational procedures • Contacts with their vendors • How to interact with their particular customers • Ignore users at your peril -- there’s a difference between managing the incident from a computer perspective and stepping outside your comfort area and managing the whole thing

  6. Have a flexible incident response team • Also consider having a separate team for incidents of this magnitude • Escalante’s talk last year at this conference on incident response teams with Calvin Weeks covers flexible incident response in more detail, see http://www.educause.edu/LibraryDetailPage/666?ID=SPC0563

  7. Know how to do computer forensics • You will have to figure out what happened in order to formulate a response. • The press and public are not kind to those who delay in reporting these incidents, management will want to know what happened, and you won't have a lot of time to work through the forensics. • Alternately, have a pool of money and identified outside resources for rapid response. • Also, know how to keep operations running in the face of the investigation, or at least recover systems and operations quickly.

  8. Know your Lawyer/General Counsel • The General Counsel’s office will not be happy. • It’s much better to have an unhappy friend in this case than an unhappy stranger. • They should be able to tell you what to do and what to say to preserve evidence, not get the school in trouble, respond to outside parties who are being difficult, and many other contributions.

  9. Know Your Local Law Enforcement Officials • http://www.infragard.net/ • InfraGard is a Federal Bureau of Investigation (FBI) program that began in the Cleveland Field Office in 1996. It was a local effort to gain support from the information technology industry and academia for the FBI's investigative efforts in the cyber arena. The program expanded to other FBI Field Offices, and in 1998 the FBI assigned national program responsibility for InfraGard to the former National Infrastructure Protection Center (NIPC) and to the Cyber Division in 2003. InfraGard and the FBI have developed a relationship of trust and credibility in the exchange of information concerning various terrorism, intelligence, criminal, and security matters. • http://www.ectaskforce.org • The concept of task forces has been around for many years and has proven to be quite successful… The Secret Service developed a new approach to increase the resources, skills and vision by which local, state, and federal law enforcement team with prosecutors, private industry and academia to fully maximize what each has to offer in an effort to combat criminal activity. By forging new relationships with private sector entities and scholars, the task force opens itself up to a wealth of information and communication lines with limitless potential. The New York Electronic Crimes Task Force (NYECTF) was formed based on this concept and has been highly successful since its inception in 1995. On October 26, 2001, President Bush signed into law H.R. 3162, the PATRIOT Act. In drafting this particular legislation, Congress recognized the Secret Service philosophy that our success resides in the ability to bring academia, law enforcement and private industry together to combat crime in the information age. As a result, the U.S. Secret Service was mandated by this Act to establish a nationwide network of Electronic Crimes Task Forces based upon the New York model that encompasses this philosophy. The Electronic Crimes Task Force has grown from a few dedicated individuals to a group of hundreds of industry as well as local, state and federal law enforcement members throughout the country. At a recent meeting in New York, there were over 500 members in attendance.

  10. Figure Out How You'd Handle Extraordinary Volumes. • Mail • Phone • Inquiries • BC chose to outsource the mailing and keep the phone response in-house. • You will need a system to triage calls and other inquiries • You will have a lot of them. Some of them will be very important. Some won't. Some will want to speak to "the manager", some won't. In BC’s case, the affected department did a good job of handling the initial contact.

  11. The Letter • You need to communicate directly with the parties affected. • Usually you get one message, a letter or e-mail. So it had better be good. • Lots of people will want input on this communication • Public Affairs • General Counsel • Affected Department • …you get the idea • Editing the letter • Signing the letter • Editing the talking points.

  12. The Press • Know your Public Affairs staff and the local press who report on computer stories. • The press aren’t usually out to get you; they want to convey accurate information.

  13. The Vendors • Does “ambulance chaser” apply outside the legal field? • There are a lot of security vendors • They will all be able to help you • If you had their product, you wouldn’t have had a problem • Other parties, such as credit bureaus or banks, where you might expect to get some help, see you as a profit opportunity

  14. Keep Appropriate Parties Informed • Regardless of the fact that you're a security person, it is IMPERATIVE that you keep your management, university management, and other parties involved up to date -- you are most likely not the president or VP, not the owner of the data, and not in charge of the university's reputation. • Those people need • frequent updates • they need to give you guidance, and • they need specialized guidance from you on the technical issues. • In return, they will take a lot off your back

  15. After the Chaos Dies Down • …the real work begins • Culture change time • Data classification policy • Helps review data in field • Review relationships with third parties • Auditors, auditors, auditors

  16. Summary • Build key relationships in advance with legal, law enforcement, the press, and others • Have a forensics capability, in-house or outside • Work with others, possibly as part of Business Continuity Planning, on how to handle large-volume communications that have to be hands-on, where a web site is not sufficient • Drive some type of data classification that assigns explicit responsibility to operational departments of the school • Evaluate your third party and partner relationships with extreme care from a security perspective, and review what’s in any data feeds your central systems send out
