Improving Incident Response - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Improving Incident Response' - mufutau-frye

Incident Response Agenda
  • Why Incident Response is Important
    • Threats, Numbers, Traditional Response
  • What is an Incident
  • State of Ohio Incident Response Guidance
    • Ohio HB 104
    • ITP – B.7: Security Incident Response
    • OIT IT Bulletin No: ITB-2007.02
    • Governor’s Memo on Illegal Activity & Serious Wrongdoing
  • Incident Response Roles
  • How To Report an Incident
  • Incident Response Management Guide
Traditional Threats
  • Viruses & Worms
  • Breaches in Acceptable Use Policy
  • Hacking for Fun
  • Fraud
  • Accessing Illegal Content
  • Website Defacement
New Threat Landscape
  • Criminal Involvement
  • Profit $ $ $
  • Spyware
  • Botnets
  • DDOS Extortion
  • ID Theft
  • Intellectual Property Theft
  • Phishing
Cybercrime by the Numbers
  • $67.2 billion: FBI estimate of what U.S. businesses lose annually because of computer-related crimes.
  • $8 billion: Consumer Reports estimate of what U.S. consumers lost the past two years because of viruses, spyware and Internet scams.
  • 93.8 million: Privacy Rights Clearinghouse's count of personal records reported lost or stolen since February 2005.
  • 26,150: The Anti-Phishing Working Group's count of unique variations of phishing scams reported in August 2006.

Source: USA TODAY research

The Good The Bad The Ugly
  • 82% employ a CSO, CISO, or CPO
  • 93% have deployed firewalls
  • 72% encrypt some data
  • 40% of organizations do NOT know how many security incidents they have experienced
  • 45% do NOT know what type of attacks have occurred
  • 69% DO NOT keep an accurate inventory of user data
  • 33% of all enterprises are NOT in compliance with Sarbox, HIPAA, or state privacy laws

Source: CIO Magazine 2007

  • Traditional Focus on Prevention
    • Walls & Barriers
      • Policies
      • Firewalls
      • Anti-Virus Software
      • IDS
  • But what about response?
Traditional Response
  • Reactive - Leads To:
    • Prolonged Incidents
    • Muddled communications
    • Senior Management learns of incident late
More Security Does NOT Necessarily Mean More Secure
  • Failure to Plan
    • Loss of Constituent Trust
    • Tarnished Image
    • Prolonged Recovery Times
    • Disclosure of Sensitive Data
    • Compromised Evidence
    • Financial Costs
    • Legal Issues
Better Incident Management
  • Ensures Incidents are Detected, Recorded, and Managed
    • Planning, Coordination, and Reporting
    • Execution of Mitigation Strategies
    • Informed Outcomes
    • Strategic Process Improvement
What is an Incident?
  • E-mail viruses
  • E-mail harassment
  • Other malicious code
  • Denial of service attacks
  • Stolen hardware
  • Stolen sensitive data
  • Illegal activity
  • Serious wrongdoing
  • Network or system sabotage
  • Website defacements
  • Unauthorized access to files or systems
  • Loss of system availability
  • Misuse of service, systems or information
  • Physical damage to computer systems, networks, or storage media

We’ve Been Hacked. What Now???

Ohio Law: HB 104 – Breach Notification
  • Applies to any state agency or entity doing business in Ohio that owns or licenses computerized data that includes personal information of a specified nature
  • Must give notice to any Ohio resident whose personal information was, or reasonably is believed to have been, accessed and acquired by an unauthorized person, if the access and acquisition causes, or reasonably is believed will cause, a material risk of identity theft or other fraud
  • Personal info triggering notice: name plus
    • SSN & Tax ID
    • DL number/State ID number, or
    • Employer identification number
    • Financial account number (ex: bank account; credit or debit card)
  • Applies to “unencrypted, computerized” data, and where the number in question is not truncated to the last four digits
  • Disclose in the most expedient time possible, generally not later than 45 days following discovery of any breach of the security of the system


State of Ohio Policy: Security Incident Response ITP-B7

Incident. A reported adverse event or group of adverse events that has proven to be a verified information technology security breach. An incident may also be an identified violation or imminent threat of violation of information technology security policies, or a threat to the security of system assets. Some examples of possible information technology security incidents are:

  • Loss of confidentiality of information
  • Compromise of integrity of information
  • Loss of system or SERVICE availability
  • Denial of service
  • Misuse of service, systems or information
  • Damage to systems from malicious code attacks such as viruses, trojan horses or logic bombs
OIT IT Bulletin No: ITB-2007.02

Sensitive Data = An individual’s last name along with

  • First name or first initial,
  • In combination with any one or more of the following data elements:
      • Social security number;
      • Driver’s license number;
      • State identification card number;
      • Financial account number;
      • Credit card number;
      • Debit card number;
      • EFT (Electronic Funds Transfer) number;
      • Taxpayer identification number;
      • Medical information;
      • Other personal information required by law to be maintained in a secure manner.
Governor’s Memo on Wrongdoing or Illegal Activity
  • “Illegal Activity”
    • includes fraud, theft, assault and other violations of local, state and/or federal law, including violations of state ethics laws, committed or in the process of being committed, by a state employee on any property owned or leased by the state or during the course of executing official duties.
Governor’s Memo on Wrongdoing or Illegal Activity
  • “Wrongdoing”
    • includes a serious act or omission, committed by a state employee on any property owned or leased by the state or during the course of executing official duties. Wrongdoing is conduct that is not in accordance with standards of proper governmental conduct and which tends to subvert the process of government, including, but not limited, to gross violations of departmental or agency policies and procedures, executive orders, and acts of mismanagement, serious abuses of time, and other serious misconduct. For purposes of this reporting procedure, wrongdoing does not include illegal or suspected illegal activity. Likewise, wrongdoing does not include activity that is most appropriately handled through the department’s human resources personnel.
Governor’s Memo on Wrongdoing or Illegal Activity
  • Procedure
    • Any state employee that becomes aware of suspected non-emergency illegal activity or wrongdoing shall immediately notify the Director or the Chief Legal Counsel of the department for which the reporting employee works.
    • When a Director or Chief Legal Counsel of a department is notified or becomes aware of suspected or alleged illegal activity by any employee, the Director or the Chief Legal Counsel of the department shall notify the Chief Legal Counsel to the Governor and the Director of the Ohio Department of Public Safety (only for illegal activity)
      • Any reporting employee may also contact the Inspector General and file a written complaint or file a complaint using the Inspector General’s anonymous hotline in the case of wrongdoing or nonemergency illegal activity.
      • If a Department Director and/or Chief Legal Counsel is suspected of illegal activity or wrongdoing, the Inspector General should be contacted directly.
Suggested - Incident Response Team Roles
  • Incident Coordinator
  • Program Incident Coordinator – PIC
  • Technical Incident Contact – TIC
  • Executive Team Contacts
  • Primary and Alternate Incident Response Contacts
Incident Coordinator – IC
  • Single point of contact for overall coordination
  • Gather and communicate information about the incident and contact Program Incident Coordinators to obtain resources.
  • Assist with agency communications, archiving incident related documentation, and situation assessment
  • Communicate with the Executive Team should they need to be contacted.
  • Chair the post mortem meeting for closed incidents and be responsible for updating the incident ticket and ensuring that the incident is documented and the ticket is closed.
Program Incident Coordinator – PIC
  • Primary PIC is the Program Administrator and the Alternate PIC is someone who can act on behalf of the Primary PIC.
  • This role includes being the primary or alternate contact for an Agency Program Area.
  • The PIC is responsible for managing and coordinating communications and resources within their program area and between their area and other areas.
  • The PIC may be asked to provide resources from their area to other areas in order to assist in mitigation of an incident.
  • The PIC will assess situations and respond as needed, archive incident related documentation, and participate in post mortem meetings.
Additional Roles
  • Technical Incident Contact – TIC – This person may be called by the IC or PIC to provide technical assistance in mitigating a critical incident.
  • Executive Team Contacts – The Executive Team Contacts will be notified by the Incident Coordinator on an as needed basis depending upon the severity and scope of the critical incident.
  • Agency Primary and Alternate Incident Response Contacts – AIRC – Each cabinet level agency has identified a Primary and an Alternate Incident Response Contact for OIT to work with in reporting and mitigating incidents.

Incident Coordinator determines if an Extended Team needs to be assembled, which includes the original Incident Response Team plus any of the following:

  • Legal
  • Service Manager
  • Program Area unit(s) representatives
  • Business Office
  • Communications Office
  • Policy Representative
  • Application owner
  • Impacted Customer(s).
  • Business Continuity Manager
  • Other individuals with expertise or relationship to the incident
How to Report an Incident - 1
  • Employees should inform their supervisor or other management about suspicious activities or unusual events that might indicate an incident has occurred or is in progress.
  • Notify the Service Manager or Incident Coordinator (IC) of the service affected by the incident.
  • Determine whether there may be alleged illegal activity or serious wrongdoing
  • Determine whether sensitive data is missing
How to Report an Incident - 2
  • The Incident Coordinator (IC) will contact the Agency Chief Legal Counsel regarding any alleged illegal activity, serious wrongdoing, or loss of sensitive data.
  • Agency Chief Legal Counsel is required to contact the Ohio Highway Patrol regarding any alleged illegal activity or loss of sensitive data.
How to Report an Incident - 3
  • When a Service Manager or Incident Coordinator determines that an incident has occurred or is in progress, they are to notify the OIT Incident Coordinator (OIT IC) by calling 614-644-0701 or 800-644-0701 or sending an email to and logging a ticket. If the Service Manager or Incident Coordinator is not available then a Supervisor, Manager, or employee discovering the incident should log the ticket.
  • If an incident, per Ohio IT Policy ITP-B.7, Incident Response, is logged by an agency with the OIT Call Center (OCSSC) that requires OIT to respond to a request for technical assistance for an incident at an agency, the OIT Incident Coordinator (OIT IC) will also be notified by the OIT Call Center (OCSSC). The OIT IC will contact the agency Incident Coordinator to determine what assistance is required.
Model Incident Management Guide

Customizable guide that includes:

  • How to respond to an incident
  • Critical Incident Response Flow Chart
  • Thought Starters for Determining Extended Team
  • Incident Team Contact Template
  • Template Activity Log
  • Template Containment and Communication Plan Log
  • Template Resolution Log
  • Production Incident Explanation (PIE)
  • Security Incident Response Policy Template
  • Incident Response Procedure Template

Online at the State of Ohio Privacy & Security Information Center: