7. More than Half of US Companies Rate Data Security As a Major Concern
- 12th annual Law and the Boardroom Study 2012
Cybersecurity has become the top global technological issue
Source: Deloitte 2012 Global Financial Services Industry Security Study
“IT security is no longer a trivial issue and is now becoming part of a company’s boardroom discussion”
Source: IBM
Boardroom Agenda Item
28. Recognised Threat
“the cyber threat to our nation is one of the most serious economic and national security challenges we face.”
"industrial-scale processes involving many thousands of people lying behind both state sponsored cyber espionage and organised cyber crime".
51. Increase in Targeted Attacks
Increase in DDOS Attacks
Increase in Activism
Ransomware Attacks
2012 – IRISSCERT Incidents
52. Root Cause
Poor Passwords
Missing Patches
Vulnerabilities
Web Platforms
Out of Date Anti-Virus Software
Lack of Monitoring
2012 – IRISSCERT Incidents
59. Continuous Cycle
Identify critical information and systems
Conduct assessment to identify risks and threats
Implement security controls to manage risks & threats
Monitor effectiveness of security controls
Analyze and identify improvements to security controls
99. CSIRT Handbook
http://www.cert.org/archive/pdf/csirt-handbook.pdf
Forming an Incident Response Team
http://www.auscert.org.au/render.html?it=2252
Incident Response White Paper – BH Consulting
http://www.bhconsulting.ie/Incident%20Response%20White%20Paper.pdf
RFC2350: Expectations for Computer Security Incident Response
http://www.rfc-archive.org/getrfc.php?rfc=2350
Organisational Models for Computer Security Incident Response Teams
http://www.cert.org/archive/pdf/03hb001.pdf
The SANS Institute’s Reading Room
http://www.sans.org/reading_room
Appendices
100. Guidelines for Evidence Collection and Archiving (RFC 3227)
http://www.ietf.org/rfc/rfc3227.txt
Resources for Computer Security Incident Response Teams (CSIRTs)
http://www.cert.org/csirts/resources.html
RFC 2196: Site Security Handbook
http://www.faqs.org/rfcs/rfc2196.html
ENISA Step by Step Guide for setting up CERTS
http://enisa.europa.eu/doc/pdf/deliverables/enisa_csirt_setting_up_guide.pdf
CSIRT Case Classification (Example for enterprise CSIRT)
http://www.first.org/resources/guides/csirt_case_classification.html
101. ENISA Honeypot Paper
http://www.enisa.europa.eu/media/press-releases/new-report-by-eu-agency-enisa-on-digital-trap-honeypots-to-detect-cyber-attacks
The HoneyNet Project
http://www.honeynet.org
Verizon DBIR
http://www.verizonenterprise.com/DBIR/2013/
BH Consulting Whitepaper on “Best Practises for Log Management”
http://bhconsulting.ie/Best%20Practises%20for%20Log%20Management.pdf
The SANS reading room
http://www.sans.org/rr/whitepapers/logging/
Event ID website giving explanations of MS events
http://www.eventid.net/
102. Local Logon Attempt Failures
Event IDs 529, 530, 531, 532, 533, 534 & 537.
Domain Logon Account Failures
Event IDs 675, 677
Account Misuse
Event IDs 530, 531, 532, 533
Account lockout
Event ID 539
Terminal Services
Event IDs 682, 683
Creation of a User Account
Event IDs 624, 626
User Account password Change
Event IDs 627, 628
User Account Status Change
Event IDs 626, 629, 630
Modification of Security Groups
Event IDs 632, 633, 636, 637
Modification of Security Log
Event IDs 612, 517
Policy Change
Event IDs 608, 609
Process Tracking
Event IDs 592, 593 (note: due to the volume of log entries, only monitor process tracking during an investigation.)
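As an added example (not part of the original slides), the watchlist above turned into simple triage logic: it maps each event ID to the slide's categories, keeps process tracking (592, 593) out of the counts unless an investigation is in progress, and tallies failed logons per user over a few constructed log lines whose "EventID=... User=..." format is an assumption for the example.

```python
import re
from collections import Counter
# Category -> event IDs as listed on the slide. Some IDs sit in more than one
# category (530-533, 626), so one event can raise several categories.
WATCHLIST = {
    "Local Logon Attempt Failures": {529, 530, 531, 532, 533, 534, 537},
    "Domain Logon Account Failures": {675, 677},
    "Account Misuse": {530, 531, 532, 533},
    "Account Lockout": {539},
    "Terminal Services": {682, 683},
    "Creation of a User Account": {624, 626},
    "User Account Password Change": {627, 628},
    "User Account Status Change": {626, 629, 630},
    "Modification of Security Groups": {632, 633, 636, 637},
    "Modification of Security Log": {612, 517},
    "Policy Change": {608, 609},
    "Process Tracking": {592, 593},
}
INVESTIGATION_ONLY = {"Process Tracking"}  # per the slide's note: too noisy otherwise
# Assumed, constructed line format: "<timestamp> EventID=<n> User=<name> Host=<h>"
LINE_RE = re.compile(r"EventID=(?P<id>\d+)\s+User=(?P<user>\S+)")

def classify(event_id, investigating=False):
    # Return every watchlist category the event ID belongs to.
    cats = [c for c, ids in WATCHLIST.items() if event_id in ids]
    if not investigating:
        cats = [c for c in cats if c not in INVESTIGATION_ONLY]
    return cats

def triage(lines, investigating=False):
    # Count category hits and failed logons per user; skip malformed lines.
    hits, failures = Counter(), Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        cats = classify(int(m.group("id")), investigating)
        hits.update(cats)
        if any(c.endswith("Failures") for c in cats):
            failures[m.group("user")] += 1
    return hits, failures
SAMPLE_LOG = [  # constructed sample lines, not real log data
    "2012-11-03T09:15:02 EventID=529 User=jsmith Host=WS01",
    "2012-11-03T09:15:07 EventID=529 User=jsmith Host=WS01",
    "2012-11-03T09:15:12 EventID=539 User=jsmith Host=WS01",
    "2012-11-03T09:20:44 EventID=530 User=svc_backup Host=SRV02",
    "2012-11-03T09:21:00 EventID=592 User=svc_backup Host=SRV02",
    "2012-11-03T09:22:10 EventID=517 User=admin Host=DC01",
    "garbage line with no event id",
]
```

Running `triage(SAMPLE_LOG)` on the sample shows three local logon failures (two for jsmith, then a lockout) while the 592 process-tracking event is ignored until `investigating=True` is passed.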