The Breach: Preparedness and Response


Ted Mueller

on 18 May 2017


Educate yourself:

Networking (ECTF, ISSA, NCTA); conferences (RSA, Black Hat, Data Connectors); online or traditional education
Educate your business unit leaders:
From the C-suite to temp/seasonal staff, at every chance: share how an event can impact the bottom line.
Find great partners to educate you and your population:

Trustwave, Rebyc, Coalfire, Bluecoat, Bit9, FireEye, Websense, Fortinet, Cisco, Wombat, KnowBe4, PhishMe, etc.
Educate your Partners:
set your expectations

Info Sec needs to closely work with traditional/physical security
Develop your Incident Management Team
Why is it important? Sponsorship and Ownership
Who to include? Sponsors from C-Suite, PR, Finance, Legal, IT, Security, Operations
How often to meet?
What to discuss?
Keep it going
The Inevitable? My Big 3

Get it out; it's natural, and it gets people moving and prioritizing the issue. But keep it internal and limited to your Incident Management Team!

Break Out "Your Gear":

You have your plans and team in place. Your crisis probably won't exactly match what you planned for, but engage the assets you built for exactly this scenario. If you don't have them in place, well, for shame: see "A Framework" below and get ready for some long nights.

Cleanup and Maintain:

Advanced persistent attackers remain resident on networks for an average of 260 days, far longer than the retention of most daily and weekly backups, so restoring a system from last week's backup is not an option: any backup taken inside that window most likely contains the implant. Expect a full bare-metal recovery of affected systems, rebuilt from known-good media, to be confident they are really clean, and image the compromised systems before wiping them so the forensic record survives. Once you have good controls in place, don't lose focus; maintain your security processes, or get ready for step 1 again.
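The dwell-time argument above can be checked mechanically against a backup rotation. The following Python is an added example written for this page, not code from the presentation or its author: it assumes a simple grandfather-father-son rotation (a configurable number of daily copies, weekly copies taken on Sundays, and monthly copies taken on the 1st), takes the earliest date forensics found attacker artifacts, and reports either the newest restore point that predates the compromise or that no retained backup is clean and a bare-metal rebuild is required. The rotation counts, the dates and the safety margin are illustrative assumptions; it also goes slightly beyond the paragraph by showing how a longer retention or a margin for "first observed is not first present" changes the answer.

```python
"""Added example: is any retained backup older than the compromise?

Models the reasoning behind "restoring from last week's backup is not an
option": if attacker dwell time exceeds backup retention, every restore
point contains the implant.  The rotation schedule and all dates below are
assumptions chosen for illustration, not figures from the presentation.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RestorePoint:
    taken: date
    kind: str  # "daily", "weekly" or "monthly"


def retained_restore_points(today: date, daily: int = 7, weekly: int = 4,
                            monthly: int = 6) -> list[RestorePoint]:
    """Enumerate the restore points an assumed grandfather-father-son
    rotation still holds on `today`: the last `daily` days, the last
    `weekly` Sundays and the 1st of the last `monthly` months."""
    points = [RestorePoint(today - timedelta(days=i), "daily") for i in range(daily)]

    # Monday is weekday() 0, so (weekday() + 1) % 7 is the days since last Sunday.
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    points += [RestorePoint(last_sunday - timedelta(weeks=i), "weekly") for i in range(weekly)]

    year, month = today.year, today.month
    for _ in range(monthly):
        points.append(RestorePoint(date(year, month, 1), "monthly"))
        month -= 1
        if month == 0:
            year, month = year - 1, 12

    return sorted(points, key=lambda p: p.taken, reverse=True)  # newest first


def clean_restore_points(points: list[RestorePoint], earliest_compromise: date,
                         margin_days: int = 0) -> list[RestorePoint]:
    """Keep only restore points taken before the earliest evidence of
    compromise, less a safety margin.  `earliest_compromise` is the oldest
    malicious artifact forensics found; the margin allows for the attacker
    having been present before the first artifact that happened to be found."""
    cutoff = earliest_compromise - timedelta(days=margin_days)
    return [p for p in points if p.taken < cutoff]


def recovery_plan(today: date, earliest_compromise: date, margin_days: int = 0,
                  **rotation: int) -> tuple[str, date | None]:
    """Return ("restore", date) for the newest clean restore point, or
    ("rebuild", None) when every retained backup post-dates the compromise
    and a bare-metal rebuild from known-good media is the only clean path."""
    clean = clean_restore_points(retained_restore_points(today, **rotation),
                                 earliest_compromise, margin_days)
    if clean:
        return "restore", clean[0].taken
    return "rebuild", None


if __name__ == "__main__":
    found = date(2017, 5, 18)  # assumed day the breach was confirmed
    # A 260-day dwell (the figure quoted above) against 6 months of monthlies:
    print(recovery_plan(found, found - timedelta(days=260)))  # ("rebuild", None)
    # The same dwell against 12 monthlies: the Aug 1 copy predates the compromise.
    print(recovery_plan(found, found - timedelta(days=260), monthly=12))  # ("restore", date(2016, 8, 1))
    # Compromise caught after 8 days: last Sunday's weekly is still clean,
    # but a 3-day margin pushes the choice back to the May 1 monthly.
    print(recovery_plan(found, date(2017, 5, 10)))  # ("restore", date(2017, 5, 7))
    print(recovery_plan(found, date(2017, 5, 10), margin_days=3))  # ("restore", date(2017, 5, 1))
```

The useful output is the "rebuild" branch: when the oldest retained copy is younger than the compromise, no amount of restoring helps, and the decision to rebuild from known-good media can be made before anyone spends a night restoring an infected image. Note that a "restore" answer still means accepting data loss back to that date, and only the forensic timeline, not the backup catalogue, tells you where the cutoff really is.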

Testing and Simulation
End-User Training:

Mandatory training at least annually, plus mandatory retraining after a phishing failure or "event".
Tabletop drills:
Simulating what could happen in a safe environment for lessons learned, confidence building, empowerment, education, breaking down silos
The Setups
Planted thumb drive 'calls home' when connected, or worse
Virus - reaction and response
Physical Access Testing - "The New Guy"
Phishing services for Awareness

Be prepared and be informed
We read about incidents daily...in case you need a refresher:
Everything is online
Everything has a vulnerability
There are too many opportunities for criminals not to succeed
Technology is enabling the ease of theft or disruption

Incident Management Team

Management/Operations: President, Property Services (if out: CEO)
Roles/responsibilities: legal responsibilities; executive communications and backing

IT Management: CIO and VP Ops (if out: Mgr of IS and Infrastructure)
Roles/responsibilities: define strategy and mobilize the IT team; engage Trustwave or the QSA; overall internal communications and direction for the Incident Mgmt Team

IT Security: Mgr of IS and Infrastructure (if out: IT Mgr)
Roles/responsibilities: technical and security lead, forensics; lead direction on maintaining operations while ensuring forensic evidence stays intact

Accounting: CFO or VP of Finance (if out: Accounting Lead)
Roles/responsibilities: own communications with merchants; first-level investigation of customer complaints and potential breaches; first call for hotel customers researching disputed/fraudulent charges; internal communication delivery (with the CIO) to hotels/outlets

Security: Director of Security (if out: Security Admin)
Roles/responsibilities: primary contact with law enforcement (SS or CMPD); physical security of locations, data and cameras; incident reporting and trend-analysis review

Public Relations: VP of Marketing and Comm. (if out: Events Coordinator)
Roles/responsibilities: internal and external communications; previous correspondence brought for review at quarterly meetings
The Breach: Mapping Out Success
A Framework
1.) Consider a Breach Likely and Prepare Accordingly
Designate and empower an internal breach response team
Start and have regular ongoing security assessments
Identify and establish relationships with key vendors/partners
Develop and regularly update a breach response communication plan
2.) Be Accurate and Be Fast
Put yourself in your customers' shoes: what do they need to know? Has the "bleeding" stopped? Pre-prepared communications are nice to have, to avoid a scramble.
Offer timetables: people want to know when it happened, when it will be fixed, and how you will fix it.
It's OK to notify before you have all the facts; include caveats.
Acknowledge that the situation may change.
Make it a one-day story: communicate clearly, honestly and early, and deliver on promises to avoid a PR nightmare. Don't give the media a reason to dig or to doubt you.
3.) Be Open, Honest and Transparent
Be transparent in your activity and demonstrate that you are trying to get the word out
Follow your normal media routine
Avoid absolutes - people will try to poke holes and your credibility can be further damaged
Avoid misleading statements
Don't withhold details - if you're going to come clean, come all the way clean!
Stay focused and concise
4.) Be Accountable
Take Ownership - "Our fault, now here's what we're doing to fix it."
Don't play the victim - no 'our contractor...' excuses
Express regret
Put an executive face on the issue
5.) Get the Word Out - Be Thorough
Consider all audiences: cardholders, employees, shareholders, media, etc.
Remind customers of zero liability
Take credit for your efforts: what you have done and what is still in process
If you're working with law enforcement, make it known and cooperate completely
Provide real customer-focused support: hotlines, credit monitoring, other? Differentiator?
Monitor all information sources (Twitter, TripAdvisor, Yelp, you name it); you may need short-term help with this.

FBI's IC3: https://www.ic3.gov/crimeschemes.aspx

Report an issue: https://www.ic3.gov/complaint/default.aspx

Raise awareness around phishing: http://isbuzz.wpengine.netdna-cdn.com/wp-content/uploads/Untitled135.jpg

and raise awareness around social engineering: https://www.us-cert.gov/ncas/tips

Meet a partner in Ballantyne


Rebyc @rebycsecurity.com

Dimension Data @Dimensiondata.com

Internetwork Engineering @ineteng.com
