Security incident management


Upload: jitender-arora

Post on 02-Jun-2015


DESCRIPTION

Security Incident Management – How good is your strategy? Are you prepared for when it happens?

TRANSCRIPT

Page 1: Security incident management

Security Incident Management – How good is your strategy?

Jitender Arora, 5th November 2012

Disclaimer – It must be noted that the views presented in this talk are entirely my personal views. These views and the content presented here have no relation to my current or previous employers.

Page 2:

Why have an Incident Management strategy?

Page 3:

Typical Plan

Page 4:

Really…

Page 5:

Page 6:

How can we be confident?

• Who?

• How?

• What?

• Again?

• Who does what?

• Speed

Page 7:

Let’s collaborate and discuss

Let’s assume all of us here are employees (in different roles) of a high-end luxury retailer called “Darvey Hichols”, specialising in selling international luxury brand items to wealthy individuals and giving them a personal shopping experience.

There are multiple stores across the country at premium locations, with online and mobile channels for shopping as well. This group takes pride in providing a world-class shopping experience to its customers.

For simplicity, let’s assume IT is outsourced to an MSP (managed service provider).

Page 8:

Monday Morning @ 8:30am

Relationship manager at the MSP sends a message to the CIO

Dear CIO,

Good Morning, hope you are well. I wanted to bring an urgent matter to your attention. We have observed some strange activities on a few IT systems and we suspect that the systems have been infiltrated. We are investigating and will update you as soon as we have more information.

Regards

Relationship Manager

Page 9:

Immediate Steps

• Who needs to get involved?

• What should be done?

Page 10:

Monday Morning @ 9:00am

Email comes in from the website contact request form

Hi,

We would like to notify you that we have broken into your systems and are in possession of your customer database. If you want this data back, the cost is £1 million. If you do not respond and agree to pay within the next 4 hours, this data will be published online in the public domain. If you agree, reply to this email and we will give further instructions. We are enclosing a copy of 15 of your customer records to prove the authenticity of our claim.

[email protected]

Page 11:

Immediate Steps

• What are the immediate priorities?

• Who needs to get involved at this point?

• Who needs to be informed?

• Who plays what role?

• Pay or Not Pay?

Page 12:

Monday Morning @ 11:00am

Multiple employees receive calls from the press and media asking them to confirm this story.

By this time, the chairman of the board has called the CIO to provide an update at 11:30am.

• What update should be provided to the chairman?

Page 13:

Monday Morning @ 12:00pm

There is a news item on BBC News stating that they have heard from unknown sources that “Darvey Hichols” IT systems have been breached and their customer data has been stolen. They have been trying to get in touch with the organisation for its response, but nobody has yet agreed to comment on this story.

This story is now becoming hot news on Twitter; lots of celebrities who are “Darvey Hichols” customers are talking about it, and the story has gone into overdrive.

• What should be the response plan?

• Should the organisation talk to the press?

• If yes, who should talk to the press?

Page 14:

Monday @ 1:00pm

The first set of customer data is published online on multiple forums, with a promise that more data will be released in further chunks.

The board has called a crisis meeting and the CIO is summoned to that meeting to provide an update.

• What should be the response plan?

• What update should the CIO provide to the board?

• The CIO is asking you which facts should be presented to the board.

Page 15:

Page 16:

Humble Request

Page 17:

Questions?

LinkedIn: http://uk.linkedin.com/in/jarora

Twitter: @jee2uu