Incident Response and 2012 Cyber Threats & Security

September 11, 2012 2:00 pm


Online Tech hosted an interactive webinar on cyber threats, security and incident response on Tuesday, September 11 with Darek Dabbs, VP of Information Security at Sera-Brynn and April Sage, Director of Healthcare Vertical and Marketing at Online Tech.

When: September 11, 2012 @ 2 P.M. ET
Where: Online
Who: Darek Dabbs, VP of Information Security at Sera-Brynn and April Sage, Director of Healthcare Vertical and Marketing at Online Tech
What: Incident Response and 2012 Cyber Threats & Security
Description: Join Online Tech and Darek Dabbs, CISSP/PCI-QSA, VP of Information Security at Sera-Brynn, for a discussion on the latest known security threats and incident response methods. Sera-Brynn is a PCI-certified cyber security company staffed with members from the National Intelligence and Military Information Security communities. This webinar will feature the expertise of top technical security and compliance leaders, with a chance to answer questions after the presentation.

April: Hi, everyone and thanks so much for joining us today for another Tuesday at Two webinar. Today, we have a timely topic, talking about incident response and cyber threats and security.

To give us some expertise on the subject, we're happy to welcome Derek Dabbs, Vice President of Information Security at Sera-Brynn. Derek is a PCI Qualified Security Assessor and a Certified Information Systems Security Professional, or CISSP. With no further ado, Derek, I'm going to turn things over to you. Welcome and thanks for coming today.

Derek: Thank you. Thank you for having me. My name is Derek Dabbs with Sera-Brynn. Today, we're going to be talking about some cyber security threats and incident response.

In the introduction here, a couple of really foundational quotes ... "The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history." Compare that to the Manhattan Project in World War II, where they were developing a nuclear bomb, and the transfer of wealth when the Russians acquired that technology. The new cyber threats are beyond comparison with what can be taken these days. The monetary loss is so high.

Again, every major company in the United States has most likely already been breached as well. You just don't know about it, because the attackers are that good at what they're doing. They cover their tracks; they hide everything that they do.

Without the proper planning and processes behind that, organizations can set themselves up to be continuously breached and never know about it.

A little bit about myself. I spent the majority of my career supporting the Department of Defense, the Defense Intelligence Agency and a couple of the other three-letter agencies in the government sector.

Some of my highlights include working on multi-classification domains that are specifically air-gapped from each other. Additionally, I also supported the world's largest intelligence, surveillance and reconnaissance event. What that means in layman's terms is that all of the technologists who develop the cutting-edge intelligence and surveillance activities and technologies for the Department of Defense come to an annual exercise to showcase all of their cutting-edge stuff.

For example, all of the unmanned aerial vehicle technologies come to this event to showcase what they can and can't do to the military and other coalition forces who are present there.

The biggest difference with that is that when this event is set up, most organizations only have about 90 to 120 days to prepare for the entire event. Why that is significant is that I was able to take all of those unique and disparate capabilities attending that event and ensure that they all met and complied with information security requirements. Needless to say, when you're putting on the world's largest event of this nature, you get a lot of activity from other organizations who want to hack in to find out what's going on, and to collect their own espionage and information to determine what's going on.

April: Couldn't be a better target.

Derek: Absolutely. It's probably one of the world's largest targets for state-sponsored attacks.

The worldwide cyber risk ... the biggest thing with cyber risk is that it's a worldwide threat. Anybody can be attacking you from any place in the world. The majority of the attacks that we notice these days are coming from Eastern Europe and, believe it or not, Southwest Asia or the Middle East now.

These are not just attacks on the U.S.; these are global attacks. The historical thinking of "nobody will ever touch me" is not the case anymore. Just as easy as it is to send an email to anybody across the world, it's equally easy for that same person on the other end to attack or hack your computer and your network.

The different protection mechanisms: most everybody is familiar with physical security, fences, doors, magnetic locks, badge swipe access mechanisms. A lot of those are still very handy for the protection of cyber information. However, it does not stop the global threat. Your physical controls will only stop your local threats to your environment.

Logical protections for this would include firewalls, intrusion detection systems, and a couple of other different web application filters that will help protect your environment from exposure on the web.

Why do they do it? Why are people attacking right now? The majority of it is monetary. Right now, the cyber risks and the threats in the entire world bring in more money than the entire drug trade of marijuana, cocaine, heroin and methamphetamine combined. When you're reading the newspaper about the United States Coast Guard seizing 200 tons of cocaine, that's a drop in the bucket compared to the actual cyber money that's being stolen across the electronic wire.

Given that the cyber threats are that profitable and vulnerability is that profitable, all of your South American and other drug cartels and even the mafia are really starting to pursue cyber hacking, and some of their biggest targets are credit card information.

Right now, it's costing organizations worldwide cumulatively over $338 billion a year, which is a very large number. Not only is there the illegal trade going on with the cyber attacks, there are also state-sponsored attacks. You have countries such as China, Iran and Israel that are suspected of creating and launching specific cyber attacks against individual infrastructures and corporations.

The key point with that is that if you're a commercial entity and you have a manufacturing or a research and development laboratory, you can guarantee that you have either been hacked by China or you're about to be. They are taking manufacturing schematics left and right with their global trade capabilities.

Additionally, every second that goes by, 19 people fall victim to some form of online crime, whether it's data theft, social networking, email hacks, anything. It's just constant. Even today, I have a server that I put online just yesterday: unknown, brand new IP address, the whole nine yards. By today at 10 AM, I've noticed five different unique attacks that people have attempted against the server. This machine has only been on for about 12 hours. The threats are out there, and they're coming all the time ... they keep going on.

April: You know, we've really talked about the price associated with maybe someone's credit card number or their Social Security number, or maybe their healthcare record. That gives a whole new perspective that this is potentially the most highly incentivized area of theft right now.

Derek: Correct. It definitely is. A key aspect to that theft is how do they get away with it? How do they do it?

When a state or a country detects and identifies the potential hacks that are happening, they'll shut down the financial assets, commercial banking, credit card processing, and a similar instance was back in November 2010. I'm assuming that everybody has heard of Julian Assange and the whole WikiLeaks debacle that's been in the news for probably the last two years.

April: Sure.

Derek: The key thing with that is that the state-sponsored governments shut down all of his financial assets. Every bank account that they could reach out to, they shut it down. All of his card processing and donation capabilities ... coalition governments shut that down, so what does Julian Assange do with WikiLeaks? He starts using a technology called Bitcoin. It's a cyber monetary system that is completely and utterly immune to political pressure and monetary censorship. Meaning that once somebody converts a dollar into a bitcoin, the bitcoin is a cipher-encrypted string of ones and zeros on a computer that, once you transmit it, has a valuation as a real-world currency. It's completely encrypted and untrackable by all law enforcement organizations.

There's no tracking mechanism to it. It's from the gray hat and the black hat hacking communities. This is what they do to fund everything. From a national intelligence perspective, I would not be surprised if terrorism and narco efforts are also utilizing Bitcoin as their funding source, simply because it's completely untraceable and untouchable.

In relation to that, here's a small graph of the volume in dollars that Bitcoin is currently responsible for processing. You can see back in December 2011, I believe, a very large spike in the assets of that. If you go back to your national headlines around those timelines, you can notice that that is approximately when WikiLeaks was getting shut down with all of their bank accounts and card processing techniques.

You can see that small trend in the analysis of all the donations that that particular organization received through this Bitcoin vector of financial gain.

April: Whole new currency.

Derek: Yes, a totally new cyber currency. In relation to that also, some of you may have heard of a 3D avatar game called "Second Life." A lot of universities utilize this as an online meeting place. People get little avatars, they can walk around in a virtual world and converse and communicate with other people. Universities sometimes use it for actual lecturing and as part of their college curriculum. I know Harvard uses it pretty extensively as well.

Within that "Second Life" game, they have what is called "Linden Dollars." Those Linden Dollars are a virtual currency that has a translatable monetary value to non-virtual money; I believe the last I checked it was about five Linden dollars to one U.S. dollar.

What this could be is a possible money laundering, money hiding type of environment. The days of requiring offshore bank accounts to evade the law are basically gone, in my opinion. Now, everybody who has large amounts of money and is trying to hide it from the authorities will be using virtual currencies, simply because of the direct control that they have over the funds.

April: I wonder how long it will take the IRS to go techy then.

Derek: That's a good question. I'm not entirely sure on that, because everything right now is completely untraceable. The IRS would have to prove the income before they could even go after it, but if everything is paid in cash and it goes straight to digital, there's no trace.

I'd like to go into actual cyber threats now. Back in 2008, there was a specific Department of Defense attack that occurred. It was known in the community as Operation Buckshot Yankee, which was a reaction to thumb-drive-initiated malware.

What happened there is that back in the early part of 2008, over in the war theater of Afghanistan, a foreign intelligence service had allegedly dropped a thumb drive in a cyber cafe that was frequented by U.S. service members.

A U.S. service member then allegedly picked that up and put it into governmental classified computers. No one had ever seen that before at the time, and it took them, I believe, about 90 days before it was even detected that it was operating on their network. The significance of that is that once this is on a computer, it opens a backdoor connection and starts sending out data that it has collected from those classified networks and environments.

The big deal of that, which I'm trying to hit home with, is that all of the protections for Buckshot Yankee were a reactive measure. There was no expectation or thought of any protection to limit or disable the utilization of thumb drives.

A lot of times, you can relate it to your home computer. Whenever you put a CD into the CD tray, it auto-runs. Same thing when you put a thumb drive into a home computer: it auto-runs. It comes up and asks, "What would you like to do with this newfound device?"

The malware that was used in Buckshot Yankee, Agent.BTZ, would put its software on the machine whenever Windows attempted to auto-run based on that infected thumb drive. At the time, it was virtually undetectable.

April: Wow.

Derek: Then, moving on after that, another very large activity that a lot of people have heard about is the Stuxnet computer worm that predominantly affected the Iranian nuclear facilities.

It affected the Siemens Programmable Logic Controllers, which are the robots and machines that manage and control the nuclear facilities. These aren't your typical home computers running Windows or Linux operating systems.

It's a big deal because it was a specific attack designed to only affect those Siemens industrial tools and capabilities. I bring that up because if your organization has specific and unique environments, you're not exempt from being attacked like this.

Now and in the future, though, moving past Stuxnet, there is what is known today as the Flame malware. It is very similar and has a lot of the same characteristics as the original Stuxnet that was going after the nuclear facilities, except that now it has been retailored to attack everybody -- everybody with the Windows operating system. It still operates on the same auto-run infection vector, and it utilizes a privilege escalation exploit as well.

As soon as it's on your thumb drive, or on your computer, your machine is now owned. It's still spread via the same USB malware and zero-day exploits as well. What's interesting is that, looking back, Stuxnet happened back in 2010, but now, here we are in 2012; why is that same USB auto-run zero-day vulnerability still out there?

The simple answer is that the existing auto-run utility is very handy to have. You don't want to disable something that you use frequently.

April: Price for convenience.

Derek: For the organizations that become paranoid about that and ask, "Am I at risk of this?", that's where policies and procedures and technical controls can come into place, such as corporate policies to disable the use of individually owned USB drives or media.

There's also tattletale audit software that can be installed in a corporate infrastructure to prevent unknown USB devices from actually running inside of the corporate environment.

April: That would be a combination of both the technologies and also awareness, knowing what steps to take so that you can be as secure as possible. I mean, does anyone ever get to the point of being 100% secure?

Derek: Yes, the only way that you can become 100% secure from the online environment is to unplug from the internet. That's the only way you can be 100% secure. Therefore, everybody has to have a minimum level of risk acceptance. You have to know and understand the risks and then either accept them or mitigate them or unplug from the internet.

I'd like to open it up to the panel, the attendees, if there are any questions on the threats that I just mentioned.

April: Feel free to type them into the chat window or the questions window, and if we aren't able to get to all of your questions, we will certainly circle back with you. Or if a question comes to mind in the latter half of the presentation here, we'll stop again at the end to follow up.

Do you want to comment, Derek, on anything about the GoDaddy issue yesterday? Where does that fall in the spectrum of ...

Derek: Yes, certainly. I did a little bit of limited research this morning on the GoDaddy attack. I saw that the Anonymous group has potentially claimed credit for that attack.

The significant thing that I've learned from that, regarding the level and the type of attack that actually occurred with GoDaddy, is that it appears the attackers utilized a distributed denial of service to attack a certain segment of the GoDaddy servers.

There's really not a whole lot an organization can do to protect itself from a global denial of service attack. That is traditionally one of the absolute last tricks in a hacker's toolbox to take an organization down.

All of your compliance mechanisms, all of your policies and your procedures, you can be running at 110% success on those, but you can't stop a denial of service attack.

It's like your internet connection is the size of a garden hose, but when a denial of service attack hits you, somebody is attacking you with a fire hose's worth of information. What happens when you connect a fire hose to a garden hose? The fire hose is pushing a heck of a lot more data, or water, through than the garden hose can handle. That creates a denial of service: it does not allow any data to come in or out of GoDaddy's infrastructure.

Another piece of denial of service attacks that I'd like to comment on is the Secure Sockets Layer, SSL. A lot of you will see that in your web browsers with the little padlock icon.

Whenever you go to make a connection in your web browser using SSL, your computer itself might use, as a rough estimate, about three to five percent of its CPU power, but the receiving server that you're connecting to will use approximately five times that amount of processing power to initiate and authenticate an SSL session.

What that means is, if GoDaddy has an SSL server, and the CPU cycles to respond to SSL requests are five times those of the machine that's sending them, then if you have a thousand machines all attempting to connect via SSL at the same time, you're not going to touch those distributed computers and their processing power, but the server you're going after is going to completely hang up and completely die trying to answer all of those distributed SSL requests at the same time.

It's just one of those things that strikes me as a significant vulnerability, but at this time, there's no real technological workaround to prevent that level of attack.

April: We've got some other questions ... Derek?

Derek: There's different tips and ... I'm sorry. Go ahead.

April: We have a couple of good questions here. Let me share these with you. One is: in addition to a firewall, intrusion detection, and staff education, what are other suggestions for protecting private medical records?

Derek: Private medical records ... electronic health records. Be very cautious of bring-your-own-device. I notice a lot of healthcare professionals are now being allowed to bring their iPads, iPhones and Android devices into an organization.

When those individuals bring those into an organization and start accessing corporate sensitive data, how are organizations stopping the Apple iCloud backup service from backing up that corporate data, which is now on that iPad or iPhone, to an unsecured cloud?

That's still a technology that's being worked on right now. Some of my immediate fixes would be very strong firewall access control lists to prevent outgoing traffic for those devices.

Create a successfully segmented network. Don't allow your mobile devices, the bring-your-own devices, to be part of the same subnets as your corporate servers.

I say that because then you can take that specific subnet of employee-owned devices and specifically create a firewall rule set for that subnet.

April: That makes a lot of sense, separating the network so there's not as much potential for unauthorized access if there is something on that mobile device that is intrusive.

Derek: Mm-hmm. (Affirmative).

April: Another question was: what is a denial of service attack, exactly? I know you shared the example of the fire hose versus data coming out of a garden hose, but what are the exact mechanics of a denial of service attack?

Derek: There are a couple of different attack vectors for a denial of service, but the entire goal of a denial of service is to send so much internet traffic at a single server, router or firewall that it overwhelms that server's, firewall's or router's capability of handling all of that information.

Let's relate a server to a person's mailbox ... the good old U.S. snail mail. Your mailbox can only hold so many letters until you walk out to the street and pick up that mail. Same thing with a computer server, router or firewall.

They can only hold so much data before they can pass it on to the next source. If that mailman, or that attacker, slams that mailbox full of mail and everything else, all of a sudden you're in a denial of service, because the mailman cannot put your bills in the mailbox; it's full of junk mail and spam and everything else.

April: That's a great metaphor, Derek. Thanks.

Another question: are you any safer on a Mac versus a PC, or maybe a Linux box, or are you ever really safe regardless of what operating system you use?

Derek: Good question. In regards to Mac and Linux, we'll just go back and say, "Everything but Microsoft is at less risk." Microsoft is probably the most widely proliferated operating system in the world, therefore what are attackers going to go after? The most popular, most prevalently used operating systems.

That being said, in terms of viruses and malware designed for Windows operating systems, thousands of times more, and more different types of, viruses are created for Windows.

Macintosh, Linux: are there still viruses and malware created for those? Sure. Are they as prevalent, and are you at as high a risk as running a Microsoft operating system? Today, not as much risk, but you're not safe either way unless you practice smart computing and protect yourself.

April: Okay. Great. That's all the questions we have so far, and I know you've got some more tips for us regarding how to be prepared and protect systems.

Derek: Correct. Great. All right. I'd like to move on to protecting yourself and your organization. I'd recommend that everybody write down that link at the bottom, so you can dive deeper into all of these SANS Critical Controls. These were originally developed by the heads of the government, the Department of Homeland Security, the National Security Agency, and a couple of other large CTOs within the information security community.

You can see there's 20 core focus areas or different disciplines to protect your corporate environment. What I'm going to be focusing on today is number 18, the incident response capabilities.

Incident response is a synonym for forensics capability in the computer world. In relation to local law enforcement activities, when law enforcement responds to an incident, what do they do? How do they react to the bank getting robbed around the corner? How do they know what to do? Because they planned out their entire evolution and efforts on how to respond to those types of events.

Every organization should have a capability to respond to that, however limited it may be. It could be something as small as having a system administrator shut a system down as a response. Every organization is going to be unique with its own incident response and forensics planning.

I'm going to go through a few of the highlights, not too deep into the weeds, on how to set your organization up to be better capable of reacting to, and potentially preventing, incidents from occurring.

April: Great.

Derek: Some of the things that you want to know in your organization are: who should be involved with the incident response and forensics parts of events at your organization?

Organizations should decide which parties will take care of the tasks based on skills, abilities, cost, response time, and data sensitivity. That's important because if an organization just got hacked and lost healthcare records, who do they have to notify if they lost records or suspect they lost records? Do they contact their legal department? Do they contact Human Resources, etcetera, etcetera?

Those kinds of response plans, of who's going to be involved, should be clearly identified. All the analysts and the system administrators and the technical control personnel who are going to be involved with that should have the knowledge and the resources to respond.

Again, this goes a little bit more into the forensic capabilities. You should always, if you can, have more than one user or administrator assigned to those tasks. Hands-on exercises and forensic training courses can be helpful in maintaining the skills, the tools and the technologies.

April: Derek, wait. A quick question here. If you're an independent consultant handling PHI, what's the minimum you should do to address an incident?

Derek: If you're an individual consultant, I'd have to ask: is it an incident that occurred on your single workstation, or one identified at a customer or client organization? Those would be totally different responses.

April: Okay, so it probably depends a lot on the client and the impact to the data that you're dealing with.

Derek: Yes, exactly. Typically, as a consultant or a third party looking in, you are not the data owner, so traditionally, if there's a suspected data breach, the first thing you want to do if you are not the information owner is to notify the owner of the information or those records.

From there, the owner of that data should have an established response plan. The key thing is: don't be afraid to report it. The worst thing you can do is not report it. That's when the security individuals and the corporations get very antsy. If you don't report it, we potentially lose the opportunity to conduct forensics, as well as to determine where the attack came from and how it occurred.

A key part of the forensics is that everybody needs to know what their roles and responsibilities are and how to carry them out. One of the key things is, when an IT administrator or any user in a corporate environment identifies a potential data breach, or something is just not acting right on their computer, what do they do? Who do they call? What is the contact tree for an exercise or an event of that nature?

Those are good things to have, so everybody knows who to call. The key point on that is, if you have a significant loss of electronic healthcare records at a billion-dollar healthcare organization, do you want your level one system administrator calling to report that incident to the CEO or the CTO of the organization, or do you want them to go to the lead supervisor of the IT department to validate and verify that that data was actually lost or is suspected of being lost?

Have an appropriate contact tree to verify and validate that the proper information and reporting within the organization is getting to the decision makers.

April: It probably makes sense to have a few test runs in advance of something actually happening.

Derek: You're absolutely right. I may comment on that as well in another slide or two, I believe, which is very key. If you have all the policies and procedures in place, what good are they if you never test or evaluate them? Even something as simple as doing a dry run is a great way of testing and evaluating that your procedures are going to work.

Another key area is having documented rules of engagement for your response team. Meaning that, if your system administrator comes in and just, carte blanche, powers everything down the improper way. There are proper ways, other than just poking a machine in the eye to take the power down or simply unplugging it from the wall.

When improper techniques like that occur, you run the risk of losing significant audit data that could be wrapped around that particular attack or data loss, because a properly configured computer will have tattletale reports in system logs that will tell forensics teams: What happened? Where did it come from? What time did it happen, and potentially what data was accessed and/or transferred?

If you turn the machine off the wrong way, or if your rules of engagement for your administrators are not properly developed, you run the risk of losing the incident response battle before it even starts.

April: That's a really interesting point. I'm sure in an incident situation, the biggest panic point will be making it stop no matter what, but if you lose the ability to figure out what happened and how to stop the next attack, then it's really not going to do you a lot of good just to stop today's attack if it just repeats tomorrow and you're on to the same threat.

Derek: Exactly. You're exactly right. In addition to that, there are internal corporate policies: do your administrators have full-blown data access to the research and development part of the business? Have all of your administrators or personnel on that response team been fully vetted and deemed trustworthy to have access to everything in the organization? Because what the hackers are going for is the most sensitive data of an organization.

Make sure that your staff is trustworthy to be able to work on that environment and to provide those response techniques.

Again, address the inadvertent disclosures and long-term storage of sensitive information captured by the forensics tools. After the event has happened and your administrators, your response team, have collected the data wrapped around that incident, what are your privacy rules on that? Those administrators collected protected health information, or the forbidden PCI credit card data, or any other type of very sensitive data as deemed by the organization. What are the privacy rules and data retention policies wrapped around that? Just because an incident happened does not mean you want to put your guard down on pursuing the response and the forensics of that environment.

Address the monitoring of networks, as well as requiring warning banners on systems that indicate activity might be monitored. Most organizations that I've seen have been implementing login banners these days: "This computer is monitored for blah, blah, blah, blah, blah." On the other side of that, on the commercial and civil rights side, users have an expectation of reasonable privacy.

However, you want to make sure that your organizational policies notify your users, either through user agreements, login banners or corporate human resources policies, so that all of the users are aware that they can be tracked and traced, that they do not own the corporate computer, and that they are just a user on that computer.

Who owns the data? The data owners are what's most important.

Step-by-step procedures should explain how to perform the routine tasks. When you have an incident response plan, you want to have a definable and repeatable process that can be reused for 90 to 95% of all attacks. The things mentioned earlier are those processes: the contact tree, how is it reported? How is it validated or verified?

A lot of those rudimentary steps can be identified in a definable and repeatable process in procedures. Make sure of your evidence handling procedures. If you're an organization that would want to pursue law enforcement action, or legal proceedings, after an incident: everybody has watched CSI or Law and Order. They've heard the words "chain of custody." It's no different here.

Cyber data, electronic data, can easily be manipulated to however you feel. Therefore, during the incident response, you have to make sure that your chain of custody is absolutely bulletproof if you intend to pursue legal proceedings.

Again, always regularly review your processes and procedures because what works today may not work tomorrow or six months from now. It's one of those things that is never a set-it-and-forget-it response. You always have to be planning ahead for the next event.

The fun stuff, the actual technical response for an incident ... I recommend that all of the analysts or the system administrators who are charged with actually conducting the forensics or the technical aspect of an incident response should always have some type of forensics toolkit for data collection.

I know Linux has a couple of different security distributions that are capable of being loaded or booted off of a CD or a USB drive of some type. The key thing that you need to have in your forensics toolkit is the ability to collect and examine volatile and non-volatile data.

The difference between those two is that non-volatile data does not disappear when you turn the computer off. That's traditionally the information that's held on your hard drive or your floppy disk, any type of physical media that holds the stored data. The volatile memory, or what you may also see in some computers as your Random Access Memory: how much RAM does your computer have?

When you turn your computer on and off, everything that was in RAM disappears completely. Again, proper shutdown procedures are important, and with the technical preparation your analysts need to have the capability to collect that volatile data that could be present within RAM.

A lot of attacks utilize that to their advantage knowing that they can put their virus or their malware inside of your computer's RAM, and it runs and it runs, you never know, and then all of a sudden things go bad, you panic, you reboot the computer. All of a sudden you've lost potentially all of your forensic capability from that particular malware or virus.

You want your toolkit to also have the capability to do quick reviews of data, quick validation and verification that the suspected attack was validated or verified. This is the kind of thing that you want to be able to get a quick answer within 30 to 60 minutes.

On the flip side, in regards to quick reviews, you also want to be able to do the very long, in-depth, drawn-out review of all the data.

Network administrators. Preventing and providing adequate storage for network activity. How many organizations know how many Megabytes of traffic that they actually transmit in and out of their organization throughout the business day? What is the trend of how much data comes through on a Monday versus a Friday?

Having those types of metrics and data collection on your environment would drastically increase your threat detection, because if you're used to having one gigabyte of data traffic on a Monday, and then all of a sudden your organization is transmitting a hundred times that amount of data, there's an anomaly there that you might want to take a look at and pursue.

April: That's a great point. Sounds like it's really wise to know your own backyard, so that if there's some random wild animal wandering around through your network, at least you have a better chance of recognizing it.

Derek: Absolutely. That's exactly right. In closing, the forensics is a consistent process. You want to ... First, once an incident has been reported, it then goes into collection of the data. That's usually the immediate response. What do we need to do to collect the data in order to perform a forensics investigation?

After your data is collected, everybody would then go into an examination. You got the data, let's examine it and see if that attack or that threat really occurred. Did it occur or did it not? You've got the analysis piece on that as well.

Finally, there is the reporting aspect. Different organizations and different businesses have unique compliance and reporting requirements. If you're a DoD or a governmental organization, you have mandatory reporting requirements to the government.

Some states and local governments are also requiring mandatory reporting of any incidents that occur. I can speak to the State of Virginia right now. I believe it was last year, our district attorney for the entire State of Virginia made it mandatory for commercial entities to report all suspected data breaches to his office.

Be aware, all of you.

April: Wow, and I know ... Yes, those in healthcare or any other compliant or regulated market have got their own respective agencies that they're required to report to, and knowing what information you have to collect, what steps you have to take, and the timeframe in which you have to make those reports is all background work that has to happen before a breach happens. It's part of doing your homework.

Derek: My strong opinion also on the reporting is share the information. How are you going to protect yourself? How are other organizations going to protect themselves from a similar threat?

Some of you may not care if other organizations get attacked. I sometimes feel the same way, but if everybody is sharing information, everybody can protect themselves, because everyone has the same common enemy, and that is data loss and being data breached. Nobody wants that to happen.

April: Great point.

Derek: Part of the data collection ... you want your analyst to collect real data, the proper data, standard processes ... I discussed the volatile data where it's stuck in RAM, making sure that it's addressed and acquired properly. Proper shutdown methods, and preserve and verify file integrity.

That's important when you're doing the chain of custody type events, where data can be changed by, say, a rogue insider threat in your organization, and you never know. That's why you have to preserve and verify that integrity in the chain of custody.

The examination and analysis, if there's to be a dynamic step of incident response, this is the area where it's going to be the most dynamic and different almost every time.

I briefed that it's a methodical approach, just studying the data. Without a pure umbrella of attack knowledge or hacker knowledge, the analysts are going to be fairly limited right here on examination and analysis.

There are so many different threats that are out there, and every single one of them is slightly different. This is where I reach back to sharing the data and reporting the threats and the potential breaches to your required organizations.

By reporting and sharing it, it brings everybody's knowledge of cyber security to the top.

Here's back to reporting, in closing as well. Make sure it's done right. Make sure you know who you need to report it to. If I were to list everybody's unique environment here, it would be extremely long. Everybody's got different requirements for reporting and processing and who they report to.

Healthcare has HIPAA requirements; HITRUST does as well. We've been there as well. Anybody processing credit cards or payment cards also has mandatory reporting procedures and policies. Same with government at the state, local and federal level.

Typically, the old saying goes as "Everybody has a boss." Same thing, everybody has to report to somebody. There is no high authority.

Is there ... some of my Sera-Brynn colleagues and their points of contact ... if anybody has further questions after this brief, these are some points of contact you can reach out to, to ask questions or generally talk to us about your environment.

April: Super, Derek. This was a great overview, very timely. Greatly appreciate it. With your permission, you can let us know which of this contact info you'd like posted along with the slides.

For those of you, if we did not get to your question during the time allotted today, I will forward your question on to Derek and give him an opportunity to answer you directly.

Let me just do a quick recap on the upcoming events. For those of you who are locals to the Ann Arbor area, feel free to join us this Friday for Fall Into IT Seminar. We're also going to be experimenting with our first live streaming of the event, so if you're willing to be a guinea pig and give us some feedback, go ahead and register for Friday and you can check out our live stream.

On Tuesday and Wednesday, September 25th and 26th, we'll be in Novi, Michigan for the Michigan HIMSS event, for those of you who are in the healthcare space in Michigan.

On Tuesday at two, October 2nd, we'll be giving a webinar with Dr. Marie Michelle Strauss about Mobile Security.

We'll be in Des Moines, Iowa in November for the Midwest HIMSS conference, and then down in the DC area, December 3rd and 5th for the mHealth Summit.

Come party with us to New Orleans in March. We'll be down there for HIMSS 2013. Thanks again, Derek. Wonderful presentation. Thanks to everyone who joined us today and I'm sure we'll see you online or in person soon.

Derek: All right. Thanks for having me.

April: Thanks, Derek. We'll be in touch soon. Take care, everyone.

Derek: All right. Goodbye.

April: Bye.


Darek Dabbs, CISSP/PCI-QSA, is the VP of Information Security at Sera-Brynn, a premier cyber security company located in South East Virginia. He has over 15 years' experience supporting multi-tiered and highly classified information security efforts in both the Government and Private Sectors.


April Sage, CPHIMS, Director Healthcare Vertical, Online Tech

April Sage has been involved in the IT industry for over two decades, initially founding a technology vocational program. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.

Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.
