Incident Response and Forensic Preparedness
TSCPA Expo
CLAconnect.com
Michael Nyman, CPA, CISA, CISSP, CRISC, CIITP
CliftonLarsonAllen LLP
Information Security Services
©2014 CliftonLarsonAllen LLP

Our perspective…
– Started in 1953 with a goal of total client service
– Today, industry specialized CPA and Advisory firm ranked in the top 10 in the U.S.

Agenda
• Cyber Crime Trends
• Incident Response components
• Common mistakes

Learning Objectives
At the end of this session, you will be able to:
1. Recognize the current risk environment
2. Obtain an understanding of the fundamentals of responding to a computer security incident
3. Obtain an understanding of the types of data that may be critical to investigating an incident
4. Understand some common mistakes that organizations make

Security is a Business Issue, Not a Technical Issue
Definition of a Secure System:
“A secure system is one we can depend on to behave as we expect.”
Source: “Web Security and Commerce” by Simson Garfinkel with Gene Spafford
Rules / People / Tools
• Confidentiality
• Integrity
• Availability

CliftonLarsonAllen – Mike Nyman
• Mike Nyman
– Alphabet Soup
– IT Controls / Security
– Softball
– Scoutmaster
– Dad

Boy Scouts, IT Professionals, & Incident Handling
• Boy Scouts
– Be Prepared
– Mountain Man Rendezvous Trip Preparation
– Road Trip!!!

Boy Scouts, IT Professionals, & Incident Handling
• Mountain Man Rendezvous
– R BAR C Scout Ranch
– Daily Routine
– Business as Usual…

Boy Scouts, IT Professionals, & Incident Handling
• Boy Scouts
– Knife

Cyber Crime Trends

What do the following have in common?
• City finance office
• Mining company
• Small CU (~$120M)
• Catholic church parish
• Rural hospital
• Health care trade association
• Collection agency
• Main Street newspaper stand
• Large CU (~$1.8B)
• On and on and on and on…

Three Reasons Why We Should Care
• Organized Crime
– Wholesale theft of personal financial information
• Payment Fraud – Corporate Account Takeover
– Use of online credentials for ACH, CC and wire fraud
• Hackers are targeting you!
– A variety of cash out schemes

Norton/Symantec Corp – The Cost
• Norton/Symantec Corp.
• Cost of global cybercrime: $114 billion annually.
• Time lost due to cybercrime: an additional $274 billion.
• Cybercrime costs the world significantly more than the global black market in marijuana, cocaine and heroin combined ($288 billion).
– Hackers go for the “easy money”
– Credit union members are much easier targets than the banks themselves

Hackers, Fraudsters, and Victims
• Opportunistic Attacks
• Targeted Attacks

Hackers and Fraudsters
• Objectives…
– Identity Theft and Account Hijacking
◊ Phishing
◊ ACH fraud
  – Identity theft and fraudulent credit
  – Corporate Account Takeovers
– Targeted Attacks
◊ Internal access for privilege escalation (“control systems”)
◊ Corporate/Government Espionage - Mass data theft
◊ Access to Intellectual Property (IP) or Financial Information
◊ Targeted “Corporate Account Take Over”
– System Access for “Processing Power”
◊ Bot Nets

Phishing and ACH – Examples
• Church ($29,000 and $32,000)
• Public School District ($110,000)
• County Hospital System ($150,000)
• Trade Association ($1,088,000)
• Manufacturing Company ($348,000)
Security Breach
• Credit Union – Heartbleed
• Credit Union – Member “cash out”

Incident Response

Defining an Incident
• What is an incident?
– NIST 800-61 Rev2: “A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.”
• How does your response plan define an incident?

Types of Incidents
• External
– Email Phishing
– Malicious Website
– Website hacking
– Social Engineering
• Internal
– Malicious Insider
– Rogue IT employee
– Issues with vendors/service providers
– External party physically intruding

Case Study 1 - Church

Case Study 1
• Background:
– A Church’s internal network and internet banking account were breached
– A $30,000 fraudulent ACH payroll transaction was submitted via online banking and processed by the bank
– The organization’s workstation was infected with the Zbot Trojan through a “DocuSign” phishing email appearing to come from administrator@<organization>.org

Case Study 1
• Lessons learned
– No incident response plan
– No communication protocol
– Lack of employee awareness
– Lacking Segregation of Duties/Excessive Access

Case Study 1
• Lessons learned
– Weak network controls
◊ Shut down system – lost running memory
◊ Server logging was not enabled
◊ No formal IT support
◊ Excessive spam containing malicious attachments and links
◊ No web content filtering system
• Don’t panic! Assess the situation first and maintain documentation!

Incident Response Fundamentals – NIST 800-61
• Develop an incident response policy and plan
– Management should support the mission
– Consider and define the following:
◊ Scope of the policy and plan
◊ Computer security incidents
◊ Roles and responsibilities
◊ Prioritization (tie back to BIA)
◊ Performance measures
◊ Reporting and contact forms

Incident Response Fundamentals – NIST 800-61
• Develop incident response procedures
– Establish lines of communication with internal and external sources
◊ Staff
◊ Board
◊ Examiners/Regulators
◊ Law enforcement
◊ Media
◊ Vendors
◊ ISP

Incident Response Fundamentals – NIST 800-61
• Develop incident response procedures
– Define and develop a team
◊ Determine capabilities of team members
– Consider other supporting groups
◊ Legal
◊ Human Resources
◊ Media Relations
◊ Outside (consulting) support

Incident Response Fundamentals – NIST 800-61
• Develop incident response procedures cont…
– Documentation requirements
– Post incident response review – what can we improve on?
– Perform incident response procedure testing
◊ Table top exercises
◊ Simulations
– Establish a training program for IR team and employees

Incident Response Fundamentals – NIST 800-61
Incident Handler Communications and Facilities
• Contact information for team members and others within and outside the organization (primary and backup contacts)
• On-call information for other teams within the organization, including escalation information
• Incident reporting mechanisms, how to report incidents; at least one mechanism should permit people to report incidents anonymously
• Issue tracking system for tracking incident information, status, etc.

Incident Response Fundamentals – NIST 800-61
Incident Handler Communications and Facilities
• Smartphones to be carried by team members for off-hour support and onsite communications
• Encryption software to be used for communications among team members, within the organization and with external parties; for Federal agencies, software must use a FIPS-validated encryption algorithm
• War room for central communication and coordination
• Secure storage facility for securing evidence and other sensitive materials

Incident Response Fundamentals – NIST 800-61
Incident Analysis Hardware and Software:
• Digital forensic workstations and/or backup devices to create disk images, preserve log files, and save other relevant incident data
• Laptops for activities such as analyzing data, sniffing packets, and writing reports
• Spare workstations, servers, and networking equipment, or the virtualized equivalents, which may be used for many purposes, such as restoring backups and trying out malware

Incident Response Fundamentals – NIST 800-61
Incident Analysis Hardware and Software:
• Blank removable media
• Portable printer to print copies of log files and other evidence from non-networked systems
• Packet sniffers and protocol analyzers to capture and analyze network traffic
• Digital forensic software to analyze disk images

Incident Response Fundamentals – NIST 800-61
Incident Analysis Hardware and Software:
• Removable media with trusted versions of programs to be used to gather evidence from systems
• Evidence gathering accessories, including hard-bound notebooks, digital cameras, audio recorders, chain of custody forms, evidence storage bags and tags, and evidence tape, to preserve evidence for possible legal actions

Incident Response Fundamentals – NIST 800-61
Incident Analysis Resources
• Port lists, including commonly used ports and Trojan horse ports
• Documentation for OSs, applications, protocols, and intrusion detection and antivirus products
• Network diagrams and lists of critical assets, such as database servers
• Current baselines of expected network, system, and application activity
• Cryptographic hashes of critical files to speed incident analysis, verification, and eradication

Be Prepared
• Documentation…
– Network diagrams
– Application diagrams and flow charts
– System inventories
– Locations and types of event logs available for analysis

Case Study 2 – Public School District
http:// mytimeufa.ru/images/nacha_paychange[.]html

Case Study 2
• Employee clicked on a phishing email appearing to come from the National Automated Clearing House Association (NACHA)
– Embedded link resolves to a Russian IP address
• Employee’s internet banking credentials were compromised
• Employee’s browser was injected with malicious HTML asking for additional confidential information when they visited the internet banking site
– Employee also received a call from a supporting actor in the attack

Case Study 2
• Attacker initiated approximately $125,000 in fraudulent ACH transactions
• The “weird call” prompted the employee to call the bank and transactions were stopped
• Additional information:
– Employee indicated to IT that antivirus logs were reporting malicious activity the day before the malicious transaction activity

Case Study 2
• Lessons Learned
– No incident response plan (trend?)
– Lack of employee awareness (trend?)
– Lacking segregation of duties/excessive access (trend?)
– IT indicated the employee’s system was “clean” – this was not the case
– Lack of log retention
– System was powered off

Critical Data in an Incident
• Systems directly impacted
– Employee indicated they clicked on email
– AV logs indicate malicious files
– Weird activity
• Logs
– Server and workstation logs
– Internet banking logs – detail is key!
– Firewall
– AV logs
– IDS/IPS logs
– Network packet capture
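
The slide names the log sources without showing what a handler does with them. The following is an added example, not code from the presentation or from CliftonLarsonAllen: it parses constructed workstation AV log lines and internet banking log lines (the hostnames, user names, IP addresses and timestamps are invented; the Zbot name is the one the Case Study 1 slide uses), merges them into one timeline, and flags an ACH batch when the submitting user's workstation logged an AV detection shortly before it, or when the amount meets a dollar threshold. The 48-hour window and the $100,000 threshold are assumptions chosen for the example, not figures from the deck.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the presentation). Two of the
# sources the slide lists: workstation AV logs and internet banking logs.
AV_LOG = """\
2014-03-10 14:02:11 host=FIN-WS07 user=jdoe event=Detection threat=Trojan.Zbot action=Quarantined
2014-03-10 14:05:40 host=FIN-WS07 user=jdoe event=Detection threat=Trojan.Zbot action=Failed
2014-03-11 08:15:03 host=HR-WS02 user=asmith event=Scan result=Clean
"""

BANKING_LOG = """\
2014-03-11 09:12:44 user=jdoe src_ip=203.0.113.5 action=Login result=Success
2014-03-11 09:20:10 user=jdoe src_ip=203.0.113.5 action=ACH_Batch amount=125000.00 result=Submitted
2014-03-11 16:45:02 user=asmith src_ip=198.51.100.77 action=Login result=Success
2014-03-12 17:30:00 user=asmith src_ip=198.51.100.77 action=ACH_Batch amount=2500.00 result=Submitted
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
KV = re.compile(r"(\w+)=(\S+)")


def parse_log(text, source):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines (an assumed format) into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = dict(KV.findall(line[19:]))   # everything after the 19-char timestamp
        fields["ts"] = datetime.strptime(line[:19], TS_FMT)
        fields["source"] = source
        events.append(fields)
    return events


def build_timeline(av_text, bank_text):
    """Merge both sources into one chronological list, the first thing a
    handler wants when reconstructing what happened and in what order."""
    events = parse_log(av_text, "av") + parse_log(bank_text, "banking")
    return sorted(events, key=lambda e: e["ts"])


def correlate(av_text, bank_text, window=timedelta(hours=48), threshold=100000.0):
    """Flag ACH batches submitted by a user whose workstation logged an AV
    detection within `window` beforehand, or whose amount meets `threshold`.
    Both defaults are assumptions for this example. Returns a list of
    (timestamp, user, amount, reasons) tuples."""
    detections = [e for e in parse_log(av_text, "av") if e.get("event") == "Detection"]
    flagged = []
    for tx in parse_log(bank_text, "banking"):
        if tx.get("action") != "ACH_Batch":
            continue
        reasons = []
        for d in detections:
            age = tx["ts"] - d["ts"]          # how long before the batch the detection fired
            if d.get("user") == tx.get("user") and timedelta(0) <= age <= window:
                reasons.append(f"AV detection of {d.get('threat', '?')} on {d.get('host', '?')} "
                               f"{age} before the batch (action={d.get('action', '?')})")
                break
        amount = float(tx.get("amount", "0"))
        if amount >= threshold:
            reasons.append(f"amount {amount:,.2f} meets threshold {threshold:,.2f}")
        if reasons:
            flagged.append((tx["ts"], tx["user"], amount, reasons))
    return flagged


if __name__ == "__main__":
    for e in build_timeline(AV_LOG, BANKING_LOG):
        print(e["ts"], e["source"], {k: v for k, v in e.items() if k not in ("ts", "source")})
    for ts, user, amount, reasons in correlate(AV_LOG, BANKING_LOG):
        print(f"FLAG {ts} user={user} amount={amount:,.2f}: " + "; ".join(reasons))
```

Run as written, the jdoe batch is flagged on both counts (a Zbot detection about nineteen hours earlier on FIN-WS07, and an amount over the threshold), while the asmith batch is not. The point the Case Study 2 slides make is visible here: the AV evidence existed a day before the money moved, and a correlation like this only works if both logs were retained and kept enough detail to join on user and time.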

Critical Data in an Incident
• System memory
– In both cases described above, the system was powered off…critical evidence was lost
– Think before you pull the plug, don’t panic
◊ Why are we pulling the plug?
◊ What data may be lost?
– Train employees on what to do if they think they have malware on their system
• Journaling – write everything down in detail
• Other
– Video surveillance
– Alarm and door logs
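
Two slides make the same point: the evidence-gathering accessories slide lists chain of custody forms, and this one says to write everything down in detail. As an added example (not from the presentation or from CliftonLarsonAllen), here is a small hash-chained incident journal: each entry records who did what to which artifact and when, the SHA-256 of any artifact collected, and the hash of the previous entry, so a later edit, deletion or reordering of the notes is detectable and the custody history of one item can be pulled out. The handler names, the hostname FIN-WS07, the evidence tag and the memory image bytes are all constructed.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64   # "previous hash" of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field except the hash itself, in a canonical JSON form."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


class EvidenceJournal:
    """Append-only incident journal with a hash chain over its entries."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, artifact=None, artifact_bytes=None, note="", when=None):
        entry = {
            "seq": len(self.entries),
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "artifact": artifact,
            "artifact_sha256": sha256_hex(artifact_bytes) if artifact_bytes is not None else None,
            "note": note,
            "prev": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or e["entry_hash"] != entry_hash(e):
                return False, i
            prev = e["entry_hash"]
        return True, None

    def custody_of(self, artifact):
        """Chain of custody for one artifact: when, who, and what they did."""
        return [(e["time"], e["handler"], e["action"]) for e in self.entries if e["artifact"] == artifact]


def artifact_matches(entry, data: bytes) -> bool:
    """Check that an artifact still hashes to what the journal recorded at collection time."""
    return entry["artifact_sha256"] == sha256_hex(data)


# Constructed stand-in for a memory capture; a real one is a file on disk.
MEMORY_IMAGE = b"CONSTRUCTED SAMPLE MEMORY IMAGE " * 8


def demo_journal():
    """Constructed scenario for a hypothetical workstation FIN-WS07, with fixed timestamps."""
    j = EvidenceJournal()
    t0 = datetime(2014, 3, 11, 9, 40, tzinfo=timezone.utc)
    j.record("handler-A", "disconnected from network, left powered on", "FIN-WS07",
             note="user reported AV alerts the previous day", when=t0)
    j.record("handler-A", "memory image captured before any shutdown", "FIN-WS07-memory.raw",
             MEMORY_IMAGE, when=t0 + timedelta(minutes=5))
    j.record("handler-A", "sealed in evidence bag E-001 (hypothetical tag)", "FIN-WS07-memory.raw",
             when=t0 + timedelta(minutes=20))
    j.record("handler-B", "received from handler-A for analysis", "FIN-WS07-memory.raw",
             when=t0 + timedelta(hours=2))
    return j


if __name__ == "__main__":
    journal = demo_journal()
    print("chain intact:", journal.verify())
    for row in journal.custody_of("FIN-WS07-memory.raw"):
        print(*row)
```

The chain only proves that the journal was not altered after the fact relative to its last known-good hash; keep that final hash (or the whole journal) somewhere the handler cannot quietly rewrite, such as the secure storage the earlier slide describes, and the hard-bound notebook remains the authoritative record for legal purposes.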

Critical Data in an Incident
• Vendor systems - critical data may reside here!
– Inventory where your data resides
◊ What data do vendors store, process, transmit?
◊ What systems are used for wires, ACH, bill pay, etc…?
◊ What happens if the data on those sites is compromised or fraudulent transfers are approved?
◊ What does the contract say?
– Do the vendor systems that control your data or money log ALL activity?

Common Mistakes

Case Study 3 - Hospital
• Finance person is phished
• Employee’s internet banking credentials were compromised
• Fraudulent ACH payroll files totaling over $150,000 are sent
• Law enforcement
• Independent investigations (two of them…)
• Problems with investigation…
• Closing call to compare investigations

Case Study 4 – Trade Association
• Finance person receives “2000 spam messages”
• Later in the day, fraudsters make three ACH transfers all within 30 minutes:
– $8,000 to Houston
– Two transfers for $540,000 each to Romania
• In this case, business insists the following controls were not followed:
– Dollar limit/thresholds were exceeded
– Call back verification did not occur
• Lessons learned…

Case Study 5 – Credit Union (Last Week)
• Malware on the network
• Windows domain credentials created
• Core application credentials hijacked
• Member accounts modified
• “Cash” deposit at branch
– After close of business
– Associated w/ employee who was not working that day
• $ Mule attempts to withdraw funds the next day

Sources for Standards and Guidelines
• NIST 800-61: Computer Security Incident Handling Guide
http://www.nist.gov/customcf/get_pdf.cfm?pub_id=911736
• PCI Requirements
https://www.pcisecuritystandards.org/documents/PFI_Program_Guide.pdf
• SANS/GIAC Certified Incident Handler
http://www.giac.org/certification/certified-incident-handler-gcih
• State laws:
http://www.privacyrights.org/data-breach#10

Conclusion
• Develop a mentality of:
– “If (and when) this happens to us, we’ll be ready to respond…”
Not:
– “This will never happen to us…because <fill in the blank>”
• Practice…

Questions?
Hang on, it’s going to be a wild ride!!
Mike Nyman, Senior Manager
Information Security Services Group
Michael.nyman@claconnect.com
(602)604-3524

Thank you!

References
• NIST SP800-61
– http://csrc.nist.gov/publications/drafts/800-61-rev2/draftsp800-61rev2.pdf
• FFIEC Cybersecurity Guidance
– https://www.fdic.gov/news/news/financial/2014/fil14021.html
• Verizon Breach Analysis Reports
– http://www.verizonenterprise.com/DBIR/2014/

NIST 800-86
Supporting Forensics in the Information System Life Cycle
• Performing regular backups of systems and maintaining previous backups for a specific period of time
• Enabling auditing on workstations, servers, and network devices
• Forwarding audit records to secure centralized log servers (SIEM)
• Configuring mission-critical applications to perform auditing, including recording all authentication attempts

NIST 800-86
Supporting Forensics in the Information System Life Cycle
• Maintaining a database of file hashes for the files of common OS and application deployments
• Using file integrity checking software on particularly important assets
• Maintaining records (e.g., baselines) of network and system configurations
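
Both the NIST 800-61 resources slide (cryptographic hashes of critical files) and the NIST 800-86 bullets above (a hash database, file integrity checking) come down to the same mechanism. As an added example, not code from the presentation, from CliftonLarsonAllen or from either NIST document, here is a minimal version of it: build a baseline of SHA-256 hashes over a directory tree while the system is known good, store it off-host, and later diff the current state against it to list added, removed and modified files. The directory layout, file names and contents in the demo are constructed inside a temporary directory so the script runs anywhere; FIN-WS07 is a hypothetical hostname.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link cannot stand in for the file it points at."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare_baselines(known, current):
    """Classify differences between the trusted baseline and the current state."""
    known_files, current_files = set(known), set(current)
    return {
        "added": sorted(current_files - known_files),
        "removed": sorted(known_files - current_files),
        "modified": sorted(f for f in known_files & current_files if known[f] != current[f]),
    }


def demo():
    """Constructed scenario: baseline a small tree, change it, and re-check."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as vault:
        root = Path(host)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary (constructed)")
        (root / "etc" / "app.conf").write_text("log_level=info\n")

        # The baseline lives off-host (the "vault" directory here), so it is
        # neither part of the tree being checked nor writable from that tree.
        baseline_file = Path(vault) / "fin-ws07-baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes of the three kinds a handler wants surfaced
        (root / "bin" / "svc.exe").write_bytes(b"patched service binary (constructed)")
        (root / "etc" / "app.conf").unlink()
        (root / "bin" / "dropper.dll").write_bytes(b"unexpected new file (constructed)")

        return compare_baselines(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A baseline is only as trustworthy as its storage: if the JSON file sits on the host it describes, an intruder who can change svc.exe can also re-hash it, which is why the 800-86 bullet pairs the hash database with maintaining records elsewhere. Production tools add signed baselines, scheduled runs and exclusions for files that legitimately change, but the comparison logic is the same as above.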