Computer Fraud - Eric Vanderburg - China Resource Network Conference
2. Who Are We?
JurInnov works with organizations that want to
more effectively manage matters involving
“Electronically Stored Information” (ESI).
– Information Security
– Electronic Discovery
– Computer Forensics
– Document and Case Management
© 2012 JurInnov Ltd. All Rights Reserved.
PROPRIETARY AND CONFIDENTIAL
5. Case Study
(Flattened diagram; an unidentified party is shown as "?".)
1. US sends email
2. Email read & deleted
3. Fake response through open relay
4. Fake email with alternate address
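The two forged messages in the case study leave traces in mail headers: a reply steered to an "alternate address" shows up as a Reply-To or Return-Path in a different domain from the displayed sender, and a message injected through an open relay shows a first accepting host that the organisation does not operate. The following checks are an added example, not code from the slides or from JurInnov; the domain `example-corp.test`, the relay list, and both sample messages are constructed for illustration.

```python
"""Header checks for the e-mail fraud pattern in the case study (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organisation's own domain and the mail hosts it operates.
OWN_DOMAIN = "example-corp.test"
TRUSTED_RELAYS = {"mail.example-corp.test"}


def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def _first_accepting_host(msg):
    """Host named after 'by' in the oldest Received header, i.e. the first MTA
    that accepted the message. Received headers are prepended, so oldest is last."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    tokens = received[-1].split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "by":
            return tokens[i + 1].strip("()[];,").lower()
    return None


def suspicious_headers(raw_message, own_domain=OWN_DOMAIN, trusted_relays=TRUSTED_RELAYS):
    """Return the indicators found in one RFC 5322 message; [] means none."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    return_dom = _domain(msg.get("Return-Path"))

    # "Fake email with alternate address": replies are steered away from the
    # displayed sender by a Reply-To in another domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Bounces going somewhere other than the claimed sender is the same trick.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # "Fake response through open relay": a message claiming our domain whose
    # first accepting host is one we do not operate.
    first_hop = _first_accepting_host(msg)
    if from_dom == own_domain and first_hop and first_hop not in trusted_relays:
        findings.append(f"message claiming {from_dom} first accepted by untrusted relay {first_hop}")
    return findings


# Constructed sample messages (not real mail). The genuine one entered via
# the corporate relay; the forged one came in through an open relay and
# redirects replies to a look-alike domain.
GENUINE = """\
Received: from ws-17.corp.internal ([10.0.0.17]) by mail.example-corp.test with ESMTP; Mon, 5 Mar 2012 09:12:01 -0500
Return-Path: <cfo@example-corp.test>
From: CFO <cfo@example-corp.test>
To: supplier@vendor.test
Subject: Wire instructions

Please use the account on file.
"""

FAKE = """\
Received: from unknown (HELO mail) ([203.0.113.9]) by open-relay.example.net with SMTP; Mon, 5 Mar 2012 09:40:13 -0500
Return-Path: <bounce@free-mail.test>
From: CFO <cfo@example-corp.test>
Reply-To: CFO <cfo@example-corp-accounts.test>
To: supplier@vendor.test
Subject: RE: Wire instructions

Our bank details have changed, please see the attached.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("fake", FAKE)):
        print(label, suspicious_headers(raw) or "no indicators")
```

Only the oldest Received header is consulted because it is the one hop the recipient's own relay did not write; later hops can be trusted only as far as the relays that added them.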
6. Detection
• Separation of duties
– Approve requests for information
– Validate changes in procedure
– Divide sensitive tasks between multiple persons and
roles
• Awareness
– Suspicious activity
– Social engineering
• Audit
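The separation-of-duties points above (approving requests, validating changes in procedure, dividing a sensitive task between persons and roles) can be enforced mechanically rather than left to habit. The check below is an added example, not code from the slides or from JurInnov: the task types in `POLICY`, the role directory in `ROLES`, and the people named are all assumptions for illustration.

```python
"""Dual-control approval check for sensitive requests (added example)."""
from dataclasses import dataclass, field


class SoDViolation(Exception):
    """Raised when an approval would defeat separation of duties."""


@dataclass
class Request:
    request_id: str
    requester: str
    kind: str                      # sensitive task type, see POLICY
    approvals: list = field(default_factory=list)


# Assumption: which roles may approve each sensitive task and how many
# distinct approvers it needs. Changing a supplier's payment details (the
# kind of procedure change the case study turns on) needs two people.
POLICY = {
    "change_payment_details": {"roles": {"finance_manager", "controller"}, "min_approvers": 2},
    "release_customer_data": {"roles": {"privacy_officer"}, "min_approvers": 1},
}

# Assumption: a directory lookup of each person's roles.
ROLES = {
    "alice": {"accounts_payable"},
    "bob": {"finance_manager"},
    "carol": {"controller"},
    "dave": {"finance_manager"},
}


def approve(request, approver, roles_of=ROLES.get):
    """Record one approval; return True once the request is fully approved.

    Each check enforces one of the slide's points: the requester may not
    approve their own request, one person cannot count twice, and only a
    holder of an approving role for this task type may sign off."""
    rule = POLICY[request.kind]
    if approver == request.requester:
        raise SoDViolation(f"{approver} cannot approve own request {request.request_id}")
    if approver in request.approvals:
        raise SoDViolation(f"{approver} already approved {request.request_id}")
    if not (roles_of(approver) or set()) & rule["roles"]:
        raise SoDViolation(f"{approver} holds no approving role for {request.kind}")
    request.approvals.append(approver)
    return len(request.approvals) >= rule["min_approvers"]


def is_approved(request):
    return len(request.approvals) >= POLICY[request.kind]["min_approvers"]


if __name__ == "__main__":
    req = Request("R-1", requester="bob", kind="change_payment_details")
    for person in ("bob", "alice", "carol", "carol", "dave"):
        try:
            print(person, "->", "complete" if approve(req, person) else "pending")
        except SoDViolation as exc:
            print(person, "-> rejected:", exc)
```

Note that the requester check runs before the role check, so a finance manager who raises a change cannot also be one of its two approvers, and a single person holding both approving roles still counts as one approver.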
7. Indicators
• Use of dormant accounts
• Log alteration
• Presence of malicious code
• Notification by partner or peer
• Notification by hacker
• Loss of availability
• Corrupt files
• Data breach
• Violation of policy
• Violation of law
• Activity at unexpected times
• Unusual email traffic
• Presence of hacker tools
• Unknown accounts
• Unusual consumption of computing resources
• Unusual network activity
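Three of these indicators (use of dormant accounts, unknown accounts, activity at unexpected times) only mean something against a baseline of what normal looks like for each account. The following is an added example, not code from the slides or from JurInnov, of running those three over logon records: the log format, the baseline table, the 90-day dormancy threshold and the working-hours windows are all assumptions, and the log lines are constructed, not real data.

```python
"""Account-related indicators from the slide, run over sample logon records (added example)."""
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%d %H:%M:%S"

# Assumption: a baseline built from a quiet period, one entry per known
# account: last legitimate logon and the hours it normally works. Accounts
# absent from the baseline are "unknown accounts".
BASELINE = {
    "jsmith":     {"last_logon": datetime(2012, 3, 2, 9, 0),   "hours": (7, 19)},
    "svc_backup": {"last_logon": datetime(2012, 3, 4, 3, 0),   "hours": (1, 5)},
    "admin_old":  {"last_logon": datetime(2011, 9, 15, 14, 0), "hours": (7, 19)},
}
DEFAULT_HOURS = (7, 19)    # applied to accounts with no baseline entry
DORMANT_DAYS = 90

# Constructed log lines (not real data): "<timestamp> <event> key=value ..."
SAMPLE_LOG = [
    "2012-03-05 09:12:01 LOGON user=jsmith src=10.0.0.17 result=SUCCESS",
    "2012-03-05 02:14:07 LOGON user=admin_old src=10.0.5.9 result=SUCCESS",
    "2012-03-05 11:40:22 LOGON user=tmp_user src=198.51.100.7 result=SUCCESS",
    "2012-03-05 11:41:00 LOGON user=jsmith src=198.51.100.7 result=FAIL",
    "2012-03-05 03:00:00 LOGON user=svc_backup src=10.0.0.5 result=SUCCESS",
]


def parse_line(line):
    """Split one record into (timestamp, event name, {key: value})."""
    ts = datetime.strptime(line[:19], LOG_FORMAT)
    tokens = line[20:].split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return ts, tokens[0], fields


def flag_logons(lines, baseline=BASELINE, dormant_days=DORMANT_DAYS):
    """Return (user, indicator) pairs for successful logons that deviate from the baseline."""
    findings = []
    for line in lines:
        ts, event, f = parse_line(line)
        if event != "LOGON" or f.get("result") != "SUCCESS":
            continue      # failed attempts are a separate indicator, not covered here
        user = f["user"]
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, "unknown account"))
            hours = DEFAULT_HOURS
        else:
            hours = profile["hours"]
            if ts - profile["last_logon"] > timedelta(days=dormant_days):
                findings.append((user, "use of dormant account"))
        # Per-account hours matter: a backup service account at 03:00 is normal,
        # an administrator at 02:14 is not.
        if not (hours[0] <= ts.hour < hours[1]):
            findings.append((user, "activity at unexpected time"))
    return findings


if __name__ == "__main__":
    for user, indicator in flag_logons(SAMPLE_LOG):
        print(f"{user}: {indicator}")
```

The same loop extends naturally to the other list items that have a baseline form (unusual network activity, unusual resource consumption) once a per-host profile is recorded the same way.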
8. Incident Response
• Validate incident authenticity
• Determine scope and severity
– Users, data and equipment impacted
• Notify team
9. Preservation of evidence
• Volatile data
– Contents of RAM
– Current network connections
– Logon sessions
– Open files
• Non-volatile data
– Hard drives
– Network device startup configurations
• Chain of custody
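Chain of custody is only as good as the ability to prove later that each item is the one collected: every artefact is hashed at collection time, in order of volatility, and each hand-over is logged. The manifest code below is an added example, not code from the slides or from JurInnov; the file names standing in for the collection outputs, the case identifier and the people named are assumptions, and the evidence files it creates are constructed placeholders.

```python
"""Hash-and-manifest chain of custody for collected evidence (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Order of volatility from the slide: volatile items first, then non-volatile.
# File names are assumptions standing in for the real collection outputs.
VOLATILE = ["ram.img", "net-connections.txt", "logon-sessions.txt", "open-files.txt"]
NONVOLATILE = ["disk0.dd", "switch-startup.cfg"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(evidence_dir, case_id, collector):
    """Hash every collected item in order of volatility and open the custody log."""
    items = []
    for name in VOLATILE + NONVOLATILE:
        path = os.path.join(evidence_dir, name)
        if not os.path.exists(path):
            continue          # e.g. no RAM image was taken on this host
        items.append({"item": name, "sha256": sha256_file(path),
                      "size": os.path.getsize(path), "collected_at": _now()})
    return {"case": case_id, "items": items,
            "custody": [{"action": "collected", "by": collector, "at": _now()}]}


def record_transfer(manifest, from_person, to_person):
    """Append a hand-over record; the custody log is append-only by convention."""
    manifest["custody"].append({"action": "transferred", "from": from_person,
                                "to": to_person, "at": _now()})


def verify(evidence_dir, manifest):
    """Return names of items that are missing or whose hash no longer matches."""
    bad = []
    for entry in manifest["items"]:
        path = os.path.join(evidence_dir, entry["item"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["item"])
    return bad


def demo():
    """Constructed evidence set: verify passes, then fails after one file is altered."""
    with tempfile.TemporaryDirectory() as d:
        for name in NONVOLATILE + VOLATILE[1:]:      # no RAM image in this run
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(f"constructed contents of {name}\n".encode())
        manifest = build_manifest(d, "CASE-2012-001", "analyst-1")
        record_transfer(manifest, "analyst-1", "evidence-custodian")
        intact = verify(d, manifest)
        with open(os.path.join(d, "net-connections.txt"), "ab") as fh:
            fh.write(b"tampered\n")
        tampered = verify(d, manifest)
        return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before/after tampering:", before, after)
```

The manifest itself should be stored (or signed) outside the evidence directory, otherwise whoever can alter an artefact can also rewrite its recorded hash.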
11. Post-incident activities
• Refine plans and processes
• Create new IRPs
• Debrief (After-action review)
12. Debrief
• Rankless discussion
• What was the goal?
• Were goals achievable?
• Successes
• Pitfalls
• Lessons learned
• Action items and responsibilities
• Positive summary (high note)
13. Prevention
• Perform background checks on key personnel,
suppliers and partners
• Conduct periodic awareness training
• Document and follow procedures
15. Incident Response Plans
• Document procedures for likely incidents
• Document steps for a non-specific incident
• Prepare resources
– Human
– Technical
• Is geographic diversity needed?
• Determine notification procedure
• Roles and responsibilities
• Simulation
• Review and maintenance
16. Action Items
• Obtain an overview of information security
posture (Security Snapshot)
• Consider incident response and create IRPs
• Conduct security awareness training
• Conduct risk assessment to identify appropriate
security controls
• Baseline systems to understand normal activity