In this lesson, I'll talk about incidents. What if you have an incident? What do you need to do? The objectives of this lesson are that I want you to understand, and be able to tell me back, what external resources you need to get involved, and to discuss the methods of dealing with incidents as well.

And you will have an incident; it's inevitable. Every organization out there suffers some kind of security incident. It doesn't matter if it's just a simple ransomware attack, which could actually be blown up into a much, much more complicated attack, denial of service, password compromises, whatever. You're going to have an incident as an organization. We've had it happen many, many times. Let me tell you; I don't even have enough fingers to tell you how many incidents, or how many people have fallen for phishing, that we needed to change their account, their password. That's within probably the last month. Just because you have users in your organization, they are human. They're going to fall for things that they shouldn't fall for. Phishing, ransomware, clicking on things that they shouldn't. So, it is inevitable that you're going to have some kind of security incident in your organization. The best thing that you can do is prepare for it.

Maybe you're attacked for fun, or curiosity, revenge, whatever it is. Maybe there are hacktivists out there that want to disrupt your organization because they don't like what you're telling people. Who do you turn to in that instance? We'll talk about a denial of service attack here, from several years ago. I like to use this example because it turns out to be a great example of the incident management process. How do you turn to other organizations when you are completely crippled as an organization? We don't know why whoever it was attacked us, but it was very clear that they wanted to take down our systems in some way. But we turned to other people. When you have an incident, you have a couple of options.
Where do you turn to in this case? First of all, turn to your security department. They usually have an incident response plan that they're going to follow. Number two, auditors. Your auditors are usually your friends. The reason why is because they're able to tell upper management, "Hey, this is a problem. You need to do something about x, y and z." So if you identify risk, for example, in your systems, or you're under attack, and you say this has been a problem, your auditors are usually the ones saying, "Hey, you need to do something about this, and we've told you you need to do something about this." Upper management. Management understands the business process for your organization. Get them involved early. Let them know what is going on so they can respond accordingly. Involve your information technology department. Your information technology department can have resources for the rest of the organization. If you're under attack, perhaps they can devise other ways of getting access to information that could be compromised. Get your attorneys involved right away. Let them know what's going on and what you are doing to make sure that you're mitigating the incident. And then finally, get your public relations team involved as well.

All of this should be in your incident response plan. It should detail when you're going to get each of these individuals involved, especially the attorneys and public relations, to say, "Here's every step of the process where we need to tell these people so they can tell other people." Your public relations team is the front of your company, telling people what they need to know without really any fear of what's happening at the moment.

Get external support involved: law enforcement, forensic investigators, information sharing centers, your ISP. If you're under a denial of service attack, your ISP can start to leverage their technology to block some of that attack, and other agencies as well.
Like when we had a denial of service attack, we reached out to Team Cymru, which was able to analyze some of the attack and start to offload some of the attack for us. But law enforcement, this is your local law enforcement, this is perhaps the FBI, Homeland Security. It just depends on what country you're in. For the U.S., the FBI will generally not touch anything under $100,000 in loss. So, if you're under a denial of service attack, it depends on the size of your business, how much you're losing, whether or not you're going to get them involved, but you should let them know.

So, this denial of service attack that we suffered back in February of 2010 crippled our network. Who did we turn to? The very first thing that we did is we got law enforcement. We got our local police department involved, and that's campus police, who reached out to the Colorado Bureau of Investigation, who then in turn reached out to the Colorado Incident Response Team. And I can't remember off the top of my head what that actually is. But then we also, because I'm a member of ISACs, and we have a large information sharing community here in Colorado Springs, I emailed my local Homeland Security contact, and he looked into it from a government point of view to see if there had been any threats against the University. And then the FBI; I have a local FBI contact as well. InfraGard, I-N-F-R-A-G-U-A-R-D, is a... or is it A-R-D? Anyway, it's the public-facing FBI organization. So you can go to FBI meetings with your InfraGard contacts. You don't have to have a clearance, but you have to pass a background check before you can join, and then they're going to share information with you.

Technology. We got our ISP involved right away, saying, "What are you seeing coming down as part of this attack? We're completely crippled. Can you start to offload the attack?"
And like I said, we got Team Cymru involved as well, to start offloading some of the attack, and to look at and do the analysis of the overall denial of service attack. We also reached out to REN-ISAC to see if they were able to offer suggestions on how to mitigate the denial of service attack. Typically, when there is a denial of service attack, it's very difficult to recover from while you're being attacked. And internally, we followed our incident response plan; we got the attorneys involved right away. We got security, help desk, all kinds of internal organizations.

But after the incident was over, after that denial of service attack had stopped and we had mitigated the attack, where did we turn? We turned to human resources and we turned to institutional research, and said, "Okay, here is the length of the attack and here's how many people suffered because of the attack. Let's look at how much this attack actually cost us." And we were able to put a dollar amount on the downtime that it cost us because we had those other internal departments involved.

So, what I want you to understand from this lesson is: get people involved during an incident. Don't just have your small team involved, and make sure that you're following your incident response process.