
Advice from the Experts

Secure Digital Solutions, which offers workshops and risk assessments to help companies gauge the strength of their information security posture—and sell the need for investments to senior management—lays out what needs to be done to boost security and who should do it. (Photo: Fotolia)

Define Scope and Team

Identify systems that have access to sensitive data, e.g., databases, servers, and devices. Identify any users (human accounts or service credentials) that have access to these systems. Identify representatives of in-scope systems to support the exercise.

Who does it: Operations management (e.g., CMDB owner) and integration architects; IAM operations (IdP, entitlement management).

Review System Activity

Include local logs, remote logs, current connections, current processes, etc. Look for failed and successful connection attempts alike. Review firewall, gateway, proxy, and DNS logs. Review current activity, both internal and outbound. Look for unusually large or lengthy sessions. Look for system-to-system connections that no one can explain. Include batch and other non-web-based systems that handle large amounts of data; these systems tend to get less attention than web and mobile environments even though the volume of data they handle often dwarfs that of any other system.

Who does it: Administrators (sysadmins, DBAs), SIEM team, anyone who can interpret the logs (e.g., integration architects), network operations team, network architects, network engineers, batch process owners.
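The review above is a set of questions to ask of the logs, and most of them can be asked mechanically. The script below is an added example (not Secure Digital Solutions' tooling, and not from the original slideshow) that runs the checklist over a handful of constructed firewall/proxy lines in a key=value format assumed for the example: it flags sessions that are unusually large or long, internal-to-internal flows that nobody has claimed on a hypothetical approved list, every internal-to-external flow for review, and sources with repeated failed connections. The thresholds and the `10/8 = internal` rule are assumptions; set them for your environment.

```python
import re
from collections import Counter

# Constructed sample firewall/proxy log lines in a simple key=value format
# assumed for this example (not taken from any real device).
SAMPLE_LOG = """\
2024-03-01T01:02:03Z ALLOW src=10.1.2.10 dst=10.9.0.5 dport=1433 bytes=48213 dur=3
2024-03-01T01:05:10Z ALLOW src=10.1.2.10 dst=10.9.0.5 dport=1433 bytes=6442450944 dur=5400
2024-03-01T01:07:44Z DENY src=10.1.2.77 dst=10.9.0.5 dport=1433 bytes=0 dur=0
2024-03-01T01:07:45Z DENY src=10.1.2.77 dst=10.9.0.5 dport=22 bytes=0 dur=0
2024-03-01T01:07:46Z DENY src=10.1.2.77 dst=10.9.0.6 dport=22 bytes=0 dur=0
2024-03-01T01:08:30Z ALLOW src=10.1.2.50 dst=10.9.0.6 dport=3306 bytes=9120 dur=2
2024-03-01T01:09:00Z ALLOW src=10.9.0.5 dst=203.0.113.9 dport=443 bytes=2200 dur=1
2024-03-01T02:00:00Z ALLOW src=10.9.0.5 dst=198.51.100.20 dport=443 bytes=3221225472 dur=86400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+) dur=(?P<dur>\d+)$"
)

# Hypothetical list of flows the system owners have already explained.
KNOWN_FLOWS = {("10.1.2.10", "10.9.0.5", 1433)}
INTERNAL_PREFIXES = ("10.",)   # assumption: 10/8 is the internal range here
LARGE_BYTES = 1 << 30          # flag sessions moving >= 1 GiB
LONG_SECONDS = 3600            # flag sessions lasting >= 1 hour
SCAN_THRESHOLD = 3             # denies from one source before we call it a scan


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            for k in ("dport", "bytes", "dur"):
                rec[k] = int(rec[k])
            yield rec


def review_activity(text, known_flows=KNOWN_FLOWS):
    """Apply the checklist: large/long sessions, unexplained internal flows,
    outbound flows, and sources with repeated failed connections."""
    large_or_long, unexplained, outbound = [], [], []
    denies = Counter()
    for r in parse_log(text):
        flow = (r["src"], r["dst"], r["dport"])
        if r["action"] == "DENY":
            denies[r["src"]] += 1
            continue
        if r["bytes"] >= LARGE_BYTES or r["dur"] >= LONG_SECONDS:
            large_or_long.append(flow + (r["bytes"], r["dur"]))
        if not r["dst"].startswith(INTERNAL_PREFIXES):
            outbound.append(flow)        # internal -> external: review every one
        elif flow not in known_flows:
            unexplained.append(flow)     # internal -> internal that nobody has claimed
    scanners = sorted(src for src, n in denies.items() if n >= SCAN_THRESHOLD)
    return {
        "large_or_long": large_or_long,
        "unexplained": unexplained,
        "outbound": outbound,
        "scanners": scanners,
    }


if __name__ == "__main__":
    for key, items in review_activity(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

On the sample, the 6 GiB database session and the day-long outbound transfer come out under `large_or_long`, the MySQL flow from 10.1.2.50 is the one nobody has explained, and 10.1.2.77 shows the three consecutive denies of a host probing for listeners. Each item in the output is a question for the owner of the system named in it, which is the point of the exercise.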

Perform Firewall Reality Check

Review firewall rules. Test what host systems can actually reach, rather than what the rules say they should reach. (Later, consider how to reduce network access to the minimum necessary.)

Who does it: Network operations team, network architects, network engineers, admins, integration architects.
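The "reality check" is the difference between the documented rules and an actual TCP handshake. The added example below (mine, not from the slideshow or from Secure Digital Solutions) takes a hypothetical policy of `(host, port) -> expected reachable?` and reports every mismatch in either direction, since a rule that is wider than the design is as much a finding as one that blocks a needed flow. Run it from each in-scope host. The two helpers at the bottom stand up a loopback listener and a known-closed port so the example can be exercised without touching a real network.

```python
import socket


def tcp_reachable(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within `timeout` seconds.
    A refused or timed-out connection is reported as unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reality_check(policy, timeout=1.0):
    """policy maps (host, port) -> bool saying whether the firewall rules are
    *intended* to let this host reach that service. Returns the mismatches as
    (host, port, expected, actual), so both an over-permissive and an
    over-restrictive rule show up."""
    mismatches = []
    for (host, port), expected in sorted(policy.items()):
        actual = tcp_reachable(host, port, timeout)
        if actual != expected:
            mismatches.append((host, port, expected, actual))
    return mismatches


# --- helpers so the example can be exercised without any network ---

def local_listener():
    """Open a listening socket on an ephemeral loopback port (stands in for a
    service the rules say we may reach). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_port():
    """Bind and immediately release an ephemeral port, leaving it closed so a
    connection to it is refused (stands in for a service that should be blocked)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = local_listener()
    blocked_port = closed_port()
    # Hypothetical policy: the first two entries match reality, the third is a
    # documented claim ("that port is blocked") that the probe will disprove.
    documented = {("127.0.0.1", open_port): True, ("127.0.0.1", blocked_port): False}
    print("mismatches vs. documented policy:", reality_check(documented))
    claimed = {("127.0.0.1", open_port): False}
    print("mismatches vs. a wrong claim:", reality_check(claimed))
    srv.close()
```

A TCP connect only proves the path is open up to the listener; it says nothing about what the service then permits, so a reachable admin port is the start of the next check, not the end of this one.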

Check Behavioral Activity

Review security monitoring tools (e.g., packet captures, behavioral logs, security gateways/proxies).

Who does it: Security operations.

Explain What’s Found

Review currently running and all installed applications on production systems. Can everyone explain what is running and why each application exists? (Later, consider how to reduce this to the minimum necessary. E.g., do we really need a compiler on a production system?)

Who does it: Operations, admins.

Get Current Scans

Scan the environment for vulnerabilities and perform baseline assessments (configuration, versions, etc.). Pay particular attention to newly disclosed vulnerabilities that are being exploited in the wild; a scanner only finds what it has a check for, so compare vendor advisories for the in-scope products against the version baseline as well. Patch systems, and isolate systems that cannot be patched.

Who does it: Security operations, IT operations, admins.

Perform Attack Surface Reality Check

Inventory admin consoles. Often these are not given a lot of attention, including during pen testing. Assume they are exposed on every externally facing endpoint until it is proven they are not. Document how they are used and by whom. Consider closing off external access. Perform pen testing on those that are found. (Later, analyze all admin consoles, including internal ones, and create policy and guidelines specifically focused on their design and deployment.)

Who does it: Operations, application owners, application architects, application support, developers.
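"Assume they are on every externally facing endpoint until proven otherwise" means asking each endpoint for the usual management paths. The added example below (not from the slideshow or from Secure Digital Solutions) requests a starter list of well-known admin paths on a base URL and records every response that is not a 404. A 401 or 403 is still a finding: the console exists and is reachable, it is merely asking for credentials. The path list is an assumption to be extended with the products actually deployed; the fake target at the bottom is constructed so the probe can be run offline. Against real external endpoints, run it from outside the network and with authorization.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Starter list of common admin/management paths (assumption: extend it with
# the products actually deployed in the environment).
ADMIN_PATHS = [
    "/admin", "/admin/", "/manager/html", "/console", "/jmx-console/",
    "/wp-admin/", "/phpmyadmin/", "/actuator", "/solr/admin/", "/_admin",
]


def probe_admin_paths(base_url, paths=ADMIN_PATHS, timeout=3.0):
    """GET each candidate path on base_url and return (path, status, location)
    for every response that is not a 404. 401/403 are kept on purpose."""
    u = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    found = []
    for path in paths:
        conn = conn_cls(u.hostname, u.port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"User-Agent": "admin-console-inventory"})
            resp = conn.getresponse()
            resp.read()
            if resp.status != 404:
                found.append((path, resp.status, resp.getheader("Location")))
        except OSError:
            pass   # host down or filtered: nothing to record for this path
        finally:
            conn.close()
    return found


# --- a constructed target so the probe can be exercised offline ---

class FakeAppHandler(BaseHTTPRequestHandler):
    """Mimics an app with an open admin UI, a password-protected manager
    page, and a console that redirects to a login page; all else is 404."""
    ROUTES = {"/admin": (200, None), "/manager/html": (401, None), "/console": (302, "/login")}

    def do_GET(self):
        status, location = self.ROUTES.get(self.path, (404, None))
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_app():
    """Serve the constructed target on an ephemeral loopback port; returns (server, base_url)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeAppHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    srv, url = start_fake_app()
    for path, status, location in probe_admin_paths(url):
        print(f"{status} {path}" + (f" -> {location}" if location else ""))
    srv.shutdown()
    srv.server_close()
```

Every hit goes into the inventory with an owner and a stated reason for being reachable from where it was found; the ones with no such reason are the first candidates for closing off external access.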

Check Critical Credentials

Review current service credential configurations. Review service credential processes. Are they managed and rotated routinely? Consider rotating credentials for critical systems as part of the exercise.

Who does it: Admins, IAM team, operations.
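Two concrete checks fall out of this slide: whether service credentials sit in clear text in configuration, and whether anyone can say when each one was last rotated. The added example below (not the slideshow's or Secure Digital Solutions' code) does both over a constructed properties file and a constructed credential inventory. The regexes, the 90-day limit, and the inventory fields are assumptions; a credential with no known rotation date is reported as its own finding rather than silently skipped.

```python
import re
import secrets
from datetime import date

# Patterns for secrets stored in clear text (assumed heuristics). The first
# catches key=value / key: value forms, the second catches user:password@
# embedded in connection URLs.
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[=:]\s*['\"]?(?P<val>[^'\"\s;]+)"
)
URL_CRED_RE = re.compile(r"://(?P<user>[^:/@\s]+):(?P<val>[^@\s]+)@")


def find_plaintext_credentials(text):
    """Return (line_number, line) for each line that appears to embed a secret.
    References to environment variables (${NAME}) are not counted."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for rx in (SECRET_RE, URL_CRED_RE):
            m = rx.search(line)
            if m and not m.group("val").startswith("${"):
                hits.append((n, line.strip()))
                break
    return hits


def overdue_rotations(inventory, today, max_age_days=90):
    """inventory: list of {name, last_rotated: 'YYYY-MM-DD' or None}.
    Returns (name, age_in_days) for credentials older than max_age_days; age is
    None when nobody knows when it was last rotated."""
    overdue = []
    for cred in inventory:
        if cred["last_rotated"] is None:
            overdue.append((cred["name"], None))
            continue
        age = (today - date.fromisoformat(cred["last_rotated"])).days
        if age > max_age_days:
            overdue.append((cred["name"], age))
    return overdue


def new_secret(nbytes=32):
    """Replacement value for a rotation: 256 bits from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


# Constructed sample inputs (not from any real system).
SAMPLE_CONFIG = """\
db.url=jdbc:mysql://dbhost:3306/app
db.user=svc_app
db.password=Winter2019!
api_key=${API_KEY}
queue.url=amqp://svc_queue:hunter2@mq.internal:5672/
"""
SAMPLE_INVENTORY = [
    {"name": "svc_app",    "last_rotated": "2023-11-01"},
    {"name": "svc_queue",  "last_rotated": None},
    {"name": "svc_report", "last_rotated": "2024-02-01"},
]

if __name__ == "__main__":
    for n, line in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"clear-text credential at line {n}: {line}")
    for name, age in overdue_rotations(SAMPLE_INVENTORY, date(2024, 3, 1)):
        print(f"rotation overdue: {name} ({'never recorded' if age is None else f'{age} days'})")
    print("example replacement value:", new_secret())
```

The config scan is a heuristic and will miss secrets under unusual key names, so treat a clean result as "nothing obvious", not "nothing there"; the inventory check is only as good as the inventory, which is exactly what the slide is asking you to find out.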

Inventory Encryption Usage

Review any clear-text transmissions (e.g., FTP, HTTP, Telnet, and database connections over JDBC/ODBC drivers that have not been configured to use TLS). Disable any externally facing clear-text protocols. Review encryption-at-rest usage. (Later, enable encryption in transit everywhere, internal and external.)

Who does it: Network operations, admins, batch operations, application operations.

Practice Breach Impact Analysis

Identify attack patterns/scenarios similar to what is known about the breach in the spotlight. Generate the system activity reports that would be required once an attack has been uncovered. Can we show who accessed what data, when, and from where? If we had the IP address of an attacker, could we show the scope of activity related to that address? Can an IP address be traced all the way back to data access, or is the trail lost somewhere along the way (for example, where the application connects to the database under a shared service account and the audit log no longer names the end user)? (Later, get serious about log correlation, monitoring, and alerting. Don't just toss logs over the wall to the SIEM team.)

Who does it: Everyone, from operations to IAM, from application admins to DBAs, from firewall to sysadmin, from junior to senior leadership, and the SIEM team.
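The question "can an IP be traced all the way to data access?" is a join across log sources, and the exercise is to attempt that join before an incident forces it. The added example below (not from the slideshow or from Secure Digital Solutions) follows one client address from a proxy log (IP to session id) to an application log (session id to user) to a database audit log (user to query and row count), all three constructed for the example in a key=value format that is an assumption. It reports at which hop the trail breaks, and separately lists database events the application never attributed to a user, which is the gap that a shared service account leaves.

```python
import re

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(text):
    """Parse key=value lines (values may be double-quoted) into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for m in KV_RE.finditer(line):
            rec[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        records.append(rec)
    return records


def trace_ip(ip, proxy, app, db):
    """Follow one client IP across the three sources. Links assumed for the
    example: proxy client -> sid, app sid -> user, db appuser -> user.
    trail_lost_at names the first hop that yielded nothing."""
    result = {"ip": ip, "sessions": set(), "users": set(), "db_events": [],
              "rows_touched": 0, "trail_lost_at": None}
    result["sessions"] = {r["sid"] for r in proxy if r.get("client") == ip and "sid" in r}
    if not result["sessions"]:
        result["trail_lost_at"] = "proxy"
        return result
    result["users"] = {r["user"] for r in app if r.get("sid") in result["sessions"] and "user" in r}
    if not result["users"]:
        result["trail_lost_at"] = "app"
        return result
    result["db_events"] = [r for r in db if r.get("appuser") in result["users"]]
    if not result["db_events"]:
        result["trail_lost_at"] = "db"
    result["rows_touched"] = sum(int(r.get("rows", 0)) for r in result["db_events"])
    return result


def unattributed_db_events(db):
    """Audit rows the application did not tag with an end user: from these,
    the trail cannot be walked back to an IP no matter how good the other logs are."""
    return [r for r in db if r.get("appuser") in (None, "", "unknown")]


# Constructed sample logs (not from any real system).
PROXY_LOG = """\
ts=2024-03-01T03:10:02Z client=203.0.113.9 sid=s7f1 method=POST path=/login status=200
ts=2024-03-01T03:10:40Z client=203.0.113.9 sid=s7f1 method=GET path=/reports/export status=200
ts=2024-03-01T03:12:15Z client=198.51.100.4 sid=k2aa method=GET path=/home status=200
"""
APP_LOG = """\
ts=2024-03-01T03:10:02Z sid=s7f1 user=jdoe event=login result=success
ts=2024-03-01T03:10:40Z sid=s7f1 user=jdoe event=export report=customer_master
ts=2024-03-01T03:12:15Z sid=k2aa user=asmith event=view page=home
"""
DB_AUDIT = """\
ts=2024-03-01T03:10:41Z dbuser=app_svc appuser=jdoe query="SELECT * FROM customers" rows=48211
ts=2024-03-01T03:12:16Z dbuser=app_svc appuser=asmith query="SELECT id FROM pages WHERE name='home'" rows=1
ts=2024-03-01T03:15:00Z dbuser=app_svc appuser=unknown query="SELECT * FROM cards" rows=9000
"""

if __name__ == "__main__":
    proxy, app, db = parse_kv(PROXY_LOG), parse_kv(APP_LOG), parse_kv(DB_AUDIT)
    r = trace_ip("203.0.113.9", proxy, app, db)
    print(f"{r['ip']}: sessions={sorted(r['sessions'])} users={sorted(r['users'])} "
          f"queries={len(r['db_events'])} rows={r['rows_touched']} trail_lost_at={r['trail_lost_at']}")
    for e in unattributed_db_events(db):
        print("unattributed DB access:", e["ts"], e["query"], "rows", e["rows"])
```

In the sample, the attacker's address resolves to one session, one user, and a 48,211-row export of the customers table; the third audit row, 9,000 rows from the cards table under `appuser=unknown`, is the kind of record that turns up in a real investigation and cannot be tied to anyone because the application connects as `app_svc` for every user. Finding that gap now, in a drill, is the entire value of the step.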
