
Mitigation starts now

Presentation from the Jisc security conference 2016

www.jisc.ac.uk


  1. Mitigation starts now. DI Daniel Lawrence, NPCC National Cyber PROTECT Coordinator, 1/11/2016
  2. This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk
     Mitigation starts now. DI Daniel Lawrence, NPCC National Cyber PROTECT Coordinator
  3. Objectives
     • Incident Handling – Are you ready?
     • Reporting Cyber Incidents
     • Assessment of the Incident (who takes precedence)
  4. Incident Handling – Are you ready?
  5. The cyber threat: are you a target?
     Cyber breaches and attacks over the past year:
     • 65% of large firms
     • 1 in 4 of all businesses
     What is at risk?
     • Your money
     • Your data (e.g. customer details, intellectual property, confidential emails)
     • Your day-to-day operations (e.g. customer website, internal systems)
     • Your business’ reputation
  6. Things to think about
     • Tell the organisations that can help
     • Ensure you have a business continuity plan for when things go bad
     • Think about messaging, both internally and externally
     • Know your network and what normal looks like
     • Do you know what information you are holding and how quickly you can find out what has gone?
  7. Not just a problem for the IT department
     Will require a response from staff across teams:
     • Legal
     • HR
     • Communications/Media
     • C-level staff
     • Business Continuity
  8. Incident Handling Model
  9. • Understand the risks facing your business
     • Assemble the correct team
     • Understand your network topology
     • Develop and test an incident handling plan
     • Establish effective forensic readiness
  10. • Ensure you have key points of contact
      • Agree a decision log format
      • Exercise the incident handling team
      • Drive user awareness
      • Agree internal and external communications & reporting structures
  11. • Detect events as they happen
      • Use data feeds to provide context
      • Understand the affected asset
      • Make proportionate response recommendations
  12. • Understand the attack
      • Preserve evidence
      • Consider appropriate clean-up actions
      • Initiate internal communications
  13. • Activity will depend on the nature of the incident
      • Implement alongside your Business Continuity Plan
      • Ensure full visibility and agreement of system owner
      • Ensure shared understanding on briefings
      • Establish a feedback loop
  14. • Maintain the feedback loop
      • Identify when systems can be reintroduced
      • Focus on preventing a recurrence
      • Maintain communications
      • Ensure a shared understanding of the end state
  15. • Treat incidents as learning opportunities
      • Complete relevant documentation
      • Learning lessons is an ongoing process
      • Consider implications for all elements of your business
      • Share what you have learned – on CiSP!
  16. Reporting Cyber Incidents & Cyber Crime
  17. Historic / incident that has passed
      • Action Fraud – actionfraud.police.uk
      • 0300 123 2040
      Crime in Action
      • 101 / 999
      Local to National
  18. Information Sharing and CiSP: Need to Know → Need to Share
  20. • CiSP is a joint government and industry initiative to share cyber threat information, hosted by CERT-UK
      • Free to join – funded by UK government
      • Current membership stands at over 6500 individuals and under 2500 organisations
      • The ‘Fusion Cell’ stimulates discussion and sharing on the platform and provides all source assessment
      • Sharing is based on Traffic Light Protocol
      • CiSP produces a range of products/outputs including alerts and analysis papers for organisations
  21. Different products for differing cyber maturity
  22. CiSP Homepage
  23. CiSP Environment
      • All groups are private (members only) but their existence is public. Only members can view content in a private group.
      • Secret groups are private but invisible to non-members.
      • Restriction either by membership (group) or by subject (space)
      • Open to every member with no restrictions
      Diagram labels: Group, Private, Secret, Space
  24. Spaces and Groups
  25. You can be anonymous… but think carefully if you need to be.
  26. Discuss – Disseminate – Analyse
  27. Future developments: Structured Incident Reports
  28. Enhanced 2FA
  29. A New Homepage
  30. From the board to the frontline…
  31. Evoke behaviour change
      • Cannot be done in isolation
      • End user / employee awareness is not the panacea…
      • Board level responsibility
      • There need to be technical solutions, as the most educated will still ‘click the link’ or ‘open the attachment’…
      • Top to bottom review of processes is key
      • Role of PROTECT is to raise awareness to those identified as being most vulnerable to exploitation.
  32. dlawrence@cert.gov.uk
