SESSION 610
Thursday, May 11, 4:00pm - 5:00pm
Track: Service Desk Masters
The Service Desk on the Frontline of Cyber Resilience
Bob Rice, Director, Solutions3 LLC, [email protected]
Session Description
Don’t be the next news headline! Recent thefts of business-critical information have occurred when the service desk granted cyber-crooks access to internal servers. Expensive technology didn’t stop the breach, so the question is, how could this happen? Are there best practices to provide guidance to develop robust cyber-protection? The answer is yes, and this session will explore those best practices and the role the service desk plays in response and cyber-resilience.
Speaker Background
Bob Rice is the director of professional services at Solutions3 LLC. He is an ITIL Expert who has mentored and led organizations in the delivery and support of IT services within commercial and federal classified projects. He’s an ITIL courseware author and reviewer, and he was one of the first to earn the RESILIA Foundation and Practitioner certifications. Bob has also spoken at FUSION and LIG conferences, at PMI events, and on BrightTalk webinars.
The Service Desk on the Front Lines of Cyber-Resilience
Bob Rice
Agenda
• Setting the Stage
• Risks and Challenges
• What Is Cyber Resilience?
• The Service Desk
• Call To Action
• Q&A
SETTING THE STAGE
Breaches In The News
• FBI and DHS Breach (2/7/2016) – teenagers arrested, access provided by a help desk agent
• Home Depot - 53 Million
• Target - 40 Million
• JP Morgan - 76 Million households / 8 Million small businesses
• Anthem – 1 in 3 Americans info stolen
• Office of Personnel Management - 21.5 Million SF86 forms stolen, 5.6 Million fingerprint cards stolen
• Sony – Stolen IP (Movies, videos, etc.)
Actual Scenario – A Targeted Attack
You are working on something that will potentially revolutionize an industry
• You include employer info on your social media pages and post photos and updates from victories at Tuesday night trivia at the local sports bar
• One night at the bar, you strike up a conversation with a new “friend” and talk about technology. The new “friend” lets it slip that they work for IBM.
• The new “friend” gives you a business card with the iconic blue IBM logo and offers some “swag” they have in their car, including an IBM coffee mug, T-shirt, mouse pad and 8-gig flash drive.
• The next morning at work you push the thumb drive into your computer.
• Within seconds, the company's entire email network is compromised, and hackers begin work scraping messages, documents, attachments and images.
• Service desk is flooded with incidents
Is your Service Desk ready to handle this?
Actual Scenario – Cyber Security Review
• A small company is very proud of the work it has done protecting its “data center”
• A consulting company recommends a security assessment
• CIO says that they don’t need an assessment, they are well protected
• The consultant suggests that the CIO allow him to check, and bets that he can be in the system in minutes
• The CIO agrees, and the consultant is in the network in 20 minutes by exploiting known vulnerabilities
• The CIO agrees to the security assessment and hires the consulting firm to assess and build a roadmap for improvement
Would your Service Desk know how to recognize incidents that impact these vulnerabilities?
Actual Scenario – Official Sounding Email
Email from someone I don’t know…
We are currently upgrading all Webmail email outlook access to the newly launched IT WEBMAIL 3GB Unlimited. In order to restore your full email access with the new version HTK4S anti-virus 2016, you need to click below to fill the re-activation form.
CLICK HERE
System Helpdesk.
Could your Service Desk advise the user?
What if the user called after clicking on the link?
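The two questions above are answerable with a checklist, and a checklist can be written down precisely. The following is an added example, not material from the session or from Solutions3: it scores a reported e-mail against the indicators the "Official Sounding Email" scenario shows (sender outside the organization, a bare "click here" link, pressure to re-activate an account, a request to fill in a form, a generic "System Helpdesk" signature) and returns the advice an agent would give, both before and after the user has clicked. The internal domain, the sender address and the link are constructed for the example; the credential reset in the post-click advice is a standard step assumed here, not one the slides list.

```python
"""Service-desk phishing triage checklist as code (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain


@dataclass
class ReportedEmail:
    sender: str
    subject: str
    body: str
    links: List[str] = field(default_factory=list)


# Indicator patterns; each one alone is weak, two or more together are a strong signal.
CLICK_HERE = re.compile(r"\bclick here\b", re.I)
URGENCY = re.compile(r"re-?activat|restore your|suspend|immediately|within 24 hours", re.I)
FORM_OR_CREDENTIALS = re.compile(r"re-?activation form|password|verify your account|fill (in|out)?", re.I)
GENERIC_SIGNOFF = re.compile(r"^\s*(system |it )?help ?desk\.?\s*$", re.I | re.M)


def phishing_indicators(mail: ReportedEmail) -> List[str]:
    """Return the human-readable indicators found in the reported message."""
    found = []
    sender_domain = mail.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != INTERNAL_DOMAIN:
        found.append("sender is outside the organization")
    if CLICK_HERE.search(mail.body):
        found.append('bare "click here" call to action')
    if any(INTERNAL_DOMAIN not in link.lower() for link in mail.links):
        found.append("link points outside the organization")
    if URGENCY.search(mail.body):
        found.append("pressure: account access will be lost unless the user acts")
    if FORM_OR_CREDENTIALS.search(mail.body):
        found.append("asks the user to fill in a form or supply credentials")
    if GENERIC_SIGNOFF.search(mail.body):
        found.append("generic helpdesk signature with no named contact")
    return found


def triage(mail: ReportedEmail, user_clicked: bool) -> Dict[str, object]:
    """Classify the report and return the advice the agent should give."""
    indicators = phishing_indicators(mail)
    suspicious = len(indicators) >= 2
    if not suspicious:
        advice = ["No phishing indicators found; handle as a normal request"]
    elif not user_clicked:
        advice = [
            "Do not click the link or reply to the message",
            "Report the message to the security team",
            "Keep the original message; it is evidence",
        ]
    else:
        advice = [
            "Contain: take the device off the network before anything else",
            "Reset the user's credentials (standard step, assumed here)",
            "Preserve the message and browser history as evidence",
            "Escalate to the security SPOC under the security incident model",
        ]
    return {"indicators": indicators, "suspicious": suspicious, "advice": advice}


# Constructed sample: the scenario's message with a made-up external sender and link.
SAMPLE_MAIL = ReportedEmail(
    sender="helpdesk@webmail-upgrade.example.net",
    subject="Webmail upgrade",
    body=(
        "We are currently upgrading all Webmail email outlook access to the newly "
        "launched IT WEBMAIL 3GB Unlimited. In order to restore your full email access "
        "with the new version HTK4S anti-virus 2016, you need to click below to fill "
        "the re-activation form.\nCLICK HERE\nSystem Helpdesk."
    ),
    links=["http://webmail-upgrade.example.net/reactivate"],
)

# Constructed benign message for comparison: internal sender, named contact, no link.
BENIGN_MAIL = ReportedEmail(
    sender="it-support@example.com",
    subject="Maintenance window",
    body="Reminder: the monthly maintenance window is Saturday 02:00-04:00.\nJane Doe, IT Operations, ext. 1234",
)

if __name__ == "__main__":
    for clicked in (False, True):
        result = triage(SAMPLE_MAIL, user_clicked=clicked)
        print(f"clicked={clicked}: {result['indicators']}")
        print("  advice:", *result["advice"], sep="\n    ")
```

The threshold of two indicators is deliberate: a single hit (an external sender, say) describes most legitimate vendor mail, while the scenario's message trips every check at once.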
RISKS AND CHALLENGES
Potential Attack Vectors
• Smartphones
• Tablets
• Laptops
• Fitness devices
• Watches (Laptop -> Connected to Email -> Exchange Server)
• Social Media / Marketing
• Easy to compromise with a portable Point of Sale device
• Humans
• Starbucks
• IoT
• Near Field Communication (NFC) devices
Risks and Challenges
• People are our strongest asset, but…
• Threats and bad actors are constantly adapting
• Threats are more targeted
• Compliance does not equal security
• There are only 2 types of companies – those that know they have been breached and those that don’t know they have been breached. – US Army Cyber Command
• It’s not a matter of if, but rather when… – FBI
WHAT IS CYBER RESILIENCE? (AND WHERE CAN I GET SOME?)
Cyber Resilience References
• RESILIA™ Cyber Resilience Best Practices
• NIST Framework for Improving Critical Infrastructure Cybersecurity (PDF)
• NIST Special Publication 800-39 Managing Information Security Risk
• ISO27001
• ITIL®
• M_o_R (AXELOS – Management of Risk)
What is Cyber Resilience?
• “The ability to prevent, detect and recover from any impact that incidents have on the information required to do business.”
• Cyber Resilience extends Cyber Security throughout the organization…
• Resilience is the ability of a system or component to resist an unplanned disturbance or failure, and to recover in a timely manner following any unplanned disturbance or failure.
The Service Desk is key to detecting and recovery!
APPLYING CYBER-RESILIENCE TO THE SERVICE DESK
Setting The Service Desk Up For Success
• Security is not someone’s job – it’s everyone’s job!
• Quick and effective response to cyber incidents
• Effective design and engagement of cyber resilience plans
• Security plan testing
• Security incident escalation
• Incident information capture at point of occurrence
• Initial implementation of risk mitigation plan
• Security incident response planning
• Must have Security Incident Models!
Service Desk in Action – Policies
• Service Desk responsibilities (e.g. preparation, planning, response teams)
• Required Cyber Security training for all business staff
• Required Cyber Security training for all IT staff
• Defined Information Security Policy stating responsibilities and expectations
• Service Desk integration with the Business/IT Security team
• Handling of Security Breaches
• Employee Cyber Security Performance (e.g. human error)
• Information Asset Classification
Service Desk in Action – Planning
• Expect Cyber Security incidents
– Classify critical information assets (e.g. PII, IP, legal documents, etc.)
– Flag critical information assets in the CMDB
– Establish business and security team SPOCs for escalation
• Have a plan to respond
– Based on the classification of the critical information asset
– Define formal response teams
– Major incident?
– Have a pre-defined security incident model with a communication plan
– Determine the resources required for investigation and forensic analysis
Service Desk in Action – Detecting
• Security incident models MUST be defined with Standard Operating Procedures
• Identify “finger prints” of typical security incidents
• Update tools to include analysis points for potential security incidents
• Have a single focal point for managing security incidents
• Triage all suspected security incidents to validate and identify proper escalation
• Security incidents must be responded to quickly
• Consistency in response is important
• When in doubt, “don’t open it / do it”!
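The "fingerprints" and "analysis points" above become concrete once the ticketing data is looked at as a stream. The following is an added example, not from the slides or from any product the session mentions: it parses constructed ticket log lines, tags each ticket with the fingerprint of a security incident model, and raises a candidate security incident when THRESHOLD or more tickets with the same fingerprint arrive inside a sliding WINDOW, which is what the "service desk is flooded with incidents" moment in the targeted-attack scenario looks like from the desk. The log format, the fingerprint patterns, the window and the threshold are all assumptions for the example.

```python
"""Flag a surge of similar service-desk tickets as a possible security incident (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

WINDOW = timedelta(minutes=15)
THRESHOLD = 3  # matching tickets inside WINDOW that trigger escalation

# Fingerprints of typical security incidents, keyed by incident model name.
# Order matters: the first pattern that matches a ticket wins.
FINGERPRINTS = {
    "phishing": re.compile(r"suspicious (e-?mail|link|message)|clicked .*link|re-?activation", re.I),
    "ransomware": re.compile(r"files? (are |is )?encrypted|ransom|cannot open (my |any )?files", re.I),
    "malware": re.compile(r"\busb\b|thumb drive|flash drive|antivirus alert", re.I),
    "mail": re.compile(r"(outlook|e-?mail|mailbox).*(disconnect|not working|cannot send|can.?t send)", re.I),
}

# Constructed line format: "<YYYY-MM-DD HH:MM> <ticket id> <user> <free text>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<ticket>INC\d+) (?P<user>\S+) (?P<text>.+)$")


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one ticket line; returns None for lines that do not fit the format."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M"),
            "ticket": m["ticket"], "user": m["user"], "text": m["text"]}


def fingerprint(text: str) -> Optional[str]:
    """Name the incident model whose fingerprint the ticket text matches, if any."""
    for model, pattern in FINGERPRINTS.items():
        if pattern.search(text):
            return model
    return None


def detect_bursts(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per incident model whose tickets burst inside WINDOW."""
    recent = defaultdict(deque)  # model -> deque of (timestamp, ticket id), oldest first
    alerts, alerted = [], set()
    for line in lines:
        ticket = parse(line)
        if ticket is None:
            continue
        model = fingerprint(ticket["text"])
        if model is None:
            continue
        window = recent[model]
        window.append((ticket["ts"], ticket["ticket"]))
        while window and ticket["ts"] - window[0][0] > WINDOW:
            window.popleft()  # drop tickets older than the sliding window
        if len(window) >= THRESHOLD and model not in alerted:
            alerted.add(model)
            alerts.append({
                "model": model,
                "tickets": [tid for _, tid in window],
                "first": window[0][0],
                "last": ticket["ts"],
                "action": "triage as a suspected security incident; notify the security SPOC",
            })
    return alerts


# Constructed ticket lines: one early mail ticket, then a burst in the 08:51-09:01 window.
SAMPLE_TICKETS = [
    "2017-05-09 08:02 INC1001 jdoe Printer on the 3rd floor is out of toner",
    "2017-05-09 08:05 INC1002 asmith Outlook keeps disconnecting from the server",
    "2017-05-09 08:51 INC1003 bjones Outlook not working, mailbox shows sent items I did not send",
    "2017-05-09 08:53 INC1004 cwang Email not working since this morning, strange messages in my sent folder",
    "2017-05-09 08:55 INC1005 dlee Cannot send email, Outlook disconnects every few seconds",
    "2017-05-09 08:58 INC1006 efox Got a suspicious email asking me to fill a re-activation form",
    "2017-05-09 09:01 INC1007 ghall Outlook not working for the whole team",
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_TICKETS):
        print(alert["model"], alert["tickets"], alert["first"], "->", alert["last"])
        print("  ", alert["action"])
```

The single early ticket (INC1002) falls out of the window before the burst starts, so it is not counted; the alert fires on the third matching ticket within fifteen minutes and is raised once per model, leaving the triage decision to the single focal point the slides call for.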
Service Desk in Action – Evidence
• Defined in the Security Incident Model
• During the incident, evidence must be collected for potential legal responses
• Defined procedures to preserve evidence must be included in the planning for security incidents
• The Chain of Custody of the evidence is critical to the use of the evidence in any legal action
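What an evidence-preservation procedure has to record is small and specific: a cryptographic hash taken when the item is collected, an append-only log of who held it and when, and a check that proves the item is unchanged when it is finally used. The following is an added example, not from the slides or from any tool the session mentions; the evidence bytes, incident id, handler names and timestamps are constructed for the example.

```python
"""Evidence hashing and chain-of-custody record for a security incident (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class CustodyEntry:
    when: datetime
    holder: str     # who holds the item after this action
    action: str     # "collected" or "transferred from <previous holder>"
    sha256: str     # hash of the content observed at the time of this action


@dataclass
class EvidenceItem:
    incident_id: str
    description: str
    content: bytes
    log: List[CustodyEntry] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _now() -> datetime:
    return datetime.now(timezone.utc)


def collect(incident_id: str, description: str, content: bytes,
            handler: str, when: Optional[datetime] = None) -> EvidenceItem:
    """Start the chain: hash the item at the moment of collection."""
    item = EvidenceItem(incident_id, description, content)
    item.log.append(CustodyEntry(when or _now(), handler, "collected", sha256_hex(content)))
    return item


def transfer(item: EvidenceItem, to_handler: str, when: Optional[datetime] = None) -> None:
    """Record a hand-off; the hash is recomputed so any change during the previous custody period shows up."""
    previous = item.log[-1].holder
    item.log.append(CustodyEntry(when or _now(), to_handler,
                                 f"transferred from {previous}", sha256_hex(item.content)))


def verify(item: EvidenceItem) -> bool:
    """True only if every log entry saw the collection-time hash and the content still matches it."""
    original = item.log[0].sha256
    return all(entry.sha256 == original for entry in item.log) and sha256_hex(item.content) == original


def custody_report(item: EvidenceItem) -> List[str]:
    """Human-readable chain of custody for the incident record."""
    lines = [f"{item.incident_id}: {item.description}"]
    for entry in item.log:
        lines.append(f"  {entry.when.isoformat()}  {entry.action:<32} holder={entry.holder}  sha256={entry.sha256[:16]}...")
    return lines


# Constructed sample: a phishing message saved by the desk agent, then handed to security.
SAMPLE_CONTENT = b"From: helpdesk@webmail-upgrade.example.net\nSubject: Webmail upgrade\n\nCLICK HERE\nSystem Helpdesk.\n"


def sample_chain() -> EvidenceItem:
    item = collect("INC-EXAMPLE-1", "suspicious e-mail saved as .eml", SAMPLE_CONTENT,
                   "desk agent A", when=datetime(2017, 5, 11, 16, 5, tzinfo=timezone.utc))
    transfer(item, "security analyst B", when=datetime(2017, 5, 11, 16, 30, tzinfo=timezone.utc))
    return item


if __name__ == "__main__":
    item = sample_chain()
    print("\n".join(custody_report(item)))
    print("intact:", verify(item))
```

Recomputing the hash at every hand-off is the point: if `verify` fails, the log shows which custody period the change happened in, which is exactly what a legal challenge to the evidence will ask.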
Service Desk in Action – Response
• Containment
– The immediate objective of the security incident response team
–This stops the “pain” from spreading and allows for subsequent decisions
–Allows for further evidence to be collected
• Response
– Identify the required actions to eradicate the cause of the incident
– If a recovery is required, determine how to recover
Service Desk in Action – Improve
• Threats are always evolving, so our security must too
• Conduct post incident review of each security incident
• Some security incidents will be major breaches (e.g. major incidents)
• Escalate to problem management to identify root cause and determine how to prevent future occurrences
• Test your plans and improve them
• Review the information assets involved and determine additional security planning needed
• Update tool instrumentation and workflow configuration
• Update security incident models
Service Desk in Action – Anticipate
• Establish the “Human Firewall”
• Anticipate Attack Vectors and plan for them
• Train users what to expect
• Warn users when suspicious activity is identified
• Provide regular security awareness through service desk interaction
• Hackers Spend 200+ Days Inside Systems Before Discovery (205 days)
Be Vigilant!
Threats: Phishing, Spear-Phishing, Trojans, Viruses, Social Engineering, Malware, Hijacking, Ransomware, Hacking, DoS, DDoS, Infection, Spyware, Keystroke Loggers, Pre-Texting
Service Desk in Action – Ongoing Effort
• Stay Prepared and Informed (Stay Vigilant!)
• Interact with the business and IT security teams
• Check security sites for potential and active threats
• Broadcast of potential and active threats to the service desk and users
• Expect/Anticipate Security Incidents
• Check out suspicious issues reported by users
– http://www.snopes.com/
– https://www.us-cert.gov/
– http://www.symantec.com/security_response/landing/threats.jsp
Service Desk in Action – Education and Training
• Service Desk Training
– RESILIA™
– Training on internal security policies
– Updates on scripts and procedures
– Service Management tool updates and training
• User Training / Awareness
– Basic information at Anti-virus vendor pages
– Custom enterprise security training
– Weekly email updates
– Updates to internal webpages
CALL TO ACTION
• Realize that the Service Desk is on the front lines of Cyber Resilience
• Ensure the Service Desk is prepared to identify and respond to cyber incidents
• Define and implement security incident models
• Be suspicious and be vigilant!
• Ensure Information Security policies are well understood
• Ensure ongoing training and awareness
• Test, test and test your Service Desk
• Design a purposeful and effective cyber incident response and recovery
• Encourage a cyber smart workforce
• Proactively identify threats and communicate them
Q & A
Thank you for attending this session.