IT Security Response to a Major Incident Lessons Learned from the Sandusky Investigation May 8, 2014


Page 1: IT Security Response to Major Incident (Lessons Learned from the Sandusky Scandal) (237155315)

7/27/2019 IT Security Response to Major Incident (Lessons Learned from the Sandusky Scandal) (237155315)

http://slidepdf.com/reader/full/it-security-response-to-major-incident-lessons-learned-from-the-sandusky-scandal 1/14

IT Security Response to a Major Incident

Lessons Learned from the Sandusky Investigation

May 8, 2014

Page 2

Introduction – John Corro

> The Pennsylvania State University

> ITS – Security Operations & Services

> IT Security since '96, Forensics since '98

Page 3

Penn State – We are…

> A single university, widely distributed

> IT Infrastructure is distributed and complex

> Central services provide core services

> Units handle “unit-specific services”

Page 4

ITS - Security Operations and Services

> SOS is a team of 24 people

> IT Security for the entire university

> Forensics & E-discovery Team

> Tools – EnCase, Cellebrite, Tableau

Page 5

A Significant Investigation

> What do I mean by "Significant"?

> A noticeable or measurable effect

> Boss is in the hospital

> Administration is under investigation

> You do your job.

Page 6

A Significant Investigation

> Two bits of advice

> This is a marathon, not a sprint.

> CIO (Kevin Morooney)

> Just do the right thing.

> CISO (Kathleen Kimball)

Page 7

A Significant Investigation

> Six months of data collection for multiple investigations

> Stages: Initial and On-going

> Chain of Custody is as important as data
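The slide states the principle but not a mechanism. The following is an added example (not from the talk or from Penn State's tooling) of the minimal chain-of-custody record a forensics team keeps alongside collected data: every hand-off is logged with who, when, what action, and a SHA-256 of the item, and any later examination re-hashes the item and checks it against the log. The JSON-lines layout, the field names, the custodian names, and the sample "mailbox-export.pst" file are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large image need not fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def record_custody(log_path, evidence_path, custodian, action, note=""):
    """Append one custody event (who, what, when, hash) to a JSON-lines log
    (assumed format) and return the record written."""
    rec = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "custodian": custodian,
        "action": action,  # e.g. acquired, transferred, examined
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(rec) + "\n")
    return rec


def read_log(log_path):
    """Load all custody records from the JSON-lines log."""
    with open(log_path, encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def verify_integrity(log_path, evidence_path):
    """Re-hash the evidence and compare it with every logged hash for that item.
    Returns (ok, expected_hash, current_hash); ok is False when the item was never
    logged, when logged hashes already disagree, or when the current hash differs."""
    name = os.path.basename(evidence_path)
    logged = {r["sha256"] for r in read_log(log_path) if r["evidence"] == name}
    current = sha256_file(evidence_path)
    if len(logged) != 1:
        return False, None, current
    expected = logged.pop()
    return expected == current, expected, current


def demo():
    """Constructed walk-through: acquire a sample item, transfer it, then show that
    an unlogged modification is detected. Returns (ok_after_transfer, ok_after_change)."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "mailbox-export.pst")  # constructed sample file
        log = os.path.join(d, "custody.jsonl")
        with open(evidence, "wb") as f:
            f.write(b"constructed sample evidence bytes\n")
        record_custody(log, evidence, "analyst A", "acquired", "imaged from unit mail server")
        record_custody(log, evidence, "analyst B", "transferred", "received from analyst A")
        ok_transfer, _, _ = verify_integrity(log, evidence)
        with open(evidence, "ab") as f:  # simulate a change nobody logged
            f.write(b"x")
        ok_change, _, _ = verify_integrity(log, evidence)
        return ok_transfer, ok_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hash is recomputed at each hand-off rather than copied from the previous record, so a custodian signs for the bytes they actually received; the log is append-only and the hash set is checked for consistency, so a divergence between two custodians' entries is itself reported as a failure rather than silently resolved.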

Page 8

A Significant Investigation

> 2.5 years later

> We are still responding to requests

> Subpoena, deposition,

> "Marathon, not a sprint"

Page 9

A Significant Investigation

> What did I learn?

> Business Continuity Plan for investigations

> Get one. Test it.

> Example: Game Films

Page 10

Communication is the Key: Language

> Legal Language

> 18 U.S.C. § 1657: US Code – Section 1657: Corruption of seamen and confederating with pirates

> "Whoever attempts to corrupt any commander, master, officer, or mariner to yield up or to run away with any vessel, or any goods, wares, or merchandise, or to turn pirate or to go over to or confederate with pirates, or in any wise to trade with any pirate, knowing him to be such; or Whoever furnishes such pirate with any ammunition, stores, or provisions of any kind; or Whoever fits out any vessel knowingly and, with a design to trade with, supply, or correspond with any pirate or robber upon the seas; or Whoever consults, combines, confederates, or corresponds with any pirate or robber upon the seas, knowing him to be guilty of any piracy or robbery; or Whoever, being a seaman, confines the master of any vessel – Shall be fined under this title or imprisoned not more than three years, or both."

> See more at: http://codes.lp.findlaw.com/uscode/18/I/81/1657

> Technical Language:

> bit, byte, kilobyte, megabyte, gigabyte, …

Page 11

Good Communications

> Be very clear in your communication

> Investigators do not understand

> Do not forget pronunciation!

> Terror-byte versus terabyte

Page 12

Be Careful What They Ask For

> Investigators wanted a copy of all emails

> Did I mention big? Distributed?

> If they do not know what they want

> Help them…

Page 13

Ask for Help

> Borrow, rent, hire external help

> Have in place before the investigation

> PA Attorney General lent us equipment

> Reclamere – extra forensic muscle

Page 14

Summary

> Clear communications

> Maintain relationships

> Trust the people – delegate

> Moment of Zen – let go of attachments

> There is no winning, just survival.
