7/29/2019 Planning for Continuity in Information security
Planning for Continuity
Chapter 7
Principles of Information Security - Chapter 7 Slide 2

Continuity Strategy
- Managers must provide strategic planning to assure continuous information systems availability, with plans ready to use when an attack occurs
- Plans for events of this type are referred to in a number of ways:
  - Business Continuity Plans (BCPs)
  - Disaster Recovery Plans (DRPs)
  - Incident Response Plans (IRPs)
  - Contingency Plans
- Large organizations may have many types of plans, small organizations may have one simple plan, but most have inadequate planning

Contingency Planning
- Contingency Planning (CP) comprises:
  - Incident Response Planning (IRP)
  - Disaster Recovery Planning (DRP)
  - Business Continuity Planning (BCP)
- The primary functions of these three planning types:
  - IRP focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP
  - DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP
  - BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources

Contingency Planning Team
- Before any planning can begin, a team has to plan the effort and prepare the resulting documents
- Champion - A high-level manager to support, promote, and endorse the findings of the project
- Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
- Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
Figure 7-2 Contingency Plans
Figure 7-3 Contingency Timeline
Figure 7-4 Major Steps in Contingency Planning

Business Impact Analysis
- Begin with Business Impact Analysis (BIA): if the attack succeeds, what do we do then?
- The CP team conducts the BIA in the following stages:
  1. Threat attack identification
  2. Business unit analysis
  3. Attack success scenarios
  4. Potential damage assessment
  5. Subordinate plan classification

Threat Attack Identification and Prioritization
- Update the threat list with the latest developments and add the attack profile
- The attack profile is the detailed description of the activities that take place during an attack
- It must be developed for every serious threat the organization faces
- It is used to determine the extent of damage that could result to a business unit if the attack were successful
Table 7-1 Attack Profile

Business Unit Analysis
- The second major task within the BIA is the analysis and prioritization of business functions within the organization
- Identify the functional areas of the organization and prioritize them as to which are most vital
- Focus on a prioritized list of the various functions the organization performs

Attack Success Scenario Development
- Next, create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:
  - details on the method of attack
  - the indicators of attack
  - the broad consequences
- Attack success scenario details are added to the attack profile, including:
  - Best case
  - Worst case
  - Most likely alternate outcomes

Potential Damage Assessment
- From the attack success scenarios developed, the BIA planning team must estimate the cost of the best, worst, and most likely cases
- Costs include the actions of the response team
- This final result is referred to as an attack scenario end case

Subordinate Plan Classification
- Once potential damage has been assessed, a subordinate plan must be developed or identified
- Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario
- An attack scenario end case is categorized as disastrous or not
- The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack

Incident Response Planning
- Incident response planning covers the identification of, classification of, and response to an incident
- An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
- Attacks are only classified as incidents if they have the following characteristics:
  - Are directed against information assets
  - Have a realistic chance of success
  - Could threaten the confidentiality, integrity, or availability of information resources
- IR is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident

Incident Planning
- The pre-defined responses enable the organization to react quickly and effectively to the detected incident
- This assumes two things:
  - first, the organization has an IR team
  - second, the organization can detect the incident
- The IR team consists of those individuals needed to handle the systems as the incident takes place
- The military process of planned team responses can be used in an incident response
- The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident
- These plans must be properly organized and stored

Incident Response Plan Format and Content
- The plan must be organized to support quick and easy access to the information needed
- Storage
  - The plan should be protected as sensitive information
  - On the other hand, the organization needs this information readily available
- Testing
  - An untested plan is not a useful plan. The levels of testing strategies can vary:
    - Checklist
    - Structured walk-through
    - Simulation
    - Parallel
    - Full-interruption

Incident Detection
- The most common occurrence is a complaint about technology support, often delivered to the help desk
- Possible sources of detection:
  - intrusion detection systems, both host-based and network-based
  - virus detection software
  - systems administrators
  - end users
- Only through careful training can the organization hope to quickly identify and classify an incident
- Once an attack is properly identified, the organization can respond

Incident Indicators
- Possible indicators of incidents:
  - Presence of unfamiliar files
  - Unknown programs or processes
  - Unusual consumption of computing resources
  - Unusual system crashes
- Probable indicators of incidents:
  - Activities at unexpected times
  - Presence of new accounts
  - Reported attacks
  - Notification from IDS
- Definite indicators of incidents:
  - Use of dormant accounts
  - Changes to logs
  - Presence of hacker tools
  - Notifications by partner or peer
  - Notification by hacker
- Predefined situations that signal an automatic incident:
  - Loss of availability
  - Loss of integrity
  - Loss of confidentiality
  - Violation of policy
  - Violation of law
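The indicator tiers above can be turned into detection logic. The following is an added example, not code from the textbook or the slide deck: it runs a few constructed authentication log lines through checks for three of the listed indicators (a new account, activity at an unexpected time, use of a dormant account) and reports the strongest tier seen. The log line format, the 90-day dormancy threshold, the 07:00-19:00 business window and the account inventory are all assumptions chosen for the example.

```python
"""Indicator triage over constructed authentication log lines.

Added example, not from the textbook chapter: it turns the slide's
possible / probable / definite indicator tiers into a small classifier
that runs over a handful of constructed log lines. The log format, the
90-day dormancy threshold and the 07:00-19:00 business window are
assumptions chosen for the example, not values from the chapter.
"""
from datetime import datetime, timedelta

# Confidence tiers from the slide, ordered so max() picks the strongest.
TIERS = {"possible": 1, "probable": 2, "definite": 3}

# Constructed inventory: account -> last recorded login before this log window.
LAST_LOGIN = {
    "alice": datetime(2019, 7, 28, 9, 15),
    "backup_svc": datetime(2019, 3, 1, 2, 0),   # idle for months: a dormant account
}

DORMANT_AFTER = timedelta(days=90)   # assumption: no login for 90 days means dormant
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 is expected activity

# Constructed sample log lines: ISO timestamp, event, account.
SAMPLE_LOG = """\
2019-07-29T08:02:11 LOGIN alice
2019-07-29T03:41:55 LOGIN alice
2019-07-29T10:12:03 USERADD tmpadmin
2019-07-29T10:13:40 LOGIN backup_svc
"""

def parse_line(line):
    """Split one log line into (timestamp, event, account)."""
    ts, event, account = line.split()
    return datetime.fromisoformat(ts), event, account

def indicators_for(ts, event, account, last_login):
    """Return (tier, reason) tuples raised by the slide's indicator lists."""
    found = []
    if event == "USERADD":
        # "Presence of new accounts" is a probable indicator.
        found.append(("probable", f"new account created: {account}"))
    if event == "LOGIN":
        seen = last_login.get(account)
        if seen is not None and ts - seen > DORMANT_AFTER:
            # "Use of dormant accounts" is a definite indicator.
            found.append(("definite", f"dormant account used: {account}"))
        if ts.hour not in BUSINESS_HOURS:
            # "Activities at unexpected times" is a probable indicator.
            found.append(("probable", f"activity at unexpected time: {account} at {ts:%H:%M}"))
    return found

def triage(log_text, last_login=LAST_LOGIN):
    """Classify a log window; returns (strongest tier or None, list of findings)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        findings.extend(indicators_for(*parse_line(line), last_login))
    if not findings:
        return None, findings
    strongest = max(findings, key=lambda f: TIERS[f[0]])[0]
    return strongest, findings

if __name__ == "__main__":
    tier, hits = triage(SAMPLE_LOG)
    print("strongest indicator tier:", tier)   # definite
    for t, why in hits:
        print(f"  [{t}] {why}")
```

The classifier only escalates the tier; it does not decide that an incident has occurred, which the slide leaves to the organization's own predefined situations. A real deployment would read the inventory of last logins from the identity system rather than a constant.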

Incident or Disaster
- When does an incident become a disaster?
  - the organization is unable to mitigate the impact of an incident during the incident
  - the level of damage or destruction is so severe the organization is unable to quickly recover
- It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response

Incident Reaction
- Incident reaction consists of actions that guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident
- In reacting to the incident there are a number of actions that must occur quickly, including:
  - notification of key personnel
  - assignment of tasks
  - documentation of the incident

Notification of Key Personnel
- Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident
- Two ways to activate an alert roster:
  - A sequential roster is activated as a contact person calls each and every person on the roster
  - A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on
- The alert message is a scripted description of the incident, just enough information so that everyone knows what part of the IRP to implement
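The two activation schemes differ mainly in how long it takes to reach the last person. The following is an added example, not code from the textbook: it models both schemes on a constructed roster and counts the rounds of calls each needs, treating one call as one round and letting every person reached in a hierarchical round place their own calls in the next. The roster names, the fan-out of three and the one-call-per-round assumption are choices made for the example.

```python
"""Alert roster activation: sequential versus hierarchical.

Added example, not from the chapter: it models the two activation
schemes the slide describes and reports how many rounds of calls each
needs before everyone on the roster has been reached. One round is the
time for one call; in the hierarchical scheme every person reached in a
round places their own calls in the next round. Roster names, the
fan-out of 3 and the one-call-per-round assumption are constructed.
"""
from collections import deque

# Constructed roster of 13 people to notify (names are placeholders).
ROSTER = [f"member{i:02d}" for i in range(1, 14)]

def sequential_activation(initiator, roster):
    """One contact person calls each and every person on the roster in turn."""
    return [(round_no, initiator, member)
            for round_no, member in enumerate(roster, start=1)]

def hierarchical_activation(initiator, roster, fan_out=3):
    """The initiator calls fan_out people; each of them calls fan_out more, and so on."""
    if fan_out < 1:
        raise ValueError("fan_out must be at least 1")
    calls = []
    pending = deque(roster)   # people not yet notified, in roster order
    callers = [initiator]     # people placing calls in the current round
    round_no = 0
    while pending:
        round_no += 1
        reached_this_round = []
        for caller in callers:
            for _ in range(fan_out):
                if not pending:
                    break
                callee = pending.popleft()
                calls.append((round_no, caller, callee))
                reached_this_round.append(callee)
        callers = reached_this_round   # each person calls once, then hands off
    return calls

def rounds_needed(calls):
    """Number of call rounds until the last person is reached."""
    return max((round_no for round_no, _, _ in calls), default=0)

def everyone_reached(calls, roster):
    """True when every roster member appears exactly once as a callee."""
    callees = [callee for _, _, callee in calls]
    return sorted(callees) == sorted(roster)

if __name__ == "__main__":
    seq = sequential_activation("ir-lead", ROSTER)
    hier = hierarchical_activation("ir-lead", ROSTER, fan_out=3)
    print("sequential rounds:", rounds_needed(seq))     # 13
    print("hierarchical rounds:", rounds_needed(hier))  # 3
    for round_no, caller, callee in hier:
        print(f"  round {round_no}: {caller} -> {callee}")
```

The sequential scheme needs one round per person, the hierarchical one grows roughly with the logarithm of the roster size, which is why the latter is preferred once a roster is more than a handful of people. The price is that a single unreachable person in an early round silences everyone below them, so a real roster needs a fallback path for each caller.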

Documenting an Incident
- Documenting the event is important:
  - First, it is important to ensure that the event is recorded for the organization's records, to know what happened, how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the event
  - Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident
  - Finally, the recorded incident can also be used as a simulation in future training sessions

Incident Containment Strategies
- Before an incident can be contained, the affected areas of the information and information systems must be determined
- The organization can stop the incident and attempt to recover control through a number of strategies, including:
  - severing the affected circuits
  - disabling accounts
  - reconfiguring a firewall
- The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization

Incident Recovery
- Once the incident has been contained, and control of the systems regained, the next stage is recovery
- The first task is to identify the human resources needed and launch them into action
- The full extent of the damage must be assessed
- The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems

Damage Assessment
- There are several sources of information, including:
  - system logs
  - intrusion detection logs
  - configuration logs and documents
  - documentation from the incident response
  - results of a detailed assessment of systems and data storage
- Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings
- Individuals assessing damage need special training
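Keeping evidence acceptable in formal proceedings means being able to show that what is presented is what was collected. The following is an added example, not code from the textbook: it gathers constructed stand-ins for the log and configuration sources listed above into a manifest that records a SHA-256 hash, the size and a custody entry (who collected it, when) for each artefact, and later re-hashes the artefacts to detect any change. Artefact paths and contents, the collector identity and the incident identifier are constructed placeholders.

```python
"""Evidence manifest for damage assessment.

Added example, not from the chapter: it shows one way to collect the
system logs, IDS logs and configuration files the slide names so that
they can later be shown to be unaltered. Every artefact is hashed with
SHA-256 at collection time, a custody entry records who collected it and
when, and verify_manifest() re-hashes the artefacts to detect any change
since collection. Artefact paths and contents, the collector identity and
the incident identifier are all constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed artefacts standing in for system logs, IDS alerts and a config file.
ARTEFACTS = {
    "var/log/auth.log": b"2019-07-29T03:41:55 LOGIN alice\n2019-07-29T10:13:40 LOGIN backup_svc\n",
    "var/log/ids/alerts.log": b"2019-07-29T10:13:42 ALERT dormant-account-login backup_svc\n",
    "etc/firewall.conf": b"default deny\nallow tcp 443 from any\n",
}

def sha256_hex(data):
    """Hex digest of the artefact bytes; the value recorded in the manifest."""
    return hashlib.sha256(data).hexdigest()

def collect_evidence(artefacts, collector, incident_id, when=None):
    """Build a manifest with one entry per artefact: path, hash, size, custody trail."""
    when = when or datetime.now(timezone.utc)
    entries = []
    for path in sorted(artefacts):   # deterministic order keeps the manifest hash stable
        data = artefacts[path]
        entries.append({
            "path": path,
            "sha256": sha256_hex(data),
            "size": len(data),
            "custody": [{"who": collector, "when": when.isoformat(), "action": "collected"}],
        })
    manifest = {"incident": incident_id, "entries": entries}
    # Hash the entry list itself so later edits to the manifest are also detectable.
    manifest["manifest_sha256"] = sha256_hex(json.dumps(entries, sort_keys=True).encode())
    return manifest

def manifest_intact(manifest):
    """True if the entry list still matches the hash stored when it was created."""
    recomputed = sha256_hex(json.dumps(manifest["entries"], sort_keys=True).encode())
    return manifest["manifest_sha256"] == recomputed

def verify_manifest(manifest, artefacts):
    """Return the paths whose current content is missing or no longer matches the manifest."""
    tampered = []
    for entry in manifest["entries"]:
        current = artefacts.get(entry["path"])
        if current is None or sha256_hex(current) != entry["sha256"]:
            tampered.append(entry["path"])
    return tampered

if __name__ == "__main__":
    manifest = collect_evidence(ARTEFACTS, "analyst-1", "INC-0001")
    print(json.dumps(manifest, indent=2))
    print("all artefacts unchanged:", verify_manifest(manifest, ARTEFACTS) == [])
```

The manifest is only as trustworthy as its own storage: in practice the manifest hash would be signed or written to a medium the responders cannot alter, and each hand-off (to a forensic analyst, to legal counsel) appends another custody entry rather than rewriting the existing ones.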

Recovery
- In the recovery process:
  - Identify the vulnerabilities that allowed the incident to occur and spread, and resolve them
  - Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them
  - Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities
  - Restore the data from backups
  - Restore the services and processes in use
  - Continuously monitor the system
  - Restore the confidence of the members of the organization's communities of interest
  - Conduct an after-action review

Automated Response
- New systems can respond to incidents autonomously
- Trap and trace uses a combination of resources to detect an intrusion and then trace it back to its source
- Trapping may involve honeypots or honeynets
- Entrapment is luring an individual into committing a crime to get a conviction
- Enticement is legal and ethical, while entrapment is not

Disaster Recovery Planning
- Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
- The contingency planning team must decide which actions constitute disasters and which constitute incidents
- When situations are classified as disasters, plans change as to how to respond - take action to secure the most valuable assets to preserve value for the longer term, even at the risk of more disruption
- DRP strives to reestablish operations at the primary site

DRP Steps
- There must be a clear establishment of priorities
- There must be a clear delegation of roles and responsibilities
- Someone must initiate the alert roster and notify key personnel
- Someone must be tasked with the documentation of the disaster
- If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization

Crisis Management
- Crisis management is actions taken during and after a disaster, focusing on the people involved and addressing the viability of the business
- The crisis management team is responsible for managing the event from an enterprise perspective and covers:
  - Supporting personnel and families during the crisis
  - Determining impact on normal business operations and, if necessary, making a disaster declaration
  - Keeping the public informed
  - Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

Disaster Recovery Planning
- Establish a command center to support communications
- Includes individuals from all functional areas of the organization to facilitate communications and cooperation
- Some key areas of crisis management include:
  - Verifying personnel head count
  - Checking the alert roster
  - Checking emergency information cards

DRP Structure
- Similar to the IRP, the DRP is organized by disaster, and provides procedures to execute during and after a disaster
- Provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified
- Just as the IRP must be tested, so must the DRP, using the same testing mechanisms
- Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters

Business Continuity Planning
- Business continuity planning outlines the reestablishment of critical business operations during a disaster that impacts operations
- If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function

Continuity Strategies
- There are a number of strategies for planning for business continuity
- The determining factor in selection between these options is usually cost
- In general there are three exclusive options:
  - hot sites
  - warm sites
  - cold sites
- And three shared functions:
  - timeshare
  - service bureaus
  - mutual agreements

Off-Site Disaster Data Storage
- To get these types of sites up and running quickly, the organization must have the ability to port data into the new site's systems
- These include:
  - Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
  - Remote journaling - The transfer of live transactions to an off-site facility; only transactions are transferred, not archived data, and the transfer is real-time.
  - Database shadowing - Not only processing duplicate real-time data storage, but also duplicating the databases at the remote site to multiple servers.
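The practical difference between bulk vaulting and live journaling is how much committed work the off-site copy lacks at the moment the primary is lost. The following is an added example, not code from the textbook: a small simulation in which a primary site applies a constructed stream of account transactions, electronic vaulting ships a bulk copy of the whole data set every few commits, and remote journaling ships each transaction as it is committed. The transaction stream, the vault interval and the failure point are constructed values chosen for the example.

```python
"""Recovery-point comparison of electronic vaulting and remote journaling.

Added example, not from the chapter: a small simulation of two of the
off-site storage mechanisms the slide describes. The primary site applies
a stream of constructed account transactions; electronic vaulting ships a
bulk copy of the whole data set every VAULT_INTERVAL commits, while remote
journaling ships each transaction as it is committed. When the primary is
lost mid-stream, simulate() reports how many committed transactions each
off-site copy lacks. The transactions, the interval and the failure point
are constructed values chosen for the example.
"""

VAULT_INTERVAL = 5   # assumption: one bulk vault transfer per 5 commits

# Constructed transaction stream: (account, change in balance).
TRANSACTIONS = [
    ("acct-A", 100), ("acct-B", 50), ("acct-A", -30), ("acct-C", 75),
    ("acct-B", 20), ("acct-A", 10), ("acct-C", -25), ("acct-B", -5),
    ("acct-A", 40), ("acct-C", 15), ("acct-B", 30), ("acct-A", -60),
]

def apply(state, txn):
    """Apply one transaction to a balances dict in place."""
    account, delta = txn
    state[account] = state.get(account, 0) + delta

def simulate(transactions, fail_after, vault_interval=VAULT_INTERVAL):
    """Run the primary until it fails after `fail_after` commits; compare the copies."""
    primary, vault_copy, journal_copy = {}, {}, {}
    journal = []          # transactions received at the remote site
    committed = 0
    vaulted_at = 0        # commit count captured by the last bulk transfer
    for txn in transactions[:fail_after]:
        apply(primary, txn)
        committed += 1
        # Remote journaling: only the transaction travels, and it travels now.
        journal.append(txn)
        apply(journal_copy, txn)
        # Electronic vaulting: batch copy of the entire data set on a schedule.
        if committed % vault_interval == 0:
            vault_copy = dict(primary)
            vaulted_at = committed
    return {
        "committed": committed,
        "primary": primary,
        "vault_copy": vault_copy,
        "journal_copy": journal_copy,
        "vault_lag": committed - vaulted_at,      # commits lost if restoring from the vault
        "journal_lag": committed - len(journal),  # commits lost if replaying the journal
    }

if __name__ == "__main__":
    result = simulate(TRANSACTIONS, fail_after=8)
    print("committed before failure:", result["committed"])
    print("vault lag (transactions):", result["vault_lag"])      # 3
    print("journal lag (transactions):", result["journal_lag"])  # 0
```

Database shadowing, the third mechanism on the slide, would apply the same live stream to several remote servers at once; the model above already shows why a live stream keeps the recovery point at zero while a batch copy can be up to one interval behind.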

Model for IR/DR/BC Plan
- The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans
- The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations

The Planning Document
1. Establish responsibility for managing the document, typically the security administrator
2. Appoint a secretary to document the activities and results of the planning session(s)
3. Independent incident response and disaster recovery teams are formed, with a common planning committee
4. Outline the roles and responsibilities for each team member
5. Develop the alert roster and lists of critical agencies
6. Identify and prioritize threats to the organization's information and information systems

The Planning Process
There are six steps in the Contingency Planning process:
1. Identifying the mission- or business-critical functions
2. Identifying the resources that support the critical functions
3. Anticipating potential contingencies or disasters
4. Selecting contingency planning strategies
5. Implementing the contingency strategies
6. Testing and revising the strategy

Using the Plan
- During the incident
- After the incident
- Before the incident