Management of Information Security CYBR 3300 - Chapter 10 Planning for Contingencies

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Predefining incident responses

What enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort

crisis management team

Who is responsible for managing the event from an enterprise perspective and performs the following roles: •Supporting personnel and their loved ones during the crisis •Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise •Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

A senior IT or Infosec manager working closely with the CSIRT and DR team leads

Who makes the reclassification from incident to disaster?

contingency planning (CP)

*The overall process of preparing for unexpected adverse events.* The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis. *Business Impact Analysis *Incident Response Plan *Disaster Recovery Plan *Business Continuity Plan

The elements required to begin the CP process are

1. A planning methodology 2. A policy environment to enable the planning process 3. An understanding of the causes and effects of core precursor activities (the BIA) 4. Access to financial and other resources, as outlined in the planning budget

Five stages of CSF

1. Identify--relates to RM and governance 2. Protect--Relates to implementation of effective sec controls 3. Detect--Identification of adverse events 4. Respond--Reacting to an incident 5. Recover--Putting things as they were before

electronic vaulting

A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.

database shadowing

A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations

service bureau

A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.

mutual agreement

A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.

rolling mobile site

A continuity strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer

digital malfeasance

A crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.

Alert Message

A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process

after-action review

A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.

Alert Roster

A document that contains contact information for people to be notified in the event of an incident

warm site

A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications Warm sites are used for BC operations

cold site

A facility that provides only rudimentary services, with no computer hardware or peripherals Used for BC operations

talk-through

A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization

continuous process improvement (CPI)

A formal implementation of the "iteration results in improvement" methodology is a process known as •Each time the plan is rehearsed it should be improved •Constant evaluation and improvement leads to an improved outcome

hot site

A fully configured facility that includes all services, communications links, and physical plant operations Used for BC operation

business process

A task performed by an organization or one of its units in support of the organization's overall mission AKA Mission/business process

evidentiary material (EM)

Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect.

computer security incident response team (CSIRT)

An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident. The CSIRT may include members of the IRPT.

incident

An adverse event that could result in a loss of information assets, but does not threaten the viability of the entire organization When an adverse event begins to manifest as a real threat to information, it becomes

adverse event

An event with negative consequences that could threaten the organization's information assets or operations When those events represent the potential for loss, AKA incident candidate

business impact analysis (BIA)

An investigation and assessment of the various adverse events that can affect the organization conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities. The first major component of the CP process Scope, Plan, Balance, Objective, Follow-Up Crucial foundation for the initial planning stages serves as an investigation and assessment of the impact that various adverse events can have on the organization

crisis management (CM)

An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster

BC policy

BCP begins with the development of the Reflects the organization's philosophy on the conduct of BC operations Serves as the guiding document for the development of the BCP

Flexibility

CPMT should incorporate a degree of what into the plan?

incident response procedures (IR procedures)

Detailed, step-by-step methods of preparing,detecting, reacting to, and recovering from an incident

slow-onset disasters

Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects. Examples include droughts, famines, environmental degradation, desertification, deforestation, and pest infestation

possible probable definite

Donald Pipkin has identified three categories of incident indicators

Preservation of human life

During a disaster response, the first priority is always the what?

DR Plan

Focuses on restoring operations at the primary site

IR plan

Focuses on the immediate response to an incident

•the organization is unable to contain or control the impact of an incident the level of damage or destruction from an incident is so severe the organization is unable to quickly recover

In general, an incident is a disaster when

set of policies, procedures, technologies, people, and data put in place to prevent, detect, react to, and recover from an incident that could potentially damage the organization's information

In other, more formal implementations, the CSIRT is a

•stopping the incident •recovering control of the affected systems

Incident containment strategies focus on two tasks

3-2-1 rule

Industry recommendation for data backup three copies of important data on at least two different media, with at least one copy stored off-site, and daily on-site backups

improvement

Iteration results in

•Clear delegation of roles and responsibilities •Execution of the alert roster and notification of key personnel •Clear establishment of priorities •Documentation of the disaster •Action steps to mitigate the impact •Alternative implementations for the various systems components

Key elements in the DR plan

•Purpose •Scope •Roles and responsibilities •Resource requirements •Training requirements •Exercise and testing schedules •Plan maintenance schedule •Special considerations

Key elements of the DR policy

Simple DR plan

Means of collecting the info needed to construct a functional DR plan Nine major sections

1.Form the BC Team 2.Develop the BC planning policy statement 3.Review the BIA 4.Identify preventive controls 5.Create relocation strategies 6.Develop the BC plan 7.Ensure BC plan testing, training and exercises 8.Ensure BC plan Maintenance

NIST SP 800-34, Rev. 1 methodology can also be adapted to BC

Recovery process

Once the extent of the damage has been determined, this begins

incident recovery phase

Once the incident has been contained, and system control regained, what can begin? the first task is to inform the appropriate human resources •Almost simultaneously, the CSIRT must assess the full extent of the damage so as to determine what must be done to restore the systems

•After the incident

One of the sets of incident-handling procedures After drafting the procedures, planners develop and document the procedures that must be performed after the incident has ceased

•Before the incident

One of the sets of incident-handling procedures Planners draft third set of procedures; those tasks to be performed to prepare for the incident - data backup schedules - DR prep - training schedules - testing plans - copies of service agreements - BC plans, if any -- just additional material on a service bureau

•During the incident

One of the sets of incident-handling procedures The planners develop and document the procedures that must be performed during the incident Procedures are grouped and assigned to individuals

detailed understanding of the information systems and the threats they face

Planning for an incident and the responses to it requires a

BIA

Preparatory activity common to both CP and risk management Helps orgs determine which business functions and info systems are the most critical to the success of the organization Provides the data used to develop the IR plan

incident candidate

See adverse event

affidavit

Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place. The facts, the items, and the place must be specified in this document

structured walk-through

The CP testing strategy in which all involved individuals walk through and discuss the steps they would take during an actual CP event, either as an actual on- site walk- through or as more of a conference room talk- through

full-interruption testing

The CP testing strategy in which the all team members follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.

simulation

The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts

the participation and cooperation of individuals throughout the organization

The CSIRT's success depends on

disaster recovery planning (DRP)

The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams

business resumption planning (BRP)

The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.

business continuity planning (BCP)

The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams

crisis management planning (CMP)

The actions taken by senior management to develop and implement the CM policy, plan, and response teams.

work recovery time (WRT)

The amount of effort (expressed as elapsed time) that is necessary to get the business function operational after the technology element is recovered as identified with RTO typically involves the addition of nontechnical tasks required for the organization to make the info asset usable again for its intended function can be added to the RTO to determine the realistic amount of time elapsed required before a business function is back in useful service

remote journaling

The backup of data to an off-site facility in close to real time based on transactions as they occur.

forensics

The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine what happened by examining the results of an event—criminal, natural, intentional, or accidental

cost

The determining factor in choosing from several strategies in CP and BC planning is

policy; planning

The first step in all contingency efforts is the development of ______ The next step is ________

contingency planning management team (CPMT)

The group of senior managers and project members organized to conduct and lead all CP efforts.

incident detection

The identification and classification of an adverse event as an incident, accompanied by the CSIRT's notification and the implementation of the IR reaction phase.

e-discovery

The identification and preservation of evidentiary material related to a specific legal action.

incident damage assessment

The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets Can take weeks or days Search system logs, intrusion detection logs, configuration logs, and other documents Using this info, the CSIRT can assess the curent state of the information and systems and compares it to a known state Those who document the damage must be trained to collect and preserve evidence

•Identify the vulnerabilities that allowed the incident to occur and spread and resolve them •Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place and install, replace or upgrade them •Evaluate monitoring capabilities (if present) •Restore the data from backups as needed •Restore the services and processes in use •Continuously monitor the system •Restore the confidence of the communities of interest

The incident recovery process includes

crisis management planning team (CMPT)

The individuals from various functional areas of the organization assigned to develop and implement the CM plan

CPMT

The initial assignments to the FR team, including the team lead, will likely be performed by which team?

recovery time objective (RTO)

The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the MTD. important for selecting appropriate techs that are best suited for meeting the MTD reducing this requires mechanisms to shorten the startup time or provisiont o make data available online at a failover site

Traditional data backups

The organization can use a combo of on-site and off-site tape-dirve and backup methods Recent data is potentially lost Most common: random array of independent disks (RAID) or disk-to-disk-to-tape methods

apprehend and prosecute

The organizational CP philosophy that focuses on an attacker's identification and prosecution, the defense of information assets, and preventing reoccurrence. Also known as "pursue and prosecute."

protect and forget

The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution. Also known as "patch and proceed."

the CIO Head of InfoSec Local infosec officer other IR teams system owners

The parties most commonly notified for an incident report are

disaster classification

The process of examining an adverse event or incident and determining whether it constitutes an actual disaster.

business continuity planning team (BCPT)

The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location

Scenario development and impact analysis

To plan for disasters, the CPMT engages in What two things are used to categorize the level of threat of each potential disaster?

•Natural disasters •Man-made disasters (most incidents)

Two classifications of disasters

weighted analysis table

can be useful in evaluating business functions and resolving the issue of what business functions are most critical CPMT can use this by first identifying crucial characteristics of each business function--the criteria The team then allocates relative weights to each criteria

The identification of critical business functions and the resources to support them

cornerstone of the BC plan

BIA questionnaire

instrument used to collect relevant business impact information for the required analysis

Shorter RTO means what kind of solutions?

more expensive to design and use require fully redundant alternative processing sites

BC plan

occurs concurrently with the DR plan if operations at the primary site cannot be quickly restored Enables the business to continue at an alternate site, until the org is able to resume operations at its primary site or select a new primary location

The essential task of IR

stop the incident and contain its scope or impact

The BIA begins with

the prioritized list of threats and vulnerabilities identified in the risk management process enhances the list by adding the information needed to respond to the adversity

•Mission •Strategies and goals •Senior management approval •Organizational approach to incident response •How the incident response team will communicate •Metrics for measuring incident response capability and effectiveness •Roadmap for maturing incident response capability •How the program fits into the overall organization

•According to NIST SP 800-61, Rev. 2, the IR plan includes:

•Probable Indicators

•Activities at unexpected times •Presence of new accounts •Reported attacks •Notification from IDS

a loose or informal association of IT and InfoSec staffers who would be called up if an attack was detected on the organization's information assets

•In some organizations, the CSIRT may simply be

1.Detection 2.Reaction 3.Recovery

•Incident response actions can be organized into three basic phases:

reactive

•It is important to understand that IR is a _____ measure, not a preventative one, although most IR plans include preventative recommendations

Definite Indicators

•Use of dormant accounts •Changes to logs •Presence of hacker tools •Notifications by partner or peer •Notification by hacker

Protect and forget Apprehend and prosecute

•one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement

rapid-onset disasters

Disasters that occur suddenly, with little warning, taking people's lives and destroying the means of production. Examples include earthquakes, floods, storm winds, tornadoes, and mud flows.

1. Personal emergency info - who to notify - medical conditions - form of ID 2. Instruction on what to do in case of an emergency - snapshot of DR plan - hotline number - emergency services number - evacuation locations - name and number of DR coordinator - any other needed info

Each employee should have what two types of emergency info cards in his or her possession at all times?

Digital Forensics

Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science

Reaction phase

Once an actual incident has been confirmed and properly classified, the IR plan moves from the detection phase to the in this phase, a number of action steps taken by the CSIRT and others must occur quickly and may occur concurrently Other key personnel must be notified of the incident (general mgt) - members of legal, comms, and HR

cross-training

One often-neglected aspect of training is this In some cass, alternate people must perform the duties of personnel who have been incapacitated The testing process should train people to take over in the event that a team leader of integral member is unavailable

search warrant

Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination. An affidavit becomes a search warrant when signed by an approving authority

general business management IT community InfoSec community

Planning for an unexpected adverse event usually involves managers from They collectively analyze and assess the entire technological infrastructure of the organization using the mission statement and currently organization objs to drive their planning activities

NIST SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems

Professional practice in the area of contingency planning continues to revolve as reflected in the "It is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency Planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption"

desk check

The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster, with each individual reviewing the plan and creating a list of correct and incorrect components.

incident response planning (IRP)

The actions taken by senior management to specify the organization's processes and procedures to anticipate, detect, and mitigate the effects of an incident is the preparation IR is performed by the IRP team (IRPT)

crisis management plan (CM plan)

The document product of crisis management planning; a plan that shows an organization's intended efforts to protect its personnel and respond to safety threats

business continuity plan (BC plan):

The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible.

disaster recovery plan (DR plan)

The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster.

incident response plan (IR plan)

The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident. usually activated when the organization detects an incident that affects it, regardless of how minor the effect is

recovery point objective (RPO)

The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data. Not considered part of MTD Factor of how much data loss the process can tolerate Reducing this requires mechanisms to increase the syncing of data replication

incident response policy (IR policy)

The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams. NIST 800-61 Rev 2

business continuity policy (BC policy)

The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams

crisis management policy (CM policy)

The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams.

disaster recovery policy (DR policy)

The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.

evidentiary material policy (EM policy)

The policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.

incident classification

The process of examining an incident candidate and determining whether it constitutes an actual incident.

Provide direction and guidance for all DR operation

The purpose of the DR program is to what?

the CISO, or an IT manager with security responsibilities

The responsibility for creating an organization's IR plan usually falls to Should select members from each CoI to form an independent IR team which executes the IR plan

disaster recovery planning team (DRPT)

The team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recover from disaster, including reestablishment of business operations at the primary site after the disaster

incident response planning team (IRPT)

The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents

maximum tolerable downtime (MTD)

The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption includes all impact considerations.

•Remote journaling

Transfer live transactions to an offsite facility Transfer takes place online and is much closer to real time Only transactions are transferred, not archived data Involves online activities on a systems level where data is written to two locations simultaneously

Analyze the incident data Determine the impact of the incident Act appropriately to limit the damage to the organization Restore normal services

What do the incident handlers do?

people

When generating a DR scenario, start with the most important asset

defining how to reestablish operations at the location where the organization is usually located (primary site) Prepare to reestablish operations at the organization's primary location after a disaster or to establish operations at a new location if the primary site is no longer viable

key role of a DR Plan

Contingency Planning Policies

provide guidance on the structure of the subordinate teams and the philosophy of the organization,

•During the incident •After the incident •Before the incident

•For every incident scenario, the CP team creates three sets of incident-handling procedures:

•When undertaking the BIA, the organization should consider:

•Scope - which business units to cover - which systems to include - nature of risk being evaluated •Plan - assure proper data is collected •Balance - weigh the info available - facts vs. opinions •Objective - identify decision-making requirements - structure BIA to bring needed info •Follow-up - communicate to ensure support

•It is directed against information assets •It has a realistic chance of success •It threatens the confidentiality, integrity, or availability of information resources and assets

•When a threat becomes a valid adverse event, it is classified as an InfoSec incident if what three things are true?

timeshare

A continuity strategy in which an organization co-leases facilities with a business partner or sister organization A timeshare allows the organization to have a BC option while reducing its overall costs

•Appoint a clear chain of command with a specified individual in charge •Establish a central operations center •"Know their enemy" •Develop a comprehensive IR plan with containment strategies •Record IR activities at all phases •Document the events as they occur in a timeline •Distinguish incident containment from incident remediation (as part of reaction) •Secure and monitor networks and network devices •Establish and manage system and network logging •Establish and support effective anti-virus and antimalware solutions"

According to McAfee, CSIRTS commonly fail to

business continuity

An organization's set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site. The organization temporarily establishes critical operations at an alternate site until it can resume operations at the primary site or select and occupy a new primary site.

disaster recovery (DR)

An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster

incident response (IR)

An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident Most organizations have experience detecting, reacting to, and recovering from attacks, employee errors, service outages, and small-scale natural disasters, and are thus performing this What must be carefully planned and coordinated because organizations heavily depend on the quick and efficient containment and resolution of incidents?

•Verifying personnel status •Activating the alert roster Coordinating with emergency services

CMPT three primary responsibilities

•Business impact analysis (BIA) •Incident response plan (IR plan) •Disaster recovery plan (DR plan) •Business continuity plan (BC plan)

CP consists of four major components

CP policy

CPMT must receive guidance from executive management through this Defines the scope of the CP operations and establishes managerial intent Stipulates the responsibility for the development and operations of the CPMT in general May provide specifics on the constituencies of all CP-related teams

•Recover information assets that are salvageable from the primary facility after the disaster •Purchase or otherwise acquire replacement information assets from appropriate sources •Reestablish functional information assets at the primary site if possible or at a new primary site, if necessary

DRPT and DRRT responsibilities

effective backup strategies flexible hardware configurations

Data recovery requires what two things?


Kaugnay na mga set ng pag-aaral

Beyond basic Java -- Java Implementations/Servlets/JSPs/JDBC/JavaDocs

View Set

Ch 29 Management of Patients with Nonmalignant Hematologic Disorders

View Set

Psych Nursing Anxiety Disorders PrepU

View Set

Unit 3: Boolean Expression and if Statements Quizzes

View Set

Contracts - GA Salesperson Exam Prep Edge: National & State Portions

View Set

Section 5.1 Pure Substances and MIxtures

View Set

Psych Videbeck Chapter 20: Eating Disorders

View Set