Chapter 14
The RAID advisory board defines
RAID levels, numbered from 0 to 6, where each level corresponds to a specific type of fault tolerance.
Volume Shadow Copy Service (VSS)
In Windows, snapshots are provided for on NTFS volumes by the
Risk management You can think of this process as being performed over five phases:
1. Identify mission essential functions— 2. Identify vulnerabilities— 3. Identify threats— 4. Analyze business impacts— 5. Identify risk response—
If the sites are too close together
(within about 500km), they could both be affected by the same disaster. For example, the entire Southeastern United States is susceptible to hurricane season. To avoid a disaster resulting from a hurricane, an organization with a primary site in Florida may choose to keep a recovery site in a different part of the country.
In very general terms, the order of restoration will be as follows:
1. Enable and test power delivery systems (grid power, Power Distribution Units (PDUs), UPS, secondary generators, and so on). 2. Enable and test switch infrastructure, then routing appliances and systems. 3. Enable and test network security appliances (firewalls, IDS, proxies). 4. Enable and test critical network servers (DHCP, DNS, NTP, and directory services). 5. Enable and test backend and middleware (databases and business logic). Verify data integrity. 6. Enable and test front-end applications. 7. Enable client workstations and devices and client browser access.
Privacy Impact Assessment (PIA)
A detailed study to assess the risks associated with storing, processing, and disclosing PII. The study should identify vulnerabilities that may lead to data breach and evaluate controls mitigating those risks.
System of Records Notice (SORN)
A formal document listing PII maintained by a federal agency of the US government.
IMPACTS ON PROPERTY
Again, risks whose impacts affect property (premises) mostly arise due to natural disaster, war/terrorism, and fire.
New files and files modified since the last backup
All data modified since the last full backup
Full
All selected data regardless of when it was previously backed up. backup includes all files changed since the last full backup
Privacy Threshold Analysis (PTA)
An initial audit to determine whether a computer system or workflow collects, stores, or processes PII to a degree where a PIA must be performed. PTAs must be repeated every three years.
Availability 99.9999% 99.999% 99.99% 99.9% 99.0%
Annual Downtime (hh:mm:ss) 00:00:32 00:05:15 00:52:34 08:45:36 87:36:00
configuration validation
Another important process in automating resiliency strategies is to provide configuration validation. This process ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication, and application). An automation solution for incident and disaster recovery will have a dashboard of key indicators and may be able to evaluate metrics such as compliance with RPO and RTO from observed data.
IMPACTS ON PRIVACY
Another important source of risk is the unauthorized disclosure of personally identifiable information (PII). The theft or loss of PII can have an enormous impact on an individual because of the risk of identity theft and because once disclosed, the PII cannot easily be changed or recovered.
reciprocal arrangements
Another option is for businesses to enter into reciprocal arrangements to provide mutual support. This is cost effective but complex to plan and set up.
high availability
Availability is the percentage of time that the system is online, measured over the defined period (typically one year). For a critical system, availability will be described as "two-nines" (99%) up to five- or six-nines (99.9999%).
data visualization tools
Big data analysis software often includes ________ tools. Visualization is a very powerful analysis technique for identifying trends or unusual activity. For example, a graph of network activity will reveal unusually high activity from a particular host much more easily than analysis of the raw data packets. A "tag cloud" (a visual representation of how frequently words or phrases appear in a data store) of the information on a hard drive might reveal clues about malicious behavior that could not be found by examining each file individually.
Coordinated Universal Time (UTC)
Different OS and different file systems use different methods to identify the time at which something occurred. The benchmark time is __________, which is essentially the time at the Greenwich meridian.
Level 6
Double parity or level 5 with an additional parity stripe. This allows the volume to continue when two disks have been lost.
RAID Level Level 0
Fault Tolerance Striping without parity (no fault tolerance). This means that data is written in blocks across several disks simultaneously. This can improve performance, but if one disk fails, so does the whole volume and data on it will be corrupted.
Work Recovery Time (WRT).
Following systems recovery, there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.
business process analysis (BPA)
For mission essential functions, it is important to reduce the number of dependencies between components. Dependencies are identified by performing a _______________ for each function.
risk deterrence (or reduction)
If you deploy a countermeasure that reduces exposure to a threat or vulnerability that is
order of restoration
If an alternate processing site is not available, then the main site must be brought back online as quickly as possible to minimize service disruption. This does not mean that the process can be rushed, however. A complex facility such as a data center or campus network must be reconstituted according to a carefully designed _____________. If systems are brought back online in an uncontrolled way, there is the serious risk of causing additional power problems or of causing problems in the network, OS, or application layers because dependencies between different appliances and servers have not been met.
Request for Change (RFC)
In a formal change management process, the need for change and the procedure for implementing the change is captured in a ____________document and submitted for approval
to implement changes in a planned and controlled way
In order to reduce the risk that changes to configuration items will cause service disruption, a documented change management process can be used to
timeline
It is vital that the evidence collected at the crime scene conform to a valid __________. Digital information is susceptible to tampering, so access to the evidence must be tightly controlled.
electronically stored information (ESI)
Like DNA or fingerprints, digital evidence—often referred to as _________________—is mostly latent. Latent means that the evidence cannot be seen with the naked eye; rather, it must be interpreted using a machine or process. Forensic investigations are most likely to be launched against crimes arising from insider threats, notably fraud or misuse of equipment (to download or store obscene material, for instance).
Change Advisory Board (CAB)
Major or significant changes might be managed as a separate project and require approval through a
Some of the main KPIs relating to service availability are as follows:
Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF) • Mean Time to Repair (MTTR)
Level 1
Mirroring—Data is written to two disks simultaneously, providing redundancy (if one disk fails, there is a copy of data on the other). The main drawback is that storage efficiency is only 50%
Nested (0+1, 1+0, or 5+0)
Nesting RAID sets generally improves performance or redundancy (for example, some nested RAID solutions can support the failure of more than one disk).
Incremental
New files and files modified since the last backup. backup only includes files changed during that day
IMAGING UTILITIES
Once the target disk has been safely attached to the forensics workstation and verified by generating a cryptographic hash of the contents, the next task is to use an imaging utility to obtain a sector-by-sector copy of the disk contents (a forensic duplicate). Forensic procedures are assisted by having an appropriate software toolkit. These are programs that provide secure drive imaging, encryption, and data analysis. There are commercial toolkits, such as EnCase (https://www.guidancesoftware.com/encase-forensic) and AccessData's Forensic Toolkit (FTK) (https://accessdata.com/products-services/forensic-toolkit-ftk), plus free software, such as Autopsy/The Sleuth Kit (https://www.sleuthkit.org/autopsy).
single points of failure (SPoF)
Reducing dependencies makes it easier to provision redundant systems to allow the function to failover to a backup system smoothly. This means the system design can more easily eliminate the sort of weakness that comes from having single _________________ that can disrupt the function.
Level 5
Striping with parity—Data is written across three or more disks, but additional information (parity) is calculated. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.
Single Loss Expectancy (SLE)
The amount that would be lost in a single occurrence of the risk factor. This is determined by multiplying the value of the asset by an Exposure Factor (EF). EF is the percentage of the asset value that would be lost.
Annual Loss Expectancy (ALE)
The amount that would be lost over the course of a year. This is determined by multiplying the SLE by the Annual Rate of Occurrence (ARO).
IMPACTS ON LIFE AND SAFETY
The most critical type of impact is one that could lead to loss of life or critical injury. The most obvious risks to life and safety come from natural disasters, man-made disasters, and accidents (such as fire).
reactive
The need to change is often described either as ________, where the change is forced on the organization
write blocker
To obtain a forensically sound image from non-volatile storage, you need to ensure that nothing you do alters data or metadata (properties) on the source disk or file system. A ______________assures this process by preventing any data on the disk or volume from being changed by filtering write commands at the driver and OS level. Mounting a drive as read-only is insufficient.
IT Contingency Planning (ITCP)
To perform IT ___________________, think of all the things that could fail, determine whether the result would be a critical loss of service, and whether this is unacceptable. Then identify strategies to make the system resilient. How resilient a system is can be determined by measuring or evaluating several properties.
identification of critical systems
To support the resiliency of mission essential and primary business functions, it is crucial for an organization to perform the _______________ This means compiling an inventory of its business processes and its tangible and intangible assets and resources.
Tangible assets can be identified using
a barcode label or Radio Frequency ID (RFID) tag attached to the device (or more simply, using an identification number). An RFID tag is a chip programmed with asset data. When in range of a scanner, the chip activates and signals the scanner. The scanner alerts management software to update the device's location. As well as asset tracking, this allows the management software to track the location of the device, making theft more difficult.
A write blocker can be implemented as
a hardware device or as software running on the forensics workstation. For example, the CRU Forensic UltraDock write blocker appliance supports ports for all main host and drive adapter types. It can securely interrogate hard disks to recover file system data, firmware status information, and data written to Host Protected Areas (HPA) and Device Configuration Overlay (DCO) areas.
Quantitative risk assessment
aims to assign concrete values to each risk factor. • Single Loss Expectancy (SLE)— • Annual Loss Expectancy (ALE)—
Snapshots
are a means of getting around the problem of open files. If the data that you're considering backing up is part of a database, such as SQL data or a messaging system, such as Exchange, then the data is probably being used all the time. Often copy-based mechanisms will be unable to back up open files. Short of closing the files, and so too the database, a copy-based system will not work.
Recovery sites
are referred to as being hot, warm, or cold.
Qualitative risk assessment
avoids the complexity of the quantitative approach and is focused on identifying significant risk factors. The qualitative approach seeks out people's opinions of which risk factors are significant. Assets and risks may be placed in simple categories.
An asset management database
can be configured to store as much or as little information as is deemed necessary, though typical data would be type, model, serial number, asset ID, location, user(s), value, and service information.
hot site
can failover almost immediately. It generally means that the site is already within the organization's ownership and is ready to deploy.
A resilient system does not just need to be able to cope with faults and outages, but it must also be able to cope with
changing demand levels. These properties are measured as scalability and elasticity:
A snapshot is a point-in-time
copy of data maintained by the file system. A backup program can use the snapshot rather than the live data to perform the backup.
warm site
could be similar, but with the requirement that the latest data set will need to be loaded.
disaster recovery plans (DRPs)
describe the specific procedures to follow to recover a system or site to a working state. A disaster could be anything from a loss of power or failure of a minor component to man-made or natural disasters, such as fires, earthquakes, or acts of terrorism.
Another issue is that creating a duplicate of anything
doubles the complexity of securing that resource properly. The same security procedures must apply to redundant sites, spare systems, and backup data as apply to the main copy.
Threat awareness must consider threats posed by
events such as natural disasters, accidents, and by legal liabilities:
Identify vulnerabilities
for each function or workflow (starting with the most critical), analyze systems and assets to discover and list any vulnerabilities or weaknesses to which they may be susceptible. Vulnerability refers to a specific flaw or weakness that could be exploited to overcome a security system.
Identify threats
for each function or workflow, identify the threats that may take advantage of or exploit or accidentally trigger vulnerabilities. Threat refers to the sources or motivations of people and things that could cause loss or damage.
Identify risk response
for each risk, identify possible countermeasures and assess the cost of deploying additional security controls. Most risks require some sort of mitigation, but other types of response might be more appropriate for certain types and level of risks.
The calculation for MTTF
for the same test is the total time divided by the number of devices, so (10*50)/10, with the result being 50 hours/failure.
MTD and RPO help to determine which business
help to determine which business functions are critical and also to specify appropriate risk countermeasures. For example, if your RPO is measured in days, then a simple tape backup system should suffice; if RPO is zero or measured in minutes or seconds, a more expensive server cluster backup and redundancy solution will be required.
Locating the alternate site a short distance from the primary site
in the same city, for example—makes it easier for personnel at the primary site to resume operations at the recovery site, or to physically transfer data from the backup site to the primary site.
Manmade disaster
intentional man-made threats such as terrorism, war, or vandalism/arson or unintentional threats, such as user error or information disclosure through social media platforms.
risk register
is a document showing the results of risk assessments in a comprehensible format. The register may resemble the "traffic light" grid shown earlier with columns for impact and likelihood ratings, date of identification, description, countermeasures, owner/route for escalation, and status. Risk registers are also commonly depicted as scatterplot graphs, where impact and likelihood are each an axis, and the plot point is associated with a legend that includes more information about the nature of the plotted risk.
eDiscovery
is a means of filtering the relevant evidence produced from all the data gathered by a forensic examination and storing it in a database in a format such that it can be used as evidence in a trial. eDiscovery software tools have been produced to assist this process
Mean Time to Repair (MTTR)
is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to "replace" or "recover." This metric is important in determining the overall Recovery Time Objective (RTO).
Risk management
is a process for identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to serve its customers.
supply chain
is a series of companies involved in fulfilling a product. Assessing a supply chain involves determining whether each link in the chain is sufficiently robust. Each supplier in the chain may have their own suppliers, and assessing "robustness" means obtaining extremely privileged company information. Consequently, assessing the whole chain is an extremely complex process and is an option only available to the largest companies. Most businesses will try to identify alternative sources for supplies so that the disruption to a primary supplier does not represent a single point of failure.
Due process
is a term used in US and UK common law to require that people only be convicted of crimes following the fair application of the laws of the land. More generally, due process can be understood to mean having a set of procedural safeguards to ensure fairness. This principle is central to forensic investigation. If a forensic investigation is launched (or if one is a possibility), it is important that technicians and managers are aware of the processes that the investigation will use.
The corollary of availability
is downtime (that is, the percentage or amount of time during which the system is unavailable). The maximum tolerable downtime (MTD) metric states the requirement for a particular business function.
mission essential function (MEF)
is one that cannot be deferred. This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first.
archive attribute
is set whenever a file is modified. This allows backup software to determine which files have been changed and therefore need to be copied.
Retrospective Network Analysis (RNA)
solution provides the means to record network events at either a packet header or payload level.
The problem with quantitative risk assessment is
is that the process of determining and assigning these values is complex and time consuming. The accuracy of the values assigned is also difficult to determine without historical data (often, it has to be based on subjective guesswork). However, over time and with experience, this approach can yield a detailed and sophisticated description of assets and risks and provide a sound basis for justifying and prioritizing security expenditure.
Recovery Point Objective (RPO)
is the amount of data loss that a system can sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered (from a backup copy) to a point not more than 24 hours before the database was infected. For example, a customer leads database might be able to sustain the loss of a few hours' or days' worth of data (the salespeople will generally be able to remember who they have contacted and re-key the data manually). Conversely, order processing may be considered more critical, as any loss will represent lost orders and it may be impossible to recapture web orders or other processes initiated only through the computer system, such as linked records to accounting and fulfilment.
Maximum tolerable downtime (MTD)
is the longest period of time that a business function outage may occur for without causing irrecoverable business failure. Each business process can have its own MTD, such as a range of minutes to hours for critical functions, 24 hours for urgent functions, 7 days for normal functions, and so on.
Recovery time objective (RTO)
is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance).
Business impact analysis (BIA)
is the process of assessing what losses might occur for each threat scenario. For instance, if a roadway bridge crossing a local river is washed out by a flood and employees are unable to reach a business facility for five days, estimated costs to the organization need to be assessed for lost manpower and production. Impacts can be categorized in several ways.
Image acquisition
is the process of obtaining a forensically clean copy of data from a device held as evidence. An image can be acquired from either volatile or non-volatile storage.
The calculation for MTBF
is the total time divided by the number of failures. For example, if you have 10 devices that run for 50 hours and two of them fail, the MTBF is 250 hours/failure (10*50)/2.
vulnerable business processes
it could result in disclosure, modification, loss, destruction, or interruption of critical data or it could lead to loss of service to customers.
Threat assessment
means compiling a prioritized list of probable and possible threats. Some of these can be derived from the list of assets (that is, threats that are specific to your organization); others may be non-specific to your particular organization.
Non-persistence
means that any given instance is completely static in terms of processing function. Data is separated from the instance so that it can be swapped out for an "as new" copy without suffering any configuration problems.
Identify mission essential functions
mitigating risk can involve a large amount of expenditure, so it is important to focus efforts. Part of risk management is to analyze workflows and identify the mission essential functions that could cause the whole business to fail if they are not performed. Part of this process also involves identifying critical systems and assets that support these functions.
RTO+WRT must not
must not exceed MTD!
After-Action Report (AAR)
or "lessons learned" report is a process to determine how effective COOP and DR planning and resources were. An AAR would be commissioned after DR exercises or after an actual incident.
asset management
process takes inventory of and tracks all the organization's critical systems, components, devices, and other objects of value. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals. There are many software suites and associated hardware solutions available for tracking and managing assets (or inventory).
The need to change is often described either as
reactive, or as proactive
Distributive allocation
refers to the ability to switch between available processing and data resources to meet service requests. This is typically achieved using load balancing services during normal operations or automated failover during a disaster.
Elasticity
refers to the system's ability to handle changes in demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly doubles (or triples, or quadruples). Conversely, it may be important for the system to be able to reduce costs when demand is low. Elasticity is a common selling point for cloud services. Instead of running a cloud resource for 24 hours a day, 7 days a week, that resource can diminish in power or shut down completely when demand for that resource is low. When demand picks up again, the resource will grow in power to the level required. This results in cost-effective operations.
Mean Time to Failure (MTTF) and Mean Time Between Failures (MTBF)
represent the expected lifetime of a product. MTTF should be used for non-repairable assets. For example, a hard drive may be described with an MTTF, while a server (which could be repaired by replacing the hard drive) would be described with an MTBF. You will often see MTBF used indiscriminately, however. For most devices, failure is more likely early and late in life, producing the so-called "bathtub curve." • The calculation for MTBF is the total time divided by the number of failures. For example, if you have 10 devices that run for 50 hours and two of them fail, the MTBF is 250 hours/failure (10*50)/2. • The calculation for MTTF for the same test is the total time divided by the number of devices, so (10*50)/10, with the result being 50 hours/failure.
Legal and commercial
some examples include: • Downloading or distributing obscene material. • Defamatory comments published on social networking sites. • Hijacked mail or web servers used for spam or phishing attacks. • Third-party liability for theft or damage of personal data. • Accounting and regulatory liability to preserve accurate records. These cases are often complex, but even if there is no legal liability, the damage done to the organization's reputation could be just as serious.
cold site
takes longer to set up (up to a week), and a warm site is something between the two. For example, a hot site could consist of a building with operational computer equipment that is kept updated with a live data set. may be an empty building with a lease agreement in place to install whatever equipment is required when necessary.
The farther apart the sites are
the costlier replication will be. Replication is the process of duplicating data between different servers or sites. RAID mirroring and server clustering are examples of disk-to-disk and server-to-server replication. Replication can either be synchronous or asynchronous. Synchronous replication means that the data must be written at both sites before it can be considered committed. Asynchronous replication means that data is mirrored from a primary site to a secondary site. Disk-to-disk and server-to-server replication are relatively simple to accomplish as they can use direct access RAID or local network technologies. Site-to-site replication is considerably harder and more expensive as it relies on Wide Area Network technologies. Synchronous replication is particularly sensitive to distance, as the longer the communications pathway, the greater the latency of the link. Latency can be mitigated by provisioning fiber optic links.
Analyze business impacts
the likelihood of a vulnerability being activated as a security incident by a threat and the impact of that incident on critical systems give factors for evaluating risks. There are quantitative and qualitative methods of analyzing impacts.
a suitable location for a data processing center, you must also consider the distance between
the primary site and the secondary (alternate or recovery) site.
Downtime is calculated from
the sum of scheduled service intervals (Agreed Service Time) plus unplanned outages over the period.
Changes can also be categorized according to
their impact and level of risk (major, significant, minor, or normal, for instance).
Environmental
those caused by some sort of failure in the surrounding environment. These could include power or telecoms failure, pollution, or accidental damage (including fire).
Natural disaster
threat sources such as river or sea floods, earthquakes, storms, and so on. Natural disasters may be quite predictable (as is the case with areas prone to flooding or storm damage) or unexpected, and therefore difficult to plan for.
The first phase of a forensic investigation is
to document the scene. The crime scene must be thoroughly documented using photographs and ideally audio and video. Investigators must record every action they take in identifying, collecting, and handling evidence.
FIPS 199 (https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf) discusses how to apply Security Categorizations (SC)
to information systems based on the impact that a breach of confidentiality, integrity, or availability would have on the organization as a whole. Potential impacts can be classified as: • Low—minor damage or loss to an asset or loss of performance (though essential functions remain operational). • Moderate—significant damage or loss to assets or performance. • High—major damage or loss or the inability to perform one or more essential functions.
proactive
where the need for change is initiated internally
alternate business practice
will allow the information flow to resume to at least some extent. A typical fallback plan is to handle transactions using pen-and-paper systems. This type of fallback can work only if it is well planned, though. Staff must know how to use the alternate system—what information must be captured (supply standard forms) and to whom it should be submitted (and how, if there are no means of electronic delivery).
Follow these guidelines when developing a Continuity of Operations Plan (COOP):
• Be aware of the different ways your business could be threatened. • Implement an overall business continuity process in response to real events. • Ensure the continuity planning is comprehensive and addresses all critical dimensions of the organization. • Draft an IT contingency plan to ensure that IT procedures continue after an adverse event. • Ensure that IT personnel are trained on this plan. • Incorporate failover techniques into continuity planning. • Ensure that systems are highly available and meet an adequate level of performance. • Ensure that critical systems have redundancy to mitigate loss of data and resources due to adverse events. • Ensure that critical systems are fault tolerant so that service disruption is minimized in the event of failure or compromise. • Ensure that systems are adequately scalable and can meet the long-term increase in demand as the business grows. • Ensure that systems are elastic and can meet the short-term increase and decrease in resource demands. • Consider consolidating multiple storage devices in a RAID for redundancy and fault tolerance. • Choose the RAID level that provides the appropriate level of redundancy and fault tolerance for your business needs. • Supplement manual security processes with automated processes in order to increase efficiency and accuracy. • Consider incorporating non-persistent virtual infrastructure to more easily maintain baseline security.
The general principle is to capture evidence in the order of volatility, from more volatile to less volatile. RFC 3227 sets out the general order as follows:
• CPU registers and cache memory (including cache on disk controllers, GPUs, and so on). • Routing table, arp cache, process table, kernel statistics. • Memory (RAM). • Temporary file systems. • Disk. • Remote logging and monitoring data. • Physical configuration and network topology. • Archival media.
Follow these guidelines for investigating security incidents:
• Develop or adopt a consistent process for handling and preserving forensic data. • Determine if outside expertise is needed, such as a consultant firm. • Notify local law enforcement, if needed. • Secure the scene, so that the hardware is contained. • Collect all the necessary evidence, which may be electronic data, hardware components, or telephony system components. • Observe the order of volatility as you gather electronic data from various media. • Interview personnel to collect additional information pertaining to the crime. • Report the investigation's findings to the required people.
It is also important to realize that asset management procedures can easily go astray—assets get mislabeled, new assets are not recorded, and so on. In these cases, some troubleshooting tactics can include:
• Ensure that all relevant assets are participating in a tracking system like barcodes or passive radio frequency IDs (RFIDs). • Ensure that there is a process in place for tagging newly acquired or developed assets. • Ensure that there is a process in place for removing obsolete assets from the system. • Check to see if any assets have conflicting IDs. • Check to see if any assets have inaccurate metadata. • Ensure that asset management software can correctly read and interpret tracking tags. • Update asset management software to fix any bugs or security issues.
risk response options can be identified and prioritized. For example, you might focus on the following systems:
• High value asset, regardless of the likelihood of the threat(s). • Threats with high likelihood (that is, high ARO). • Procedures, equipment, or software that increase the likelihood of threats (for example, legacy applications, lack of user training, old software versions, unpatched software, running unnecessary services, not having auditing procedures in place, and so on).
Some of the functions of eDiscovery suites are:
• Identify and de-duplicate files and metadata—many files on a computer system are "standard" installed files or copies of the same file. eDiscovery filters these types of files, reducing the volume of data that must be analyzed. • Search—allow investigators to locate files of interest to the case. As well as keyword search, software might support semantic search. Semantic search matches keywords if they correspond to a particular context. • Security—at all points evidence must be shown to have been stored, transmitted, and analyzed without tampering. • Disclosure—an important part of trial procedure is that the same evidence be made available to both plaintiff and defendant. eDiscovery can fulfill this requirement. Recent court cases have required parties to a court case to provide searchable ESI rather than paper records.
Follow these guidelines when putting risk management processes in place:
• Identify mission-essential functions and the critical systems within each function. • Identify those assets supporting business functions and critical systems, and determine their values. • Calculate MTD, RPO, RTO, MTTF, MTTR, and MTBF for functions and assets. • Look for possible vulnerabilities that, if exploited, could adversely affect each function or system. • Determine potential threats to functions and systems. • Determine the probability or likelihood of a threat exploiting a vulnerability. • Determine the impact of the potential threat, whether it be recovery from a failed system or the implementation of security controls that will reduce or eliminate risk. • Identify impact scenarios that put your business operations at risk. • Identify the risk analysis method that is most appropriate for your organization. For quantitative and semi-quantitative risk analysis, calculate SLE and ARO for each threat, and then calculate the ALE. • Identify potential countermeasures, ensuring that they are cost-effective and perform as expected. For example, identify single points of failure and, where possible, establish redundant or alternative systems and solutions. • Clearly document all findings discovered and decisions made during the assessment in a risk register.
The DRP should accomplish the following:
• Identify scenarios for natural and non-natural disaster and options for protecting systems. Plans need to account for risk (a combination of the likelihood the disaster will occur and the possible impact on the organization) and cost. • There is no point implementing disaster recovery plans that financially cripple the organization. The business case is made by comparing the cost of recovery measures against the cost of downtime. Downtime cost is calculated from lost revenues and ongoing costs (principally salary). The recovery plan should not generally exceed the downtime cost. Of course, downtime will include indefinable costs, such as loss of customer goodwill, restitution for not meeting service contracts, and so on. • Identify tasks, resources, and responsibilities for responding to a disaster. • Who is responsible for doing what? How can they be contacted? What happens if they are not available? • Which functions are most critical? Where should effort first be concentrated? • What resources are available? Should they be pre-purchased and held in stock? Will the disaster affect availability of supplies? • Which functions are most critical? Where should effort first be concentrated? • What resources are available? Should they be pre-purchased and held in stock? Will the disaster affect availability of supplies? • What are the timescales for resumption of normal operations? • Train staff in the disaster planning procedures and how to react well to change.
Data retention needs to be considered in the short and long term:
• In the short term, files that change frequently might need retaining for version control. Short-term retention is also important in recovering from malware infection. Consider the scenario where a backup is made on Monday, a file is infected with a virus on Tuesday, and when that file is backed up later on Tuesday, the copy made on Monday is overwritten. This means that there is no good means of restoring the uninfected version of the file. Short term retention is determined by how often the youngest media sets are overwritten. • In the long term, data may need to be stored to meet legal requirements or to comply with company policies or industry standards. Any data that must be retained in a particular version past the oldest sets should be moved to archive storage.
The BPA should identify the following factors:
• Inputs—the sources of information for performing the function (including the impact if these are delayed or out of sequence). • Hardware—the particular server or data center that performs the processing. • Staff and other resources supporting the function. • Outputs—the data or resources produced by the function. • Process flow—a step-by-step description of how the function is performed.
Calculating risk is complex, but the two main variables are likelihood and impact:
• Likelihood is the probability of the threat being realized. • Impact is the severity of the risk if realized as a security incident. This may be determined by factors such as the value of the asset or the cost of disruption if the asset is compromised.
Determining the optimum distance between two replicating sites depends on evaluating competing factors:
• Locating the alternate site a short distance from the primary site— • If the sites are too close together • The farther apart the sites are
the automation system may use one of two types of mastering instructions:
• Master image—this is the "gold" copy of a server instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template. • Template—similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions.
Analysis of mission essential functions is generally governed by four main metrics:
• Maximum tolerable downtime (MTD) • Recovery time objective (RTO) • Work Recovery Time (WRT). • Recovery Point Objective (RPO)
These could include:
• People (employees, visitors, and suppliers). • Tangible assets (buildings, furniture, equipment and machinery (plant), ICT equipment, electronic data files, and paper documents). • Intangible assets (ideas, commercial reputation, brand, and so on). • Procedures (supply chains, critical procedures, standard operating procedures).
Organizations should perform regular audits to assess whether PII is processed securely. These may be modelled on formal audit documents mandated by US laws, notably The Privacy Act and the Federal Information Security Management Act (FISMA):
• Privacy Threshold Analysis (PTA)— • Privacy Impact Assessment (PIA)— • System of Records Notice (SORN)—
Consider (for instance) the impact on business processes of the following:
• Public infrastructure (transport, utilities, law and order). • Supplier contracts (security of supply chain). • Customer's security (the sudden failure of important customers due to their own security vulnerabilities can be as damaging as an attack on your own organization). • Epidemic disease.
Examples of devices and solutions that provide fault tolerance include the following:
• Redundant components (power supplies, network cards, drives (RAID), and cooling fans) provide protection against hardware failures. Hot swappable components allow for easy replacement (without having to shut down the server). • Uninterruptible Power Supplies (UPS) and Standby Power Supplies. • Backup strategies—provide protection for data. • Cluster services are a means of ensuring that the total failure of a server does not disrupt services generally.
There are various mechanisms for ensuring non-persistence:
• Snapshot/revert to known state—This is a saved system state that can be reapplied to the instance. • Rollback to known configuration—A physical instance might not support snapshots but has an "internal" mechanism for restoring the baseline system configuration, such as Windows System Restore. • Live boot media—another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk.
It is necessary to test disaster recovery procedures. There are four means of doing this:
• Walkthroughs, workshops, and orientation seminars • Tabletop exercises— • Functional exercises • Full-scale exercises