Management of Information Security CYBR 3300 - Chapter 10 Planning for Contingencies
Predefining incident responses
What enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort
crisis management team
Who is responsible for managing the event from an enterprise perspective and performs the following roles? •Supporting personnel and their loved ones during the crisis •Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise •Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
A senior IT or Infosec manager working closely with the CSIRT and DR team leads
Who makes the reclassification from incident to disaster?
contingency planning (CP)
*The overall process of preparing for unexpected adverse events.* The actions taken by senior management to specify the organization's efforts and actions if an adverse event becomes an incident or disaster. This planning includes incident response, disaster recovery, and business continuity efforts, as well as preparatory business impact analysis. •Business Impact Analysis •Incident Response Plan •Disaster Recovery Plan •Business Continuity Plan
The elements required to begin the CP process are
1. A planning methodology 2. A policy environment to enable the planning process 3. An understanding of the causes and effects of core precursor activities (the BIA) 4. Access to financial and other resources, as outlined in the planning budget
Five stages of CSF
1. Identify--relates to risk management and governance 2. Protect--relates to the implementation of effective security controls 3. Detect--identification of adverse events 4. Respond--reacting to an incident 5. Recover--putting things back as they were before
electronic vaulting
A backup method that uses bulk batch transfer of data to an off-site facility; this transfer is usually conducted via leased lines or secure Internet connections.
database shadowing
A backup strategy to store duplicate online transaction data along with duplicate databases at the remote site on a redundant server. This server combines electronic vaulting with remote journaling by writing multiple copies of the database simultaneously to two locations.
service bureau
A continuity strategy in which an organization contracts with a service agency to provide a BC facility for a fee.
mutual agreement
A continuity strategy in which two organizations sign a contract to assist the other in a disaster by providing BC facilities, resources, and services until the organization in need can recover from the disaster.
rolling mobile site
A continuity strategy that involves contracting with an organization to provide specialized facilities configured in the payload area of a tractor-trailer.
digital malfeasance
A crime against or using digital media, computer technology, or related components; in other words, a computer is the source of a crime or the object of a crime.
Alert Message
A description of the incident or disaster that usually contains just enough information so that each person knows what portion of the IR or DR plan to implement without slowing down the notification process.
after-action review
A detailed examination and discussion of the events that occurred during an incident or disaster, from first detection to final recovery.
Alert Roster
A document that contains contact information for people to be notified in the event of an incident.
warm site
A facility that provides many of the same services and options as a hot site, but typically without installed and configured software applications. Warm sites are used for BC operations.
cold site
A facility that provides only rudimentary services, with no computer hardware or peripherals. Used for BC operations.
talk-through
A form of structured walk-through in which individuals meet in a conference room and discuss a CP plan rather than walking around the organization.
continuous process improvement (CPI)
A formal implementation of the "iteration results in improvement" methodology is a process known as this. •Each time the plan is rehearsed it should be improved •Constant evaluation and improvement leads to an improved outcome
hot site
A fully configured facility that includes all services, communications links, and physical plant operations. Used for BC operations.
business process
A task performed by an organization or one of its units in support of the organization's overall mission. AKA mission/business process.
evidentiary material (EM)
Also known as "items of potential evidentiary value," any information that could potentially support the organization's legal or policy-based case against a suspect.
computer security incident response team (CSIRT)
An IR team composed of technical IT, managerial IT, and InfoSec professionals who are prepared to detect, react to, and recover from an incident. The CSIRT may include members of the IRPT.
incident
An adverse event that could result in a loss of information assets, but does not threaten the viability of the entire organization. When an adverse event begins to manifest as a real threat to information, it becomes this.
adverse event
An event with negative consequences that could threaten the organization's information assets or operations. When those events represent the potential for loss, AKA incident candidate.
business impact analysis (BIA)
An investigation and assessment of the various adverse events that can affect the organization, conducted as a preliminary phase of the contingency planning process, which includes a determination of how critical a system or set of information is to the organization's core processes and recovery priorities. The first major component of the CP process. Considerations: Scope, Plan, Balance, Objective, Follow-Up. A crucial foundation for the initial planning stages; serves as an investigation and assessment of the impact that various adverse events can have on the organization.
crisis management (CM)
An organization's set of planning and preparation efforts for dealing with potential human injury, emotional trauma, or loss of life as a result of a disaster.
BC policy
BCP begins with the development of this. Reflects the organization's philosophy on the conduct of BC operations. Serves as the guiding document for the development of the BCP.
Flexibility
CPMT should incorporate a degree of what into the plan?
incident response procedures (IR procedures)
Detailed, step-by-step methods of preparing for, detecting, reacting to, and recovering from an incident.
slow-onset disasters
Disasters that occur over time and gradually degrade the capacity of an organization to withstand their effects. Examples include droughts, famines, environmental degradation, desertification, deforestation, and pest infestation.
possible, probable, definite
Donald Pipkin has identified three categories of incident indicators: what are they?
Preservation of human life
During a disaster response, the first priority is always what?
DR Plan
Focuses on restoring operations at the primary site
IR plan
Focuses on the immediate response to an incident
•the organization is unable to contain or control the impact of an incident •the level of damage or destruction from an incident is so severe the organization is unable to quickly recover
In general, an incident is a disaster when
set of policies, procedures, technologies, people, and data put in place to prevent, detect, react to, and recover from an incident that could potentially damage the organization's information
In other, more formal implementations, the CSIRT is a
•stopping the incident •recovering control of the affected systems
Incident containment strategies focus on two tasks
3-2-1 rule
Industry recommendation for data backup: three copies of important data on at least two different media, with at least one copy stored off-site, and daily on-site backups.
improvement
Iteration results in what?
•Clear delegation of roles and responsibilities •Execution of the alert roster and notification of key personnel •Clear establishment of priorities •Documentation of the disaster •Action steps to mitigate the impact •Alternative implementations for the various systems components
Key elements in the DR plan
•Purpose •Scope •Roles and responsibilities •Resource requirements •Training requirements •Exercise and testing schedules •Plan maintenance schedule •Special considerations
Key elements of the DR policy
Simple DR plan
Means of collecting the information needed to construct a functional DR plan. Nine major sections.
1. Form the BC team 2. Develop the BC planning policy statement 3. Review the BIA 4. Identify preventive controls 5. Create relocation strategies 6. Develop the BC plan 7. Ensure BC plan testing, training and exercises 8. Ensure BC plan maintenance
The NIST SP 800-34, Rev. 1 methodology can also be adapted to BC; what are its steps?
Recovery process
Once the extent of the damage has been determined, this begins.
incident recovery phase
Once the incident has been contained and system control regained, what can begin? The first task is to inform the appropriate human resources. •Almost simultaneously, the CSIRT must assess the full extent of the damage so as to determine what must be done to restore the systems
•After the incident
One of the sets of incident-handling procedures. After drafting the during-incident procedures, planners develop and document the procedures that must be performed after the incident has ceased.
•Before the incident
One of the sets of incident-handling procedures. Planners draft a third set of procedures: the tasks to be performed to prepare for the incident - data backup schedules - DR preparation - training schedules - testing plans - copies of service agreements - BC plans, if any (just additional material on a service bureau)
•During the incident
One of the sets of incident-handling procedures. The planners develop and document the procedures that must be performed during the incident. Procedures are grouped and assigned to individuals.
detailed understanding of the information systems and the threats they face
Planning for an incident and the responses to it requires what?
BIA
Preparatory activity common to both CP and risk management. Helps organizations determine which business functions and information systems are the most critical to the success of the organization. Provides the data used to develop the IR plan.
incident candidate
See adverse event
affidavit
Sworn testimony that certain facts are in the possession of the investigating officer and that they warrant the examination of specific items located at a specific place. The facts, the items, and the place must be specified in this document.
structured walk-through
The CP testing strategy in which all involved individuals walk through and discuss the steps they would take during an actual CP event, either as an actual on-site walk-through or as more of a conference room talk-through.
full-interruption testing
The CP testing strategy in which all team members follow each and every IR/DR/BC procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
simulation
The CP testing strategy in which the organization conducts a role-playing exercise as if an actual incident or disaster had occurred. The CP team is presented with a scenario in which all members must specify how they would react and communicate their efforts.
the participation and cooperation of individuals throughout the organization
The CSIRT's success depends on what?
disaster recovery planning (DRP)
The actions taken by senior management to develop and implement the DR policy, plan, and recovery teams.
business resumption planning (BRP)
The actions taken by senior management to develop and implement a combined DR and BC policy, plan, and set of recovery teams.
business continuity planning (BCP)
The actions taken by senior management to develop and implement the BC policy, plan, and continuity teams.
crisis management planning (CMP)
The actions taken by senior management to develop and implement the CM policy, plan, and response teams.
work recovery time (WRT)
The amount of effort (expressed as elapsed time) that is necessary to get the business function operational after the technology element is recovered, as identified with the RTO. Typically involves the addition of nontechnical tasks required for the organization to make the information asset usable again for its intended function. Can be added to the RTO to determine the realistic amount of elapsed time required before a business function is back in useful service.
remote journaling
The backup of data to an off-site facility in close to real time based on transactions as they occur.
forensics
The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting. Forensics allows investigators to determine what happened by examining the results of an event: criminal, natural, intentional, or accidental.
cost
The determining factor in choosing from several strategies in CP and BC planning is what?
policy; planning
The first step in all contingency efforts is the development of ______; the next step is ________.
contingency planning management team (CPMT)
The group of senior managers and project members organized to conduct and lead all CP efforts.
incident detection
The identification and classification of an adverse event as an incident, accompanied by the CSIRT's notification and the implementation of the IR reaction phase.
e-discovery
The identification and preservation of evidentiary material related to a specific legal action.
incident damage assessment
The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets. Can take days or weeks. Search system logs, intrusion detection logs, configuration logs, and other documents. Using this information, the CSIRT can assess the current state of the information and systems and compare it to a known state. Those who document the damage must be trained to collect and preserve evidence.
•Identify the vulnerabilities that allowed the incident to occur and spread and resolve them •Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place and install, replace or upgrade them •Evaluate monitoring capabilities (if present) •Restore the data from backups as needed •Restore the services and processes in use •Continuously monitor the system •Restore the confidence of the communities of interest
The incident recovery process includes what?
crisis management planning team (CMPT)
The individuals from various functional areas of the organization assigned to develop and implement the CM plan.
CPMT
The initial assignments to the FR team, including the team lead, will likely be performed by which team?
recovery time objective (RTO)
The maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the MTD. Important for selecting appropriate technologies that are best suited for meeting the MTD. Reducing this requires mechanisms to shorten the startup time or provisions to make data available online at a failover site.
Traditional data backups
The organization can use a combination of on-site and off-site tape-drive and backup methods. Recent data is potentially lost. Most common: redundant array of independent disks (RAID) or disk-to-disk-to-tape methods.
apprehend and prosecute
The organizational CP philosophy that focuses on an attacker's identification and prosecution, the defense of information assets, and preventing reoccurrence. Also known as "pursue and prosecute."
protect and forget
The organizational CP philosophy that focuses on the defense of information assets and preventing reoccurrence rather than the attacker's identification and prosecution. Also known as "patch and proceed."
•the CIO •head of InfoSec •local InfoSec officer •other IR teams •system owners
The parties most commonly notified for an incident report are whom?
disaster classification
The process of examining an adverse event or incident and determining whether it constitutes an actual disaster.
business continuity planning team (BCPT)
The team responsible for designing and managing the BC plan of relocating the organization and establishing primary operations at an alternate site until the disaster recovery planning team can recover the primary site or establish a new location.
Scenario development and impact analysis
To plan for disasters, the CPMT engages in what? What two things are used to categorize the level of threat of each potential disaster?
•Natural disasters •Man-made disasters (most incidents)
Two classifications of disasters
weighted analysis table
Can be useful in evaluating business functions and resolving the issue of which business functions are most critical. The CPMT can use this by first identifying the crucial characteristics of each business function (the criteria). The team then allocates relative weights to each criterion.
The identification of critical business functions and the resources to support them
cornerstone of the BC plan
BIA questionnaire
Instrument used to collect relevant business impact information for the required analysis.
Shorter RTO means what kind of solutions?
More expensive to design and use; they require fully redundant alternative processing sites.
BC plan
Occurs concurrently with the DR plan if operations at the primary site cannot be quickly restored. Enables the business to continue at an alternate site until the organization is able to resume operations at its primary site or select a new primary location.
The essential task of IR is what?
Stop the incident and contain its scope or impact.
The BIA begins with what?
The prioritized list of threats and vulnerabilities identified in the risk management process; the BIA enhances the list by adding the information needed to respond to the adversity.
•Mission •Strategies and goals •Senior management approval •Organizational approach to incident response •How the incident response team will communicate •Metrics for measuring incident response capability and effectiveness •Roadmap for maturing incident response capability •How the program fits into the overall organization
•According to NIST SP 800-61, Rev. 2, the IR plan includes what?
•Probable Indicators
•Activities at unexpected times •Presence of new accounts •Reported attacks •Notification from IDS
A loose or informal association of IT and InfoSec staffers who would be called up if an attack was detected on the organization's information assets.
•In some organizations, the CSIRT may simply be what?
1. Detection 2. Reaction 3. Recovery
•Incident response actions can be organized into three basic phases:
reactive
•It is important to understand that IR is a _____ measure, not a preventative one, although most IR plans include preventative recommendations.
Definite Indicators
•Use of dormant accounts •Changes to logs •Presence of hacker tools •Notifications by partner or peer •Notification by hacker
•Protect and forget •Apprehend and prosecute
•An organization adopts one of two philosophies that will affect its approach to IR and DR as well as subsequent involvement of digital forensics and law enforcement; what are they?
rapid-onset disasters
Disasters that occur suddenly, with little warning, taking people's lives and destroying the means of production. Examples include earthquakes, floods, storm winds, tornadoes, and mud flows.
1. Personal emergency information - who to notify - medical conditions - form of ID 2. Instructions on what to do in case of an emergency - snapshot of the DR plan - hotline number - emergency services number - evacuation locations - name and number of the DR coordinator - any other needed information
Each employee should have what two types of emergency info cards in his or her possession at all times?
Digital Forensics
Investigations involving the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis. Like traditional forensics, digital forensics follows clear, well-defined methodologies but still tends to be as much art as science.
Reaction phase
Once an actual incident has been confirmed and properly classified, the IR plan moves from the detection phase to this phase. In this phase, a number of action steps taken by the CSIRT and others must occur quickly and may occur concurrently. Other key personnel must be notified of the incident (general management) - members of legal, communications, and HR.
cross-training
One often-neglected aspect of training is this. In some cases, alternate people must perform the duties of personnel who have been incapacitated. The testing process should train people to take over in the event that a team leader or integral member is unavailable.
search warrant
Permission to search for evidentiary material at a specified location and/or to seize items to return to the investigator's lab for examination. An affidavit becomes a search warrant when signed by an approving authority.
•general business management •IT community •InfoSec community
Planning for an unexpected adverse event usually involves managers from which communities? They collectively analyze and assess the entire technological infrastructure of the organization, using the mission statement and current organizational objectives to drive their planning activities.
NIST SP 800-34, Rev. 1: Contingency Planning Guide for Federal Information Systems
Professional practice in the area of contingency planning continues to evolve, as reflected in this document: "It is critical that identified services provided by these systems are able to operate effectively without excessive interruption. Contingency Planning supports this requirement by establishing thorough plans, procedures, and technical measures that can enable a system to be recovered as quickly and effectively as possible following a service disruption."
desk check
The CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster, with each individual reviewing the plan and creating a list of correct and incorrect components.
incident response planning (IRP)
The actions taken by senior management to specify the organization's processes and procedures to anticipate, detect, and mitigate the effects of an incident. IRP is the preparation for IR; it is performed by the IR planning team (IRPT).
crisis management plan (CM plan)
The documented product of crisis management planning; a plan that shows an organization's intended efforts to protect its personnel and respond to safety threats.
business continuity plan (BC plan)
The documented product of business continuity planning; a plan that shows the organization's intended efforts to continue critical functions when operations at the primary site are not feasible.
disaster recovery plan (DR plan)
The documented product of disaster recovery planning; a plan that shows the organization's intended efforts in the event of a disaster.
incident response plan (IR plan)
The documented product of incident response planning; a plan that shows the organization's intended efforts in the event of an incident. Usually activated when the organization detects an incident that affects it, regardless of how minor the effect is.
recovery point objective (RPO)
The point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data. Not considered part of the MTD. A factor of how much data loss the process can tolerate. Reducing this requires mechanisms to increase the synchronization of data replication.
incident response policy (IR policy)
The policy document that guides the development and implementation of IR plans and the formulation and performance of IR teams. See NIST SP 800-61, Rev. 2.
business continuity policy (BC policy)
The policy document that guides the development and implementation of BC plans and the formulation and performance of BC teams.
crisis management policy (CM policy)
The policy document that guides the development and implementation of CM plans and the formulation and performance of CM teams.
disaster recovery policy (DR policy)
The policy document that guides the development and implementation of DR plans and the formulation and performance of DR teams.
evidentiary material policy (EM policy)
The policy document that guides the development and implementation of EM procedures regarding the collection, handling, and storage of items of potential evidentiary value, as well as the organization and conduct of EM collection teams.
incident classification
The process of examining an incident candidate and determining whether it constitutes an actual incident.
Provide direction and guidance for all DR operations
The purpose of the DR program is to do what?
the CISO, or an IT manager with security responsibilities
The responsibility for creating an organization's IR plan usually falls to whom? This person should select members from each community of interest (CoI) to form an independent IR team, which executes the IR plan.
disaster recovery planning team (DRPT)
The team responsible for designing and managing the DR plan by specifying the organization's preparation, response, and recovery from disaster, including reestablishment of business operations at the primary site after the disaster.
incident response planning team (IRPT)
The team responsible for designing and managing the IR plan by specifying the organization's preparation, reaction, and recovery from incidents.
maximum tolerable downtime (MTD)
The total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption; includes all impact considerations.
•Remote journaling
Transfer of live transactions to an off-site facility. Transfer takes place online and is much closer to real time. Only transactions are transferred, not archived data. Involves online activities on a systems level where data is written to two locations simultaneously.
•Analyze the incident data •Determine the impact of the incident •Act appropriately to limit the damage to the organization •Restore normal services
What do the incident handlers do?
people
When generating a DR scenario, start with the most important asset: what is it?
Defining how to reestablish operations at the location where the organization is usually located (the primary site). Prepare to reestablish operations at the organization's primary location after a disaster, or to establish operations at a new location if the primary site is no longer viable.
key role of a DR Plan
Contingency Planning Policies
Provide guidance on the structure of the subordinate teams and the philosophy of the organization.
•During the incident •After the incident •Before the incident
•For every incident scenario, the CP team creates three sets of incident-handling procedures:
•When undertaking the BIA, the organization should consider what?
•Scope - which business units to cover - which systems to include - nature of the risk being evaluated •Plan - ensure the proper data is collected •Balance - weigh the information available - facts vs. opinions •Objective - identify decision-making requirements - structure the BIA to bring needed information •Follow-up - communicate to ensure support
•It is directed against information assets •It has a realistic chance of success •It threatens the confidentiality, integrity, or availability of information resources and assets
•When a threat becomes a valid adverse event, it is classified as an InfoSec incident if what three things are true?
timeshare
A continuity strategy in which an organization co-leases facilities with a business partner or sister organization. A timeshare allows the organization to have a BC option while reducing its overall costs.
•Appoint a clear chain of command with a specified individual in charge •Establish a central operations center •"Know their enemy" •Develop a comprehensive IR plan with containment strategies •Record IR activities at all phases •Document the events as they occur in a timeline •Distinguish incident containment from incident remediation (as part of reaction) •Secure and monitor networks and network devices •Establish and manage system and network logging •Establish and support effective anti-virus and antimalware solutions
According to McAfee, CSIRTs commonly fail to do what?
business continuity
An organization's set of efforts to ensure its long-term viability when a disaster precludes normal operations at the primary site. The organization temporarily establishes critical operations at an alternate site until it can resume operations at the primary site or select and occupy a new primary site.
disaster recovery (DR)
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from a disaster.
incident response (IR)
An organization's set of planning and preparation efforts for detecting, reacting to, and recovering from an incident. Most organizations have experience detecting, reacting to, and recovering from attacks, employee errors, service outages, and small-scale natural disasters, and are thus already performing this. What must be carefully planned and coordinated because organizations heavily depend on the quick and efficient containment and resolution of incidents?
•Verifying personnel status •Activating the alert roster •Coordinating with emergency services
What are the CMPT's three primary responsibilities?
•Business impact analysis (BIA) •Incident response plan (IR plan) •Disaster recovery plan (DR plan) •Business continuity plan (BC plan)
CP consists of which four major components?
CP policy
The CPMT must receive guidance from executive management through this. Defines the scope of the CP operations and establishes managerial intent. Stipulates the responsibility for the development and operations of the CPMT in general. May provide specifics on the constituencies of all CP-related teams.
•Recover information assets that are salvageable from the primary facility after the disaster •Purchase or otherwise acquire replacement information assets from appropriate sources •Reestablish functional information assets at the primary site if possible or at a new primary site, if necessary
What are the DRPT and DRRT responsibilities?
•effective backup strategies •flexible hardware configurations
Data recovery requires what two things?
