MIST5770 Quest2- chapter8 risk, response and recovery

Recovery Alternatives

A dedicated site operated by the business, such as a secondary processing center A commercially leased facility, such as a hot site or mobile facility An agreement with an internal or external facility

Monitor and Control Risk Response

What problem is this countermeasure designed to solve? 他要解决的问题是什么呢？ Does this countermeasure solve this problem? Countermeasures might pose new risk to the organization 可能会带了一些 Perform certification and accreditation of countermeasure programs Follow best practices and exercise due diligence

Access risks

quantitative - describe risk in financial terms and put a dollar value on each risk qualitative - ranks risks based on their probability of occurrence and impact on business operations

Countermeasure

Counters or addresses a specific threat

Calculating Quantified Risk

1. Calculate the asset value(AV) : It could tangible( buildings) or intangible(like reputation, loss of productivity) 2. Calculate the exposure factor(EF) :就是当事故发生的时候， the percentage of the asset value that will be lost 3. Calculate the single loss expectancy. : 就是相当于预测单个事故发生时候， 公司需要赔偿多少钱出去. like EF is 20%, car's value is 20000. The the total amount is 4000 for each car. 4. Determine how often a loss is likely to occur every year: 5. Determine annualized loss expectancy (ALE): 简单来说，就是一年可能发生的概率 X 平均一次会发生的损失.

risk register

1. 描述risk 2. 如果event发生，期待会发生什么样的影响 3. 一个event 发生的可能 4. 用来mitigate the risk steps 5. steps to take should the event occur 6. rank of the risk

Recovery from a Disaster

A disaster recovery plan (DRP): Establishes an emergency operations center (EOC) as an alternate location from which the BCP/DRP will be coordinated and implemented Names an EOC manager Determines when that manager should declare an incident a disaster

Event

A measurable occurrence that has an impact on the business

Safeguard

Addresses gaps or weaknesses in controls that could lead to a realized threat 任何一个可能导致可意识到的威胁

Implement the Risk Response Plan

Administrative controls Manage the activity phase of security—the things people do 管理方面，activity phase of security Activity phase controls Either administrative or technical Correspond to the life cycle of a security program Detective controls Preventive controls Corrective controls Deterrent controls Compensating controls

Incident

Any event that violates or threatens to violate your security policy 任何可能会对你的安全policy造成一定程度影响的event

Business Continuity Management (BCM)

Business continuity plan (BCP) Contains the actions needed to keep critical business processes running after a disruption

Terminology BIA CBF MTD RTO RPO EOC

Business impact analysis (BIA): An analysis of the business to determine what kinds of events will have an impact on what systems. 就是分析决定哪一种event会对系统产生影响. Critical business function (CBF): Once the BIA has identified the business systems that an incident will affect, you must rank the systems from most to least critical. That ranking determines whether the business can survive—and for how long—in the absence of a critical function. 一旦找出了所有的威胁就要对他进行排序，那些会严重印象到公司business正常运行的 应该得到更多的关注. Maximum tolerable downtime (MTD): The most time a business can survive without a particular critical system. A major disruption is any event that makes a CBF unavailable for longer than its MTD. Each of the disaster-planning and mitigation solutions must be able to recover CBFs within their MTDs. Systems and functions with the shortest MTDs are often the most critical. The next section covers this topic in more detail. 也就是说系统要, 整个business能够撑下去多长时间 Recovery time objective (RTO): The timeframe for restoring a CBF. RTO must be shorter than or equal to the MTD. Recovery point objective (RPO): Incidents can cause loss of data. You must calculate the amount of tolerable data loss for each business function. Recovery procedures must be able to meet the minimums defined here. If the business can afford to lose up to one day's data, then nightly backups might an acceptable solution. However, if the business must prevent all data loss, a redundant server or storage solution will be required. 要确保数据不会全部都丢失了. 要知道自己的公司能够经历几天的数据丢失. Emergency operations center (EOC): 就是当重大的事故发生了的时候，要有一个地方对所以发生的东西进行一个修复. The EOC is the place where the recovery team will meet and work during a disruption. Many businesses have more than one emergency operations center. One might be nearby—for use in the event of a building fire, for example. Another might be a significant distance away—for example, for use in the event of an earthquake or regional power outage. Any component that, if it fails, could interrupt business processing is called a single point of failure (SPoF). Deploying two or more components that are capable of providing the same service, called redundancy, helps increase an organization's ability to avoid downtime (which also called fault tolerance ). 就是能够提供多个服务器能够提供相同的服务， 这个不行了，另外一个可以接着上.

Disaster recovery plan (DRP)

Details the steps to recover from a disruption and restore the infrastructure necessary for normal business operations Disruptions include extreme weather, criminal activity, civil unrest/terrorist acts, operational, and application failure disruptions

Identify Risks

Develop scenarios for each threat to assess the threats Popular risk identification methods include: Brainstorming Surveys Interviews Working groups Checklists Historical information

Primary Steps to Disaster Recovery

Ensure the safety of individuals Contain the damage Assess damage and begin recovery operations according to the DRP and BCP

Positive risks

Exploit (exploitation) Share (sharing) Enhance (enhancement) Accept (acceptance) 这种risk可以为理解为，好的东西造成的影响。You web server was not ready for sign up by 5k users. So, it crashes.

Types of Backups Full Incremental Differential

Full backup: As its name implies, this backup copies everything to a backup media. It is usually tape, but is sometimes CD, DVD, or disk. Differential backup: With this type of backup, you start by making a full backup, perhaps on Sunday, when network traffic is lightest. On Monday through Saturday, you back up changes made since Sunday's full backup on a daily basis. As the week progresses, each night's backup (the differential) takes a little longer. Incremental backup: Again, you start with a full backup when network traffic is light. Then, each night, you back up only that day's changes. As the week progresses, the nightly (incremental) backup takes about the same amount of time.

Purpose of Risk Management

Identify Risks: Before they lead to an incident. In time to enable you to plan and begin risk-handling activities(Controls and countermeasures)

Review and Test the Plan

Important to review and update BCP regularly Tests for a BCP and DRP Checklist Structured walk-through Simulation Parallel Full interruption

Controls

Includes both safeguards （安全）and countermeasures ( 反措施）

Restoring Damaged Systems

Know where to get configuration charts, inventory lists, and backup applications and data Have access control lists to make sure that the system allows only legitimate users on it Update the operating systems and applications with the most current patches Make sure the operating systems and applications are current and secure Activate the access control rules, directories, and remote access systems to permit users to get on the new systems

Backing Up Data and Applications

Plans must include dealing with: Backup storage media Location Access Backups provide extra copies of needed resources, such as: Data Documentation Equipment

Plan a risk response Negative risks

Reduce (reduction/mitigation) Transfer (transference/assignment) Accept (acceptance) Avoid (avoidance) 对于会产生负面影响的风险： 减少， 转移， 接受， 避免

Business Impact Analysis

Security pro should ask two questions: What can affect the business? How will it affect the business? Conduct a BIA for these reasons: Set value of each business unit or resource as it relates to how the entire organization operates Identify critical needs to develop a business recovery plan Set order or priority for restoring the organization's functions after a disruption

Risk Managment and Information Security

Seek e balance between the utility and cost of various risk management options 要在成本和使用性上面找一个平衡

Assessing the Impact of Downtime

• People: How will you notify them of the incident and its impact? How will you evacuate, transport, and care for employees (including, for example, paying them)? Who will step in if key personnel are incapacitated or unavailable? (This is called succession planning.) 你如何告诉你的employee,然后要对他们采取什么样的措施. • Systems: What portions of your computing and telecommunications infrastructure must you duplicate immediately? How long do you have—a minute, an hour, a day? • Data: What data are critical to running your business? How will you recover critical data that are lost? 那些重要的部分需要进行复制 • Property: What items are essential to your business? Things like tools, supplies, and special forms all must be recoverable or easily replaced. 什么东西对于你的公司来说非常的重要.

Selecting Countermeasures (A measure or action taken to counter or offset another one. )就是用来平衡另外一种方法，但是有可能会照成其他的影响

Fix known exploitable software flaws 用固定的方法找出软件的漏洞 Develop and enforce operational procedures and access controls (data and system) Provide encryption capability （提供保密的能力） Improve physical security Disconnect unreliable networks 提高physical security 和不稳定的网络断开连接

The risk management process

Identify risks: The first step to managing risk is identifying risks. What could go wrong? Answers can include fire, flood, earthquake, lightning strike, loss of electricity or other utility, labor strikes, and transportation unavailability. You must develop scenarios for each threat to assess the threats. 第一步：尽可能的找出所有的风险 • Assess risks: Some risks pose a greater possibility of loss than others. Furthermore, not all risks apply to all businesses in all locations. For example, businesses in Montana or Moscow don't need to worry about hurricanes. Of the risks that are possible, impact will be more or less severe depending on the scenario and location. Assessing risk is about determining which risks are the most serious ones. 第二步： 因为每个公司，地方可能都有不同的情况，所以就评估风险而言也要去仔细的观察是否适合他们. • Plan risk response: Starting with the highest-priority risks, explore potential responses to each one. With direction from your organization's upper management, determine the responses to each risk that provide the best value. 第三步:从风险最高的开始然后进行评估，每个风险应该如何进行回应. • Implement risk responses: Take action to implement the chosen responses to each risk from the previous step. 第四步： 具体的对每一个risk进行评估 • Monitor and control risk responses: Monitor and measure each risk response to ensure that it is performing as expected. This step can include passive monitoring and logging as well as active testing to see how a control behaves. 对implementing risk 进行评估，然后对其进行检测， 去看是否和我们想象 一样

Activating the Disaster Recovery Plan

Restore business operations Return operations to their original state before the disaster

Operating in a Reduced/Modified Environment

Suspend normal processes Identify minimum recovery resources as part of the recovery needs Combine services that were on different hardware platforms onto common servers Continue to make backups of data and systems

Impact

The amount of harm a threat exploiting a vulnerability can cause

Detective controls Preventive controls Corrective controls Deterrent controls Compensating controls

• Detective controls identify that a threat has landed in your system. An intrusion detection system (IDS) is an example of a detective control. 找出系统里面的威胁. • Preventive controls stop threats from coming in contact with a vulnerability. An example of a preventive control is an intrusion prevention system (IPS). 阻止和vulnerability 有关的威胁 • Corrective controls reduce the effects of a threat. When you reload an operating system after it is infected with malware, you are using a corrective control . Forensics and incident response are other examples of corrective controls. （ 改进方面的控制，减少threat来的威胁） • Deterrent controls deter an action that could result in a violation. There is a fine line between deterrent controls and preventative controls. Deterrent controls merely attempt to suggest that a subject not take some action, whereas preventative controls do not allow the action to occur. Deterrent controls are valuable when a knowledgeable user needs the ability to perform some action that involves risk. A deterrent control would allow the action after a warning, whereas a preventative control would not allow the action. In short, the decision to choose between a preventative and deterrent control is often a balance between utility and security. 简单的来说的话, 就是允许knowledgeable users 可以采取一些行动 • Compensating controls are designed to address a threat in place of a preferred control that is too expensive or difficult to implement. 就是找一个便宜的方法来对待.