Chapter 8: Risk, Response, and Recovery
Administrative control
A control involved in the process of developing & ensuring compliance with policies & procedures.
Technical control
A control that is carried out or managed by a computer system.
Compensating controls
A control that is designed to address a threat in place of a preferred control that is too expensive or difficult to implement.
Corrective controls
A control that mitigates or lessens the effect of the threat.
Preventive controls
A control that stops an action before it occurs. Examples include locked doors, firewall rules, & user passwords.
Deterrent controls
A control that warns the user that completing a requested action will result in a violation or threat.
Redundancy
A feature of network design that ensures the existence of multiple pathways of communication. The purpose is to prevent or avoid a single point of failure.
Recovery point objective RPO
The maximum acceptable level of data loss after a disaster.
Emergency operations center EOC
The place in which the recovery team will meet & work during a disaster.
Threats to internal or external users of virtualization
Violation of virtualization barriers; lack of access controls for outsourced resources; reliability of services; cloud service provider lock-in; insecure application interfaces; malicious insiders; account hijacking.
Parallel test
The same as a full-interruption test, except that processing does not stop at the primary site.
Event
Any observable occurrence within a computer or network.
Risk register
A list of identified risks that results from the risk-identification process.
Countermeasures
A measure installed to counter or address a specific threat.
Simulation test
A method of testing a BCP or DRP in which a business interruption is simulated, & the team responds as if the situation were real.
Business continuity plan BCP
A plan for how to handle outages to IT systems, applications, & data access in order to maintain business operations.
Business impact analysis BIA
A prerequisite analysis for a business continuity plan that prioritizes business operations & functions, their associated IT systems, applications, & data, & the impact of an outage or downtime.
Service bureau
A service provider that has sufficient capacity to offer outsourced wholesale services to smaller customers.
Checklist test
A simple review of the plan by managers & the business continuity team to make sure that contact numbers are current & that the plan reflects the company's priorities & structure.
Disruption
A sudden, unplanned event that upsets an organization's ability to provide critical business functions & causes great damage or loss.
Quantitative risk assessment
A type of risk assessment that assigns a numerical value, generally a cost value, to each risk, making risk impact comparisons more objective.
Qualitative risk assessment
A type of risk assessment that describes risks & then ranks their relative potential impact on business operations. Scenario-based.
Disaster recovery plan DRP
A written plan for how to handle major disasters or outages & recover mission-critical systems, applications, & data.
Restoring damaged systems
The administrator updates operating systems & applications, restores data to the RPO, & activates access control rules, directories, & remote access systems.
Interim or alternate processing strategies
Alternate processing center or mirrored site: most expensive. Hot site: takes over operations quickly; company-owned & dedicated. Warm site: IT, communications, power, & HVAC in place; must retrieve & load data. Cold site: empty data center with HVAC & power; least expensive.
Mutual aid
An agreement between organizations able to help each other by relocating IT processing in time of need after a disaster.
Incident
An event that results in violating your security policy, or poses an imminent threat to your security policy.
Controls
Any mechanism of action that prevents, detects, or addresses an attack.
Total risk
The combined risk to all business assets. Total risk - mitigation controls = residual risk.
Gaming consoles
Computers optimized to handle graphics applications efficiently. They connect to the Internet & are routinely exposed to new threats.
Contingency
Keep maintenance fees & maintenance activities current. Check whether the carriers, especially communications carriers, share the same cable or routing paths.
Supervisory Control and Data Acquisition
Systems that control & monitor physical devices, such as manufacturing & facility environment controls.
Full backup
Copies everything to backup media. Usually tape, but sometimes CD, DVD, or disk.
Reciprocal centers
Data centers of businesses that do the same type of work but are not direct competitors & can be used as alternate processing sites in the case of a disaster.
Three choices usually considered if a business must relocate for recovery
Dedicated site operated by the business; commercially leased facility; agreement with an internal or external facility.
Specific security responsibilities
Delete redundant/guest accounts; train system administrators; train everyone; install virus-scanning software; install IDS/IPS & network-scanning tools.
Detective controls
Controls that detect when an action has occurred. Examples include smoke detectors, log monitors, & system audits.
Generators
Ensure all fuel is fresh & contracts are in place to guarantee the supply of fuel in a crisis. Perform routine maintenance so they are ready to operate.
Disaster recovery plan does 3 things
Establishes an emergency operations center as an alternate location; names the EOC manager; determines when the manager may declare an incident a disaster.
Reentry
Examine the damaged site using people qualified to determine whether it's safe for humans to reenter.
Examples of major disruptions
Extreme weather, criminal activity, civil unrest/terrorist acts, operational, application failure.
Mainframes
Handle large-scale data processing & are expensive to maintain. Downtime is expensive & discouraged.
Annualized rate of occurrence ARO
How often a loss is likely to occur every year, also called likelihood. Annualized loss expectancy is the product of this rate & the single loss expectancy.
Purpose of risk management
To identify possible problems before something bad happens.
Differential backup
Make a full backup when network traffic is lightest. Then, on a daily basis, back up the changes made since that full backup.
Using the Cloud
Makes maintaining disaster recovery sites more affordable. Cloud recovery sites exist as cold, warm, & hot sites.
Examples of emerging threats
New technology; changes in organizational or environmental culture; unauthorized use of technology; changes in regulations, laws, & business practices.
Structured walkthrough test
Present plan portion to other teams; review goals for completeness & correctness; affirm scope & any assumptions; look for overlaps/gaps; review organization structure; evaluate testing, maintenance, & training structures.
Safety of damaged site
Protect primary/damaged site from further damage or looting.
Transportation of equipment and backups
Provide safe transportation of people, equipment, & backup data to & from the alternate site.
Communications and networks
Regular telephone service often fails in a crisis. An alternate method of communication might be needed, especially among key team members.
Business impact analysis for three key reasons
Set the value of each business unit or resource; identify the critical needs to develop a BRP; set the order or priority for restoring the organization's functions after a disruption.
Embedded systems
Small computers contained in a larger device. The computer components are enclosed in a chassis that houses the rest of the device, which includes other hardware & mechanical parts.
Safeguards
Something built-in or used in a system to address gaps or weaknesses in the controls that could otherwise lead to an exploit.
Sandboxes
Spin up VM images as isolated servers to conduct testing that shouldn't affect operations.
Incremental backup
Start with a full backup when network traffic is light. Each night, back up only that day's changes. Each nightly incremental backup takes about the same amount of time.
Fault tolerance
The ability to encounter a fault, or error, of some type & still support critical operations.
Recovery time objective RTO
A defined metric for how long it must take to recover an IT system, application, & data access.
Some purposes of countermeasures
Fix known exploitable software flaws; develop operational procedures & access controls; provide encryption capability; improve physical security; disconnect unreliable networks.
Vehicle systems
Increasing numbers of vehicles contain computing systems that monitor conditions, provide connectivity to the Internet, provide real-time routing, & control the vehicle's operation.
Critical dependencies
Information processing, personnel, communications, equipment, facilities, other organizational functions, vendors, supplies
Critical business function CBF
Once the BIA has identified the business systems that an incident will affect, you must rank the systems from most to least critical. That ranking determines whether the business can survive in the absence of a given critical function.
Activating DRP
Restores business operations; builds the network from available backup data; returns operations to their original state before the disaster.
Risk management and information security
Risk management is a central concern of information security. Attention to risk management can mean the difference between a successful business & a failing one.
Residual risk
Risk that remains after you have installed countermeasures & controls.
Activity phase controls
Security controls that can be either technical or administrative: preventive, detective, & corrective.
Operating a redundant/modified environment
Normal processes, separation of duties, or spending limits may be suspended. More technical support or guidance may be needed on how to use alternate systems or access. Services from different hardware platforms may be combined onto common servers. Continue to make backups.
Mobile devices
Although system patches & upgrades are available & easy to apply, not all users update their devices. Bad prior upgrade experiences may prevent users from applying needed patches.
Succession planning
The act of planning who will step in if key personnel are incapacitated or unavailable.
Loss expectancy
The amount of money that is lost as a result of an IT asset failure.
Maximum tolerable downtime MTD
The amount of time that critical business processes & resources can be offline before an organization begins to experience irreparable business harm.
Consortium agreement
The legal definition for how members of a group will interact with one another.
Likelihood
The probability that a potential vulnerability might be exercised within the construct of an associated threat environment.