CE 303 1
Disaster Recovery & Business Continuity
Slides based on Whitman, M. and Mattord, H., Principles of Information Security; Thomson Course Technology 2003
CE 303 2
Learning ObjectivesUpon completion of this lesson the student should be able to:
– Describe what contingency planning is and how incident response planning, disaster recovery planning, and business continuity plans are related to contingency planning.
– Discuss the elements that comprise a business impact analysis and the information that is collected for the attack profile.
– Recognize the components of an incident response plan.
CE 303 3
Learning ObjectivesUpon completion of this lesson the student should be able to:
– Explain the steps involved in incident reaction and incident recovery.
– Define the disaster recovery plan and its parts.
– Define the business continuity plan and its parts.
– Discuss the reasons for and against involving law enforcement officials in incident responses and when may be required.
CE 303 4
Introduction - So far we have: Identified the following the problems
facing the organization Assessed a value for the organization’s
information assets Analyzed the threats in the organization’s
environment Identified potential vulnerabilities Assessed the risks associated with current
levels of the organization’s exposure
CE 303 5
Introduction - So far we have: Prepared solid business reasons to
support the risk strategy the organization should adopt for each information asset
Begun to develop a security blueprint for future actions
Outlined information security architecture or the necessary policies and technologies to guide the organization’s next steps.
The next step is to examine the topic of contingency planning within the information security context
CE 303 6FIGURE 7-
1Contingency Planning and the
SecSDLCContingency Planning and the
SecSDLC
Contingency Planning
Design:planning for continuty
Chapter 7
Investigate
Analyze
Implement
Maintain
Physical Design
Design:blueprint for security
Chapter 6
CE 303 7
Continuity Strategy Managers must provide strategic
planning to assure continuous information systems availability ready to use when an attack occurs
Plans for events of this type are referred to in a number of ways: – Business Continuity Plans (BCPs)– Disaster Recovery Plans (DRPs)– Incident Response Plans (IRPs)– Contingency Plans
Large organizations may have many types of plans, small organizations may have one simple plan, but most have inadequate planning
CE 303 8
Contingency Planning Contingency Planning (CP):
– Incident Response Planning (IRP) – Disaster Recovery Planning (DRP) – Business Continuity Planning (BCP)
The primary functions of these three planning types: – IRP focuses on immediate response, but if the attack
escalates or is disastrous the process changes to disaster recovery and BCP
– DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP
– BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources
CE 303 9
Continuity Strategy Primary functions of these three types of
planning: – IRP: immediate response
• If attack escalates or is disastrous, process changes to disaster recovery and BCP
– DRP: restoring systems after disasters occur• Closely associated with BCP
– BCP: occurs concurrently with DRP when damage is major or long term
• For events requiring more than simple restoration of information and information resources
CE 303 10
Contingency Planning TeamBefore any planning can begin, a
team has to plan the effort and prepare the resulting documents
Champion - A high-level manager to support, promote, and endorse the findings of the project
CE 303 11
Contingency Planning Team Project Manager - Leads the project
and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security
CE 303 12
Contingency Planning Hierarchy
ContingencyContingencyPlanningPlanning
DisasterDisasterRecoveryRecovery
IncidentIncidentResponseResponse
BusinessBusinessContinuityContinuity
FIGURE 7-2
Contingency Planning Hierarchy
CE 303 13
Contingency Planning Timeline
FIGURE 7-3
Contingency Planning Timeline
Incident Response (IRP)Incident Response (IRP)Disaster Recovery Planning (DRP)Disaster Recovery Planning (DRP)
Business Continuity (BCP)Business Continuity (BCP)
Attack Post Attack(hours)
Post Attack(days)
CE 303 14
Major Steps in Contingency Planning
Identification of Identification of threats and attacksthreats and attacks
Business unit analysisBusiness unit analysis
Scenarios of Scenarios of successful attackssuccessful attacks
Assessment of Assessment of potential damagespotential damages
Classification of Classification of subordinate planssubordinate plans
Incident Incident planningplanning
Incident Incident detectiondetection
Incident Incident reactionreaction
Incident Incident recoveryrecovery
Plan for Plan for disasterdisaster
recovery recovery
CrisisCrisisManagementManagement
RecoveryRecoveryoperationsoperations
EstablishEstablishContinuityContinuitystrategystrategy
Plan for Plan for continuity ofcontinuity ofoperations operations
Continuity Continuity managementmanagement
Incident responseplanning
Business impactanalysis (BIA)
Disasterrecoveryplanning
Businesscontinuityplanning
FIGURE 7-4
Major Steps in Contingency Planning
CE 303 15
Business Impact AnalysisBegin with Business Impact Analysis
(BIA)if the attack succeeds, what do we do then?
The CP team conducts the BIA in the following stages:1.Threat attack identification2.Business unit analysis3.Attack success scenarios4.Potential damage assessment5.Subordinate plan classification
CE 303 16
Threat Attack Identification & Prioritization Update threat list with latest
developments and add the attack profile The attack profile is the detailed
description of activities during an attack Must be developed for every serious
threat the organization faces Used to determine the extent of damage
that could result to a business unit if the attack were successful
CE 303 17
Table 7-1 – Attack ProfileDate of AnalysisDate of AnalysisAttack name & descriptionAttack name & descriptionThreat & probable threat agentThreat & probable threat agentKnown or possible vulnerabilitiesKnown or possible vulnerabilitiesLikely precursor activities or indicatorsLikely precursor activities or indicatorsLikely attack activities or indicators of Likely attack activities or indicators of attack in progressattack in progressInformation assets or risk from this attackInformation assets or risk from this attackDamage or loss to information assets Damage or loss to information assets likely from this attacklikely from this attackOther assets at risk from this attackOther assets at risk from this attackDamage or loss to other assets likely Damage or loss to other assets likely from this attackfrom this attackTABLE 7-1 Attack Profile
CE 303 18
Business Unit AnalysisSecond major task within BIA is
analysis and prioritization of business functions within the organization
Identify functional areas of the organization and prioritize them as to which are most vital
Focus on a prioritized list of various functions the organization performs
CE 303 19
Attack Success Scenario Development Next create a series of scenarios
depicting the impact a successful attack from each threat could have on each prioritized functional area with:– details on the method of attack – the indicators of attack – the broad consequences
Attack success scenarios details are added to the attack profile including:– Best case– Worst case– Most likely alternate outcomes
CE 303 20
Potential Damage AssessmentFrom attack success scenarios
developed, the BIA planning team must estimate costs of the best, worst, and most likely cases
Costs include actions of the response team
This final result is referred to as an attack scenario end case
CE 303 21
Subordinate Plan Classification Once potential damage has been
assessed, a subordinate plan must be developed or identified
Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario
An attack scenario end case is categorized as disastrous or not
The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack
CE 303 22
Incident Response Planning Incident response planning covers identification of,
classification of, and response to an incident An incident is an attack against an information asset
that poses a clear threat to the confidentiality, integrity, or availability of information resources
Attacks are only classified as incidents if they have the following characteristics:– Are directed against information assets– Have a realistic chance of success– Could threaten the confidentiality, integrity, or availability of
information resources IR is more reactive than proactive, with the exception
of the planning that must occur to prepare the IR teams to be ready to react to an incident
CE 303 23
Incident PlanningPre-defined responses enable the
organization to react quickly and effectively to the detected incident
Two assumptions for good IR: – 1) The organization has an IR team– 2) The organization can detect the
incidentIR team consists of individuals needed
to handle systems as the incident takes place
CE 303 24
Incident Planning IR teams act to verify the threat, determine
the appropriate response, and coordinate the actions necessary to deal with the situation
Military process of planned team responses can be used in an incident response
Planners must develop a set of documents guiding the actions of each involved individual reacting to and recovering from the incident– Plans must be properly organized and stored
CE 303 25
Incident Response Plan Format and Content
– Plan must be organized to support quick and easy access to required information
– Accomplished through a number of measures– Simplest is to create a directory of possible
incidents with tabbed sections for each incident
– When someone needs to respond to an incident, they simply open the binder, flip to the appropriate section, and follow the clearly outlined procedures for an assigned role
CE 303 26
Incident Response Plan Storage
– Plan should be protected as sensitive information
– On the other hand, the organization needs this information readily available
Testing– An untested plan is not a useful plan. The
levels of testing strategies can vary:– Checklist– Structured walk-through– Simulation– Parallel– Full-interruption
CE 303 27
Incident Detection The most common occurrence is a complaint about
technology support, often delivered to the help desk Possible detections:
– intrusion detection systems, both host-based and network-based
– virus detection software – systems administrators – end users
Only through careful training can the organization hope to quickly identify and classify an incident
Once an attack is properly identified, the organization can respond
CE 303 28
Incident IndicatorsPossible indicators of
incidents: – Presence of unfamiliar
files– Unknown programs or
processes– Unusual consumption of
computing resources– Unusual system crashes
Probable indicators of incidents:– Activities at unexpected
times– Presence of new
accounts– Reported attacks– Notification from IDS
Definite indicators of incidents:– Use of dormant accounts– Changes to logs– Presence of hacker tools– Notifications by partner
or peer– Notification by hacker
Predefined situations that signal an automatic incident: – Loss of availability– Loss of integrity– Loss of confidentiality– Violation of policy– Violation of law
CE 303 29
Incident or DisasterWhen Does an Incident Become a
Disaster?– The organization is unable to mitigate the
impact of an incident during the incident– The level of damage or destruction is so
severe the organization is unable to quickly recover
– It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response
CE 303 30
Incident Reaction Incident reaction consists of actions that
guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident
In reacting to the incident a number of actions must occur quickly including:– notification of key personnel – assignment of tasks– documentation of the incident
CE 303 31
Notification of Key Personnel Most organizations maintain alert rosters for
emergencies– Alert roster contains contact information for individuals to
be notified in an incident Two ways to activate an alert roster:
– A sequential roster is activated as a contact person calls each and every person on the roster [safer & better]
– A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on (commonly called a calling tree) [faster]
The alert message is a scripted description of the incident, just enough information so that everyone knows what part of the IRP to implement
CE 303 32
Incident Documentation Documenting the event is important:
– First, ensure that the event is recorded for the organization’s records
• What happened• How it happened• What actions were take• Record who, what, when, where, why, & how
– Second, be able to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident
– Finally, a good incident record can be used as a simulation in future training sessions
CE 303 33
Incident Containment Strategies
Before an incident can be contained, the affected areas of the information and information systems must be determined
The organization can stop the incident and attempt to recover control through a number of strategies including:– severing the affected circuits– disabling accounts– reconfiguring a firewall– ultimate containment option (reserved for
only the most drastic of scenarios) involves a full stop of all computers and network devices in the organization
CE 303 34
Incident Recovery Once the incident has been contained,
and control of the systems regained, the next stage is recovery
First task: identify human resources needed and launch them into action
Full extent of damage must be assessed The organization repairs vulnerabilities,
addresses any shortcomings in safeguards, and restores data and services of the systems
CE 303 35
Damage Assessment Incident damage assessment is
immediate determination of the scope of the breach of CIA of information and assets after an incident
Sources of information include:– system logs– intrusion detection logs– configuration logs and documents– documentation from the incident response– results of a detailed assessment of systems
and data storage
CE 303 36
Computer Forensics Related to incident damage assessment
is the field of computer forensics This is the process of collecting,
analyzing, and preserving computer-related evidence– Evidence may prove action or intent
Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings
Individuals assessing damage need special training
CE 303 37
RecoveryIn the recovery process:
– Identify vulnerabilities that allowed the incident to occur and spread and resolve them
– Address safeguards that failed to stop or limit the incident, or were missing from the system in the first place
• Install, replace or upgrade them– Evaluate monitoring capabilities
• Improve their detection and reporting methods, or simply install new monitoring capabilities
– Restore data from backups– Restore services and processes in use– Continuously monitor the system– Restore confidence of the members of the
organization’s communities of interest– Conduct an after-action review
CE 303 38
Automated Response New systems can respond to incidents
autonomously Trap and trace uses a combination of
resources to detect intrusion then trace back to source– Trapping may involve honeypots or honeynets
Enticement is the process of attracting attention to a system by placing tantalizing bits of information in key locations
Entrapment is luring an individual into committing a crime to get a conviction– Enticement is legal and ethical, while
entrapment is not
CE 303 39
Disaster Recovery Planning Disaster recovery planning (DRP) is planning the
preparation for and recovery from a disaster The contingency planning team must decide
which actions constitute disasters and which constitute incidents
When situations are classified as disasters plans change as to how to respond may occur - take action to secure the most valuable assets to preserve value for the longer term even at the risk of more disruption
DRP strives to reestablish operations at the ‘primary’ site
CE 303 40
DRP Steps Clearly establish priorities Clearly delegate roles and responsibilities Initiate the alert roster and notify key
personnel Task someone with documentation of the
disaster If (and only if) it is possible, make some
attempts to mitigate impact of the disaster on the operations of the organization
CE 303 41
Crisis Management Crisis management is actions taken during and
after a disaster focusing on the people involved and addressing the viability of the business
The crisis management team is responsible for managing the event from an enterprise perspective and covers: – Supporting personnel and families during the crisis – Determining impact on normal business operations
and, if necessary, making a disaster declaration– Keeping the public informed– Communicating with major customers, suppliers,
partners, regulatory agencies, industry organizations, the media, and other interested parties
CE 303 42
Disaster Recovery Planning Establish a command center to support
communications Include individuals from all functional
areas of the organization to facilitate communications and cooperation
Some key areas of crisis management include:– Verifying personnel head count– Checking the alert roster– Checking emergency information cards
CE 303 43
DRP Structure Similar to the IRP, DRP is organized by
disaster, and provides procedures to execute during and after a disaster
Provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified
Just as the IRP must be tested, so must the DRP, using the same testing mechanisms
Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters
CE 303 44
Business Continuity PlanningBusiness continuity planning
outlines reestablishment of critical business operations during a disaster that impacts operations
If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function
CE 303 45
Developing Continuity Programs (BCPs) A business continuity program, as
documented in the BCP, is a function of contingency planning
Once incident response plans and disaster recovery plans are in place, the organization needs to address the possibility of finding temporary facilities to support the continued viability of the business
BCP consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions
CE 303 46
Developing Continuity Programs (BCPs) First part of the BCP is performed when
joint DRP/BCP plan is developed Cornerstone of BCP is identification of
critical business functions & resources needed to support them
Contingency planning team needs to appoint a team to evaluate/compare various alternatives available and recommend which strategy should be selected and implemented
Strategy selected usually involves an off-site facility, which should be inspected, configured, secured and tested on a periodic basis
CE 303 47
Continuity Strategies There are a number of strategies for
planning for business continuity Determining factor in selection between
these options is usually cost In general, three exclusive options exist:
– hot sites– warm sites– cold sites
And three shared functions: – timeshare– service bureaus– mutual agreements
CE 303 48
Off-Site Disaster Data Storage To get these types of sites up and running
quickly, the organization must have the ability to port data into the new site’s systems
These include: – Electronic vaulting - bulk batch-transfer of data to an
off-site facility– Remote Journaling - transfer of live transactions to an
off-site facility; only transactions are transferred not archived data; transfer is real-time
– Database shadowing - Not only processing duplicate real-time data storage, but also duplicates databases at the remote site to multiple servers
CE 303 49
Model for IR/DR/BC PlanThe single document set approach
supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans
The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations
CE 303 50
The Planning Document1. Establish responsibility for managing the
document, typically the security administrator2. Appoint a secretary to document the activities and
results of the planning session(s)3. Independent incident response and disaster
recovery teams are formed, with a common planning committee
4. Outline the roles and responsibilities for each team member
5. Develop the alert roster and lists of critical agencies
6. Identify and prioritize threats to the organization’s information and information systems
CE 303 51
The Planning ProcessSix steps of the Contingency Planning process:
1. Identify mission- or business-critical functions2. Identify resources that support critical
functions3. Anticipate potential contingencies or disasters4. Select contingency planning strategies5. Implement contingency strategies6. Test and revise the strategy
CE 303 52
Using the Plan During the incident
– Develop and document procedures that must be performed during the incident
– Group procedures and assign to individuals– Each member of the planning committee
begins to draft a set of function-specific procedures
After the incident– Develop procedures that must be performed
immediately after the incident has ceased– Again, separate functional areas may develop
different procedures
CE 303 53
Using the PlanBefore the incident
– Draft tasks that must be performed to prepare for the incident
– These are details of:• Data backup schedules• Disaster recovery preparation• Training schedules• Testing plans• Copies of service agreements• Business continuity plans if any.
CE 303 54
The Planning Document Finally assemble the IR portion of the plan
– Sections detailing the organization’s DRP and BCP efforts are placed after the incident response sections
Critical information as outlined in these planning sections are recorded, including information on alternate sites, etc. as indicated in the “before the incident” section, applicable to the disaster recovery and business continuity efforts
Multiple copies for each functional area are created, cataloged, and signed out to responsible individuals
CE 303 55
Contingency Plan
CE 303 56
Law Enforcement Involvement When the incident at hand constitutes a
violation of law the organization may determine that involving law enforcement is necessary
There are several questions which must then be answered:– When should the organization get law enforcement
involved? – What level of law enforcement agency should be
involved: local, state, or federal? – What will happen when the law enforcement agency is
involved? Some of these questions are best answered by
the organization’s legal department
CE 303 57
Local, State, or Federal Authorities Selecting the level of law enforcement
depends on the level and type of crime discovered:– The Federal Bureau of Investigation deals
with many computer crimes that are categorized as felonies
– The US Secret Service works with crimes involving US currency, counterfeiting, credit cards, identity theft, and other crimes
– The US Treasury Department has a bank fraud investigation unit and the Securities and Exchange Commission has investigation and fraud control units as well
CE 303 58
State Investigative Services Each state has its own version of the FBI
(except Illinois! – interesting story why not) These state agencies arrest individuals,
serve warrants, and generally enforce laws on property that is owned by the state or any state agency
In Illinois, computer crime is the responsibility of the State of Illinois High Tech Crime Bureau, part of the Attorney General’s Office
CE 303 59
Local Law Enforcement Local agencies enforce all local and state
laws and handle suspects and security crime scenes for state and federal cases
Local law enforcement agencies seldom have a computer crimes task force, but most investigative (detective) units are capable of processing crime scenes, and handling most common criminal activities and the apprehension and processing of suspects of computer related crimes
CE 303 60
Benefits of Law Enforcement Involvement
Involving law enforcement agencies has advantages:– Agencies may be much better equipped at
processing evidence than private organizations– Unless the organization has staff trained in
forensics they may less effective in convicting suspects
– Law enforcement agencies are also prepared to handle the warrants and subpoenas needed
– Law enforcement skilled at obtaining statements from witnesses, completing affidavits, and other information collection
CE 303 61
Drawbacks to Law Enforcement Involvement
Involving law enforcement agencies has disadvantages:– On the downside, once a law enforcement
agency takes over a case, the organization loses complete control over the chain of events
– The organization may not hear about the case for weeks or even months
– Equipment vital to the organization’s business may be tagged as evidence, to be removed, stored, and preserved until it can be examined for possible support for the criminal case
– However, if the organization detects a criminal act, it is a legal obligation to involve the appropriate law enforcement officials
CE 303 62
The End…
Questions?Discussion!