Incident Response: A Standards-Based Approach
Source: mydlc.com/pmi-mn/PRES/2005D0217.pdf
Date posted: 15-Apr-2018
Transcript
Page 1: Incident Response: A Standards-Based Approach (mydlc.com/pmi-mn/PRES/2005D0217.pdf)

JBW Group Inc. – Information Security Consulting © 2005

Incident Response: A Standards-Based Approach

Project Management Institute, Minnesota Chapter

John B. Weaver – JBW Group Inc, Information Security Consulting

February 17, 2005

Page 2

“Immature strategy is the cause of grief.” – Miyamoto Musashi (1584–1645)

Page 3

Incident Response

Agenda
• Background
• Information Security
• Business Environment
• A Standards-based Approach
• Incident Response
• Project Management of Incident Response
  • Proactive
  • Reactive
• References

Page 4

Background
• Over 15 Years Experience in Information Security
• JBW Group Inc – International Information Security Consultancy
• Worked with Clients in Healthcare, Financial, Telecommunications, Energy verticals
• BS7799/ISO17799 Evangelist
• BSI-Qualified BS7799 Audit and Implementation
• InfraGard Executive Board
• ISC2, ISACA, ASIS, ISSA, IISFA

Page 5

Information Security

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected”

BS ISO/IEC 17799:2000

Page 6

Information Security

[Diagram: Information Assets at the centre, surrounded by Confidentiality, Integrity and Availability]

Page 7

Business Environment
• Internet connectivity is necessary to compete in the marketplace
• Internet-connected businesses and government agencies
• Expanded infrastructure
• Vendor partners and regulatory organizations are requiring internet connectivity
• Outsourcing of critical functions
• Off-shore development

Page 8

Business Environment (continued)
• Sarbanes-Oxley (SOX)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• California SB1386
• New Basel Capital Accord (Basel-II)
• Digital Millennium Copyright Act (DMCA)
• Business Software Alliance (BSA)
• Industry-specific Requirements

Page 9

BS7799 ISO/IEC17799
• Internationally recognized Information Security standard
• Process driven, business oriented
• Measurable – Valuation of assets and scaling of risk
• Repeatable – Formal approach, structured processes
• Scalable – Facilitates prototyping, adaptable
• Defensible – Articulates level of assurance
• Recognizes information in all forms
• Meets requirements of HIPAA, GLBA (and others)
• Requires governance (management buy-in)
• Utilizes “best practices”
• Promotes security awareness throughout organization
• Reflects Total Quality Management (continuous improvement)

Page 10

Incident Types
• Natural Disaster
• Physical Security Breach
• Viruses and Worms
• Trojans
• Employee Misconduct
• Accidental or Inadvertent Incidents
• Labor and Trade Union Action
• Terrorism and Cyber-Terrorism
• System or Network Security Breach
• CGI Exploits
• Distributed Denial of Service
• Hoaxes
• Theft of Proprietary Data (IP)
• Router Compromise
• System Compromise

Page 11

Standards-Based Incident Response

BS7799/ISO17799 Components of Incident Response:
• Management Oversight (Governance)
• Policy for Incident Response
• Documented Risk Assessment Process
• Incident Response Planning
  • Disaster Recovery
  • Business Continuity
  • Security Incidents
  • Employee Awareness
  • Training
• Quality Management/Continuous Improvement

Page 12

Risk Management

A key element of ISO17799 is the Degree of Assurance, determined by:

[Diagram: Risk Assessment Process → Output: Level of Risk → Input to Risk Treatment Process → Output: Residual Risk → Degree of Assurance]

Page 13

Incident Response

An Incident Response Strategy consists of several process steps, grouped into two components:

Proactive Strategy
• Planning
• Testing
• Monitoring and Detection

Reactive Strategy
• Analysis
• Isolation
• Containment
• Investigation
• Mitigation
• After Action Analysis (TQM)

Page 14

“Incident Response as Managed Project”

There are obvious project management components in the proactive strategy:
• Developing, deploying & testing
  • Disaster response plans
  • Business continuity plans
  • Incident response plans
• Continuous improvement

Project Management can play a vital role in the reactive strategy:
• Communications
• Logistics
• Metrics
• After action analysis and reporting

Page 15

Incident Response Project Management (Continued)

Proactive Plan Components:
• Senior Management Commitment
• Constituency is Defined
• Risk Assessment/Impact Analysis
• Policy is Documented and Endorsed
• Incident Response Team Membership
• Defined Roles and Responsibilities
• Well Documented Processes and Procedures
• Identified Measurement Points (Metrics)
• Services are Defined
• Linkages to Other Teams/Organizations are Established and Maintained

Page 16

Incident Response Team

Incident Response Core Team membership is predefined and static. The roles for the core team are:
• Management
• Technical Lead
• Engineering
• Logistics

Other team members are brought in and “deputized” on an as-needed basis.

Page 17

Avoiding Immature Strategy

The most important part is preparation
• Adequate planning is critical to success
• Anticipate as many logistical needs as possible
• Regular testing of the plan is critical
• Build measurement points into the plan so that metrics can be developed
• Encourage management/sponsor review (governance)
• Analyze for areas of improvement

Page 18

Incident Response Metrics

Page 19

Reactive Response
• Analysis – Systematic review of data
• Isolation – Separation from the environment
• Containment – Keep it isolated
• Investigation – Cause and effect
• Mitigation – Fix, diminish or otherwise deal with the incident
• After Action Analysis (TQM) – Includes root cause and recommended solutions

Page 20

PDCA Model Applied to ISMS

[Diagram: development, maintenance and improvement cycle. Interested Parties' information security requirements and expectations feed into the cycle; Plan: Establish the ISMS; Do: Implement and operate the ISMS; Check: Monitor and review the ISMS; Act: Maintain and improve the ISMS; the cycle delivers managed information security back to the Interested Parties]

Source: BSI Americas © 2003

Page 21

Continuous Improvement

After Action Reporting
• Include Incident Response team world view
• Describe incident environment
• Describe response methodology
• Report response metrics
• Document results of after action analysis
• Recommend opportunities for improvement

Page 22

Continuous Improvement (continued)

Recommend areas of improvement as goals and objectives:
• Ranked by urgency
• “Low hanging fruit”
• Greatest cost/benefit ratio
• Legal or regulatory requirements
• Input to Policy Development

Page 23

Mature Strategy

Successful Incident Response
• Incident response is guided by a well understood framework
• Mandated by management – Governance
• Focused by risk assessment and impact analysis
• Supported by clear policy and guidelines
• Well documented and frequently exercised incident response processes (mature IR plan)
• Vested incident response team
• Team members understand roles, responsibilities and constituency
• Develop metrics to understand impact to the business and effectiveness of IR process
• Utilize knowledge gained from after action analysis and reporting to continually improve the environment and the IR process

Page 24

References
• A Book of Five Rings – The Classic Guide to Strategy, by Miyamoto Musashi, translated by Victor Harris, published by Overlook Press, Woodstock, NY
• Incident Response, by Kenneth R. van Wyk and Richard Forno
• British Standard BS7799-2:2002 Information Security Management Systems – Specification with guidance for use
• BS ISO/IEC 17799:2000 (BS7799-1:2000) Information Technology – Code of practice for information security management
• ISO/IEC TR 13335 Information Technology – Guidelines for Management of IT Security (GMITS)
• The Computer Emergency Response Team (CERT™) – Carnegie Mellon University, www.cert.org
• ISO17799 Information Security Management System (ISMS) Users Group – www.xisec.com
• International Organization for Standardization (ISO) – www.iso.org
• National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) – csrc.nist.gov
• The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – www.coso.org
• International Register of Certificated Auditors (IRCA) – www.irca.org
• United Kingdom Accreditation Service (UKAS) – www.ukas.org
• BSI Americas – www.bsiamericas.com

Page 25

JBW Group Inc – Information Security Consulting

Contact Information:
John B. Weaver – CISSP, CISA, CISM, CPP
President and CEO, Principal Consultant
JBW Group Inc
PO Box 19393
Minneapolis, MN 55419
612.719.2663

[email protected]

