Planning for Continuity in Information security

Date post: 14-Apr-2018
Upload: eswin-angel

Transcript
  • 7/29/2019 Planning for Continuity in Information security

    Slide 1: Planning for Continuity

    Chapter 7

  • Principles of Information Security - Chapter 7 Slide 2

  • Slide 3: Continuity Strategy

    Managers must provide strategic planning to assure that information systems remain continuously available and ready to use when an attack occurs.

    Plans for events of this type are referred to in a number of ways:

    Business Continuity Plans (BCPs)
    Disaster Recovery Plans (DRPs)
    Incident Response Plans (IRPs)
    Contingency Plans

    Large organizations may have many types of plans; small organizations may have one simple plan; but most have inadequate planning.

  • Slide 4: Contingency Planning

    Contingency Planning (CP) comprises:

    Incident Response Planning (IRP)
    Disaster Recovery Planning (DRP)
    Business Continuity Planning (BCP)

    The primary functions of these three planning types:

    IRP focuses on immediate response, but if the attack escalates or is disastrous the process changes to disaster recovery and BCP.
    DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP.
    BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources.

  • Slide 5: Contingency Planning Team

    Before any planning can begin, a team has to plan the effort and prepare the resulting documents:

    Champion - A high-level manager to support, promote, and endorse the findings of the project
    Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
    Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security

  • Slide 6: Figure 7-2 Contingency Plans

  • Slide 7: Figure 7-3 Contingency Timeline

  • Slide 8: Figure 7-4 Major Steps in Contingency Planning

  • Slide 9: Business Impact Analysis

    Begin with a Business Impact Analysis (BIA): if the attack succeeds, what do we do then?

    The CP team conducts the BIA in the following stages:

    1. Threat attack identification
    2. Business unit analysis
    3. Attack success scenarios
    4. Potential damage assessment
    5. Subordinate plan classification

  • Slide 10: Threat Attack Identification and Prioritization

    Update the threat list with the latest developments and add the attack profile.

    The attack profile is the detailed description of activities during an attack. It must be developed for every serious threat the organization faces.

    It is used to determine the extent of damage that could result to a business unit if the attack were successful.

  • Slide 11: Table 7-1 Attack Profile

  • Slide 12: Business Unit Analysis

    The second major task within the BIA is the analysis and prioritization of business functions within the organization.

    Identify the functional areas of the organization and prioritize them as to which are most vital.

    Focus on a prioritized list of the various functions the organization performs.

  • Slide 13: Attack Success Scenario Development

    Next, create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:

    details on the method of attack
    the indicators of attack
    the broad consequences

    Attack success scenario details are added to the attack profile, including:

    Best case
    Worst case
    Most likely alternate outcomes

  • Slide 14: Potential Damage Assessment

    From the attack success scenarios developed, the BIA planning team must estimate the cost of the best, worst, and most likely cases.

    Costs include the actions of the response team.

    This final result is referred to as an attack scenario end case.

  • Slide 15: Subordinate Plan Classification

    Once potential damage has been assessed, a subordinate plan must be developed or identified.

    Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario.

    An attack scenario end case is categorized as disastrous or not.

    The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack.

  • Slide 16: Incident Response Planning

    Incident response planning covers the identification of, classification of, and response to an incident.

    An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources.

    Attacks are only classified as incidents if they have the following characteristics:

    Are directed against information assets
    Have a realistic chance of success
    Could threaten the confidentiality, integrity, or availability of information resources

    IR is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident.

  • Slide 17: Incident Planning

    The pre-defined responses enable the organization to react quickly and effectively to the detected incident. This assumes two things:

    first, the organization has an IR team
    second, the organization can detect the incident

    The IR team consists of those individuals needed to handle the systems as the incident takes place.

    The military process of planned team responses can be used in an incident response.

    The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident.

    These plans must be properly organized and stored.

  • Slide 18: Incident Response Plan Format and Content

    The plan must be organized to support quick and easy access to the information needed.

    Storage: The plan should be protected as sensitive information. On the other hand, the organization needs this information readily available.

    Testing: An untested plan is not a useful plan. The levels of testing strategies can vary:

    Checklist
    Structured walk-through
    Simulation
    Parallel
    Full-interruption

  • Slide 19: Incident Detection

    The most common occurrence is a complaint about technology support, often delivered to the help desk.

    Possible detections:

    intrusion detection systems, both host-based and network-based
    virus detection software
    systems administrators
    end users

    Only through careful training can the organization hope to quickly identify and classify an incident. Once an attack is properly identified, the organization can respond.

  • Slide 20: Incident Indicators

    Possible indicators of incidents:

    Presence of unfamiliar files
    Unknown programs or processes
    Unusual consumption of computing resources
    Unusual system crashes

    Probable indicators of incidents:

    Activities at unexpected times
    Presence of new accounts
    Reported attacks
    Notification from IDS

    Definite indicators of incidents:

    Use of dormant accounts
    Changes to logs
    Presence of hacker tools
    Notifications by partner or peer
    Notification by hacker

    Predefined situations that signal an automatic incident:

    Loss of availability
    Loss of integrity
    Loss of confidentiality
    Violation of policy
    Violation of law
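The four indicator levels above can be turned into a small triage rule set. The following is an added example, not code from the slides or the textbook: it maps constructed host and IDS event records onto the slide's possible / probable / definite / automatic levels and reports the highest level reached; the account inventory, dormancy threshold and business-hours window are assumptions.

```python
"""Classify observed events against the indicator levels on the slide
(possible / probable / definite / automatic incident).

Added example, not part of the original slides or textbook. The account
inventory, thresholds and event records are constructed sample data."""
from datetime import datetime, timedelta

# Severity order taken from the slide: possible < probable < definite < automatic.
LEVELS = ["none", "possible", "probable", "definite", "automatic"]

# Constructed account inventory: name -> last successful login. An account
# unused for 90+ days is treated as dormant (assumed threshold).
KNOWN_ACCOUNTS = {
    "alice": datetime(2024, 3, 1),
    "svc_backup": datetime(2023, 10, 2),   # dormant by the threshold above
}
DORMANT_AFTER = timedelta(days=90)
BUSINESS_HOURS = range(7, 20)              # assumed 07:00-19:59 local time
APPROVED_PROGRAMS = {"sshd", "nginx", "cron"}


def indicators_for(event, now):
    """Return the (level, indicator) pairs a single event triggers."""
    hits = []
    kind, when, user = event["kind"], event["time"], event.get("user")
    if kind == "login":
        if user not in KNOWN_ACCOUNTS:
            hits.append(("probable", "presence of new accounts"))
        elif now - KNOWN_ACCOUNTS[user] > DORMANT_AFTER:
            hits.append(("definite", "use of dormant accounts"))
        if when.hour not in BUSINESS_HOURS:
            hits.append(("probable", "activities at unexpected times"))
    elif kind == "process" and event["name"] not in APPROVED_PROGRAMS:
        hits.append(("possible", "unknown programs or processes"))
    elif kind == "cpu" and event["percent"] > 90:
        hits.append(("possible", "unusual consumption of computing resources"))
    elif kind == "log_tamper":
        hits.append(("definite", "changes to logs"))
    elif kind == "ids_alert":
        hits.append(("probable", "notification from IDS"))
    elif kind == "service_down":
        # The slide lists loss of availability as a predefined automatic incident.
        hits.append(("automatic", "loss of availability"))
    return hits


def classify(events, now):
    """Highest indicator level reached across all events, plus the indicators seen."""
    hits = [h for e in events for h in indicators_for(e, now)]
    top = max((LEVELS.index(level) for level, _ in hits), default=0)
    return LEVELS[top], sorted({indicator for _, indicator in hits})


# Constructed sample events, as they might be parsed from host and IDS logs.
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE_EVENTS = [
    {"kind": "login", "time": datetime(2024, 3, 10, 3, 15), "user": "svc_backup"},
    {"kind": "process", "time": NOW, "name": "unknown_bin"},
    {"kind": "ids_alert", "time": NOW},
]

if __name__ == "__main__":
    level, indicators = classify(SAMPLE_EVENTS, NOW)
    print(level, indicators)   # definite, with the four indicators that fired
```

A single dormant-account login is enough to reach "definite" even though the other events on their own are only "possible" or "probable", which is the point of ranking indicators rather than counting them.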

  • Slide 21: Incident or Disaster

    When does an incident become a disaster?

    the organization is unable to mitigate the impact of an incident during the incident
    the level of damage or destruction is so severe the organization is unable to quickly recover

    It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response.

  • Slide 22: Incident Reaction

    Incident reaction consists of actions that guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident.

    In reacting to the incident there are a number of actions that must occur quickly, including:

    notification of key personnel
    assignment of tasks
    documentation of the incident

  • Slide 23: Notification of Key Personnel

    Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident.

    Two ways to activate an alert roster:

    A sequential roster is activated as a contact person calls each and every person on the roster
    A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on

    The alert message is a scripted description of the incident, with just enough information so that everyone knows what part of the IRP to implement.
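The two activation methods differ in how long it takes to reach the last person and in how easy it is to verify that nobody was skipped. As an added example (not from the slides or the textbook), the simulation below builds the call plan for both a sequential and a hierarchical roster and checks coverage; the roster names, fan-out of two and three minutes per call are constructed assumptions.

```python
"""Alert-roster activation, sequential vs hierarchical, as described on the
slide. Added example, not from the original slides or textbook. The roster
names, fan-out and per-call time are constructed assumptions."""
import heapq
from collections import deque

# Constructed roster; the first entry is the person who starts the activation.
ROSTER = ["ir-lead", "ciso", "netops", "sysadmin-1", "sysadmin-2",
          "dba", "helpdesk", "legal", "pr"]
MINUTES_PER_CALL = 3   # assumed average time to reach one person by phone


def sequential_plan(roster):
    """One contact person calls each and every other person, one after another.
    Returns a list of (caller, callee, minute_reached)."""
    caller = roster[0]
    return [(caller, callee, (i + 1) * MINUTES_PER_CALL)
            for i, callee in enumerate(roster[1:])]


def hierarchical_plan(roster, fan_out):
    """Each notified person calls the next `fan_out` people still waiting.
    Calls are serial for one caller but run in parallel across callers."""
    plan, waiting = [], deque(roster[1:])
    ready = [(0, roster[0])]          # heap of (minute reached, name)
    while waiting:
        start, caller = heapq.heappop(ready)   # earliest-notified caller goes first
        for i in range(fan_out):
            if not waiting:
                break
            callee = waiting.popleft()
            reached = start + (i + 1) * MINUTES_PER_CALL
            plan.append((caller, callee, reached))
            heapq.heappush(ready, (reached, callee))   # callee can now call others
    return plan


def activation_time(plan):
    """Minute at which the last person on the roster has been reached."""
    return max((reached for _, _, reached in plan), default=0)


def covers_everyone(plan, roster):
    """Sanity check for either plan: everyone but the initiator is called exactly once."""
    called = [callee for _, callee, _ in plan]
    return sorted(called) == sorted(roster[1:]) and len(set(called)) == len(called)


if __name__ == "__main__":
    for label, plan in [("sequential", sequential_plan(ROSTER)),
                        ("hierarchical, fan-out 2", hierarchical_plan(ROSTER, 2))]:
        print(f"{label}: last person reached at minute {activation_time(plan)}; "
              f"everyone covered: {covers_everyone(plan, ROSTER)}")
        for caller, callee, reached in plan:
            print(f"  {caller} -> {callee} (minute {reached})")
```

With nine people the sequential roster finishes at minute 24 and the hierarchical one at minute 12; the trade-off is that the hierarchical plan depends on every intermediate caller actually making their calls, which is why the roster itself must be checked (Slide 33).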

  • Slide 24: Documenting an Incident

    Documenting the event is important:

    First, it is important to ensure that the event is recorded for the organization's records, to know what happened, how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the event.

    Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident.

    Finally, the recorded incident can also be used as a simulation in future training sessions.

  • Slide 25: Incident Containment Strategies

    Before an incident can be contained, the affected areas of the information and information systems must be determined.

    The organization can stop the incident and attempt to recover control through a number of strategies, including:

    severing the affected circuits
    disabling accounts
    reconfiguring a firewall

    The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization.

  • Slide 26: Incident Recovery

    Once the incident has been contained and control of the systems regained, the next stage is recovery.

    The first task is to identify the human resources needed and launch them into action. The full extent of the damage must be assessed.

    The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems.

  • Slide 27: Damage Assessment

    There are several sources of information, including:

    system logs
    intrusion detection logs
    configuration logs and documents
    documentation from the incident response
    results of a detailed assessment of systems and data storage

    Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings. Individuals assessing damage need special training.

  • Slide 28: Recovery

    In the recovery process:

    Identify the vulnerabilities that allowed the incident to occur and spread, and resolve them
    Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them
    Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities
    Restore the data from backups
    Restore the services and processes in use
    Continuously monitor the system
    Restore the confidence of the members of the organization's communities of interest
    Conduct an after-action review

  • Slide 29: Automated Response

    New systems can respond to incidents autonomously.

    Trap and trace uses a combination of resources to detect an intrusion, then trace it back to the source. Trapping may involve honeypots or honeynets.

    Entrapment is luring an individual into committing a crime to get a conviction. Enticement is legal and ethical, while entrapment is not.

  • Slide 30: Disaster Recovery Planning

    Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster.

    The contingency planning team must decide which actions constitute disasters and which constitute incidents.

    When situations are classified as disasters, plans change as to how to respond: take action to secure the most valuable assets to preserve value for the longer term, even at the risk of more disruption.

    DRP strives to reestablish operations at the primary site.

  • Slide 31: DRP Steps

    There must be a clear establishment of priorities
    There must be a clear delegation of roles and responsibilities
    Someone must initiate the alert roster and notify key personnel
    Someone must be tasked with the documentation of the disaster
    If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization

  • Slide 32: Crisis Management

    Crisis management is actions taken during and after a disaster, focusing on the people involved and addressing the viability of the business.

    The crisis management team is responsible for managing the event from an enterprise perspective and covers:

    Supporting personnel and families during the crisis
    Determining impact on normal business operations and, if necessary, making a disaster declaration
    Keeping the public informed
    Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

  • Slide 33: Disaster Recovery Planning

    Establish a command center to support communications. It includes individuals from all functional areas of the organization to facilitate communications and cooperation.

    Some key areas of crisis management include:

    Verifying personnel head count
    Checking the alert roster
    Checking emergency information cards

  • Slide 34: DRP Structure

    Similar to the IRP, the DRP is organized by disaster, and provides procedures to execute during and after a disaster.

    It provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified.

    Just as the IRP must be tested, so must the DRP, using the same testing mechanisms.

    Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters.

  • Slide 35: Business Continuity Planning

    Business continuity planning outlines the reestablishment of critical business operations during a disaster that impacts operations.

    If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function.

  • Slide 36: Continuity Strategies

    There are a number of strategies for planning for business continuity. The determining factor in selection between these options is usually cost.

    In general there are three exclusive options:

    hot sites
    warm sites
    cold sites

    And three shared functions:

    timeshare
    service bureaus
    mutual agreements

  • Slide 37: Off-Site Disaster Data Storage

    To get these types of sites up and running quickly, the organization must have the ability to port data into the new site's systems.

    These include:

    Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
    Remote journaling - The transfer of live transactions to an off-site facility; only transactions are transferred, not archived data, and the transfer is real-time.
    Database shadowing - Not only processes duplicate real-time data storage, but also duplicates the databases at the remote site to multiple servers.
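The practical difference between vaulting and journaling is how much work the alternate site can recover. The simulation below is an added example, not code from the slides or the textbook: a primary site applies a constructed stream of account transactions, ships each one to a remote journal in real time and takes a bulk vault copy every three transactions; after a disaster, recovery from the vault loses whatever happened since the last batch, while replaying the journal recovers everything. The transaction values and batch interval are assumptions.

```python
"""Electronic vaulting (bulk batch copy) vs remote journaling (live transaction
transfer), simulated to show what the alternate site can recover after a
disaster. Added example, not from the slides or the textbook; the transaction
stream and batch interval are constructed sample data. Database shadowing
(journaling replicated to several remote servers) is not simulated."""
import copy

# Constructed transaction stream: (txn_id, account, amount delta).
TRANSACTIONS = [(1, "acct-A", 500), (2, "acct-B", 200), (3, "acct-A", -120),
                (4, "acct-C", 75), (5, "acct-B", -50), (6, "acct-A", 300),
                (7, "acct-C", 25)]
VAULT_EVERY = 3   # assumed: one bulk copy of the database every 3 transactions


def apply_txn(db, txn):
    _, account, delta = txn
    db[account] = db.get(account, 0) + delta


class PrimarySite:
    """Applies transactions locally while shipping data to the off-site facility."""
    def __init__(self, vault, journal):
        self.db, self.applied = {}, 0
        self.vault, self.journal = vault, journal

    def process(self, txn):
        apply_txn(self.db, txn)
        self.applied += 1
        self.journal.append(txn)                  # remote journaling: live transaction
        if self.applied % VAULT_EVERY == 0:       # electronic vaulting: batch copy
            self.vault.append(copy.deepcopy(self.db))


def recover_from_vault(vault):
    """Alternate site restores the last batch copy; work since then is lost."""
    return copy.deepcopy(vault[-1]) if vault else {}


def recover_from_journal(journal):
    """Alternate site rebuilds the database by replaying every shipped transaction."""
    db = {}
    for txn in journal:
        apply_txn(db, txn)
    return db


def simulate(disaster_after):
    """Run the primary site for `disaster_after` transactions, then recover both ways.
    Returns (primary_db, vault_recovered_db, journal_recovered_db)."""
    vault, journal = [], []
    primary = PrimarySite(vault, journal)
    for txn in TRANSACTIONS[:disaster_after]:
        primary.process(txn)
    return primary.db, recover_from_vault(vault), recover_from_journal(journal)


def lost_transactions(disaster_after):
    """How many transactions vault-based recovery cannot reproduce (its recovery-point gap)."""
    return disaster_after % VAULT_EVERY


if __name__ == "__main__":
    primary, vaulted, journaled = simulate(len(TRANSACTIONS))
    print("primary :", primary)
    print("vault   :", vaulted, f"({lost_transactions(len(TRANSACTIONS))} transaction(s) lost)")
    print("journal :", journaled)
```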

  • Slide 38: Model for IR/DR/BC Plan

    The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans.

    The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations.

  • Slide 39: The Planning Document

    1. Establish responsibility for managing the document, typically the security administrator
    2. Appoint a secretary to document the activities and results of the planning session(s)
    3. Independent incident response and disaster recovery teams are formed, with a common planning committee
    4. Outline the roles and responsibilities for each team member
    5. Develop the alert roster and lists of critical agencies
    6. Identify and prioritize threats to the organization's information and information systems

  • Slide 40: The Planning Process

    There are six steps in the Contingency Planning process:

    1. Identifying the mission- or business-critical functions
    2. Identifying the resources that support the critical functions
    3. Anticipating potential contingencies or disasters
    4. Selecting contingency planning strategies
    5. Implementing the contingency strategies
    6. Testing and revising the strategy

  • Slide 41: Using the Plan

    During the incident
    After the incident
    Before the incident