
Chapter 7 - Planning for Continuity

Principles of Information Security - Chapter 7

Slide 2

Continuity Strategy
Managers must provide strategic planning to assure that information systems remain continuously available and ready for use when an attack occurs. Plans for events of this type are referred to in a number of ways:
- Business Continuity Plans (BCPs)
- Disaster Recovery Plans (DRPs)
- Incident Response Plans (IRPs)
- Contingency Plans

Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning.

Contingency Planning
Contingency Planning (CP) comprises:
- Incident Response Planning (IRP)
- Disaster Recovery Planning (DRP)
- Business Continuity Planning (BCP)

The primary functions of these three planning types:
- IRP focuses on immediate response; if the attack escalates or is disastrous, the process changes to disaster recovery and BCP.
- DRP typically focuses on restoring systems after disasters occur, and as such is closely associated with BCP.
- BCP occurs concurrently with DRP when the damage is major or long term, requiring more than simple restoration of information and information resources.


Contingency Planning Team
Before any planning can begin, a team has to plan the effort and prepare the resulting documents:
- Champion - A high-level manager to support, promote, and endorse the findings of the project
- Project Manager - Leads the project and makes sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
- Team Members - Should be the managers or their representatives from the various communities of interest: Business, IT, and Information Security

Figure 7-2 Contingency Plans


Figure 7-3 Contingency Timeline


Figure 7-4 Major Steps in Contingency Planning


Business Impact Analysis
Begin with a Business Impact Analysis (BIA), which asks: if the attack succeeds, what do we do then?

The CP team conducts the BIA in the following stages:
1. Threat attack identification
2. Business unit analysis
3. Attack success scenarios
4. Potential damage assessment
5. Subordinate plan classification


Threat Attack Identification and Prioritization
- Update the threat list with the latest developments and add the attack profile
- The attack profile is the detailed description of activities during an attack
- It must be developed for every serious threat the organization faces
- It is used to determine the extent of damage that could result to a business unit if the attack were successful

Table 7-1 Attack Profile


Business Unit Analysis
- The second major task within the BIA is the analysis and prioritization of business functions within the organization
- Identify the functional areas of the organization and prioritize them as to which are most vital
- Focus on a prioritized list of the various functions the organization performs


Attack Success Scenario Development
Next, create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:
- details on the method of attack
- the indicators of attack
- the broad consequences

Attack success scenario details are added to the attack profile, including:
- Best case
- Worst case
- Most likely alternate outcomes

Potential Damage Assessment
- From the attack success scenarios developed, the BIA planning team must estimate the cost of the best, worst, and most likely cases
- Costs include the actions of the response team
- This final result is referred to as an attack scenario end case


Subordinate Plan Classification
- Once potential damage has been assessed, a subordinate plan must be developed or identified
- Subordinate plans will take into account the identification of, reaction to, and recovery from each attack scenario
- An attack scenario end case is categorized as disastrous or not
- The qualifying difference is whether or not an organization is able to take effective action during the event to combat the effect of the attack

Incident Response Planning
Incident response planning covers the identification of, classification of, and response to an incident. An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources. Attacks are only classified as incidents if they have the following characteristics:
- Are directed against information assets
- Have a realistic chance of success
- Could threaten the confidentiality, integrity, or availability of information resources

IR is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident.


Incident Planning
The pre-defined responses enable the organization to react quickly and effectively to the detected incident. This assumes two things:
- first, the organization has an IR team
- second, the organization can detect the incident

- The IR team consists of those individuals needed to handle the systems as the incident takes place
- The military process of planned team responses can be used in an incident response
- The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident
- These plans must be properly organized and stored


Incident Response Plan

Format and Content
The plan must be organized to support quick and easy access to the information needed.

Storage
The plan should be protected as sensitive information. On the other hand, the organization needs this information readily available.

Testing
An untested plan is not a useful plan. The levels of testing strategies can vary:
- Checklist
- Structured walk-through
- Simulation
- Parallel
- Full-interruption

Incident Detection
The most common occurrence is a complaint about technology support, often delivered to the help desk. Possible sources of detection:
- intrusion detection systems, both host-based and network-based
- virus detection software
- systems administrators
- end users

Only through careful training can the organization hope to quickly identify and classify an incident. Once an attack is properly identified, the organization can respond.


Incident Indicators
Possible indicators of incidents:
- Presence of unfamiliar files
- Unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes

Definite indicators of incidents:
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notifications by partner or peer
- Notification by hacker

Probable indicators of incidents:
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from IDS

Predefined situations that signal an automatic incident:
- Loss of availability
- Loss of integrity
- Loss of confidentiality
- Violation of policy
- Violation of law
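Added example (not from the textbook): a small triage routine that applies the indicator categories above to a few constructed authentication log lines. It flags use of a dormant account as a definite indicator, and a new account or activity outside business hours as probable indicators. The log format, the account roster, the 90-day dormancy threshold and the 08:00-18:00 business window are all assumptions; possible indicators such as unfamiliar files or unusual resource consumption need other data sources and are not covered here.

```python
"""Triage constructed authentication log lines against the slide's
indicator categories (possible / probable / definite).  Added example,
not from the textbook; the log format, the 90-day dormancy threshold
and the 08:00-18:00 business window are assumptions."""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <event>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice login_ok
2024-03-04T10:05:00 bob login_ok
2024-03-04T23:41:00 alice login_ok
2024-03-05T02:17:00 svc_backup login_ok
2024-03-05T11:30:00 mallory login_ok
"""

# Constructed account roster: user -> last known login before this log window.
KNOWN_ACCOUNTS = {
    "alice": datetime(2024, 3, 1),
    "bob": datetime(2024, 2, 27),
    "svc_backup": datetime(2023, 10, 1),   # dormant: unused for months
}

LEVELS = {"possible": 1, "probable": 2, "definite": 3}
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold
BUSINESS_HOURS = range(8, 18)            # assumed 08:00 up to 18:00


def parse_line(line):
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def classify(line, roster=KNOWN_ACCOUNTS):
    """Return (level, reason) for one log line, or None if nothing is notable."""
    ts, user, event = parse_line(line)
    if event != "login_ok":
        return None
    last = roster.get(user)
    if last is None:
        # Probable indicator: presence of a new account
        return ("probable", f"presence of new account: {user}")
    if ts - last > DORMANT_AFTER:
        # Definite indicator: use of a dormant account
        return ("definite", f"use of dormant account: {user}")
    if ts.hour not in BUSINESS_HOURS:
        # Probable indicator: activity at an unexpected time
        return ("probable", f"activity at unexpected time: {user} at {ts:%H:%M}")
    return None


def triage(log_text, roster=KNOWN_ACCOUNTS):
    """Classify every line; the strongest level found decides the outcome."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = classify(line, roster)
            if finding:
                findings.append(finding)
    top = max((LEVELS[level] for level, _ in findings), default=0)
    overall = next((name for name, n in LEVELS.items() if n == top), "none")
    return overall, findings


if __name__ == "__main__":
    level, found = triage(SAMPLE_LOG)
    print("overall:", level)
    for lvl, reason in found:
        print(f"  [{lvl}] {reason}")
```

The strongest level among the findings decides the outcome, so one definite indicator outranks any number of probable ones when the team classifies the event.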

Incident or Disaster
When does an incident become a disaster?
- the organization is unable to mitigate the impact of an incident during the incident
- the level of damage or destruction is so severe that the organization is unable to quickly recover

It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response.

Incident Reaction
Incident reaction consists of actions that guide the organization to stop the incident, mitigate the impact of the incident, and provide information for the recovery from the incident. In reacting to the incident there are a number of actions that must occur quickly, including:
- notification of key personnel
- assignment of tasks
- documentation of the incident

Notification of Key Personnel
Most organizations maintain alert rosters for emergencies. An alert roster contains contact information for the individuals to be notified in an incident. There are two ways to activate an alert roster:
- A sequential roster is activated as a contact person calls each and every person on the roster
- A hierarchical roster is activated as the first person calls a few other people on the roster, who in turn call a few other people, and so on

The alert message is a scripted description of the incident, with just enough information so that everyone knows what part of the IRP to implement.
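Added example (not from the textbook) that simulates the two activation methods on a constructed twelve-person roster, assuming every call takes one time unit and a person places calls one after another. The fan-out of three in the hierarchical roster is also an assumption; it shows why the hierarchical form reaches everyone much sooner than a single caller working through the whole list.

```python
"""Compare how long a sequential and a hierarchical alert roster take to
reach everyone, assuming every call takes one time unit and a person can
only place one call at a time.  Added example, not from the textbook;
the roster names and the fan-out of 3 are constructed assumptions."""

# Constructed roster: the first entry initiates the activation.
ROSTER = ["IR lead", "CISO", "net ops", "sysadmin A", "sysadmin B",
          "help desk", "legal", "PR", "facilities", "HR", "DBA",
          "vendor liaison"]


def sequential_rounds(roster):
    """One contact person calls everyone else, one call after another."""
    return len(roster) - 1


def hierarchical_tree(roster, fanout=3):
    """Build the call tree: each person reached calls the next `fanout`
    people who have not been called yet.  Returns {caller: [callees]}."""
    tree = {}
    queue = [roster[0]]
    pos = 1
    while queue and pos < len(roster):
        caller = queue.pop(0)
        callees = roster[pos:pos + fanout]
        pos += fanout
        tree[caller] = callees
        queue.extend(callees)
    return tree


def hierarchical_rounds(roster, fanout=3):
    """Time units until the last person is reached: a caller places calls
    one after another, and callees start calling as soon as they are reached."""
    tree = hierarchical_tree(roster, fanout)
    reached_at = {roster[0]: 0}
    order = [roster[0]]
    for caller in order:                      # visits callees as they are appended
        for i, callee in enumerate(tree.get(caller, []), start=1):
            reached_at[callee] = reached_at[caller] + i
            order.append(callee)
    return max(reached_at.values())


if __name__ == "__main__":
    print("sequential:", sequential_rounds(ROSTER), "time units")
    print("hierarchical (fan-out 3):", hierarchical_rounds(ROSTER), "time units")
    for caller, callees in hierarchical_tree(ROSTER).items():
        print(f"  {caller} calls {', '.join(callees)}")
```

With a fan-out of one the hierarchical roster degenerates into a chain and takes as long as the sequential one, which is why the slide describes each person calling "a few" others.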

Documenting an Incident
Documenting the event is important:
- First, it is important to ensure that the event is recorded for the organization's records: to know what happened, how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the event
- Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident
- Finally, the recorded incident can also be used as a simulation in future training sessions


Incident Containment Strategies
Before an incident can be contained, the affected areas of the information and information systems must be determined. The organization can stop the incident and attempt to recover control through a number of strategies, including:
- severing the affected circuits
- disabling accounts
- reconfiguring a firewall

The ultimate containment option, reserved for only the most drastic of scenarios, involves a full stop of all computers and network devices in the organization.


Incident Recovery
- Once the incident has been contained, and control of the systems regained, the next stage is recovery
- The first task is to identify the human resources needed and launch them into action
- The full extent of the damage must be assessed
- The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems


Damage Assessment
There are several sources of information, including:
- system logs
- intrusion detection logs
- configuration logs and documents
- documentation from the incident response
- results of a detailed assessment of systems and data storage

Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings. Individuals assessing damage need special training.
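Added example (not from the textbook) of the kind of record that keeps collected evidence defensible: each item is fingerprinted with SHA-256 when it is collected, every hand-off is appended to a custody log, and the fingerprint is re-checked before the item is relied on. Hashing and custody logging are standard practice, but the record fields, the sample log fragment and the helper names here are constructed assumptions rather than the textbook's procedure.

```python
"""Record collected evidence with a SHA-256 fingerprint and a chain-of-custody
log, then verify the fingerprint before the evidence is used.  Added example,
not from the textbook; the record layout and the sample bytes are assumptions."""
import hashlib
from datetime import datetime, timezone


def fingerprint(data: bytes) -> str:
    """Hex SHA-256 of the exact bytes collected."""
    return hashlib.sha256(data).hexdigest()


def collect(item_id, description, data: bytes, collector, when=None):
    """Create an evidence record; the hash binds the record to these bytes."""
    when = when or datetime.now(timezone.utc)
    return {
        "item_id": item_id,
        "description": description,
        "sha256": fingerprint(data),
        "size": len(data),
        "custody": [{"who": collector, "action": "collected",
                     "at": when.isoformat()}],
    }


def transfer(record, from_who, to_who, when=None):
    """Append both sides of a hand-off so the custody log has no gaps."""
    when = when or datetime.now(timezone.utc)
    stamp = when.isoformat()
    record["custody"].append({"who": from_who, "action": f"released to {to_who}",
                              "at": stamp})
    record["custody"].append({"who": to_who, "action": f"received from {from_who}",
                              "at": stamp})
    return record


def verify(record, data: bytes) -> bool:
    """True only if the bytes presented now match the bytes collected."""
    return record["sha256"] == fingerprint(data) and record["size"] == len(data)


# Constructed sample: a captured log fragment as seized, and a modified copy.
ORIGINAL = b"2024-03-05T02:17:00 svc_backup login_ok\n"
TAMPERED = b"2024-03-05T02:17:00 svc_backup login_fail\n"

if __name__ == "__main__":
    rec = collect("E-001", "auth log fragment (constructed)", ORIGINAL, "analyst1")
    transfer(rec, "analyst1", "legal")
    print("matches original:", verify(rec, ORIGINAL))   # True
    print("matches tampered:", verify(rec, TAMPERED))   # False
    for entry in rec["custody"]:
        print(" ", entry["at"], entry["who"], entry["action"])
```

A mismatch on `verify` does not say what changed, only that the bytes are no longer the ones collected, which is exactly the question a formal proceeding asks first.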

Recovery
In the recovery process:
- Identify the vulnerabilities that allowed the incident to occur and spread, and resolve them
- Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them
- Evaluate monitoring capabilities. Improve their detection and reporting methods, or simply install new monitoring capabilities
- Restore the data from backups
- Restore the services and processes in use
- Continuously monitor the system
- Restore the confidence of the members of the organization's communities of interest
- Conduct an after-action review

Automated Response
- New systems can respond to incidents autonomously
- Trap and trace uses a combination of resources to detect an intrusion and then trace it back to its source
- Trapping may involve honeypots or honeynets
- Entrapment is luring an individual into committing a crime to get a conviction
- Enticement is legal and ethical, while entrapment is not


Disaster Recovery Planning
- Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
- The contingency planning team must decide which actions constitute disasters and which constitute incidents
- When situations are classified as disasters, plans change as to how to respond: take action to secure the most valuable assets to preserve value for the longer term, even at the risk of more disruption
- DRP strives to reestablish operations at the primary site

DRP Steps
- There must be a clear establishment of priorities
- There must be a clear delegation of roles and responsibilities
- Someone must initiate the alert roster and notify key personnel
- Someone must be tasked with the documentation of the disaster
- If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization

Crisis Management
Crisis management is actions taken during and after a disaster, focusing on the people involved and addressing the viability of the business. The crisis management team is responsible for managing the event from an enterprise perspective and covers:
- Supporting personnel and families during the crisis
- Determining impact on normal business operations and, if necessary, making a disaster declaration
- Keeping the public informed
- Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

Disaster Recovery Planning
- Establish a command center to support communications
- It includes individuals from all functional areas of the organization to facilitate communications and cooperation
- Some key areas of crisis management include:
  - Verifying personnel head count
  - Checking the alert roster
  - Checking emergency information cards

DRP Structure
- Similar to the IRP, the DRP is organized by disaster, and provides procedures to execute during and after a disaster
- It provides details on the roles and responsibilities for those involved in the effort, and identifies the personnel and agencies that must be notified
- Just as the IRP must be tested, so must the DRP, using the same testing mechanisms
- Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters

Business Continuity Planning
- Business continuity planning outlines the reestablishment of critical business operations during a disaster that impacts operations
- If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue to function


Continuity Strategies
There are a number of strategies for planning for business continuity. The determining factor in selection between these options is usually cost. In general there are three exclusive options:
- hot sites
- warm sites
- cold sites

And three shared functions:
- timeshare
- service bureaus
- mutual agreements

Off-Site Disaster Data Storage
To get these types of sites up and running quickly, the organization must have the ability to port data into the new site's systems. Methods include:
- Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
- Remote journaling - The transfer of live transactions to an off-site facility; only transactions are transferred, not archived data, and the transfer is real-time.
- Database shadowing - Not only processing duplicate real-time data storage, but also duplicating the databases at the remote site to multiple servers.
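Added example (not from the textbook) that models the three transfer methods on a constructed transaction stream and reports how many committed transactions each remote copy lacks at the moment the primary site fails. The batch size of four for vaulting, the two shadow replicas and the class names are assumptions made for the illustration.

```python
"""Simulate electronic vaulting, remote journaling and database shadowing
on a constructed transaction stream and compare what each remote copy is
missing when the primary site fails.  Added example, not from the textbook;
the batch size, the replica count and the data are assumptions."""


class Primary:
    """Primary site: a key/value store plus an append-only transaction log."""
    def __init__(self):
        self.state = {}
        self.log = []

    def apply(self, key, value):
        self.state[key] = value
        self.log.append((key, value))


class ElectronicVault:
    """Bulk batch transfer: a full snapshot is shipped every `batch` transactions."""
    def __init__(self, batch):
        self.batch = batch
        self.copy = {}
        self.snapshot_at = 0      # number of transactions covered by the last snapshot

    def observe(self, primary):
        if len(primary.log) % self.batch == 0:
            self.copy = dict(primary.state)
            self.snapshot_at = len(primary.log)


class RemoteJournal:
    """Only live transactions are shipped, one at a time; no archived data."""
    def __init__(self):
        self.journal = []

    def observe(self, primary):
        self.journal.append(primary.log[-1])

    def rebuild(self):
        """Replay the journal to reconstruct the state at the remote site."""
        state = {}
        for key, value in self.journal:
            state[key] = value
        return state


class DatabaseShadow:
    """Duplicate real-time storage replicated to several remote servers."""
    def __init__(self, replicas):
        self.replicas = [dict() for _ in range(replicas)]
        self.applied = [0] * replicas

    def observe(self, primary):
        key, value = primary.log[-1]
        for i, replica in enumerate(self.replicas):
            replica[key] = value
            self.applied[i] += 1


# Constructed transaction stream: (key, new value)
SAMPLE_TRANSACTIONS = [
    ("acct:1", 100), ("acct:2", 250), ("acct:1", 90), ("acct:3", 70),
    ("acct:2", 260), ("acct:4", 10), ("acct:1", 95), ("acct:5", 5),
    ("acct:3", 75), ("acct:2", 270),
]


def run(transactions, vault_batch=4, shadow_replicas=2):
    """Feed the transactions through all three methods; report, per method,
    how many committed transactions the remote copy lacks at failure time."""
    primary = Primary()
    vault = ElectronicVault(vault_batch)
    journal = RemoteJournal()
    shadow = DatabaseShadow(shadow_replicas)
    for key, value in transactions:
        primary.apply(key, value)
        for remote in (vault, journal, shadow):
            remote.observe(primary)
    total = len(primary.log)
    return {
        "vault": total - vault.snapshot_at,
        "journal": total - len(journal.journal),
        "shadow": [total - n for n in shadow.applied],
        "journal_rebuild_matches": journal.rebuild() == primary.state,
    }


if __name__ == "__main__":
    for method, missing in run(SAMPLE_TRANSACTIONS).items():
        print(f"{method}: {missing}")
```

Vaulting loses whatever was committed since the last batch; journaling and shadowing carry every transaction, the difference being that the journal must be replayed to rebuild state, while the shadow copies are already usable databases on several servers.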

Model for IR/DR/BC Plan
- The single document set approach supports concise planning and encourages smaller organizations to develop, test, and use IR/DR plans
- The model presented is based on analyses of disaster recovery and incident response plans of dozens of organizations


The Planning Document
1. Establish responsibility for managing the document, typically the security administrator
2. Appoint a secretary to document the activities and results of the planning session(s)
3. Independent incident response and disaster recovery teams are formed, with a common planning committee
4. Outline the roles and responsibilities for each team member
5. Develop the alert roster and lists of critical agencies
6. Identify and prioritize threats to the organization's information and information systems

The Planning Process
There are six steps in the Contingency Planning process:
1. Identifying the mission- or business-critical functions
2. Identifying the resources that support the critical functions
3. Anticipating potential contingencies or disasters
4. Selecting contingency planning strategies
5. Implementing the contingency strategies
6. Testing and revising the strategy

Using the Plan
- During the incident
- After the incident
- Before the incident

