Continuity Strategy
Managers must provide strategic planning to assure continuous information systems availability, ready for use when an attack occurs. Plans for events of this type are referred to in a number of ways:
Business Continuity Plans (BCPs)
Disaster Recovery Plans (DRPs)
Incident Response Plans (IRPs)
Contingency Plans
Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning.
Principles of Information Security - Chapter 7 Slide 3
Contingency Planning
Contingency Planning (CP):
Incident Response Planning (IRP)
Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Attack success scenario details are added to the attack profile, including:
Best case
Worst case
Most likely alternate outcomes
IR is more reactive than proactive, with the exception of the planning that must occur to prepare the IR teams to be ready to react to an incident.
Incident Planning
The pre-defined responses enable the organization to react quickly and effectively to the detected incident. This assumes two things:
first, the organization has an IR team
second, the organization can detect the incident
The IR team consists of those individuals needed to handle the systems as the incident takes place. The military process of planned team responses can be used in an incident response. The planners should develop a set of documents that guide the actions of each involved individual reacting to and recovering from the incident. These plans must be properly organized and stored.
Storage
The plan should be protected as sensitive information. On the other hand, the organization needs this information readily available.
Testing
An untested plan is not a useful plan. The levels of testing strategies can vary:
Checklist
Structured walk-through
Simulation
Parallel
Full-interruption
Incident Detection
The most common occurrence is a complaint about technology support, often delivered to the help desk. Possible detection sources:
intrusion detection systems, both host-based and network-based
virus detection software
systems administrators
end users
Only through careful training can the organization hope to quickly identify and classify an incident. Once an attack is properly identified, the organization can respond.
Incident Indicators
Possible indicators of incidents:
Presence of unfamiliar files
Unknown programs or processes
Unusual consumption of computing resources
Unusual system crashes
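As an added illustration (not material from the textbook), the following Python checks a constructed host snapshot against a baseline and reports which of the four indicator classes above are present; the thresholds and sample data are assumptions for the example:

```python
"""Classify observations against the four incident indicator classes.

Added illustration, not from the textbook. The baseline and the current
snapshot are constructed sample data, not output from a real host.
"""
from dataclasses import dataclass


@dataclass
class Snapshot:
    files: set        # paths present in monitored directories
    processes: set    # names of running processes
    cpu_pct: float    # average CPU utilisation over the sample window
    crashes: int      # unexpected service crashes in the sample window


# Constructed "known good" state recorded during normal operation.
BASELINE = Snapshot(
    files={"/etc/passwd", "/usr/sbin/sshd", "/var/www/index.html"},
    processes={"sshd", "nginx", "cron"},
    cpu_pct=12.0,
    crashes=0,
)

# Constructed current observation that deviates in all four classes.
CURRENT = Snapshot(
    files=BASELINE.files | {"/tmp/.hidden/run"},
    processes=BASELINE.processes | {"updater"},
    cpu_pct=87.0,
    crashes=3,
)


def find_indicators(baseline, current, cpu_factor=3.0, crash_limit=2):
    """Map each indicator class that fires to its evidence; empty if none."""
    found = {}
    new_files = sorted(current.files - baseline.files)
    if new_files:
        found["unfamiliar files"] = new_files
    new_procs = sorted(current.processes - baseline.processes)
    if new_procs:
        found["unknown processes"] = new_procs
    # CPU use far above the baseline average counts as unusual consumption.
    if current.cpu_pct > baseline.cpu_pct * cpu_factor:
        found["unusual resource consumption"] = [
            f"cpu {current.cpu_pct:.0f}% vs baseline {baseline.cpu_pct:.0f}%"]
    if current.crashes >= crash_limit:
        found["unusual system crashes"] = [f"{current.crashes} crashes in window"]
    return found


def classify(indicators):
    """Turn the fired indicator set into a triage decision for the help desk."""
    if not indicators:
        return "no incident indicators"
    if len(indicators) >= 2:
        return "probable incident: escalate to IR team"
    return "possible incident: investigate"
```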
Incident or Disaster
When Does an Incident Become a Disaster?
An incident becomes a disaster when:
the organization is unable to mitigate the impact of an incident during the incident
the level of damage or destruction is so severe that the organization is unable to quickly recover
It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response.
Incident Reaction
Incident reaction consists of actions that guide the organization to stop the incident, mitigate its impact, and provide information for the recovery from the incident. In reacting to the incident there are a number of actions that must occur quickly, including:
notification of key personnel
assignment of tasks
documentation of the incident
The alert message is a scripted description of the incident, with just enough information so that everyone knows what part of the IRP to implement.
Documenting an Incident
Documenting the event is important:
First, it is important to ensure that the event is recorded for the organization's records: to know what happened, how it happened, and what actions were taken. The documentation should record the who, what, when, where, why, and how of the event.
Second, it is important to prove, should it ever be questioned, that the organization did everything possible to prevent the spread of the incident.
Finally, the recorded incident can also be used as a simulation in future training sessions.
Incident Recovery
Once the incident has been contained and control of the systems regained, the next stage is recovery. The first task is to identify the human resources needed and launch them into action. The full extent of the damage must be assessed. The organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services of the systems.
Damage Assessment
There are several sources of information, including:
system logs
intrusion detection logs
configuration logs and documents
documentation from the incident response
results of a detailed assessment of systems and data storage
Computer evidence must be carefully collected, documented, and maintained to be acceptable in formal proceedings. Individuals assessing damage need special training.
Recovery
In the recovery process:
Identify the vulnerabilities that allowed the incident to occur and spread, and resolve them
Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place; install, replace or upgrade them
Evaluate monitoring capabilities; improve their detection and reporting methods, or simply install new monitoring capabilities
Restore the data from backups
Restore the services and processes in use
Continuously monitor the system
Restore the confidence of the members of the organization's communities of interest
Conduct an after-action review
Automated Response
New systems can respond to incidents autonomously. Trap and trace uses a combination of resources to detect an intrusion and then trace it back to its source. Trapping may involve honeypots or honeynets. Entrapment is luring an individual into committing a crime to get a conviction. Enticement is legal and ethical, while entrapment is not.
DRP Steps
There must be a clear establishment of priorities
There must be a clear delegation of roles and responsibilities
Someone must initiate the alert roster and notify key personnel
Someone must be tasked with the documentation of the disaster
If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization
Crisis Management
Crisis management consists of actions taken during and after a disaster, focusing on the people involved and addressing the viability of the business. The crisis management team is responsible for managing the event from an enterprise perspective and covers:
Supporting personnel and families during the crisis
Determining impact on normal business operations and, if necessary, making a disaster declaration
Keeping the public informed
Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
DRP Structure
Similar to the IRP, the DRP is organized by disaster and provides procedures to execute during and after a disaster. It provides details on the roles and responsibilities of those involved in the effort, and identifies the personnel and agencies that must be notified. Just as the IRP must be tested, so must the DRP, using the same testing mechanisms. Each organization must examine its scenarios, developed during the initial contingency planning, to determine how to respond to the various disasters.
Continuity Strategies
There are a number of strategies for planning for business continuity. The determining factor in selecting between these options is usually cost. In general there are three exclusive options:
hot sites
warm sites
cold sites