
Chapter 10

© 2015 Pearson Education Ltd.


 Explain the basics of disaster response.
 Describe the incident response process for major incidents.
 Describe legal considerations.
 Explain the necessity of backup.
 Describe the functions and types of intrusion detection systems (IDSs).
 Explain the importance of education, certification, and awareness.
 Describe business continuity planning.
 List the advantages of data centers.
 Know the IT disaster recovery process.

 In previous chapters, we looked at threats, planning, and protections.
 In Chapter 10, we complete the discussion of the plan-protect-respond cycle.
 Response planning is necessary because defenses can never stop all attacks. Companies must respond appropriately when attacks happen or natural disasters occur.

10.1 Introduction
10.2 Incident Response Process
10.3 Intrusion Detection Systems
10.4 Business Continuity Planning
10.5 IT Disaster Recovery

 The Situation
◦ Hurricane Katrina devastated New Orleans in 2005
 Followed shortly by Hurricane Rita
◦ The U.S. Federal Emergency Management Administration (FEMA) botched the relief effort

 Walmart Is the Largest Retailer in the U.S.
◦ Supplied $20 million in cash
◦ Supplied 100,000 free meals
◦ 1,900 truckloads full of diapers, toothbrushes, and other emergency supplies
 45 trucks were rolling before the hurricane hit land
◦ Provided police and relief workers with flashlights, batteries, ammunition, protective gear, and meals

 What Was Walmart’s Process?
 Walmart Business Continuity Center
◦ A permanent department with a small core staff
◦ Activated two days before Katrina hit
◦ Soon, 50 managers and specialists were at work in the center

 Walmart Business Continuity Center
◦ Before the computer network went down, sent detailed orders to its distribution center in Mississippi
◦ Recovery merchandise for stores: bleach, mops, etc.
◦ 40 power generators to supply stores with backup power
◦ Sent loss-prevention employees to secure stores

 Communication
◦ Network communication failed
◦ Relied on telephone to contact its stores and other key constituencies

 Response
◦ Stores came back to business within days
◦ Engaged local law enforcement to preserve order in lines to get into stores

 Preparation
◦ Full-time director of business continuity
◦ Detailed business continuity plans
◦ Clear lines of responsibility

 Multitasking
◦ During all of this, also monitored a hurricane off Japan

 Incidents Happen
◦ Protections inevitably break down, occasionally
◦ Successful attacks are called security incidents, breaches, or compromises

 Incident Severity
◦ False alarms
 Apparent compromises are not real compromises
 Also called false positives
 Handled by the on-duty staff
 Wastes time and may dull vigilance

 Incident Severity
◦ Major incidents
 Beyond the capabilities of the on-duty staff
 Must convene a Computer Security Incident Response Team (CSIRT)
 CSIRT needs participation beyond IT security

 Incident Severity
◦ Disasters
 Fires, floods, hurricanes, major terrorist attacks
 Must assure business continuity
 Maintaining the day-to-day operations of the firm
 Requires a business continuity group headed by a senior manager
 Core permanent staff will facilitate activities
 IT disaster response is restoring IT services
 May be a subset of business continuity
 May be a stand-alone IT disaster

 Speed and Accuracy Are Essential
◦ Speed of response can reduce damage
 The attacker will have less time to do damage
 The attacker has less time to burrow deeply into the system and become very difficult to detect
 Speed is also necessary in recovery

 Speed and Accuracy Are Essential
◦ Accuracy is equally important
 A common mistake is to act on incorrect assumptions
 If the problem is misdiagnosed or the wrong approach is taken, it can make things much worse
 Take your time quickly

 Planning Before an Incident or Disaster
◦ Decide what to do ahead of time
◦ Time to consider matters thoroughly and without the time pressure of a crisis
◦ During an attack, human decision-making skills degrade
◦ Incident response is reacting to incidents according to plan
◦ Must have flexibility within the plan to adapt
◦ Better to adapt within a plan than to improvise completely

 Team Members Must Rehearse the Plan
◦ Rehearsals find mistakes in the plan
◦ Practice builds speed

 Types of Rehearsals
◦ Walkthroughs (table-top exercises)
◦ Live tests (actually doing planned actions) can find subtle problems, but are expensive

10.2 Incident Response Process

 Process for Major Incidents
 Detection, Analysis, and Escalation
◦ Must detect through technology or people
 Need good intrusion detection technology
 All employees must know how to report incidents
◦ Must analyze the incident enough to guide subsequent actions
 Confirm that the incident is real
 Determine its scope: who is attacking, what they are doing, how sophisticated they are, etc.

 Detection, Analysis, and Escalation
◦ If deemed severe enough, escalate to a major incident
 Pass to the CSIRT, the disaster response team, or the business continuity team

 Containment
◦ Disconnection of the system from the site network or the site network from the Internet (damaging)
 Harmful, so must be done only with proper authorization
 This is a business decision, not a technical decision

 Containment
◦ Black holing the attacker (only works for a short time)
◦ Continue to collect data to understand the situation (allows harm to continue)
 Especially necessary if prosecution is desired

 Recovery
◦ Repair during continuing server operation
 Avoids lack of availability
 No loss of data
 Possibility of a rootkit not having been removed, etc.

 Recovery
◦ Data
 Restoration from backup tapes
 Loses data since the last trusted backup

 Recovery
◦ Software
 Total software reinstallation of the operating system and applications may be necessary for the system to be trusted
 Manual reinstallation of software
 Need installation media and product activation keys
 Must have good configuration documentation before the incident
 Reinstallation from a disk image
 Can greatly reduce time and effort
 Requires a recent disk image

 Apology
◦ Acknowledge responsibility and harm without evasion or weasel words
◦ Explain potential inconvenience and harm in detail
◦ Explain what actions will be taken to compensate victims, if any

 Punishment
◦ Punishing employees is usually fairly easy
 Most employees are at-will employees
 Companies usually have wide discretion in firing at-will employees
 This varies internationally
 Union agreements may limit sanctions or at least require more detailed processes

 Punishment
◦ The decision to pursue criminal prosecution
 Must consider cost and effort
 Must consider probable success if pursued (attackers are often minors or foreign nationals)
 Loss of reputation because the incident becomes public

 Punishment
◦ Collecting and managing evidence
 Forensics: courts have strict rules for admitting evidence
 Call the authorities and a forensics expert for help

 Punishment
◦ Collecting and managing evidence
 Protecting evidence
 Pull the plug on a server if possible
 This is a business decision, not an IT decision
 Document the chain of custody
 Who held the evidence at all times
 What they did to protect it
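Documenting the chain of custody, as an added example that is not from the textbook: a hypothetical CustodyLog class records, for a constructed piece of evidence, who held it at each step and what they did to protect it, and hash-chains every entry to the evidence hash and to the previous entry so that a later edit, insertion, or deletion in the record is detectable. Custodian names and actions are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record for one piece of evidence (hypothetical class).

    Every entry commits to the evidence hash, the previous entry's hash, the
    custodian and the action taken, so editing or removing an entry breaks the chain.
    """

    def __init__(self, evidence_id: str, evidence: bytes):
        self.evidence_id = evidence_id
        self.evidence_hash = sha256_hex(evidence)  # fingerprint taken at seizure
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical JSON so the same entry always hashes the same way.
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return sha256_hex(body)

    def record(self, custodian: str, action: str, when=None) -> dict:
        """Append one custody event: who held the evidence and what they did with it."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "evidence_id": self.evidence_id,
            "evidence_hash": self.evidence_hash,
            "custodian": custodian,          # who held the evidence
            "action": action,                # what they did to protect it
            "time": when.isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes):
        """Return (ok, reason): checks the evidence bytes and every link in the chain."""
        if sha256_hex(evidence) != self.evidence_hash:
            return False, "evidence bytes do not match the recorded hash"
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev:
                return False, f"entry {i} is out of sequence or its chain link is broken"
            unhashed = {k: v for k, v in entry.items() if k != "hash"}
            if self._entry_hash(unhashed) != entry["hash"]:
                return False, f"entry {i} was altered after it was recorded"
            prev = entry["hash"]
        return True, "chain intact"
```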

 Post-mortem Evaluation
◦ What should we do differently next time?

 Organization of the CSIRT
◦ Should be led by a senior manager
◦ Should have members from affected line operations
◦ IT security staff may manage the CSIRT’s operations on a day-to-day basis
◦ Might need to communicate with the media; only do so via public relations
◦ Corporate legal counsel must be involved to address legal issues
◦ Human resources is necessary, especially if there will be sanctions against employees

 Criminal Law versus Civil Law
◦ Deals with
 Criminal law: violations of criminal statutes
 Civil law: interpretations of rights and duties that companies or individuals have relative to each other
◦ Penalties
 Criminal law: jail time and fines
 Civil law: monetary penalties and orders to parties to take or not take certain actions
◦ Cases brought by
 Criminal law: prosecutors
 Civil law: the plaintiff, who is one of the two parties
◦ Criterion for verdict
 Criminal law: beyond a reasonable doubt
 Civil law: preponderance of the evidence (usually)
◦ Requires mens rea (guilty mind)
 Criminal law: usually
 Civil law: rarely, although it may affect the imposed penalty
◦ Applicable to IT security
 Criminal law: yes, to prosecute attackers and to avoid breaking the law
 Civil law: yes, to avoid or minimize civil trials and judgments

 Cyberlaw
◦ Cyberlaw is any law dealing with information technology

 Jurisdictions
◦ Areas of responsibility within which government bodies can make and enforce law, but beyond which they cannot

 The United States Federal Judicial System
◦ U.S. District Courts
 94 in the United States
 Decisions in trials are binding only on the litigants

 The United States Federal Judicial System
◦ U.S. Circuit Courts of Appeal
 13 in the United States
 Do not conduct trials
 Review district court decisions
 Decisions are precedents only for the district courts under the circuit court of appeals making the decision

 The United States Federal Judicial System
◦ U.S. Supreme Court
 Final arbiter of U.S. federal law
 Only hears about 100 cases per year
 Usually only reviews cases that involve conflicts between appellate court precedents or important constitutional issues

 U.S. State and Local Law
◦ In the United States, many powers are reserved for the states
◦ This typically includes the prosecution of crimes taking place within a state or that do not affect interstate commerce
◦ For most cybercrimes committed within a state, state law applies
◦ State cybercrime laws vary widely
◦ Local police usually investigate crimes under both local and state laws

 International Law
◦ Differences are wide and rapidly changing (generally improving)
◦ Important to multinational firms
◦ Also important to purely domestic firms
 Suppliers and buyers may be in other countries
 Attackers may be in other countries
◦ Several treaties exist to harmonize laws and facilitate cross-border prosecution
 Generally immature

 Admissibility of Evidence
◦ Unreliable evidence may be kept from juries
◦ Belief that juries cannot evaluate unreliable evidence properly
◦ Example: hearsay evidence

 Federal Rules of Civil Procedure
◦ Guide U.S. courts
◦ Now have strong rules for evaluating the admissibility of electronic evidence

 Computer Forensics Experts
◦ Professionals trained to collect and evaluate computer evidence in ways that are likely to be admissible in court
◦ Meet with them before there is a need, because the initial moments of an intrusion require correct action

 Expert Witnesses
◦ Normally, witnesses can only testify regarding facts, not interpretations
◦ Expert witnesses may interpret facts to make them comprehensible to the jury in situations where juries are likely to have a difficult time evaluating the evidence themselves

 18 U.S.C. § 1030
◦ United States Code Title 18, Part I (Crimes), Section 1030
◦ Actions prohibited
 Hacking
 Malware
 Denial of service

 18 U.S.C. § 1030
◦ Protected computers
 Applicability is limited to protected computers
 Includes “government computers, financial institution computers, and any computer which is used in interstate or foreign commerce or communications”
◦ Often requires a damage threshold for prosecution
 The FBI may require even higher damages to prosecute

 18 U.S.C. § 2511
◦ Prohibits the interception of electronic messages, both en route and after the message is received and stored
◦ Allows e-mail service providers to read the content of e-mails
 A company can read employee e-mail if it owns the e-mail system

 Other Federal Laws
◦ Many traditional federal criminal laws may apply in individual cases
◦ Examples include fraud, extortion, and the theft of trade secrets
◦ These laws often have far harsher consequences than cybercrime laws

10.3 Intrusion Detection Systems

 Event logging for suspicious events
 Sometimes send alarms
 A detective control, not a preventative or restorative control

 Network IDSs (NIDSs)
◦ Stand-alone device or built into a switch or router
◦ Can see and filter all packets passing through them
◦ Switch or router NIDSs can collect data on all ports
◦ Collects data for only its portion of the network
 Blind spots in the network where no NIDS data is collected
◦ Cannot filter encrypted packets

10-55
© 2015 Pearson Education Ltd.
 Host IDSs (HIDSs)
◦ Attractions
 Provide highly detailed information for the specific host
◦ Weaknesses
 Limited viewpoint; only one host
 Can be attacked and disabled

10-56
© 2015 Pearson Education Ltd.
 Host IDSs (HIDSs)
◦ Operating System Monitors
 Collect data on operating system events
 Multiple failed logins
 Creating new accounts
 Adding new executables (programs—may be attack programs)

10-57
© 2015 Pearson Education Ltd.
 Host IDSs (HIDSs)
◦ Operating System Monitors
 Modifying executables (installing Trojan horses does this)
 Adding registry keys (changes how the system works)
 Changing or deleting system logs and audit files
 Changing system audit policies
 User accessing critical system files
 User accessing unusual files
 Changing the OS monitor itself

 Log Files
◦ Flat files of time-stamped events
◦ Individual logs for a single NIDS or HIDS
◦ Integrated logs
 Aggregation of event logs from multiple IDS agents (next two slides)
 Difficult to create because of format incompatibilities
 Time synchronization of IDS event logs is crucial (Network Time Protocol)

10-59
© 2015 Pearson Education Ltd.
 Event Correlation (Figure 10-19)
◦ Suspicious patterns in a series of events across multiple devices
◦ Difficult because the relevant events exist in much larger event streams that are logged
◦ Usually requires many analyses of the integrated log file data

Sample Log File (figure not reproduced; many irrelevant log entries not shown)

 Tuning for Precision
◦ Too many false positives
 False alarms
 Can overwhelm administrators, dull vigilance
◦ False negatives allow attacks to proceed unseen

 Tuning for Precision
◦ Tuning for false positives turns off unnecessary rules and reduces alarm levels of unlikely rules
 For instance, alarms for attacks against Solaris operating systems can be deleted if a firm has no Sun Microsystems servers
 Tuning requires a great deal of expensive labor
 Even after tuning, most alerts will be false positives
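The tuning just described, as an added example that is not from the textbook: a constructed rule set carries the platform each signature targets; rules for platforms absent from the asset inventory are turned off (the Solaris case above), rules whose reviewed history shows almost no real attacks are kept but downgraded, and precision (real attacks among emitted alerts) is measured before and after. Rule names, the inventory, and the alert history are all constructed.

```python
from collections import Counter

# Constructed asset inventory: the platforms actually present on the network.
INVENTORY = {"windows", "linux"}

# Constructed rule set: the platform each signature targets and its default severity.
RULES = {
    "SOLARIS_RPC_OVERFLOW": {"platform": "solaris", "severity": "high"},
    "WIN_SMB_PROBE":        {"platform": "windows", "severity": "high"},
    "LINUX_SSH_BRUTE":      {"platform": "linux",   "severity": "high"},
    "HTTP_LONG_URI":        {"platform": "any",     "severity": "medium"},
}

# Constructed alert history after analyst review: (rule, confirmed real attack?).
HISTORY = (
    [("SOLARIS_RPC_OVERFLOW", False)] * 40
    + [("WIN_SMB_PROBE", True)] * 3 + [("WIN_SMB_PROBE", False)] * 2
    + [("LINUX_SSH_BRUTE", True)] * 4 + [("LINUX_SSH_BRUTE", False)] * 6
    + [("HTTP_LONG_URI", True)] * 1 + [("HTTP_LONG_URI", False)] * 30
)


def precision(history, rules):
    """Share of emitted alerts that were real attacks; disabled rules emit nothing."""
    emitted = [real for rule, real in history if rules[rule]["severity"] != "off"]
    return sum(emitted) / len(emitted) if emitted else 0.0


def tune(rules, inventory, history, min_true_ratio=0.1):
    """Return a tuned copy: rules for absent platforms are turned off, and rules whose
    confirmed-attack ratio is below min_true_ratio are kept but downgraded to low."""
    tuned = {name: dict(cfg) for name, cfg in rules.items()}
    total = Counter(rule for rule, _ in history)
    confirmed = Counter(rule for rule, real in history if real)
    for name, cfg in tuned.items():
        if cfg["platform"] not in inventory and cfg["platform"] != "any":
            cfg["severity"] = "off"   # e.g. Solaris signatures on a network with no Sun servers
        elif total[name] and confirmed[name] / total[name] < min_true_ratio:
            cfg["severity"] = "low"   # unlikely rule: still logged, but a quieter alarm
    return tuned


def filter_alerts(tuned, alerts):
    """Apply the tuned rule set to fresh alerts: drop disabled rules, attach severity."""
    return [(rule, tuned[rule]["severity"]) for rule in alerts
            if tuned[rule]["severity"] != "off"]
```

On this history, precision rises from 8/86 to 8/46 after tuning, still well under one half, which is the "most alerts will be false positives" point above in numbers.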

 Updates
◦ The program and its attack signatures must be updated frequently

 Processing Performance
◦ If processing speed cannot keep up with network traffic, some packets will not be examined
◦ This can make some IDSs useless during attacks that increase the traffic load

 Storage
◦ Limited disk storage for log files
◦ When log files reach storage limits, they must be archived
◦ Event correlation is difficult across multiple backup tapes
◦ Adding more disk capacity reduces the problem but never eliminates it

 Honeypot
◦ A fake server or an entire network segment with multiple clients and servers
◦ Legitimate users should never try to reach resources on the honeypot
◦ Primarily used by researchers studying attacker behavior by recording everything a visitor does

10.4 Business Continuity Planning

 Business Continuity Planning
◦ A business continuity plan specifies how a company plans to restore or maintain core business operations when disasters occur
◦ Disaster response is restoring IT services

 Principles of Business Continuity Management
◦ Protect people first
 Evacuation plans and drills
 Never allow staff members back into unsafe environments
 Must have a systematic way to account for all employees and notify loved ones
 Counseling afterwards

 Principles of Business Continuity Management
◦ People have reduced capacity in decision making during a crisis
 Planning and rehearsal are critical
◦ Avoid rigidity
 Unexpected situations will arise
 Communication will break down and information will be unreliable
 Decision makers must have the flexibility to act

 Principles of Business Continuity Management
◦ Communication
 Try to compensate for inevitable breakdowns
 Have a backup communication system
 Communicate constantly to keep everybody “in the loop”

 Business Process Analysis
◦ Identification of business processes and their interrelationships
◦ Prioritization of business processes
 Downtime tolerance (in the extreme, mean time to belly-up)
 Importance to the firm
 Required by higher-importance processes
◦ Resource needs (must be shifted during crises)
 Cannot restore all business processes immediately
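The prioritization criteria above, carried through as an added example that is not from the textbook: constructed business processes carry an importance rating, a downtime tolerance, a restoration effort, and the processes they require; a process required by a more important one inherits that importance, the restoration order respects dependencies and ranks by importance and tightest tolerance, and a serial schedule under limited staff shows which processes cannot be restored within their tolerance. Process names and all figures are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Process:
    name: str
    importance: int          # 1 (low) to 5 (critical) to the firm
    tolerance_hours: float   # downtime tolerance; in the extreme, time to belly-up
    restore_hours: float     # staff-hours needed to bring it back
    requires: list = field(default_factory=list)  # processes it cannot run without


# Constructed example processes and figures, not from the textbook.
PROCESSES = [
    Process("network_core", 3, 4, 2),
    Process("directory_auth", 3, 4, 2, ["network_core"]),
    Process("order_entry", 5, 8, 6, ["directory_auth"]),
    Process("payroll", 4, 72, 4, ["directory_auth"]),
    Process("marketing_site", 2, 48, 3, ["network_core"]),
]


def effective_importance(procs):
    """A process required by a more important process inherits that importance."""
    eff = {p.name: p.importance for p in procs}
    changed = True
    while changed:  # propagate until no dependency is rated below its dependents
        changed = False
        for p in procs:
            for dep in p.requires:
                if eff[dep] < eff[p.name]:
                    eff[dep] = eff[p.name]
                    changed = True
    return eff


def restoration_order(procs):
    """Dependency-respecting order; among ready processes, highest effective
    importance first, with the tightest downtime tolerance breaking ties."""
    eff = effective_importance(procs)
    done, order = set(), []
    while len(order) < len(procs):
        ready = [p for p in procs if p.name not in done
                 and all(d in done for d in p.requires)]
        if not ready:
            raise ValueError("cycle or unknown dependency among business processes")
        nxt = max(ready, key=lambda p: (eff[p.name], -p.tolerance_hours))
        order.append(nxt.name)
        done.add(nxt.name)
    return order


def schedule(procs, staff_hours_per_hour=1.0):
    """Restore serially in priority order with limited staff; returns each process's
    finish time and the list of processes that exceed their downtime tolerance."""
    by_name = {p.name: p for p in procs}
    clock, finish, late = 0.0, {}, []
    for name in restoration_order(procs):
        p = by_name[name]
        clock += p.restore_hours / staff_hours_per_hour
        finish[name] = clock
        if clock > p.tolerance_hours:
            late.append(name)
    return finish, late
```

With one staff-hour available per hour, order entry misses its tolerance even though it is first in line behind its dependencies; doubling the restoration capacity is what brings everything within tolerance.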

 Testing the Plan
◦ Difficult because of the scope of disasters
◦ Difficult because of the number of people involved

 Updating the Plan
◦ Must be updated frequently
◦ Business conditions change and businesses reorganize constantly
◦ People who must execute the plan also change jobs constantly
◦ Telephone numbers and other contact information must be updated far more frequently than the plan as a whole
◦ Should have a small, permanent staff

10.5 IT Disaster Recovery

 IT Disaster Recovery
◦ Looks specifically at the technical aspects of how a company can get its IT back into operation using backup facilities
◦ A subset of business continuity, or for disasters that only affect IT
◦ All decisions are business decisions and should not be made by IT or IT security staff

 Types of Backup Facilities
◦ Hot sites
 Ready to run (e.g., power, HVAC, computers): just add data
 Considerations: rapid readiness at high cost
 Must be careful to keep the software at the hot site up-to-date in terms of configuration

 Types of Backup Facilities
◦ Cold sites
 Building facilities, power, HVAC, and communication to the outside world only
 No computer equipment
 Less expensive, but usually take too long to get operating

 Types of Backup Facilities
◦ Site sharing
 Site sharing among a firm’s sites (problem of equipment compatibility and data synchronization)
 Continuous data protection needed to allow rapid recovery

 Office Computers
◦ Hold much of a corporation’s data and analysis capability
◦ Will need new computers if old computers are destroyed or unavailable
 Will need new software
 Well-synchronized data backup is critical
◦ People will need a place to work

 Restoration of Data and Programs
◦ Restoration from backup tapes; need backup tapes at the remote recovery site
◦ May be impossible during a disaster

 Testing the IT Disaster Recovery Plan
◦ Difficult and expensive
◦ Necessary
