Guide to Network Security
1st Edition
Chapter Eleven
Contingency Planning and Networking
Incident Response
Objectives
• Explain the need for contingency planning
• List the major components of contingency planning
• Create a simple set of contingency plans, using
business impact analysis
• Prepare and execute a test of contingency plans
• Explain the network incident response process
• Explain the need for sound backup and recovery
practices and what they consist of
© 2013 Course Technology/Cengage Learning. All Rights Reserved
Introduction
• Threats to network systems
– Deliberate attacks from hostile parties
– Outside events
– Internal failures
– Unintended actions of friendly parties
• Network disruption may bring business operations
to a standstill
• Organizations should prepare for the unexpected
What Is Contingency Planning?
• Contingency planning (CP)
– Process of positioning an organization to prepare
for, detect, react to, and recover from man-made or
natural threats to information security assets
– Main goal: restore normal operations following
disruptive event
• Four components of CP
– Business impact analysis (BIA)
– Incident response plan (IR plan)
– Disaster recovery plan (DR plan)
– Business continuity plan (BC plan)
What Is Contingency Planning?
(cont’d.)
• Contingency planning teams
– CP Management Team (CPMT)
• Manages the overall process
• Develops master plan for CP operations
• Collects information about threats to information
systems
• Conducts the BIA
• Staffs the leadership of the subordinate teams
• Provides guidance to and integrates work of
subordinate teams
What Is Contingency Planning?
(cont’d.)
• Contingency planning teams (cont’d.)
– Incident response (IR) team
• Develops, tests, manages, and executes the IR plan
• Detects, evaluates, and responds to incidents
– Disaster recovery (DR) team
• Develops, tests, manages, and executes the DR plan
• Responsible for re-establishing operations at the
primary business site
– Business continuity (BC) team
• Responsible for setting up and starting off-site
operations after an incident or a disaster
What Is Contingency Planning?
(cont’d.)
• Incident response
– Focus is on small-scale events
– Examples: hacking attempts, malware, or misuse of
corporate assets
• Incident may escalate into a disaster
– IR plan may give way to the DR and BC plans
• Business resumption plan
– Used by some organizations as combination of DR
and BC plans
Figure 11-1 An incident turns into a disaster
© Cengage Learning 2013
Figure 11-2 Move from disaster recovery to business continuity
© Cengage Learning 2013
Stages and Components of
Contingency Planning
• Major steps from NIST Special Publication 800-34
Rev. 1 Contingency Planning Guide for Federal
Information Systems
1. Form the CPMT
2. Develop the CP policy statement
3. Conduct the BIA
4. Form subordinate planning teams
5. Develop subordinate planning policies
6. Integrate the BIA
7. Identify preventive controls
Stages and Components of
Contingency Planning (cont’d.)
• Major steps (cont’d.)
8. Organize response teams
9. Create contingency strategies
10. Develop subordinate plans
11. Ensure plan testing, training, and exercises
12. Ensure plan maintenance
Figure 11-3 Incident response, disaster recovery,
and business continuity workflow
© Cengage Learning 2013
Figure 11-4 Contingency planning life cycle
© Cengage Learning 2013
Stages and Components of
Contingency Planning (cont’d.)
• Business impact analysis
– First major component of the CP process
– Provides CPMT with information about systems and
threats they face
• Three major steps of the BIA
– Determine mission/business processes and recovery
criticality
– Identify resource requirements
– Identify recovery priorities for system resources
Figure 11-5 Business impact analysis process
© Cengage Learning 2013
Stages and Components of
Contingency Planning (cont’d.)
• Incident response plan
– Documents actions organization should take while
an incident is in progress
• Absence of well-defined procedures can lead to:
– Extensive damage to data, systems, and networks
– Intrusions affecting multiple systems both inside and
outside the organization
– Negative exposure in the news media
– Legal liability for attacks against others using
organization’s systems
Stages and Components of
Contingency Planning (cont’d.)
• Disaster recovery plan
– Entails preparation for and recovery from a disaster
• Criteria for a disaster
– Organization is unable to gain control of impact of
the incident
– Organization cannot quickly recover because level of
damage is so severe
• DR plan documents whether an event is classified
as an incident or a disaster
Stages and Components of
Contingency Planning (cont’d.)
• Business continuity plan
– Ensures critical business functions continue if a
disaster occurs
– Managed by the CEO of an organization
– Activated and executed concurrently with the DR
plan:
• When disaster is major or long-term
– Involves re-establishing business functions at an
alternate site
Stages and Components of
Contingency Planning (cont’d.)
• CP disruption phases
– Defines actions that occur when an event becomes
an incident or disaster
– Phase 1: activation/notification phase
• Activate the plan based on outage impacts
• Notify recovery personnel
– Phase 2: recovery phase
• Recovery teams restore system operations using
alternate site
– Phase 3: reconstitution phase
• Return the system to normal operating conditions
Data and Application Resumption
• Data backup and management methods
– Disk backup
– Tape backup
• Data files and critical system files should be
backed up daily
– Nonessential files backed up weekly
• Data retention plan
– Laws govern how long data must be stored
• Full backups of entire systems should be stored in
a secure location
Disk-to-Disk-to-Tape
• Cost of storage media continues to decrease
– Disk backups more convenient than tape
• Storage area networks
– Used to store information in arrays of independent,
large-capacity disk drives
• Secondary data disk series should be periodically
backed up to tape or other removable media
Backup Strategies
• Types of backups
– Full
• Complete backup of the entire system
– Differential
• Stores all new files and files modified since last full
backup
– Incremental
• Stores data modified since last backup of any type
• Requires less space and time than differential backup
• Multiple backups needed to restore full system
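The three selection rules above, modelled over a short change history so the trade-off is visible: a differential backup grows each day but restores from two media, an incremental stays small but restores from a whole chain. This is an added example, not code from the textbook; the file names, versions and daily change history are constructed sample data, and deletions are ignored for simplicity.

```python
"""What each backup type captures and what must be read back to restore it.
Added example, not from the textbook; file names, versions and the daily
change history are constructed, and file deletions are ignored for simplicity."""
from collections import namedtuple

Backup = namedtuple("Backup", "day kind files")  # kind: full / differential / incremental


def changed_since(state, baseline):
    """Files whose version differs from, or is absent in, the baseline."""
    return {f: v for f, v in state.items() if baseline.get(f) != v}


def restore_chain(history, day):
    """Backups that must be read (newest first) to rebuild the system on `day`."""
    candidates = [b for b in history if b.day <= day]
    chain = []
    for b in reversed(candidates):
        chain.append(b)
        if b.kind == "full":
            break
        if b.kind == "differential":  # it already holds every change since the last full
            chain.append(next(f for f in reversed(candidates)
                              if f.kind == "full" and f.day < b.day))
            break
    return chain


def restore(history, day):
    """Replay the chain oldest first; later backups overwrite earlier versions."""
    state = {}
    for b in reversed(restore_chain(history, day)):
        state.update(b.files)
    return state


def take_backup(day, kind, state, history):
    """full: everything; differential: changes since the last full backup;
    incremental: changes since the last backup of any type."""
    if kind == "full" or not history:
        files, kind = dict(state), "full"
    elif kind == "differential":
        last_full = next(b for b in reversed(history) if b.kind == "full")
        files = changed_since(state, last_full.files)
    else:
        files = changed_since(state, restore(history, history[-1].day))
    history.append(Backup(day, kind, files))
    return history[-1]


# Constructed sample: the file set at the end of each day (versions stand in for content).
DAILY_STATES = [
    {"db.dat": "v0", "payroll.xls": "v0", "readme.txt": "v0"},  # day 0: weekly full
    {"db.dat": "v1", "payroll.xls": "v0", "readme.txt": "v0"},
    {"db.dat": "v2", "payroll.xls": "v1", "readme.txt": "v0"},
    {"db.dat": "v2", "payroll.xls": "v1", "readme.txt": "v1"},
    {"db.dat": "v4", "payroll.xls": "v1", "readme.txt": "v1"},
]


def simulate(kind):
    """Full backup on day 0, then one backup of `kind` every following day;
    returns the history and the number of files each backup had to store."""
    history = []
    for day, state in enumerate(DAILY_STATES):
        take_backup(day, "full" if day == 0 else kind, state, history)
    return history, [len(b.files) for b in history]
```

With this history the differential schedule stores 3, 1, 2, 3, 3 files and restores day 4 from two backups; the incremental schedule stores 3, 1, 2, 1, 1 files but needs all five.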
Backup Strategies (cont’d.)
• General guidelines
– Secure on-site and off-site storage
– Provide a controlled environment for the media
– Clearly label and write-protect each media unit
– Retire media units prior to reaching end of useful life
• Tape backup and recovery
– Common types of tape media
• Digital audio tapes (DATs)
• Quarter-inch cartridge drives (QIC)
• 8 mm tape
• Digital linear tape (DLT) and Linear Tape Open (LTO)
Backup Strategies (cont’d.)
• Classic methods for selecting files to back up
– Six tape rotation
– Grandfather-Father-Son method
– Towers of Hanoi
• Online backups and the cloud
– Online backup to a third-party storage vendor
• Cloud computing forms
– Software as a Service (SaaS)
– Platform as a Service (PaaS)
– Infrastructure as a Service (IaaS)
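Two of the rotation methods named above, Grandfather-Father-Son and Towers of Hanoi, as small scheduling functions so the retention each scheme buys with a given number of tapes can be compared. This is an added example, not code from the textbook; the business-day numbering, the four-week "month" and the tape labels are assumptions of the model.

```python
"""Tape rotation schemes as functions from backup number to tape label.
Added example, not from the textbook. Days are business days (Mon-Fri) and a
month is taken to be four weeks; both are simplifying assumptions."""


def hanoi_tape(day, n_tapes):
    """Towers of Hanoi: tape k is used on days divisible by 2**k but not by
    2**(k+1); the last tape also catches every higher power of two. Tape A is
    overwritten every other day, B every 4 days, C every 8, and so on."""
    assert 1 <= n_tapes <= 10
    k = 0
    while day % 2 == 0 and k < n_tapes - 1:
        day //= 2
        k += 1
    return "ABCDEFGHIJ"[k]


def gfs_tape(day):
    """Grandfather-Father-Son: one son tape per weekday Mon-Thu (reused each
    week), one father tape per Friday (reused every four weeks), and a new
    grandfather tape on every fourth Friday, kept as the monthly archive."""
    weekday, week = (day - 1) % 5, (day - 1) // 5
    if weekday < 4:
        return f"S{weekday + 1}"
    if week % 4 == 3:
        return f"G{week // 4 + 1}"
    return f"F{week % 4 + 1}"


def restore_points(scheme, n_days):
    """After n_days backups, map each tape to the age (in days) of the data it
    holds, i.e. how long ago it was last overwritten."""
    last_written = {}
    for day in range(1, n_days + 1):
        last_written[scheme(day)] = day
    return {tape: n_days - d for tape, d in last_written.items()}
```

After 20 business days, five Hanoi tapes hold restore points 0, 1, 2, 4 and 12 days old, while GFS needs eight tapes for points 0 to 5, 10 and 15 days old; Hanoi spreads fewer tapes over a longer history, GFS gives a denser recent history.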
Table 11-1 Selecting the best rotation method
© Cengage Learning 2013
Backup Strategies (cont’d.)
• Cloud ownership
– Public
• Most common implementation
• Third party makes services available over the Internet
– Community
• Collaboration between a few entities for their sole use
– Private
• Parent company creates a cloud for its own use and
that of subordinate organizations
• Theoretical implementation
Threats to Stored Information
• Processes to prevent accidental loss of backup
media
– Careful processes
– Use of professional couriers
– Tape encryption
– Erase backup tapes before returning to “scratch pool” for reuse
• Backup and recovery elapsed time
– Usually requires twice as much time to restore
information as to produce the backup
Threats to Stored Information (cont’d.)
• Redundant array of independent disks (RAID)
– Method for ensuring data is not lost
– Does not replace backup and recovery processes
• Most common RAID configurations (levels)
– RAID Level 0
• Creates one larger logical volume across several
physical hard disk drives
• Stores data in segments called stripes
Threats to Stored Information (cont’d.)
• Most common RAID configurations (cont’d.)
– RAID Level 1
• Data is written to two drives simultaneously
• Disk mirroring
– RAID Level 2
• Specialized form of disk striping with parity
• Not commonly used
– RAID Levels 3 and 4
• Byte and block-level striping of data
• Parity information stored on a separate drive
Threats to Stored Information (cont’d.)
• Most common RAID configurations (cont’d.)
– RAID Level 5
• Similar to RAID 3 and 4 without a dedicated parity
drive
• Data segments interleaved with parity data
– RAID Level 6
• Similar to RAID 5 with two blocks of parity data striped
across the drives
– RAID Level 7
• Proprietary variation on RAID 5
• Array works as a single virtual drive
Threats to Stored Information (cont’d.)
• Most common RAID configurations (cont’d.)
– RAID Level 10
• Combines benefits of RAID 0 and RAID 1
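The RAID 5 layout described above (striping with parity interleaved across the drives rather than on a dedicated parity disk), worked through as a byte-level simulation that loses one whole drive and rebuilds it from the survivors. This is an added example, not code from the textbook; the stripe layout, chunk size and sample payload are choices made for the illustration.

```python
"""RAID 5 in miniature: data chunks striped across the drives with the XOR
parity block rotating from disk to disk, then rebuild of one failed drive from
the survivors. Added example, not from the textbook; a byte-level model."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def split_stripes(data, n_disks, chunk):
    """Cut data into stripes of (n_disks - 1) data chunks; zero-pad the last one."""
    per_stripe = (n_disks - 1) * chunk
    padded = data.ljust(-(-len(data) // per_stripe) * per_stripe, b"\0")
    return [[padded[i + j:i + j + chunk] for j in range(0, per_stripe, chunk)]
            for i in range(0, len(padded), per_stripe)]


def parity_disk_for(stripe, n_disks):
    """Parity walks back one drive per stripe, so no single drive becomes the
    parity bottleneck that a dedicated parity disk (RAID 3/4) would be."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data, n_disks=4, chunk=4):
    """Return disks[d][s]: the block held by drive d in stripe s."""
    assert n_disks >= 3, "RAID 5 needs at least three drives"
    disks = [[] for _ in range(n_disks)]
    for s, chunks in enumerate(split_stripes(data, n_disks, chunk)):
        pd, parity, it = parity_disk_for(s, n_disks), xor_blocks(chunks), iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == pd else next(it))
    return disks


def rebuild_disk(disks, failed):
    """Each block of the failed drive is the XOR of the other drives' blocks in
    that stripe, whether it held data or parity. Two drives failing at once
    cannot be rebuilt this way; that is what RAID 6's second parity block is for."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks, length):
    """Reassemble the data, skipping each stripe's parity block."""
    n_disks, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        pd = parity_disk_for(s, n_disks)
        out += b"".join(disks[d][s] for d in range(n_disks) if d != pd)
    return bytes(out[:length])


SAMPLE = b"contingency planning: backups beat hope"  # constructed test payload


def survive_single_failure(data=SAMPLE, failed=2, n_disks=4):
    """Write, lose one whole drive, rebuild it and check the data reads back."""
    disks = raid5_write(data, n_disks)
    original, disks[failed] = disks[failed], None   # the drive is gone
    disks[failed] = rebuild_disk(disks, failed)
    return disks[failed] == original and raid5_read(disks, len(data)) == data
```

The rebuild works whichever drive is lost, which is the property the slide means by "ensuring data is not lost"; it says nothing about a deleted or corrupted file, which is why RAID does not replace backups.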
Figure 11-6 Samples of RAID implementations
© Cengage Learning 2013
Database Backups
• Databases require special backup and recovery
procedures
– May or may not be able to back up database with
server operating system utilities
• System backup procedures may interrupt use of
the database
• Administrators need to know whether database
uses special journal file systems
– Files must be backed up properly
Application Backups
• Some applications use file systems in ways that
invalidate customary backup methods
– Ensure advance planning and inclusion of
application support team members
• Real-time protection; server recovery and
application recovery
– Use of mirroring provides real-time protection
– One implementation method: using hot, warm, and
cold servers
Application Backups (cont’d.)
• Bare metal recovery technologies
– Designed to replace operating systems and services
when they fail
• Server clustering
– Active/passive clustering
• Two identically configured servers share access to the
application data storage
• Passive server takes control if active server fails
– Active/active clustering
• All members of a cluster simultaneously provide
application services
Application Backups (cont’d.)
• Electronic vaulting
– Bulk transfer of data in batches to an off-site facility
– Usually conducted over dedicated network links
– Criteria: cost of the service and required bandwidth
– More expensive than tape backup
– Slower than data mirroring
– Data must be encrypted while in transit
Figure 11-7 Electronic vaulting architecture
© Cengage Learning 2013
Application Backups (cont’d.)
• Remote journaling
– Transfer of live transactions to an off-site facility
– Only transaction data is transferred, not archived
data
– Transfer is performed online and closer to real-time
Figure 11-8 Remote journaling architecture
© Cengage Learning 2013
Application Backups (cont’d.)
• Database shadowing
– Propagation of transactions to a remote copy of the
database
– Combines electronic vaulting with remote journaling
• Applying transactions to the database simultaneously
in two separate locations
Figure 11-9 Database shadowing architecture
© Cengage Learning 2013
Network-Attached Storage and
Storage Area Networks
• Network-attached storage (NAS)
– Single device or server that attaches to the network
– Provides online storage
– Configured to allow users or groups of users to
access data storage
– Does not work well with real-time applications
• Storage area networks (SANs)
– Use Fibre Channel or iSCSI connections
Figure 11-10 SAN and NAS architectures
© Cengage Learning 2013
Table 11-2 NAS versus SAN
© Cengage Learning 2013
Service Level Agreements (SLAs)
• Contractual documents guaranteeing certain
minimum levels of service provided by vendors
• Service levels commonly measured as series of
nines
– Example: three nines availability, i.e., 99.9 percent
uptime or better
Incident Response Plan
• Incident response
– Set of procedures that commences when an incident
is detected
– Must be carefully planned and coordinated
Figure 11-11 NIST incident response process
© Cengage Learning 2013
Form IR Planning Team
• First step in the incident response planning process
• Example stakeholder groups represented in the IR
team
– General management
– IT management
– Information security management
– Operations
– Legal affairs
– Public relations
– Customer support
Develop IR Planning Policy
• Structural overview of a typical IR policy
– Statement of management commitment
– Purpose and objectives of the policy
– Scope of the policy
– Definition of information security incidents and
consequences
– Definition of roles and responsibilities
– Prioritization of incidents
– Performance measures
– Reporting and contact forms
Integrate the Business Impact Analysis
(BIA)
• Identify potentially successful attacks and
understand possible outcomes
• Three-stage process
– Threat attack identification and prioritization
– Attack success scenario development
– Potential damage assessment
Identify Preventive Controls Unique to
IR
• Identify preventive controls currently in place
– Involves asset inventory and prioritization
• Determine whether controls are effective
• Some assets protect organizations against
incidents and disaster
– Example: fire suppression equipment
Organize the Computer Security
Incident Response Team (CSIRT)
• Computer Security Incident Response Team
– Group of individuals who will respond to an incident
– Select personnel based on skills and access
privileges
– Different CSIRT subteams can be formed based on
scope and type of incident
• Training members can occur in various ways
– National training programs and conferences
– Mentoring-type training
Create IR Contingency Strategies
• Plan exactly how to respond to various incidents
• Strategies vary greatly
– Single IR strategy
– Several optional plans to handle different
circumstances
• General categories of strategies
– Protect and forget
– Apprehend and prosecute
Table 11-3 Key steps in reaction strategies
© Cengage Learning 2013
Develop the Incident Response (IR)
Plan
• General sections of the incident response plan
– Identification
– Response
– Containment and eradication
– Recovery
• Incident classification
– Process of evaluating organizational events
• Possible indicators of an incident
– Presence of unfamiliar files
Develop the Incident Response (IR)
Plan (cont’d.)
• Possible indicators of an incident (cont’d.)
– Presence of unknown programs or processes
– Unusual consumption of computing resources
– Unusual system crashes
• Probable indicators of an incident
– Activities at unexpected times
– Presence of new accounts
– Reported attacks
– Notification from IDS
Develop the Incident Response (IR)
Plan (cont’d.)
• Definite indicators of an incident
– Use of dormant accounts
– Modified or missing logs
– Presence of hacker tools
– Notifications by a partner or peer
– Notification by hacker
• Response actions
– Notification
– Documenting the incident
• Interview individuals involved
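Three of the indicators listed above (activity at unexpected times, presence of new accounts, use of dormant accounts) turned into a small triage routine that rates a batch of authentication events by the strongest indicator class seen. This is an added example, not code from the textbook; the log line format, the account inventory, the 90-day dormancy threshold and the business-hours window are all constructed for the illustration.

```python
"""Triage of authentication events against the indicator classes on the slides
(possible / probable / definite). Added example, not from the textbook. The log
format, account inventory, thresholds and log lines are constructed for the
example; a real deployment would parse its own system's auth logs."""
import re
from datetime import datetime, timedelta

# Constructed inventory: account -> date of its last known legitimate activity.
KNOWN_ACCOUNTS = {
    "jsmith": datetime(2013, 3, 29),
    "backupsvc": datetime(2013, 3, 30),
    "oldvendor": datetime(2012, 9, 1),   # untouched for months: a dormant account
}
DORMANT_AFTER = timedelta(days=90)       # assumed dormancy threshold
BUSINESS_HOURS = (7, 19)                 # logins expected between 07:00 and 19:00

# Constructed sample events: "<timestamp> <event> user=<name> src=<ip>"
SAMPLE_LOG = """\
2013-04-01T09:14:02 login_ok user=jsmith src=10.1.4.22
2013-04-01T23:41:17 login_ok user=jsmith src=10.1.4.22
2013-04-02T02:05:51 login_ok user=oldvendor src=203.0.113.9
2013-04-02T10:30:00 account_created user=tmpadmin src=10.1.4.22
2013-04-02T10:31:12 login_ok user=tmpadmin src=10.1.4.22
"""
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")
SEVERITY = {"none": 0, "possible": 1, "probable": 2, "definite": 3}


def classify(line, known=KNOWN_ACCOUNTS):
    """Indicators one event triggers, as (severity, description) pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    ts, event, user = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
    findings = []
    if event == "account_created" or user not in known:
        findings.append(("probable", f"new account {user}"))
    elif ts - known[user] > DORMANT_AFTER:
        findings.append(("definite", f"dormant account {user} in use"))
    if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
        findings.append(("probable", f"activity at unexpected time {ts:%H:%M}"))
    return findings


def triage(log_text, known=KNOWN_ACCOUNTS):
    """Run every line through classify(); returns (line_no, severity, text)."""
    out = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        out.extend((n, sev, text) for sev, text in classify(line, known))
    return out


def overall_rating(findings):
    """The strongest indicator class seen decides how the event set is rated."""
    return max((f[1] for f in findings), key=SEVERITY.get, default="none")
```

On the sample log the dormant-account login on line 3 is the definite indicator that rates the whole batch "definite"; the off-hours login and the newly created account are each only probable on their own.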
Develop the Incident Response (IR)
Plan (cont’d.)
• Containment/eradication
– First step: identify the affected area
• Containment strategies
– Disable compromised user accounts
– Reconfigure firewall to block problem traffic
– Temporarily disable compromised process or service
– Take down the conduit application or server
– Stop all computers and network devices
Develop the Incident Response (IR)
Plan (cont’d.)
• Recovery
– Inform appropriate human resources
– Assess full extent of the damage
– Begin recovery operations based on appropriate
section of the IR plan
– Steps
• Identify and resolve vulnerabilities
• Restore data
• Restore services and processes
• Restore confidence across the organization
• After-action review
Ensure Plan Testing, Training, and
Exercises
• Five strategies to test contingency plans
– Desk check
– Structured walk-through
– Simulation
– Parallel testing
– Full interruption
– War gaming
IR Plan Maintenance
• Plan should be periodically reviewed
– At least once a year
– Shortcomings should be noted
• Deficiencies may come to light based on:
– AARs
– Use of plan for actual incidents
– Use of plan for simulated incidents
– Review during periodic maintenance
• Revise plan to correct deficiencies
Summary
• Contingency planning (CP)
– Process of positioning an organization to prepare,
detect, react to, and recover from events that
threaten information security assets
• CP has 12 stages
• BIA provides the CP team with information about
systems and the threats they face
• IR plan documents actions an organization should
take while an incident is in progress
Summary (cont’d.)
• Business continuity planning (BCP) ensures that
business-critical functions can continue when a
disaster occurs
• Two general IR strategies include “protect and
forget” and “apprehend and prosecute”
• Stopping the incident or containing its impact is a
critical component of incident response
• Ongoing maintenance of the IR plan includes after-action reviews (AARs)