Security in Practice
Enterprise Security

Business Continuity
• Ability of an organization to maintain its operations and services in the face of a disruptive event
  – Computer attack
  – Natural disaster
• Many organizations are either unprepared or have not tested their plans
• Common elements
  – Redundancy planning
  – Disaster recovery procedures
  – Incident response procedures

Redundancy Planning
• Building excess capacity in order to protect against failures
• Servers
  – Protect against single point of failure
  – Redundant servers or parts
    • May take too long to get back online
  – Server cluster
    • Design the network infrastructure so that multiple servers are incorporated into the network
    • Types: asymmetric and symmetric

[Figure: Server cluster]

• Storage
  – Hard disk drives often are the first component of a system to fail
  – Implement RAID (Redundant Array of Independent Drives) technology
    • Uses multiple hard disk drives for increased reliability and performance
• Networks
  – Redundant network ensures that network services are always accessible
  – Virtually all network components can also be duplicated
• Power
  – Uninterruptible power supply (UPS)
    • Device that maintains power to equipment in the event of an interruption in the primary electrical power source
    • On-line
    • Off-line
  – Backup generator
• Sites
  – Hot site
    • Run by a commercial disaster recovery service
    • Allows a business to continue computer and network operations to maintain business continuity
  – Cold site
    • Provides office space
    • Customer must provide and install all the equipment needed to continue operations
  – Warm site
    • All of the equipment installed
    • Does not have active Internet or telecommunications facilities
    • Does not have current backups of data

Disaster Recovery Procedures
• Procedures and processes for restoring an organization’s operations following a disaster
• Focuses on restoring computing and technology resources to their former state
• Planning
  – Disaster recovery plan (DRP)
    • Written document
    • Details the process for restoring computer and technology resources
• Common features of DRP
  – Purpose and scope
  – Recovery team
  – Preparing for a disaster
  – Emergency procedures
  – Restoration procedures

[Figure: Sample from a DRP]

• Disaster exercises
  – Test the effectiveness of the DRP
  – Objectives
    • Test the efficiency of interdepartmental planning and coordination in managing a disaster
    • Test current procedures of the DRP
    • Determine the strengths and weaknesses in disaster responses
• Enterprise data backups
  – Significantly different than those for a home user
  – Disk to disk (D2D)
  – Continuous data protection (CDP)

Incident Response Procedures
• What is forensics?
  – Forensics
    • Application of science to questions that are of interest to the legal profession
  – Computer forensics
    • Attempt to retrieve information that can be used in the pursuit of the attacker or criminal
• Importance of computer forensics is due in part to
  – High amount of digital evidence
  – Increased scrutiny by the legal profession
  – Higher level of computer skill by criminals
• Responding to a computer forensics incident
  – Secure the crime scene
    • Response team must be contacted immediately
    • Document physical surroundings
    • Take custody of computer
    • Interview users and document information
  – Preserve the evidence
    • First capture any volatile data
      – Random access memory (RAM)
    • Mirror image backup or bit-stream backup
  – Establish the chain of custody
    • Documents that the evidence was under strict control at all times
    • No unauthorized person was given the opportunity to corrupt the evidence
  – Examine the evidence
    • Mirror image is examined to reveal evidence
    • Mine and expose hidden clues
      – Windows page file
      – Slack
      – Metadata

[Figure: Slack]

Security Policies
• Plans and policies must be established by the organization
  – To ensure that people correctly use the hardware and software defenses
• Organizational security policy

What Is a Security Policy?
• Document that outlines the protections that should be enacted
• Functions
  – Communicates organization’s information security culture and acceptable information security behavior
  – Detail specific risks and how to address them
  – Help to create a security-aware organizational culture
  – Ensure that employee behavior is directed and monitored to ensure compliance with security requirements

Balancing Trust and Control
• Approaches to trust
  – Trust everyone all of the time
  – Trust no one at any time
  – Trust some people some of the time
• Deciding on the level of control for a specific policy is not always clear
• Not all users have positive attitudes toward security policies

[Figure: Possible negative attitudes toward security]

Designing a Security Policy
• Definition of a policy
  – Characteristics
    • Communicate a consensus of judgment
    • Define appropriate behavior for users
    • Identify what tools and procedures are needed
    • Provide directives for Human Resource action in response to inappropriate behavior
• May be helpful in the event that it is necessary to prosecute violators
• Due care
  – Obligations imposed on owners and operators of assets
  – Exercise reasonable care of the assets and take necessary precautions to protect them
  – Care that a reasonable person would exercise under the circumstances
  – Examples
• The security policy cycle
  – Three-phase cycle
    • Performing a risk management study
      – Asset identification
      – Threat identification
      – Vulnerability appraisal
      – Risk assessment
      – Risk mitigation
    • Creating a security policy based on the information from the risk management study
    • Reviewing the policy for compliance

[Figure: Security policy cycle]

Types of Security Policies
• Acceptable use policy (AUP)
  – Defines the actions users may perform while accessing systems and networking equipment
  – Unacceptable use may also be outlined by the AUP
• Security-related human resource policy
  – Include statements regarding how an employee’s information technology resources will be addressed
  – Presented at an orientation session when the employee is hired
  – May contain due process statement

[Figure: Types of security policies]

• Personally identifiable information (PII) policy
  – Outlines how the organization uses personal information it collects
• Disposal and destruction policy
  – Addresses the disposal of resources that are considered confidential

[Figure: Sample PII (privacy) policy]
• Ethics policy
  – Refocus attention on ethics in the enterprise
  – Written code of conduct
  – Central guide and reference for employees in support of day-to-day decision making

Summary
• Redundancy planning
  – Building excess capacity in order to protect against failures
• Disaster recovery
  – Procedures and processes for restoring an organization’s operations following a disaster
• Forensic science
  – Application of science to questions that are of interest to the legal profession
• Security policy
  – Written document that states how an organization plans to protect the company’s information technology assets
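
The "Preserve the evidence" and "Establish the chain of custody" steps under Incident Response Procedures can be made checkable in software. The Python below is an added example, not part of the original slides: it binds each custody record to a digest of the mirror image and to the previous record, so an edited record, a removed record, or a modified image is detected. The use of SHA-256, the record field names and the hash-chained log are assumptions made for this illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value for the first record (assumed convention)

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_hash(record: dict) -> str:
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in record.items() if k != "entry_hash"}
    return digest(json.dumps(body, sort_keys=True).encode())

def add_entry(log: list, image: bytes, custodian: str, action: str, when: str) -> dict:
    """Append a custody record bound to the image digest and the previous record."""
    record = {"when": when, "custodian": custodian, "action": action,
              "image_sha256": digest(image),
              "prev": log[-1]["entry_hash"] if log else GENESIS}
    record["entry_hash"] = record_hash(record)
    log.append(record)
    return record

def verify(log: list, image: bytes) -> list:
    """Return a list of problems; an empty list means log and image agree."""
    problems, prev = [], GENESIS
    acquired = log[0]["image_sha256"] if log else None
    for i, rec in enumerate(log):
        if record_hash(rec) != rec["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        if rec["prev"] != prev:
            problems.append(f"entry {i}: chain broken")
        if rec["image_sha256"] != acquired:
            problems.append(f"entry {i}: image digest differs from acquisition")
        prev = rec["entry_hash"]
    if acquired is not None and digest(image) != acquired:
        problems.append("image no longer matches acquisition digest")
    return problems

if __name__ == "__main__":
    image = b"constructed stand-in for a bit-stream image"  # sample data
    log = []
    add_entry(log, image, "Responder A", "acquired mirror image", "2024-01-01T10:00Z")
    add_entry(log, image, "Examiner B", "received for examination", "2024-01-01T14:00Z")
    print(verify(log, image))            # intact log and image
    print(verify(log, image + b"\x00"))  # image modified after acquisition
    log[0]["custodian"] = "Someone else"
    print(verify(log, image))            # custody record edited after the fact
```

Anyone able to rewrite the whole log can recompute the chain, so the latest entry hash should also be recorded somewhere the log's holder cannot change, such as the signed paper custody form.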