Planning for Contingencies EECS 711: Security Management and Audit Philip Mein "Prakash" Pallavur Sankaranaraynan Annette Tetmeyer 1 EECS 711 Spring 2008 Chapter 3 Outline • • • • • • • • • • What is Contingency Planning? Components of Contingency Planning Business Impact Analysis Incident Response Plan Disaster Recovery Plan Business Continuity Plan Timing and Sequence of CP Elements Business Resumption Planning Testing Contingency Plans Contingency Planning: Final Thoughts 2 EECS 711 Spring 2008 Chapter 3 What is Contingency Planning? • The overall process of preparing for unexpected events • Prepare for, detect, react to, recover from these events “many organization contingency plans are woefully inadequate…” 3 EECS 711 Spring 2008 Chapter 3 What is Contingency Planning? Communities of Interest Information Technolog y Information Security Prepare for, detect, react to and recover from unexpected events Natural 4 Human Environmental EECS 711 Spring 2008 Chapter 3 Components of Contingency Planning 5 EECS 711 Spring 2008 Chapter 3 Components of Contingency Planning • Business Impact Analysis (BIA) – Determine critical business functions and information systems • Incident Response Plan (IR) – Immediate response to an incident • Disaster Recovery Plan (DR) – Focus on restoring operations at the primary site • Business Continuity Plan (BC) – Enables business to continue at an alternate site – Occurs concurrently with DR Plan 6 EECS 711 Spring 2008 Chapter 3 Major Tasks 7 EECS 711 Spring 2008 Chapter 3 Developing the CP Plan • Unified plan – Smaller organizations • Four plans with interlocking procedures – Larger, complex organizations • Should involve high level administrators and key personnel – CIO, CISO, IT and business managers, system administrators 8 EECS 711 Spring 2008 Chapter 3 CP Team Personnel • Champion: provides strategic vision and access to organizational support • Project Manager • Team Members: from communities of interest 9 EECS 711 Spring 2008 Chapter 3 CP Process Elements Required to begin the CP process • Planning methodology • Policy environment • Understanding cause and effect of precursor activities • Access to financial and other resources (budget) 10 EECS 711 Spring 2008 Chapter 3 Creating the CP Document 1. 2. 3. 4. 5. 6. 7. Develop the policy statement Conduct the BIA Identify preventive controls Develop recovery strategies Develop an IT contingency plan Plan testing, training and exercises Plan maintenance 11 EECS 711 Spring 2008 Chapter 3 Creating the CP Document 12 EECS 711 Spring 2008 Chapter 3 Sample Policy 13 EECS 711 Spring 2008 Chapter 3 Business Impact Analysis • Provides detailed scenarios of effects of potential attacks • Risk management identifies attacks • BIA assumes controls have failed 14 EECS 711 Spring 2008 Chapter 3 Risk Management • Contingency planning and risk management are closely related • Risks must be identified in order to establish the contingency plan 15 EECS 711 Spring 2008 Chapter 3 BIA Stages • Threat Attack Identification and Prioritization • Business Unit Analysis • Attack Success Scenario Development • Potential Damage Assessment • Subordinate Plan Classification 16 EECS 711 Spring 2008 Chapter 3 Threat Attack Identification and Prioritization • Update threat list and add an attack profile – Detailed description of activities that occur during an attack – Develop for every serious threat • Natural or man-made • Deliberate or accidental – Used later to provide indicators of attacks and extent of damage 17 EECS 711 Spring 2008 Chapter 3 Example Attack Profile Elements Include • Date analyzed • Attack name and description • Threat and probable threat agents • Vulnerabilities (known or possible) • Precursor activities or indicators • Likely attack activities or indicators of attack in progress • Information assets at risk • Damage or loss to information assets • Other assets at risk and damage/loss to these assets • Immediate actions indicated when the attack is underway • Follow-up actions after this attack was successfully executed against systems • Comments 18 EECS 711 Spring 2008 Chapter 3 Business Unit Analysis • Analysis and prioritization of business functions • Independently evaluate all departments, units, etc. • Prioritize revenue producing functions 19 EECS 711 Spring 2008 Chapter 3 Attack Success Scenario Development • What are the effects of the threat? • Alternative outcomes to each – Best, worst, most likely • What are the implications for all business functions? 20 EECS 711 Spring 2008 Chapter 3 Potential Damage Assessment • Prepare attack scenario end case – What is the cost for the best, worst, most likely? • Include cost estimates of time and effort 21 EECS 711 Spring 2008 Chapter 3 Subordinate Plan Classification • Is the attack disastrous or not? • Develop subordinate plans – Non disastrous scenarios may be addressed as part of DR and BC plans 22 EECS 711 Spring 2008 Chapter 3 Incident Response Plan “Things which you do not hope happen more frequently than things which you do hope.” -- Plautus (c. 254–184 BCE), in Mostellaria, Act I, Scene 3, 40 (197) 23 EECS 711 Spring 2008 Chapter 3 Incident Response Plan • Incident – An unexpected event • IRP (Incident Response Plan) – Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets • IR (Incident Response) – A set of procedures that commence when an incident is detected • Minimal damage • Little or no disruption to business operations – What is not is prevention (reactive not preventative) 24 EECS 711 Spring 2008 Chapter 3 IR Policy • CP team develops the policy environment to authorize the creation of each of the planning components (IR, DR, BC) • Defines the roles and responsibilities for the entire enterprise • Defines the roles and responsibilities for for the SIRT (Security Incident Response Team 25 EECS 711 Spring 2008 Chapter 3 IR Policy cont. • Computer Security Incident Handling Guide (NIST SP 800-61) – – – – – – – – Statement of management commitment Purpose and objectives of the policy Scope of the Policy Definition of information security incidents and their consequences within the organization Organizational structure and delineation of roles responsibilities, and levels of authority Prioritization or severity ratings of incidents Performance measures Reporting and contact forms 26 EECS 711 Spring 2008 Chapter 3 What is an InfoSec Incident • It is directed against information assets • It has a realistic chance of success • It threatens the confidentiality, integrity, or availability of information resources and assets 27 EECS 711 Spring 2008 Chapter 3 IR Plan • BIA provides data to develop IR plan – Information systems and the threats they face • Stop the incident, mitigate its effects, and provide information for the recovery from the incident • Three sets of incident procedures – Before an Attack • Backup schedules • Training schedules • Testing plans – During an Attack • Procedures and tasks to be performed during the incident • Minimize the effect of the attack (avoid disaster) – After an Attack • Patches, Updates • Interviews 28 EECS 711 Spring 2008 Chapter 3 Incident Detection • Incident candidates – Possible Indicators • Unfamiliar files, unknown processes, consumption of resources, unusual system crashes – Probable Indicators • Activity at unexpected times, presence of new accounts, reported attacks, IDS – Definite Indicators • Use of dormant accounts, changes to logs, presence of hacker tools, notification by peers, notification by hacker – Occurrences of Actual Incidents • Loss of availability, loss of integrity, loss of confidentiality, violation of policy, violation of law 29 EECS 711 Spring 2008 Chapter 3 • Actual Incident reported by IDS 30 EECS 711 Spring 2008 Chapter 3 Incident Response • Notification of Key Personnel – Alert roster (sequential or hierarchical) • Documenting an Incident – Who, what, when, where, why, how (for each action) • Incident Containment Strategies – Stopping the incident and recovering control • • • • • Disabling compromised accounts Reconfiguring a firewall Disabling the compromised process or service Taking down the conduit application or server Stopping all computers and network devices – Incident Escalation 31 EECS 711 Spring 2008 Chapter 3 Incident Response cont. • Incident Recovery – Incident damage assessment • Scope of C.I.A. • Individuals who document the damage must be trained to collect and preserve evidence – Recovery steps: • Identify vulnerabilities • Address the safeguards that failed to stop or limit the incident or missing • Evaluate monitoring capabilities • Restore data from backups • Restore the services and processes • Continuously monitor the system • Restore the confidence of the members of the organization • Law Enforcement Involvement – FBI, US Secret Service, US Treasury Dept, SEC, Local agencies 32 EECS 711 Spring 2008 Chapter 3 Disaster Recovery Plan • Entails the preparation for and recovery from a disaster • Responsibility of the IT community of interest, under the leadership of the CEO • An incident becomes a disaster when – The organization is unable to contain or control the impact of an incident – The level of damage is so severe that the organization cannot recover from the incident 33 EECS 711 Spring 2008 Chapter 3 Disaster Recovery Plan • The key role of a DR plan is to reestablish operations at the primary location 34 EECS 711 Spring 2008 Chapter 3 DR Planning Process 1. Develop the DR planning policy statement 2. Review the BIA 3. Indentify preventive controls 4. Develop recovery strategies 5. Develop the DR plan document 6. Plan testing, training and exercises 7. Plan maintenance 35 EECS 711 Spring 2008 Chapter 3 DR Planning Policy Statement • The DR team lead by the DR team lead, begins with the development of the DR policy • The DR policy contains the following key elements: 1. 2. 3. 4. 5. 6. 7. 8. 36 Purpose Scope Roles and responsibilities Resource requirements Training requirements Exercise and testing schedules Plan maintenance schedules Special considerations EECS 711 Spring 2008 Chapter 3 Classification of disasters • Natural disasters – Examples: Fire, flood, hurricane, tornado • Man-made disasters – Examples: Cyber-terrorism • Rapid-onset – Examples: Earthquakes, mud-flows • Slow-onset – Examples: Famines, deforestation 37 EECS 711 Spring 2008 Chapter 3 Planning for disaster • Key elements that the CP team must build into a DR plan include the following: 1. 2. 3. 4. 5. 6. 38 Delegation of roles and responsibilities Execution of alert roster and notification of key personnel Clear establishment of priorities Procedures for documentation of disasters Actions to mitigate the impact of disaster on the operations Alternative implementations of various systems in case the primaries are unavailable EECS 711 Spring 2008 Chapter 3 Options to protect information • • • • Traditional back-ups Electronic vaulting Remote journaling Database shadowing 39 EECS 711 Spring 2008 Chapter 3 Crisis Management • Steps taken during and after a disaster that affect people internally and externally • According to Gartner Research, crisis management involves the following activities: – Supporting personnel and their loved ones during the crisis – Determine events impact on normal business and make disaster declaration if necessary – Keep public informed about the event and steps being taken to ensure recovery of personnel and the enterprise – Communicate with major customers, suppliers, partners, regulatory agencies, industry organizations, media and other interested parties. 40 EECS 711 Spring 2008 Chapter 3 Crisis Management • The crisis management team is also charged with two key tasks: 1. Verifying personnel status 2. Activating the alert roster • The most important role of crisis management is, in the event of a disaster tell the whole story as soon as possible directly to the affected audience 41 EECS 711 Spring 2008 Chapter 3 Responding to disasters • During disasters even the most well planned DR plans can be overwhelmed • To be prepared, the CP team should incorporate a degree of flexibility • If facilities are intact DR team should begin restoration of systems and services • If facilities are destroyed, alternative actions must be taken until new facilities are available • When the operations of the primary site are threatened, the disaster recovery process becomes a business continuity process 42 EECS 711 Spring 2008 Chapter 3 Business Continuity Plan • Ensures that critical business functions can continue if a disaster occurs • CEO should manage • Activated and executed concurrently with DR plan – Business can no longer function at primary location – Use an alternate location 43 EECS 711 Spring 2008 Chapter 3 Business Continuity Plan • Identify critical business functions and resources to support them • Want to quickly re-establish these functions at alternate site 44 EECS 711 Spring 2008 Chapter 3 BC Planning Process 1. Develop the BC planning policy statement • Authority, guidance, executive vision 2. Review the BIA • Identify, prioritize critical IT systems 3. Identify preventive controls – Measures to reduce disruption, increase system availability 4. Develop relocation strategies – Critical systems must be recovered quickly 45 EECS 711 Spring 2008 Chapter 3 BC Planning Process 5. Develop the continuity plan • Include detailed guidelines and procedures 6. Plan testing, training, and exercises • Identify planning gaps, prepare personnel for improved effectiveness and preparedness 7. Plan maintenance • Living document, plan to update! 46 EECS 711 Spring 2008 Chapter 3 Develop the BC planning policy statement • Authority, guidance, executive vision • Provide: – Purpose – Scope – Roles and responsibilities – Resource requirements – Training requirements – Plan maintenance schedule – Special considerations 47 EECS 711 Spring 2008 Chapter 3 Plan Similarities • Similar to other elements of the CP • Process are similar • Implementation differs 48 EECS 711 Spring 2008 Chapter 3 Design Parameters • Recovery Time Objective (RTO) – Amount of time that passes before an infrastructure is available • Recovery Point Objective (RPO) – The point in the past to which the recovered applications and data will be restored – How much data loss? 49 EECS 711 Spring 2008 Chapter 3 Continuity Strategies • Exclusive-use options – Hot site – Warm site – Cold site Cost • Shared-use options – Timeshare – Service bureau – Mutual agreement • Other – Rolling mobile site – Mirrored site 50 EECS 711 Spring 2008 Chapter 3 Time to activat e Continuity Strategies 51 EECS 711 Spring 2008 Chapter 3 Timing and Sequence of CP Elements 52 EECS 711 Spring 2008 Chapter 3 Timing and Sequence of CP Elements 53 EECS 711 Spring 2008 Chapter 3 Business Resumption Planning • DR and BC combined • Possibility for two locations • Good template provided by NIST – http://fasp.nist.gov 54 EECS 711 Spring 2008 Chapter 3 Testing Contingency Plans • All plans must be tested to identify vulnerabilities, faults and inefficient processes • Five strategies that can be used to test plans are: 1. 2. 3. 4. 5. Desk Check Structured walk-through Simulation Parallel testing Full interruption • Another important often neglected aspect of training is cross training 55 EECS 711 Spring 2008 Chapter 3 Contingency Planning: Final Thoughts • Iteration results in improvement, a formal implement of this is CPI (Continuous Process Improvement) • Each time the organization rehearses its plans, it must learn and improve • Each time an incident or a disaster occurs the organization should review what went right and what went wrong • Through ongoing evaluation and improvement an organization continually improves and strives for better outcomes 56 EECS 711 Spring 2008 Chapter 3 Conclusion Contingency planning and its various components BIA, IRP, DRP and BCP play a critical role in preparing for, detecting, reacting to and recovering from events that threaten the security of information resources and assets both human and natural. Spring 2008 57 EECS 711: EECS Security 711 Spring Management 2008 Chapter and Audit 3 57 Questions 58 EECS 711 Spring 2008 Chapter 3 References • NIST. Special Publication 800-34: Contingency Planning Guide for Information Technology Systems. June 2002. Accessed Feb. 13, 2008 from http://csrc.nist.gov/publications/nistpubs /800-34/sp800-34.pdf 59 EECS 711 Spring 2008 Chapter 3