Stu-Chapter3 - EECS People Web Server

Planning for Contingencies
EECS 711: Security Management and Audit
Philip Mein
"Prakash" Pallavur Sankaranaraynan
Annette Tetmeyer
1
EECS 711 Spring 2008 Chapter 3
Outline
• What is Contingency Planning?
• Components of Contingency Planning
• Business Impact Analysis
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
• Timing and Sequence of CP Elements
• Business Resumption Planning
• Testing Contingency Plans
• Contingency Planning: Final Thoughts
What is Contingency Planning?
• The overall process of preparing for unexpected events
• Prepare for, detect, react to, recover from these events
“many organization contingency plans are woefully inadequate…”
What is Contingency Planning?
(Figure: the Information Technology and Information Security communities of interest prepare for, detect, react to and recover from unexpected events, which may be natural, human or environmental in origin.)
Components of Contingency Planning
• Business Impact Analysis (BIA)
  – Determine critical business functions and information systems
• Incident Response Plan (IR)
  – Immediate response to an incident
• Disaster Recovery Plan (DR)
  – Focus on restoring operations at the primary site
• Business Continuity Plan (BC)
  – Enables business to continue at an alternate site
  – Occurs concurrently with DR Plan
Major Tasks
(Figure: major tasks of contingency planning)
Developing the CP Plan
• Unified plan
  – Smaller organizations
• Four plans with interlocking procedures
  – Larger, complex organizations
• Should involve high-level administrators and key personnel
  – CIO, CISO, IT and business managers, system administrators
CP Team Personnel
• Champion: provides strategic vision and access to organizational support
• Project Manager
• Team Members: from communities of interest
CP Process Elements
Required to begin the CP process:
• Planning methodology
• Policy environment
• Understanding cause and effect of precursor activities
• Access to financial and other resources (budget)
Creating the CP Document
1. Develop the policy statement
2. Conduct the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training and exercises
7. Plan maintenance
(Figure: creating the CP document)
Sample Policy
(Figure: sample contingency planning policy)
Business Impact Analysis
• Provides detailed scenarios of the effects of potential attacks
• Risk management identifies attacks
• BIA assumes controls have failed
Risk Management
• Contingency planning and risk management are closely related
• Risks must be identified in order to establish the contingency plan
BIA Stages
• Threat Attack Identification and Prioritization
• Business Unit Analysis
• Attack Success Scenario Development
• Potential Damage Assessment
• Subordinate Plan Classification
Threat Attack Identification and Prioritization
• Update threat list and add an attack profile
  – Detailed description of activities that occur during an attack
  – Develop for every serious threat
    • Natural or man-made
    • Deliberate or accidental
  – Used later to provide indicators of attacks and extent of damage
Example Attack Profile Elements
Include:
• Date analyzed
• Attack name and description
• Threat and probable threat agents
• Vulnerabilities (known or possible)
• Precursor activities or indicators
• Likely attack activities or indicators of attack in progress
• Information assets at risk
• Damage or loss to information assets
• Other assets at risk and damage/loss to these assets
• Immediate actions indicated when the attack is underway
• Follow-up actions after this attack was successfully executed against systems
• Comments
Business Unit Analysis
• Analysis and prioritization of business functions
• Independently evaluate all departments, units, etc.
• Prioritize revenue-producing functions
Attack Success Scenario Development
• What are the effects of the threat?
• Alternative outcomes to each
  – Best, worst, most likely
• What are the implications for all business functions?
Potential Damage Assessment
• Prepare attack scenario end case
  – What is the cost for the best, worst, most likely outcome?
• Include cost estimates of time and effort
Subordinate Plan Classification
• Is the attack disastrous or not?
• Develop subordinate plans
  – Non-disastrous scenarios may be addressed as part of DR and BC plans
Incident Response Plan
“Things which you do not hope happen more frequently than things which you do hope.”
-- Plautus (c. 254–184 BCE), in Mostellaria, Act I, Scene 3, 40 (197)
Incident Response Plan
• Incident
  – An unexpected event
• IRP (Incident Response Plan)
  – Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets
• IR (Incident Response)
  – A set of procedures that commence when an incident is detected
    • Minimal damage
    • Little or no disruption to business operations
  – What IR is not: prevention (IR is reactive, not preventive)
IR Policy
• CP team develops the policy environment to authorize the creation of each of the planning components (IR, DR, BC)
• Defines the roles and responsibilities for the entire enterprise
• Defines the roles and responsibilities for the SIRT (Security Incident Response Team)
IR Policy cont.
• Computer Security Incident Handling Guide (NIST SP 800-61)
  – Statement of management commitment
  – Purpose and objectives of the policy
  – Scope of the policy
  – Definition of information security incidents and their consequences within the organization
  – Organizational structure and delineation of roles, responsibilities, and levels of authority
  – Prioritization or severity ratings of incidents
  – Performance measures
  – Reporting and contact forms
What is an InfoSec Incident?
• It is directed against information assets
• It has a realistic chance of success
• It threatens the confidentiality, integrity, or availability of information resources and assets
IR Plan
• BIA provides data to develop the IR plan
  – Information systems and the threats they face
• Stop the incident, mitigate its effects, and provide information for the recovery from the incident
• Three sets of incident procedures
  – Before an Attack
    • Backup schedules
    • Training schedules
    • Testing plans
  – During an Attack
    • Procedures and tasks to be performed during the incident
    • Minimize the effect of the attack (avoid disaster)
  – After an Attack
    • Patches, updates
    • Interviews
Incident Detection
• Incident candidates
  – Possible Indicators
    • Unfamiliar files, unknown processes, consumption of resources, unusual system crashes
  – Probable Indicators
    • Activity at unexpected times, presence of new accounts, reported attacks, IDS
  – Definite Indicators
    • Use of dormant accounts, changes to logs, presence of hacker tools, notification by peers, notification by hacker
  – Occurrences of Actual Incidents
    • Loss of availability, loss of integrity, loss of confidentiality, violation of policy, violation of law
(Figure: actual incident reported by IDS)
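The indicator classes above are the basis of a triage step: an incident candidate is ranked by the strongest class of indicator observed before anyone is paged. The script below is an added example (not part of the lecture or its textbook) that runs that ranking over a constructed host/auth log. The log lines, the "key=value" line format, the dormant-account list, working hours, tool names and scratch directories are all assumptions made for the example; a real deployment would take them from the organisation's own asset inventory and policy.

```python
import re
from datetime import datetime

# Constructed sample auth/host log for this example (not from the slides). The
# assumed line format is "<ISO timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2008-03-10T09:12:44 login user=alice src=10.0.0.5
2008-03-10T23:41:02 login user=bob src=10.0.0.9
2008-03-10T23:42:10 useradd user=svc_tmp by=bob
2008-03-11T02:05:33 login user=mallory src=198.51.100.7
2008-03-11T02:07:01 file_write path=/var/log/auth.log user=mallory
2008-03-11T02:09:15 exec path=/tmp/nc user=mallory
2008-03-11T10:30:00 exec path=/tmp/.x user=alice
"""

# Organisation-specific context, all assumed for the example.
DORMANT_ACCOUNTS = {"mallory"}        # accounts that should never log in
WORK_HOURS = range(7, 19)             # 07:00-18:59 is expected activity
LOG_DIRS = ("/var/log/",)             # writes here count as "changes to logs"
TOOL_NAMES = {"nc", "nmap"}           # binaries treated as "hacker tools"
SCRATCH_DIRS = ("/tmp/",)             # executables here are "unfamiliar files"

# Indicator classes from the slide, ordered from strongest to weakest.
LEVELS = {"definite": 0, "probable": 1, "possible": 2, "none": 3}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<rest>.*)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"ts": ts, "event": m.group("event"), **fields}

def classify(rec):
    """Map one record to the strongest indicator class it matches, with reasons."""
    event, user, path = rec["event"], rec.get("user", ""), rec.get("path", "")
    binary = path.rsplit("/", 1)[-1]
    findings = []
    # Definite indicators
    if event == "login" and user in DORMANT_ACCOUNTS:
        findings.append(("definite", f"use of dormant account {user}"))
    if event == "file_write" and path.startswith(LOG_DIRS):
        findings.append(("definite", f"change to log file {path}"))
    if event == "exec" and binary in TOOL_NAMES:
        findings.append(("definite", f"hacker tool executed: {path}"))
    # Probable indicators
    if event == "useradd":
        findings.append(("probable", f"new account {user} created"))
    if rec["ts"].hour not in WORK_HOURS:
        findings.append(("probable", f"activity at unexpected time {rec['ts'].time()}"))
    # Possible indicators
    if event == "exec" and path.startswith(SCRATCH_DIRS) and binary not in TOOL_NAMES:
        findings.append(("possible", f"unfamiliar file executed: {path}"))
    if not findings:
        return "none", ""
    findings.sort(key=lambda f: LEVELS[f[0]])
    return findings[0][0], "; ".join(reason for _, reason in findings)

def triage(log_text):
    """Classify every parseable line and return (level, reasons, line) tuples,
    strongest indicators first, so the responder sees definite ones at the top."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            results.append((*classify(rec), line))
    return sorted(results, key=lambda r: LEVELS[r[0]])

def highest_level(log_text):
    """The strongest indicator class present, i.e. how far this candidate has
    progressed toward being declared an actual incident."""
    rows = triage(log_text)
    return rows[0][0] if rows else "none"

if __name__ == "__main__":
    for level, reasons, line in triage(SAMPLE_LOG):
        print(f"{level:8} {line}  <- {reasons}")
```

Each line may match several indicators (a dormant account logging in at 02:05 is both definite and probable); the classifier keeps the strongest class and reports all reasons, which is what the documentation step of the IR plan wants recorded. Indicators that need other telemetry (resource consumption, crashes, notification by peers) are not derivable from an auth log and are deliberately left out.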
Incident Response
• Notification of Key Personnel
  – Alert roster (sequential or hierarchical)
• Documenting an Incident
  – Who, what, when, where, why, how (for each action)
• Incident Containment Strategies
  – Stopping the incident and recovering control
    • Disabling compromised accounts
    • Reconfiguring a firewall
    • Disabling the compromised process or service
    • Taking down the conduit application or server
    • Stopping all computers and network devices
  – Incident Escalation
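The difference between a sequential and a hierarchical alert roster is how long it takes until the last person is reached, and whether anyone is missed. The following added example (written for this page, not taken from the lecture or its textbook) models both rosters for a constructed team; the names, the tree structure and the three-minute call duration are assumptions. It also includes the check a desk check of the plan should run: that the hierarchical tree actually reaches everyone on the master list.

```python
# Constructed rosters for this example (names and structure are assumed).
CALL_MINUTES = 3   # assumed duration of one phone call

# Sequential roster: a single activator calls everyone on the list, in order.
SEQUENTIAL_ROSTER = ["ciso", "it_manager", "sec_lead", "sysadmin1",
                     "sysadmin2", "dba", "netadmin", "helpdesk"]

# Hierarchical roster: the activator calls the root; each person reached then
# calls the people listed under them, in order.
HIERARCHICAL_ROSTER = {
    "ciso": ["it_manager", "sec_lead"],
    "it_manager": ["sysadmin1", "sysadmin2", "dba"],
    "sec_lead": ["netadmin", "helpdesk"],
}
ROOT = "ciso"

def sequential_times(roster, call_minutes=CALL_MINUTES):
    """Minute at which each person is reached when one caller works down the list."""
    return {name: (i + 1) * call_minutes for i, name in enumerate(roster)}

def hierarchical_times(tree, root, call_minutes=CALL_MINUTES):
    """Minute at which each person is reached when calls fan out through the tree.
    A person starts calling their own list as soon as they have been reached."""
    times = {root: call_minutes}
    pending = [root]
    while pending:
        caller = pending.pop(0)
        for i, callee in enumerate(tree.get(caller, [])):
            if callee in times:          # guard against cycles or duplicates
                continue
            times[callee] = times[caller] + (i + 1) * call_minutes
            pending.append(callee)
    return times

def completion_time(times):
    """When the last person on the roster has been reached."""
    return max(times.values())

def unreached(tree, root, members):
    """Members of the master roster that the tree never calls. A desk check of
    the plan should expect this set to be empty."""
    return set(members) - set(hierarchical_times(tree, root))

if __name__ == "__main__":
    seq = sequential_times(SEQUENTIAL_ROSTER)
    hier = hierarchical_times(HIERARCHICAL_ROSTER, ROOT)
    print("sequential completes at minute", completion_time(seq))
    print("hierarchical completes at minute", completion_time(hier))
    print("not reached by the tree:", unreached(HIERARCHICAL_ROSTER, ROOT, SEQUENTIAL_ROSTER))
```

With eight people the sequential roster finishes at minute 24 while the hierarchical one finishes at minute 15; the trade-off is that the hierarchical form depends on every intermediate caller being reachable, which is why the roster is something plan testing must exercise.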
Incident Response cont.
• Incident Recovery
  – Incident damage assessment
    • Scope of C.I.A.
    • Individuals who document the damage must be trained to collect and preserve evidence
  – Recovery steps:
    • Identify vulnerabilities
    • Address the safeguards that failed to stop or limit the incident, or that were missing
    • Evaluate monitoring capabilities
    • Restore data from backups
    • Restore the services and processes
    • Continuously monitor the system
    • Restore the confidence of the members of the organization
• Law Enforcement Involvement
  – FBI, US Secret Service, US Treasury Dept, SEC, local agencies
Disaster Recovery Plan
• Entails the preparation for and recovery from a disaster
• Responsibility of the IT community of interest, under the leadership of the CEO
• An incident becomes a disaster when
  – The organization is unable to contain or control the impact of an incident
  – The level of damage is so severe that the organization cannot recover from the incident
• The key role of a DR plan is to reestablish operations at the primary location
DR Planning Process
1. Develop the DR planning policy statement
2. Review the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop the DR plan document
6. Plan testing, training and exercises
7. Plan maintenance
DR Planning Policy Statement
• The DR team, led by the DR team lead, begins with the development of the DR policy
• The DR policy contains the following key elements:
  1. Purpose
  2. Scope
  3. Roles and responsibilities
  4. Resource requirements
  5. Training requirements
  6. Exercise and testing schedules
  7. Plan maintenance schedules
  8. Special considerations
Classification of disasters
• Natural disasters
  – Examples: fire, flood, hurricane, tornado
• Man-made disasters
  – Examples: cyber-terrorism
• Rapid-onset
  – Examples: earthquakes, mud-flows
• Slow-onset
  – Examples: famines, deforestation
Planning for disaster
• Key elements that the CP team must build into a DR plan include the following:
  1. Delegation of roles and responsibilities
  2. Execution of alert roster and notification of key personnel
  3. Clear establishment of priorities
  4. Procedures for documentation of disasters
  5. Actions to mitigate the impact of disaster on the operations
  6. Alternative implementations of various systems in case the primaries are unavailable
Options to protect information
• Traditional back-ups
• Electronic vaulting
• Remote journaling
• Database shadowing
Crisis Management
• Steps taken during and after a disaster that affect people internally and externally
• According to Gartner Research, crisis management involves the following activities:
  – Supporting personnel and their loved ones during the crisis
  – Determining the event's impact on normal business and making a disaster declaration if necessary
  – Keeping the public informed about the event and the steps being taken to ensure recovery of personnel and the enterprise
  – Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, media and other interested parties
Crisis Management
• The crisis management team is also charged with two key tasks:
  1. Verifying personnel status
  2. Activating the alert roster
• The most important role of crisis management is, in the event of a disaster, to tell the whole story as soon as possible, directly to the affected audience
Responding to disasters
• During disasters even the most well-planned DR plans can be overwhelmed
• To be prepared, the CP team should incorporate a degree of flexibility
• If facilities are intact, the DR team should begin restoration of systems and services
• If facilities are destroyed, alternative actions must be taken until new facilities are available
• When the operations of the primary site are threatened, the disaster recovery process becomes a business continuity process
Business Continuity Plan
• Ensures that critical business functions can continue if a disaster occurs
• CEO should manage
• Activated and executed concurrently with the DR plan
  – Business can no longer function at the primary location
  – Use an alternate location
• Identify critical business functions and the resources to support them
• Want to quickly re-establish these functions at the alternate site
BC Planning Process
1. Develop the BC planning policy statement
   • Authority, guidance, executive vision
2. Review the BIA
   • Identify, prioritize critical IT systems
3. Identify preventive controls
   • Measures to reduce disruption, increase system availability
4. Develop relocation strategies
   • Critical systems must be recovered quickly
5. Develop the continuity plan
   • Include detailed guidelines and procedures
6. Plan testing, training, and exercises
   • Identify planning gaps, prepare personnel for improved effectiveness and preparedness
7. Plan maintenance
   • Living document, plan to update!
Develop the BC planning policy statement
• Authority, guidance, executive vision
• Provide:
  – Purpose
  – Scope
  – Roles and responsibilities
  – Resource requirements
  – Training requirements
  – Plan maintenance schedule
  – Special considerations
Plan Similarities
• Similar to the other elements of the CP
• Processes are similar
• Implementation differs
Design Parameters
• Recovery Time Objective (RTO)
  – Amount of time that passes before the infrastructure is available again
• Recovery Point Objective (RPO)
  – The point in the past to which the recovered applications and data will be restored
  – How much data loss?
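RTO and RPO only become useful design parameters once they are compared with what the backup schedule and restore procedure actually achieve. The example below is added for this page (it is not from the lecture or its textbook) and works the two figures through for a constructed scenario: nightly backups finishing at 02:00, a failure at 17:30, and a four-step sequential restore. The backup times, the failure time, the step durations and the objectives passed to evaluate() are all assumed values.

```python
from datetime import datetime

# Constructed scenario for this example (all values assumed): nightly backups
# completing at 02:00, a failure on the afternoon of 10 March, and the steps
# needed to bring the infrastructure back.
SAMPLE_BACKUPS = [
    datetime(2008, 3, 8, 2, 0),
    datetime(2008, 3, 9, 2, 0),
    datetime(2008, 3, 10, 2, 0),
]
SAMPLE_FAILURE = datetime(2008, 3, 10, 17, 30)
SAMPLE_RESTORE_STEPS = {            # sequential steps, durations in hours
    "provision replacement hardware": 6.0,
    "reinstall OS and applications": 2.0,
    "restore data from last backup": 5.0,
    "validate and hand over to users": 1.0,
}

def hours(td):
    """Convert a timedelta to a number of hours."""
    return td.total_seconds() / 3600

def data_loss_hours(backup_times, failure_time):
    """How far into the past the recovered data will be: the gap between the
    last backup completed before the failure and the failure itself."""
    completed = [t for t in backup_times if t <= failure_time]
    if not completed:
        raise ValueError("no backup completed before the failure")
    return hours(failure_time - max(completed))

def worst_case_loss_hours(backup_times):
    """The largest gap between consecutive backups: the most data a failure
    could cost if it strikes just before the next backup finishes."""
    ordered = sorted(backup_times)
    return max(hours(b - a) for a, b in zip(ordered, ordered[1:]))

def recovery_hours(restore_steps):
    """Elapsed time until the infrastructure is available again, assuming the
    steps run one after another."""
    return sum(restore_steps.values())

def evaluate(backup_times, failure_time, restore_steps, rpo_hours, rto_hours):
    """Compare the achieved figures with the objectives set in the BC/DR plan."""
    loss = data_loss_hours(backup_times, failure_time)
    worst = worst_case_loss_hours(backup_times)
    recovery = recovery_hours(restore_steps)
    return {
        "data_loss_hours": loss,
        "worst_case_loss_hours": worst,
        "recovery_hours": recovery,
        "rpo_met": loss <= rpo_hours,
        "rpo_met_in_worst_case": worst <= rpo_hours,
        "rto_met": recovery <= rto_hours,
    }

def longest_step(restore_steps):
    """The step to shorten first if the RTO is missed."""
    return max(restore_steps, key=restore_steps.get)

if __name__ == "__main__":
    result = evaluate(SAMPLE_BACKUPS, SAMPLE_FAILURE, SAMPLE_RESTORE_STEPS,
                      rpo_hours=4, rto_hours=8)
    for key, value in result.items():
        print(f"{key:24} {value}")
    print("shorten first:", longest_step(SAMPLE_RESTORE_STEPS))
```

For this scenario the recovered data is 15.5 hours old (24 hours in the worst case) and the infrastructure returns after 14 hours, so a 4-hour RPO and an 8-hour RTO are both missed; the worst-case figure is the one to design against, because the plan cannot choose when the failure happens. The longest restore step (here, provisioning hardware) is what a warm or hot site removes from the critical path.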
Continuity Strategies
• Exclusive-use options
  – Hot site
  – Warm site
  – Cold site
• Shared-use options
  – Timeshare
  – Service bureau
  – Mutual agreement
• Other
  – Rolling mobile site
  – Mirrored site
(Figure: continuity strategies compared by cost and time to activate)
Timing and Sequence of CP Elements
(Figure: timing and sequence of CP elements)
Business Resumption Planning
• DR and BC combined
• Possibility for two locations
• Good template provided by NIST
  – http://fasp.nist.gov
Testing Contingency Plans
• All plans must be tested to identify vulnerabilities, faults and inefficient processes
• Five strategies that can be used to test plans are:
  1. Desk check
  2. Structured walk-through
  3. Simulation
  4. Parallel testing
  5. Full interruption
• Another important, often neglected aspect of training is cross-training
Contingency Planning: Final Thoughts
• Iteration results in improvement; a formal implementation of this is CPI (Continuous Process Improvement)
• Each time the organization rehearses its plans, it must learn and improve
• Each time an incident or a disaster occurs, the organization should review what went right and what went wrong
• Through ongoing evaluation and improvement an organization continually improves and strives for better outcomes
Conclusion
Contingency planning and its various components, BIA, IRP, DRP and BCP, play a critical role in preparing for, detecting, reacting to and recovering from events, both human and natural, that threaten the security of information resources and assets.
Questions
References
• NIST. Special Publication 800-34: Contingency Planning Guide for Information Technology Systems. June 2002. Accessed Feb. 13, 2008 from http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf