• Planning / Preparation
• Post-Incident assessment
• Incident closure
Often a period of time elapses between the start of the actual incident and the
moment that the organization is aware of it. This period of time is known as DWELL
TIME.
Typically, event visibility is achieved through the use of event log collection and
analysis tools (typically, a security information and event management system),
together with other tools that detect activities in networks and on servers and
endpoints.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
4. Security incident response plans should contain information about specific roles
and responsibilities to ensure that a security incident is handled properly.
Security incident response, business continuity, and disaster recovery all require
advance planning so that the organization will have discussed, documented, and
outlined the responses required for various types of incidents in advance of their
occurrence.
(REMEMBER that risk assessments are the foundation of planning for all three
disciplines, as it is necessary to discover relevant risks and to establish
priorities during response.)
NOTE: Planning for security incident response, business continuity, and disaster
recovery leads to the improvement of systems and processes.
What is a computer security incident? - an event that has a negative outcome with
respect to the confidentiality, integrity, or availability (CIA) of one or more
assets as the result of a deliberate attack or intentional malicious action on the
part of one or more users.
A security incident can also be thought of as any event that represents a violation
of an organization’s security policy.
• Reconnaissance - intruder researches and identifies targets and learns still more
about the selected target in order to choose a method of attack.
• Delivery - intruder creates a means by which the attack will be delivered to the
target system.
• Actions on objective - intruder proceeds with the attack plan, which may consist
of stealing data, damaging or destroying data, or disrupting the operations of one
or more systems.
=============
Must be supported by Policies | Standards | Procedures that are well documented -->
ONE SIZE FITS ONE !!!
The Information Security Manager plays a pivotal role in incident response, needs a
good understanding of BCDR processes to be effective, and must act as a bridge to
connect/link resources from other departments/areas of the organization as needed
as part of the response. (value delivery)
What are the elements that make up an Incident Response Plan (6)?
IRPs should be aligned with and based on a 6 phase approach to Incident Response:
Prepare
Identify
Contain
Eradicate
Recover
Lessons Learned
=============
Business Impact Analysis (BIA) - Used to determine what impact a disruptive event
would have on an organization.
Goals:
1. Determine Criticality
2. Estimate Maximum Downtime
3. Evaluate Internal and External Resource Requirements
Process Steps:
1. Gather requirements/information
2. Vulnerability assessment
3. Risk Analysis
Quantitative - ALE = SLE * ARO (annualized loss expectancy = single loss expectancy
x annualized rate of occurrence)
Qualitative
4. Communicate findings - Audience relevancy
Criticality Analysis (CA) - ONLY once all of the BIA information has been collected
and charted, can the criticality analysis (CA) be performed.
(it’s a special type of a risk analysis that focuses on key processes and systems)
NOTE: BIA --> CA ... NOT THE OTHER WAY AROUND !!!
NOTE: Make sure that any answers you select facilitate the BIA and then the CA
before moving on toward objectives and strategies.
============
Determining Downtime:
Maximum Tolerable Outage (MTO) - A measure of the maximum time that an organization
can tolerate operating in recovery (or alternate processing) mode.
This metric comes into play in situations where systems and processes in recovery
mode operate at a lower level of throughput, consistency, or integrity. MTO drives
the need to reestablish normal production operations within a specific period of
time.
Recovery Time Objective (RTO) - "The time that it takes to recover data and
applications" ---> A LITTLE TOO SIMPLE !!!
How about ... "The targeted duration of time within which a business process must
be restored after a disruption in order to avoid unacceptable consequences
associated with a break in business continuity"
Your RTO should be defined on a per application basis in order to prioritize the
recovery of certain applications, in advance of others, depending on their level of
criticality.
ALSO, KEEP IN MIND THAT ... RTO does not mean that the system (or process) has been
recovered to 100 percent of its former capacity. In an emergency situation,
management may determine that a DR server in another city with, say, 50 percent of
the capacity of the original server is adequate. An organization can establish two
RTO targets, one for partial capacity and one for full capacity.
Recovery Point Objective (RPO) - The point in time you can recover to in the event
of a disaster.
If you have an RPO of 4 hours on your critical applications then this means you
would lose 4 hours of data, as 4 hours ago is the last point in time to which you
can recover.
(The value of a system’s RPO is usually a direct result of the frequency of data
backup or replication)
Management may agree that a recovery site with reduced processing capacity is an
acceptable trade-off, given the relatively low likelihood that a failover to a
recovery site would occur.
Recovery Consistency Objective (RCO) - The consistency and integrity of processing
in a recovery system, as compared to the primary processing system.
Once these objectives are known, the disaster recovery (DR) team can begin to build
system recovery capabilities and procedures that will help the organization to
economically realize these targets.
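An added worked example (not part of these notes) that turns the RPO, the two RTO targets (partial and full capacity) and the MTO described above into checks against an actual outage timeline. The application name, objective values, replication times and recovery timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed, hypothetical per-application objectives (not from the notes).
# Two RTO targets per application, as the notes describe: partial and full capacity.
OBJECTIVES = {
    "order-entry": {"rpo": timedelta(hours=4),
                    "rto_partial": timedelta(hours=2),
                    "rto_full": timedelta(hours=24),
                    "mto": timedelta(days=7)},
}

def data_loss(backup_points, incident_at):
    """Achieved RPO: incident time minus the last backup/replication point
    completed before the incident. Points after the incident cannot be used."""
    usable = [p for p in backup_points if p <= incident_at]
    return incident_at - max(usable) if usable else None

def check_recovery(app, backup_points, incident_at, partial_up_at, full_up_at, normal_ops_at):
    """Compare what actually happened against the application's objectives.
    MTO is measured from entering recovery mode until normal operations resume."""
    obj = OBJECTIVES[app]
    loss = data_loss(backup_points, incident_at)
    return {
        "data_loss_hours": None if loss is None else loss.total_seconds() / 3600,
        "rpo_met": loss is not None and loss <= obj["rpo"],
        "rto_partial_met": partial_up_at - incident_at <= obj["rto_partial"],
        "rto_full_met": full_up_at - incident_at <= obj["rto_full"],
        "mto_met": normal_ops_at - partial_up_at <= obj["mto"],
    }

def run_sample():
    """Constructed timeline: replication every 4 hours, outage at 10:00,
    DR server at 50% capacity by 11:30, full capacity only 26 hours later."""
    d = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    backups = [d("2024-03-01 02:00"), d("2024-03-01 06:00"), d("2024-03-01 14:00")]
    return check_recovery("order-entry", backups,
                          incident_at=d("2024-03-01 10:00"),
                          partial_up_at=d("2024-03-01 11:30"),
                          full_up_at=d("2024-03-02 12:00"),
                          normal_ops_at=d("2024-03-05 00:00"))

if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

In the sample the 4-hour replication interval exactly meets the 4-hour RPO and the partial-capacity RTO is met, but the full-capacity RTO is missed, which is the kind of gap the BIA and criticality analysis are meant to surface before an incident.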
===============
The primary objective of BCP is to improve the chances that the organization will
survive a disruption without incurring costly or even fatal damage to its most
critical activities.
BCP vs DRP ? - BCP tends to be more strategic in nature and focus; DRP tends to be
more tactical. Regardless, the most important priority is ALWAYS people !!
BCP Policy - BCP should be an integral part of the IT control framework, not lie
outside of it.
BCP policy should include or cite specific controls that ensure that key activities
in the BCP life cycle are performed appropriately.
BCP policy should also define the scope of the BCP strategy. This means that the
specific business processes (or departments or divisions within an organization)
that are included in the BCP effort must be defined.
• Response documents - These are all the documents that describe the required
action of personnel when a disaster strikes, plus documents containing information
required by those same personnel. Examples of these documents include the
following:
• Test and review documents - This is the entire collection of documents related to
tests of all of the different types of business continuity plans, as well as
reviews and revisions to documents.
Redundancy
Alternative Routing
Diverse Routing
Long-Haul network diversity
Last-Mile circuit protection
Voice & Telephony recovery
Understand the differences between DAS | NAS | SAN for storage services
Keep in mind that the strategies used to recreate data and ensure availability are
linked to RPO & RTO !!!
RPO strategies:
RTO strategies:
Clustering (seconds)
Remote Replication (minutes)
Online Restore (hours)
Tape Restore (hours to days)
Know the difference between Fault Tolerance (FT) & High Availability (HA)
FT --> NO downtime
HA --> Variable downtime
Understand that insurance is a way to treat risk through transference or sharing,
and should be considered as part of the Incident Response Plan.
=================
Disaster Recovery Planning (DRP) - undertaken to reduce risks related to the onset
of disasters and other events.
DRP is mainly an IT function to ensure that key IT systems are available to support
critical business processes.
The groundwork for DRP begins in BCP activities such as the business impact
analysis, criticality analysis, establishment of recovery objectives, and testing.
The outputs from these activities are the key inputs to DRP:
• The business impact analysis and criticality analysis help to prioritize which
business processes (and, therefore, which IT systems) are the most important.
• Testing of DRP plans can be performed in coordination with tests of BCP plans to
more accurately simulate real disasters and disaster response.
Redundant Center (mirror site) - employed for applications that cannot accept any
downtime without negatively impacting the organization. The applications are split
between two geographically dispersed data centers and either load balanced between
the two centers or hot swapped between the two centers. The surviving data center
must have enough headroom to carry the full production load in either case.
Advantages of a redundant center:
a. Little or no downtime
b. Ease of maintenance
c. No recovery required
Hot Site - standby ready with all the technology and equipment necessary to run the
applications positioned there. The administrator will be able to effectively
restart an application in a hot site recovery without having to perform any bare
metal recovery of servers. If this is an internal solution, then often the
organization will run non-time sensitive processes there such as development or
test environments, which will be pushed aside for recovery of production when
needed. When employing this strategy, it is important that the two environments be
kept as close to identical as possible to avoid problems with O/S levels, hardware
differences, capacity differences, etc., from preventing or delaying recovery.
If this is an external hot site, the environment must be rebuilt for the recovery.
These are services contracted through a recovery service provider. Again, it is
important that the two environments be kept as close to identical as possible to
avoid problems with O/S levels, hardware differences, capacity differences, etc.,
from preventing or delaying recovery. Unique equipment or software would generally
need to be provided by the organization.
Warm Site - A facility that is partially configured with some data center support
infrastructure, such as HVAC, computers, etc. It will generally have all the
cooling, cabling, and networks in place to accommodate the recovery but the actual
servers, mainframe, etc., equipment are delivered to the site at time of disaster.
Cold Site - a shell or empty data center space with no technology on the floor. All
technology must be purchased or acquired at the time of disaster.
================
Understand the need to triage incidents to allow for prioritized response and
utilization of resources.
===================
The Information Security Manager is responsible for the plan and everything that
supports it and/or that it touches.
REMEMBER THE IMPORTANCE OF METRICS (KPI | KRI | KGI) & RESTORATION OBJECTIVES !!!
Test Disaster Recovery Plans (DRP) - Plans must be tested periodically (at a
minimum annually) in order to ensure alignment and relevancy to the organization.
===================
Audits are helpful to review the alignment of the IRP with all current policies,
standards & procedures.
Internal
External
==================
Event vs Incident
The IT Infrastructure Library (ITIL) defines an incident as “any event which is not
part of the standard operation of a service and which causes, or may cause, an
interruption to, or a reduction in, the quality of that service. The stated ITIL
objective is to restore normal operations as quickly as possible with the least
possible impact on either the business or the user, at a cost-effective price.”
Clear and formally defined lines of communication and notification requirements
need to be established, documented and communicated in advance of an incident.
Mission critical communication networks necessary for incident response should
also be identified in advance of an incident and prioritized as part of the BIA.
Containment vs Eradication
==================
Before a security professional can begin to identify evidence, the larger incident
scene needs to be dealt with. An incident scene is the environment in which
potential evidence may exist. The principles of criminalistics to apply are:
• Data acquisition
• Data extraction (this must be done in a way that proves the source of the
data and that it was not altered during the extraction process)
• Data protection