
EECS 711 Spring 2008, Chapter 3

Planning for Contingencies

EECS 711: Security Management and Audit

Philip Mein

"Prakash" Pallavur Sankaranaraynan

Annette Tetmeyer

Outline

• What is Contingency Planning?
• Components of Contingency Planning
• Business Impact Analysis
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
• Timing and Sequence of CP Elements
• Business Resumption Planning
• Testing Contingency Plans
• Contingency Planning: Final Thoughts


What is Contingency Planning?

• The overall process of preparing for unexpected events

• Prepare for, detect, react to, recover from these events

“many organization contingency plans are woefully inadequate…”

What is Contingency Planning?

(Diagram) The Information Technology and Information Security communities of interest prepare for, detect, react to and recover from unexpected events: environmental, human, natural.

Components of Contingency Planning

• Business Impact Analysis (BIA)
  – Determine critical business functions and information systems

• Incident Response Plan (IR)
  – Immediate response to an incident

• Disaster Recovery Plan (DR)
  – Focus on restoring operations at the primary site

• Business Continuity Plan (BC)
  – Enables business to continue at an alternate site
  – Occurs concurrently with DR Plan


Major Tasks


Developing the CP Plan

• Unified plan
  – Smaller organizations

• Four plans with interlocking procedures
  – Larger, complex organizations

• Should involve high level administrators and key personnel
  – CIO, CISO, IT and business managers, system administrators


CP Team Personnel

• Champion: provides strategic vision and access to organizational support

• Project Manager

• Team Members: from communities of interest


CP Process Elements

Required to begin the CP process

• Planning methodology

• Policy environment

• Understanding cause and effect of precursor activities

• Access to financial and other resources (budget)


Creating the CP Document

1. Develop the policy statement

2. Conduct the BIA

3. Identify preventive controls

4. Develop recovery strategies

5. Develop an IT contingency plan

6. Plan testing, training and exercises

7. Plan maintenance

Sample Policy

Business Impact Analysis

• Provides detailed scenarios of effects of potential attacks

• Risk management identifies attacks

• BIA assumes controls have failed


Risk Management

• Contingency planning and risk management are closely related

• Risks must be identified in order to establish the contingency plan


BIA Stages

• Threat Attack Identification and Prioritization

• Business Unit Analysis

• Attack Success Scenario Development

• Potential Damage Assessment

• Subordinate Plan Classification


Threat Attack Identification and Prioritization

• Update threat list and add an attack profile
  – Detailed description of activities that occur during an attack
  – Develop for every serious threat
    • Natural or man-made
    • Deliberate or accidental
  – Used later to provide indicators of attacks and extent of damage

Example Attack Profile Elements

Include:
• Date analyzed
• Attack name and description
• Threat and probable threat agents
• Vulnerabilities (known or possible)
• Precursor activities or indicators
• Likely attack activities or indicators of attack in progress
• Information assets at risk
• Damage or loss to information assets
• Other assets at risk and damage/loss to these assets
• Immediate actions indicated when the attack is underway
• Follow-up actions after this attack was successfully executed against systems
• Comments


Business Unit Analysis

• Analysis and prioritization of business functions

• Independently evaluate all departments, units, etc.

• Prioritize revenue producing functions


Attack Success Scenario Development

• What are the effects of the threat?

• Alternative outcomes to each
  – Best, worst, most likely

• What are the implications for all business functions?


Potential Damage Assessment

• Prepare attack scenario end case
  – What is the cost for the best, worst, most likely?

• Include cost estimates of time and effort


Subordinate Plan Classification

• Is the attack disastrous or not?

• Develop subordinate plans
  – Non-disastrous scenarios may be addressed as part of DR and BC plans


Incident Response Plan

“Things which you do not hope happen more frequently than things which you do hope.”

-- Plautus (c. 254–184 BCE), in Mostellaria, Act I, Scene 3, 40 (197)

Incident Response Plan

• Incident
  – An unexpected event
• IRP (Incident Response Plan)
  – Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets
• IR (Incident Response)
  – A set of procedures that commence when an incident is detected
    • Minimal damage
    • Little or no disruption to business operations
  – What it is not is prevention (reactive, not preventative)


IR Policy

• CP team develops the policy environment to authorize the creation of each of the planning components (IR, DR, BC)

• Defines the roles and responsibilities for the entire enterprise

• Defines the roles and responsibilities for the SIRT (Security Incident Response Team)

IR Policy cont.

• Computer Security Incident Handling Guide (NIST SP 800-61)
  – Statement of management commitment
  – Purpose and objectives of the policy
  – Scope of the policy
  – Definition of information security incidents and their consequences within the organization
  – Organizational structure and delineation of roles, responsibilities, and levels of authority
  – Prioritization or severity ratings of incidents
  – Performance measures
  – Reporting and contact forms


What is an InfoSec Incident

• It is directed against information assets

• It has a realistic chance of success

• It threatens the confidentiality, integrity, or availability of information resources and assets

IR Plan

• BIA provides data to develop IR plan
  – Information systems and the threats they face
• Stop the incident, mitigate its effects, and provide information for the recovery from the incident
• Three sets of incident procedures
  – Before an attack
    • Backup schedules
    • Training schedules
    • Testing plans
  – During an attack
    • Procedures and tasks to be performed during the incident
    • Minimize the effect of the attack (avoid disaster)
  – After an attack
    • Patches, updates
    • Interviews

Incident Detection

• Incident candidates
  – Possible indicators
    • Unfamiliar files, unknown processes, consumption of resources, unusual system crashes
  – Probable indicators
    • Activity at unexpected times, presence of new accounts, reported attacks, IDS
  – Definite indicators
    • Use of dormant accounts, changes to logs, presence of hacker tools, notification by peers, notification by hacker
  – Occurrences of actual incidents
    • Loss of availability, loss of integrity, loss of confidentiality, violation of policy, violation of law
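The four indicator tiers above can be turned into a simple triage rule: an incident candidate is escalated on the strongest single indicator seen for a host, and only definite indicators or actual loss open an incident. The following Python is an added example, not code from the lecture; the event records are constructed sample data, the event-type names are assumed labels, and the "declare on definite or above" policy is an assumption for illustration.

```python
"""Tiered triage of incident candidates (possible / probable / definite / actual).

Added example, not part of the original lecture. The tiers follow the
Incident Detection slide; the event-type names, the sample events and the
declaration policy are constructed assumptions.
"""
from dataclasses import dataclass

# Ordered from weakest to strongest evidence.
TIERS = ["none", "possible", "probable", "definite", "actual"]

# Assumed mapping from an event type to the slide's indicator tier.
INDICATOR_TIER = {
    "unfamiliar_file": "possible",
    "unknown_process": "possible",
    "resource_exhaustion": "possible",
    "unusual_crash": "possible",
    "off_hours_activity": "probable",
    "new_account": "probable",
    "reported_attack": "probable",
    "ids_alert": "probable",
    "dormant_account_use": "definite",
    "log_modification": "definite",
    "attack_tool_present": "definite",
    "peer_notification": "definite",
    "loss_of_availability": "actual",
    "loss_of_integrity": "actual",
    "loss_of_confidentiality": "actual",
    "policy_violation": "actual",
    "law_violation": "actual",
}


@dataclass(frozen=True)
class Event:
    host: str
    event_type: str
    detail: str


def classify(event: Event) -> str:
    """Tier of a single event; unknown event types are not indicators."""
    return INDICATOR_TIER.get(event.event_type, "none")


def triage(events):
    """Per host, the strongest tier seen and the events supporting it.

    A candidate is escalated on its strongest single indicator: a definite
    indicator is never "averaged down" by a pile of merely possible ones.
    """
    result = {}
    for ev in events:
        tier = classify(ev)
        entry = result.setdefault(ev.host, {"tier": "none", "evidence": []})
        if TIERS.index(tier) > TIERS.index(entry["tier"]):
            entry["tier"] = tier
        if tier != "none":
            entry["evidence"].append(f"{ev.event_type}: {ev.detail}")
    return result


def should_declare_incident(tier: str) -> bool:
    """Assumed policy: definite indicators or actual loss open an incident;
    possible and probable indicators remain candidates for further review."""
    return TIERS.index(tier) >= TIERS.index("definite")


def incidents_to_declare(events):
    """Hosts for which the IR procedures should be started."""
    return sorted(h for h, r in triage(events).items()
                  if should_declare_incident(r["tier"]))


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    Event("web01", "unfamiliar_file", "/tmp/.cache-x appeared, owner www-data"),
    Event("web01", "off_hours_activity", "admin login at 03:12 local time"),
    Event("db01", "dormant_account_use", "svc_legacy (unused 14 months) logged in"),
    Event("db01", "log_modification", "/var/log/auth.log truncated to 0 bytes"),
    Event("fs02", "scheduled_job", "nightly index rebuild"),  # not an indicator
    Event("fs02", "loss_of_availability", "SMB share unreachable for 25 min"),
]

if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS).items():
        print(host, r["tier"], "->", "declare" if should_declare_incident(r["tier"]) else "review")
```

With the sample data, web01 stays a candidate at the "probable" tier (review, no declaration), while db01 and fs02 are declared. Tuning happens in two places only: the event-type mapping and the declaration threshold, which keeps the triage rule auditable.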

• Actual incident reported by IDS

Incident Response

• Notification of Key Personnel
  – Alert roster (sequential or hierarchical)
• Documenting an Incident
  – Who, what, when, where, why, how (for each action)
• Incident Containment Strategies
  – Stopping the incident and recovering control
    • Disabling compromised accounts
    • Reconfiguring a firewall
    • Disabling the compromised process or service
    • Taking down the conduit application or server
    • Stopping all computers and network devices
  – Incident Escalation
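The difference between a sequential and a hierarchical alert roster is easiest to see by simulating both. The Python below is an added example, not the lecture's code: the seven-person roster, the three-minute call duration and the fallback rule (a caller inherits the contact list of anyone who does not answer) are constructed assumptions.

```python
"""Alert roster activation, sequential versus hierarchical, simulated.

Added example, not part of the original lecture. The roster, the call
duration and the non-answer fallback are constructed assumptions.
"""

CALL_MINUTES = 3

# Constructed hierarchical roster: each person phones the people listed under them.
ROSTER = {
    "CISO": ["IT-mgr", "Sec-mgr"],
    "IT-mgr": ["sysadmin-A", "sysadmin-B"],
    "Sec-mgr": ["analyst-A", "analyst-B"],
}
# The same people as a flat list for the sequential roster (called in this order).
ALL_STAFF = ["IT-mgr", "Sec-mgr", "sysadmin-A", "sysadmin-B", "analyst-A", "analyst-B"]


def sequential_roster(caller, names, call_minutes=CALL_MINUTES):
    """One person phones everyone in turn. Returns {name: minute reached}."""
    reached = {caller: 0}
    t = 0
    for name in names:
        t += call_minutes
        reached[name] = t
    return reached


def hierarchical_roster(tree, root, call_minutes=CALL_MINUTES, unavailable=frozenset()):
    """Each person, once reached, phones their own contacts in order.

    Calls fan out in parallel, so total time grows with the depth of the tree
    rather than the head count. A contact in `unavailable` never answers: the
    call still costs call_minutes and, as an assumed fallback, the caller
    inherits that contact's list so the branch is not silently lost.
    """
    reached = {root: 0}
    pending = [root]
    while pending:
        caller = pending.pop(0)
        t = reached[caller]
        to_call = list(tree.get(caller, []))
        while to_call:
            callee = to_call.pop(0)
            t += call_minutes
            if callee in reached:
                continue
            if callee in unavailable:
                to_call.extend(tree.get(callee, []))
                continue
            reached[callee] = t
            pending.append(callee)
    return reached


def full_notification_minutes(reached):
    """Minute at which the last person on the roster was reached."""
    return max(reached.values())


def not_reached(expected, reached):
    """Names that must be followed up by other means (personnel status check)."""
    return sorted(set(expected) - set(reached))


if __name__ == "__main__":
    seq = sequential_roster("CISO", ALL_STAFF)
    hier = hierarchical_roster(ROSTER, "CISO")
    degraded = hierarchical_roster(ROSTER, "CISO", unavailable={"IT-mgr"})
    print("sequential:", full_notification_minutes(seq), "min")
    print("hierarchical:", full_notification_minutes(hier), "min")
    print("hierarchical, IT-mgr unreachable:", full_notification_minutes(degraded),
          "min; follow up:", not_reached(["CISO"] + ALL_STAFF, degraded))
```

On this roster the sequential roster finishes at 18 minutes and the hierarchical one at 12; with the IT manager unreachable the fallback keeps the total at 12 minutes, and `not_reached` lists who still needs a status check.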

Incident Response cont.

• Incident Recovery
  – Incident damage assessment
    • Scope of C.I.A.
    • Individuals who document the damage must be trained to collect and preserve evidence
  – Recovery steps:
    • Identify vulnerabilities
    • Address the safeguards that failed to stop or limit the incident, or were missing
    • Evaluate monitoring capabilities
    • Restore data from backups
    • Restore the services and processes
    • Continuously monitor the system
    • Restore the confidence of the members of the organization
• Law Enforcement Involvement
  – FBI, US Secret Service, US Treasury Dept, SEC, local agencies


Disaster Recovery Plan

• Entails the preparation for and recovery from a disaster

• Responsibility of the IT community of interest, under the leadership of the CEO

• An incident becomes a disaster when
  – The organization is unable to contain or control the impact of an incident
  – The level of damage is so severe that the organization cannot recover from the incident


Disaster Recovery Plan

• The key role of a DR plan is to reestablish operations at the primary location


DR Planning Process

1. Develop the DR planning policy statement

2. Review the BIA

3. Identify preventive controls

4. Develop recovery strategies

5. Develop the DR plan document

6. Plan testing, training and exercises

7. Plan maintenance

DR Planning Policy Statement

• The DR team, led by the DR team lead, begins with the development of the DR policy
• The DR policy contains the following key elements:
  1. Purpose
  2. Scope
  3. Roles and responsibilities
  4. Resource requirements
  5. Training requirements
  6. Exercise and testing schedules
  7. Plan maintenance schedules
  8. Special considerations


Classification of disasters

• Natural disasters
  – Examples: Fire, flood, hurricane, tornado

• Man-made disasters
  – Examples: Cyber-terrorism

• Rapid-onset
  – Examples: Earthquakes, mud-flows

• Slow-onset
  – Examples: Famines, deforestation


Planning for disaster

• Key elements that the CP team must build into a DR plan include the following:

1. Delegation of roles and responsibilities

2. Execution of alert roster and notification of key personnel

3. Clear establishment of priorities

4. Procedures for documentation of disasters

5. Actions to mitigate the impact of disaster on the operations

6. Alternative implementations of various systems in case the primaries are unavailable


Options to protect information

• Traditional back-ups

• Electronic vaulting

• Remote journaling

• Database shadowing

Crisis Management

• Steps taken during and after a disaster that affect people internally and externally
• According to Gartner Research, crisis management involves the following activities:
  – Supporting personnel and their loved ones during the crisis
  – Determining the event's impact on normal business and making a disaster declaration if necessary
  – Keeping the public informed about the event and the steps being taken to ensure recovery of personnel and the enterprise
  – Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, media and other interested parties


Crisis Management

• The crisis management team is also charged with two key tasks:
  1. Verifying personnel status
  2. Activating the alert roster

• The most important role of crisis management is, in the event of a disaster, to tell the whole story as soon as possible, directly to the affected audience

Responding to disasters

• During disasters, even the most well-planned DR plans can be overwhelmed
• To be prepared, the CP team should incorporate a degree of flexibility
• If facilities are intact, the DR team should begin restoration of systems and services
• If facilities are destroyed, alternative actions must be taken until new facilities are available
• When the operations of the primary site are threatened, the disaster recovery process becomes a business continuity process


Business Continuity Plan

• Ensures that critical business functions can continue if a disaster occurs

• CEO should manage

• Activated and executed concurrently with DR plan
  – Business can no longer function at primary location
  – Use an alternate location


Business Continuity Plan

• Identify critical business functions and resources to support them

• Want to quickly re-establish these functions at alternate site


BC Planning Process

1. Develop the BC planning policy statement
   • Authority, guidance, executive vision

2. Review the BIA
   • Identify, prioritize critical IT systems

3. Identify preventive controls
   – Measures to reduce disruption, increase system availability

4. Develop relocation strategies
   – Critical systems must be recovered quickly


BC Planning Process

5. Develop the continuity plan
   • Include detailed guidelines and procedures

6. Plan testing, training, and exercises
   • Identify planning gaps, prepare personnel for improved effectiveness and preparedness

7. Plan maintenance
   • Living document, plan to update!


Develop the BC planning policy statement

• Authority, guidance, executive vision
• Provide:
  – Purpose
  – Scope
  – Roles and responsibilities
  – Resource requirements
  – Training requirements
  – Plan maintenance schedule
  – Special considerations


Plan Similarities

• Similar to other elements of the CP

• Processes are similar

• Implementation differs


Design Parameters

• Recovery Time Objective (RTO)
  – Amount of time that passes before an infrastructure is available

• Recovery Point Objective (RPO)
  – The point in the past to which the recovered applications and data will be restored
  – How much data loss?
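The RPO question "how much data loss?" is decided by which of the earlier "Options to protect information" is in use. The Python below is an added example, not the lecture's code, and serves both that slide and this one: it runs a constructed transaction stream against a periodic traditional backup and against remote journaling (entries shipped off-site with a short delay), then recovers from each and measures the data-loss window against an assumed 15-minute RPO. The timeline, backup interval, shipping delay and RPO target are all constructed assumptions.

```python
"""Recovery Point Objective (RPO) worked through for two protection options:
traditional periodic backups versus remote journaling.

Added example, not part of the original lecture. The transaction timeline,
backup interval, journal shipping delay and RPO target are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    t: int       # minute on a constructed timeline
    key: str
    value: str


# Constructed transaction stream at the primary site.
TXNS = [
    Txn(10, "order-1", "placed"),
    Txn(25, "order-2", "placed"),
    Txn(50, "order-1", "paid"),
    Txn(70, "order-3", "placed"),
    Txn(95, "order-2", "shipped"),
    Txn(110, "order-3", "paid"),
    Txn(119, "order-4", "placed"),   # written moments before the failure
]
BACKUP_INTERVAL = 60     # traditional backup every 60 minutes
SHIP_DELAY = 2           # minutes for a journal entry to reach the remote site
FAILURE_TIME = 120       # the primary site is lost at minute 120
RPO_MINUTES = 15         # assumed target: lose at most 15 minutes of data


def run_timeline(txns, backup_interval, ship_delay, failure_time):
    """Apply transactions until the failure.

    Returns (state at failure, backups, remote journal). `backups` is a list of
    (time, snapshot); a snapshot taken at time T holds every transaction with
    t < T. The remote journal holds only entries that arrived off-site before
    the failure, so the last `ship_delay` minutes of activity never make it.
    """
    state, backups, remote_journal = {}, [(0, {})], []
    next_backup = backup_interval
    for tx in sorted(txns, key=lambda x: x.t):
        if tx.t >= failure_time:
            break
        while next_backup <= tx.t:          # scheduled backups before this write
            backups.append((next_backup, dict(state)))
            next_backup += backup_interval
        state[tx.key] = tx.value
        if tx.t + ship_delay < failure_time:
            remote_journal.append(tx)
    while next_backup < failure_time:       # backups after the last write
        backups.append((next_backup, dict(state)))
        next_backup += backup_interval
    return state, backups, remote_journal


def recover_from_backup(backups):
    """Restore the newest backup. Returns (recovery point, state)."""
    t, snapshot = backups[-1]
    return t, dict(snapshot)


def recover_with_journal(backups, remote_journal):
    """Restore the newest backup, then replay journal entries newer than it."""
    point, state = recover_from_backup(backups)
    for tx in remote_journal:
        if tx.t >= point:
            state[tx.key] = tx.value
            point = max(point, tx.t)
    return point, state


def data_loss_minutes(recovery_point, failure_time):
    return failure_time - recovery_point


def rpo_met(recovery_point, failure_time, rpo_minutes):
    return data_loss_minutes(recovery_point, failure_time) <= rpo_minutes


def compare_strategies():
    """Run both recovery options on the constructed timeline."""
    live, backups, journal = run_timeline(TXNS, BACKUP_INTERVAL, SHIP_DELAY, FAILURE_TIME)
    report = {}
    for name, (point, state) in {
        "backup_only": recover_from_backup(backups),
        "remote_journaling": recover_with_journal(backups, journal),
    }.items():
        lost = {k: v for k, v in live.items() if state.get(k) != v}
        report[name] = {
            "recovery_point": point,
            "loss_minutes": data_loss_minutes(point, FAILURE_TIME),
            "rpo_met": rpo_met(point, FAILURE_TIME, RPO_MINUTES),
            "lost_records": lost,
        }
    return report


if __name__ == "__main__":
    for name, r in compare_strategies().items():
        print(name, r)
```

With hourly backups the recovery point is minute 60, a 60-minute loss window that misses the 15-minute RPO; remote journaling recovers to minute 110 (the newest entry that reached the remote site), so only the transaction written inside the shipping delay is lost. The achievable RPO of journaling is therefore bounded by the shipping delay, and the achievable RPO of backups by the backup interval.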

Continuity Strategies

• Exclusive-use options
  – Hot site
  – Warm site
  – Cold site
• Shared-use options
  – Timeshare
  – Service bureau
  – Mutual agreement
• Other
  – Rolling mobile site
  – Mirrored site

(Diagram axes: Cost, Time to activate)

Timing and Sequence of CP Elements

Business Resumption Planning

• DR and BC combined

• Possibility for two locations

• Good template provided by NIST– http://fasp.nist.gov

Testing Contingency Plans

• All plans must be tested to identify vulnerabilities, faults and inefficient processes
• Five strategies that can be used to test plans are:
  1. Desk check
  2. Structured walk-through
  3. Simulation
  4. Parallel testing
  5. Full interruption
• Another important, often neglected, aspect of training is cross-training


Contingency Planning: Final Thoughts

• Iteration results in improvement; a formal implementation of this is CPI (Continuous Process Improvement)

• Each time the organization rehearses its plans, it must learn and improve

• Each time an incident or a disaster occurs the organization should review what went right and what went wrong

• Through ongoing evaluation and improvement an organization continually improves and strives for better outcomes


Conclusion

Contingency planning and its various components (BIA, IRP, DRP and BCP) play a critical role in preparing for, detecting, reacting to and recovering from events, both human and natural, that threaten the security of information resources and assets.


Questions


References

• NIST. Special Publication 800-34: Contingency Planning Guide for Information Technology Systems. June 2002. Accessed Feb. 13, 2008 from http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf