Slide Deck – Session 10 – FRSecure CISSP Mentor Program 2017
Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
-
Upload
frsecure-llc -
Category
Education
-
view
465 -
download
0
Transcript of Slide Deck Class Session 11 – FRSecure CISSP Mentor Program
FRSecure 2016 CISSP Mentor Program
EVAN FRANCEN, PRESIDENT & CO -FOUNDER - FRSECURE
CLASS SESSION #11
CISSP Mentor Program Session #11Domain 5: Identity and Access Management - Review• Access Control Methodologies
• Access Control Models
We finished Domain 5.
Now for the Domain 5 Quiz…
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
1. What type of password cracking attack will always be successful?
a. Brute Force
b. Dictionary
c. Hybrid
d. Rainbow Table
A
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
2. What is the difference between password cracking and password guessing?
a. They are the same
b. Password guessing attempts to log into the system, password cracking attempts to determine a password used to create a hash
c. Password guessing uses salts, password cracking does not
d. Password cracking risks account lockout, password guessing does not
B
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
3. The most insidious part of Phishing and Spear Phishing attacks comes from which part of the attack anatomy?
a. Each Phishing and Spear Phishing attack is socially engineered to trick the user to provide information to the attacker.
b. Phishing and Spear Phishing attacks always have malicious code downloaded onto the user’s computer.
c. Phishing and Spear Phishing attacks are always poorly written.
d. Phishing and Spear Phishing attacks are rarely successful.
A
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
4. What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers and instructs all of these computers to perform actions all at once?
a. Flooding
b. Spamming
c. Phishing
d. Botnets
D
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
5. What are the main differences between retina scans and iris scans?
a. Retina scans are not invasive and iris scans are
b. Iris scans invade a person’s privacy and retina scans do not
c. Iris scans change depending on the person’s health, retina scans are stable
d. Retina scans change depending on the person’s health, iris scans are stable
D
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
6. What is the most important decision an organization needs to make when implementing RBAC?
a. Each user’s security clearance needs to be finalized
b. The roles users have on the system needs to be clearly defined
c. Users’ data needs to be clearly labeled
d. Users’ must be segregated from one another on the IT system to prevent spillage of sensitive data
B
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
7. What access control method weighs additional factors such as time of attempted access before granting access?
a. Content-dependent access control
b. Context-dependent access control
c. Role-based access control
d. Task-based access control
B
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
8. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?
a. Physical/Compensating
b. Physical/Detective
c. Physical/Deterrent
d. Physical/Preventive
C
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
9. A type II biometric is also known as what?
a. Crossover Error Rate (CER)
b. Equal Error Rate (EER)
c. False Accept Rate (FAR)
d. False Reject Rate (FRR)
C
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
10. Within Kerberos, which part is the single point of failure?
a. The Ticket Granting Ticket
b. The Realm
c. The Key Distribution Center
d. The Client-Server session key
C
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
11. What kind of test should be recommended?
a. Zero knowledge
b. Partial knowledge
c. Full knowledge
d. Vulnerability testing
C
Questions 11 and 12 are based on this scenario: Your company has hired a Third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are: (1) The tests will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation. (2) The company wants the most in depth test possible.
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
12. While conducting the penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?
a. Note the results in the penetration testing report
b. Immediately end the penetration test and call the CIO
c. Remove the malware
d. Shut the system down
B
Questions 11 and 12 are based on this scenario: Your company has hired a Third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are: (1) The tests will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation. (2) The company wants the most in depth test possible.
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
13. What group launches the most attacks?
a. Insiders
b. Oustiders
c. Hacktivists
d. Script kiddies
B
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
14. A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?
a. Least privilege
b. Need to know
c. Rotation of duties
d. Separation of duties
B
CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review
15. What technique would raise the False Accept Rate (FAR) and Lower the False Reject Rate (FRR) in a fingerprint scanning system?
a. Decrease the amount of minutiae that is verified
b. Increase the amount of minutiae that is verified
c. Lengthen the enrollment time
d. Lower the throughput time
A
CISSP Mentor Program Session #11Domain 6: Security Assessment and Testing - Review• Assessing Access Control
• Software Testing Methods
Domain 7: Security Assessment and Testing - Review• Administrative Security
• Forensics
We also finished Domain 6 and part of Domain 7!
CISSP Mentor Program Session #11Domain 7: Security Operations
Electronic Discovery (eDISCOVERY)• legal counsel gaining access to pertinent electronic information during
the pre-trial discovery phase of civil legal proceedings
• seeks ESI, or electronically stored information
• ESI does not need to be conveniently accessible or transferable
• Data Retention Policy (IMPORTANT)• Legal/Regulatory reasons?
• Business reasons?
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management• Every organization faces information security incidents• Regimented and tested methodology for identifying and responding to
incidents is critical• Computer Security Incident Response Team (CSIRT) is a term used for
the group that is tasked with monitoring, identifying, and responding to security incidents
• Overall goal of the incident response plan is to allow the organization to control the cost and damage associated with incidents, and to make the recovery of impacted systems quicker
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology
Different books and organizations may use different terms and phases associated with incident response; this section will mirror the terms associated with the examination.
Step 1 - Detection (what I can’t prevent, can I detect?)
• Events are analyzed in order to determine whether these events might comprise a security incident
• Emphasis on detective controls
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – MethodologyStep 2 - Containment (OK I’ve detected it, now what?)
• The point at which the incident response team attempts to keep further damage from occurring
• Might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident
• Typically where a binary (bit by bit) forensic backup is made of systems involved in the incident
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – MethodologyStep 3 - Eradication
• Involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase
• The cause of the incident must be determined BEFORE recovery
• Root cause analysis is key
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – MethodologyStep 4 - Recovery
• Involves restoring the system or systems to operational status
• Typically, the business unit responsible for the system will dictate when the system will go back online
• Close monitoring of the system after it is returned to production is necessary
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – MethodologyStep 5 - Reporting
• Most likely to be neglected in immature incident response programs
• If done right, this phase has the greatest potential to effect a positive change in security posture
• Goal is to provide a final report on the incident, which will be delivered to management
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology• NIST Special Publication 800-61r2: Computer Security Incident
Handling Guide (see: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
• 4 Step Lifecycle• Preparation
• Detection & Analysis
• Containment, Eradication, and Recovery
• Post-incident Activity
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology• Exam lists a 7-step lifecycle; book calls for 8-step (adding “Preparation):• 1. Preparation
• 2. Detection (aka Identification)
• 3. Response (aka Containment)
• 4. Mitigation (aka Eradication)
• 5. Reporting
• 6. Recovery
• 7. Remediation
• 8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting)
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology1. Preparation• training, writing incident response policies and procedures, providing tools
such as laptops with sniffing software, crossover cables, original OS media, removable drives, etc.
• Everything that you do to prepare for an incident• Policy and procedures• Incident handling checklist and other forms for tracking• Classification
• Impact
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology2. Detection (aka Identification)• What are all of the inputs into my incident response process?
• Events Incidents
3. Response (aka Containment)• Step-by-step, depending upon classification & severity
• Forensic response? Protection of evidence, while containing damage
• Start root cause analysis
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology4. Mitigation (aka Eradication)• Root cause analysis completed (mostly/hopefully)
• Get rid of the bad things
5. Reporting• Actually not really a step (happens throughout)
• More formal here; include incident responders (technical and non-technical)
CISSP Mentor Program Session #11Domain 7: Security Operations
Incident Response Management – Methodology6. Recovery• Restore systems and operations
• Increase monitoring
7. Remediation – broader in context
8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting) – there’s always lessons
CISSP Mentor Program Session #11Domain 7: Security Operations
Operational Preventive And Detective Controls• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems
(IPS)
• True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts• True Negative: User surfs the Web to an allowed site, and NIDS is silent
• False Positive: User surfs the Web to an allowed site, and NIDS alerts
• False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent
CISSP Mentor Program Session #11Domain 7: Security Operations
Operational Preventive And Detective Controls• NIDS, NIPS, HIDS, and HIPS
CISSP Mentor Program Session #11Domain 7: Security Operations
Operational Preventive And Detective Controls• NIDS, NIPS, HIDS, and HIPS (detection types)• Pattern Matching
• Protocol Behavior
• Anomaly Detection
• Security Information and Event Management
• Continuous Monitoring
• Data Loss Prevention (network & host)
CISSP Mentor Program Session #11Domain 7: Security Operations
Operational Preventive And Detective ControlsEndpoint Security
• HIDS/HIPS
• Antivirus
• Application Whitelisting
• Removable Media Controls
• Disk Encryption
• Privileged Access
CISSP Mentor Program Session #11Domain 7: Security Operations
Operational Preventive And Detective ControlsEndpoint Security
• HIDS/HIPS
• Antivirus
• Application Whitelisting
• Removable Media Controls
• Disk Encryption
• Privileged Access
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.• Hardened baseline configurations• Center for Internet Security (see: http://www.cisecurity.org/) • Disabling unnecessary services, removing extraneous programs,
enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems, and the configuration of security and audit logs
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)Baselining
• The process of capturing a point in time understanding of the current system security configuration
• Helpful in responding to a potential security incident
• Continual baselining is important
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)Patch Management• The process of managing software updates• All software has flaws that are not fully addressed in advance of being
released• Software vendors announce patches both publicly and directly to their
customers• Once notified of a patch, organizations need to evaluate the patch from
a risk management perspective to determine how aggressively the patch will need to be deployed.
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)Vulnerability Management
• Vulnerability scanning is a way to discover poor configurations and missing patches in an environment
• Vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information
• Prioritization and remediation of the vulnerabilities
CISSP Mentor Program Session #11Domain 7: Security Operations
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)Vulnerability Management
Section 12.6 of the ISO/IEC 27002:2013 provides guidance on technical vulnerability management. A vulnerability management process should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. Vulnerability management starts with asset management, the information required to support systems technically includes tracking operating system software, version numbers, lists of software installed, and the person or persons responsible for maintaining the systems. Additionally, the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required thereof.
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)Vulnerability Management
Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken - such action could involve the patching of vulnerable systems and/or applying other controls. Depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management or by following information security incident response procedures. Critical-risk and high-risk systems should be addressed first. Patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered. The technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency.
CISSP Mentor Program Session #11Domain 7: Security Operations
Asset Management (Configuration Management)Zero-Day Vulnerabilities and Zero-Day Exploits• The average window of time between a patch being released and an
associated exploit being made public is decreasing• Recent research even suggests that for some vulnerabilities, an exploit can be
created within minutes based simply on the availability of the unpatched and patched program
• The term for a vulnerability being known before the existence of a patch (or workaround) is zero day vulnerability.
• A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability which has yet to be patched
CISSP Mentor Program Session #11Domain 7: Security Operations
Change Management• A system that does not change will become less secure over time• Not an exact science, every organization will be a little different• The general flow of the change management process includes:• Identifying a change• Proposing a change• Assessing the risk associated with the change• Testing the change (backout plan)• Scheduling the change• Notifying impacted parties of the change• Implementing the change• Reporting results of the change implementation
• Changes must be closely tracked and auditable
CISSP Mentor Program Session #11Domain 7: Security Operations
Continuity of OperationsService Level Agreements (SLA)• Critical where organizations have external entities perform critical services or
host significant assets and applications• Goal is to stipulate all expectations regarding the behavior of the department
or organization that is responsible for providing services and the quality of the services provided
• Availability is usually the most critical security consideration of a service level agreement
• Organizations must negotiate all security terms of a service level agreement prior to engaging with the company
• Cloud computing
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault ToleranceBackup
• Recoverability in the event of a failure
• Magnetic tape media is old technology, but still is the most common repository of backup data
• Three basic types of backups exist: full backup; the incremental backup; and the differential backup
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault ToleranceBackup
• Full backup - a replica of all allocated data on a hard disk• The most costly in terms of media and time to backup
• Often coupled with either incremental or differential backups to balance the time and media considerations
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault ToleranceBackup• Incremental backup - only archive files that have changed since the last
backup of any kind was performed• The most recent full backup and each and every incremental backup since the full
backup is required to initiate a recovery
• Time to perform each incremental backup is extremely short; however, the downside is that a full restore can require many tapes, especially if full backups are performed less frequently
• The odds of a failed restoration due to a tape integrity issue (such as broken tape) rise with each additional tape required
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault ToleranceBackup
• Differential - will back up any files that have been changed since the last full backup• Only the most recent full backup and most recent differential backup are required
to initiate a full recovery
• As more time passes since the last full backup the length of time to perform a differential backup will also increase
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault ToleranceRedundant Array of Inexpensive Disks (RAID)
• Mitigates the risk associated with hard disk failures
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)Three terms that are important to understand with respect to RAID are: mirroring; striping; and parity• Mirroring - used to achieve full data redundancy by writing the same data to multiple
hard disks• Write times are slower• Read times are faster• Most costly in terms of disk usage - at least half of the drives are used for redundancy
• Striping - increased the read and write performance by spreading data across multiple hard disks• Reads and writes can be performed in parallel across multiple disks rather than serially on one disk• Parallelization provides a performance increase, and does not aid in data redundancy
• Parity - achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
RAID 0: Striped Set
• Striping to increase the performance of read and writes
• No data redundancy - poor choice if recovery of data is the reason for leveraging RAID
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
RAID 1: Mirrored Set
• Creates/writes an exact duplicate of all data to an additional disk
• Write performance is decreased
• Read performance can increase
• Highest disk cost
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)RAID 2: Hamming Code
• Not considered commercially viable for hard disks and is not used
• Requires either 14 or 39 hard disks and a specially designed hardware controller
• Cost prohibitive
• RAID 2 is not likely to be tested
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)RAID 3: Striped Set with Dedicated Parity (byte level)• Data, at the byte level, is striped across multiple disks• An additional disk is leveraged for storage of parity information, which
is used for recovery in the event of a failureRAID 4: Striped Set with Dedicated Parity (block level)• Exact same configuration and functionality as that of RAID 3, but
stripes data at the block, rather than byte, level• Employs a dedicated parity drive rather than having parity data
distributed amongst all disks, as in RAID 5
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)
RAID 5: Striped Set with Distributed Parity
• One of the most popular RAID configurations
• Striped Set with Distributed Parity
• Leverages a block level striping
• Writes parity information that is used for recovery purposes
• Distributes the parity information across multiple disks
• Disk cost for redundancy is lower than that of a Mirrored set
• Support for both hardware and software based implementations
• Allows for data recovery in the event that any one disk fails
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)RAID 6: Striped Set with Dual Distributed Parity• Can allow for the failure of two drives and still function• Redundancy is achieved by writing the same parity information to two different disksRAID 1+0 or RAID 10• Example of what is known as nested RAID or multi-RAID (one standard RAID level is
encapsulated within another)• Configuration is a striped set of mirrors
NOTE: There are many and varied RAID configurations which are simply combinations of the standard RAID levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that require a high degree of both reliability and speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and (1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100, respectively.
CISSP Mentor Program Session #11Domain 7: Security Operations
Fault Tolerance - System RedundancyRedundant Hardware• Built-in redundancy (power supplies, disk controllers, and NICs are most
common)• An inventory of spare modules to service the entire datacenter's servers
would be less expensive than having all servers configured with an installed redundant power supply
Redundant Systems• Entire systems available in inventory to serve as a means to recover• Have an SLA with hardware manufacturers to be able to quickly procure
replacement equipment in a timely fashion
CISSP Mentor Program Session #11Domain 7: Security Operations
BCP and DRP Overview and Process (used to be Domain by itself)Unique terms and definitions
• Business Continuity Plan (BCP)—a long-term plan to ensure the continuity of business operations
• Continuity of Operations Plan (COOP)—a plan to maintain operations during a disaster.
• Disaster—any disruptive event that interrupts normal system operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover from a disruptive event
• Mean Time Between Failures (MTBF)—quantifies how long a new or repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to recover a failed system.
CISSP Mentor Program Session #11Domain 7: Security Operations
BCP and DRP Overview and ProcessBusiness Continuity Planning and Disaster Recovery Planning are two very distinct disciplines
Business Continuity Planning (BCP)• Goal of a BCP is for ensuring that the business will continue to operate
before, throughout, and after a disaster event is experienced• Focus of a BCP is on the business as a whole• Business Continuity Planning provides a long-term strategy• Takes into account items such as people, vital records, and processes in
addition to critical systems
CISSP Mentor Program Session #11Domain 7: Security Operations
BCP and DRP Overview and ProcessBusiness Continuity Planning and Disaster Recovery Planning are two very distinct disciplines
Disaster Recovery Planning (DRP)
• Disaster Recovery Plan is more tactical in its approach
• Short-term plan for dealing with specific IT-oriented disruptions
• Provides a means for immediate response to disasters
• Does not focus on long-term business impact
CISSP Mentor Program Session #11Domain 7: Security Operations
BCP and DRP Overview and ProcessBusiness Continuity Planning and Disaster Recovery Planning are two very distinct disciplinesRelationship between BCP and DRP• Business Continuity Plan is an umbrella plan that includes multiple specific
plans, most importantly the Disaster Recovery Plan• Two plans, which have different scopes, are intertwined• Disaster Recovery Plan serves as a subset of the overall Business Continuity
Plan• NIST Special Publication 800-34, provides a visual means for understanding
the interrelatedness of a BCP and a DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.
CISSP Mentor Program Session #11Domain 7: Security Operations
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsClassifications of disasters• Three common ways of categorizing the causes for disasters are as to whether the threat agent is
natural, human, or environmental in nature• Natural—the most obvious type of threat that can result in a disaster are naturally occurring. This category includes
such threats as earthquakes, hurricanes, tornadoes, floods, and some types of fires (closely related to geographical location)
• Human—the human category of threats represents the most common source of disasters. Human threats can be further classified as to whether they constitute an intentional or unintentional threat
• Examples of human-intentional threats include terrorists, malware, rogue insider, Denial of Service, hacktivism, phishing, social engineering, etc.
• Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person through lack of knowledge, laziness, or carelessness served as a source of disruption
• Environmental—focused on environment as it pertains to the information systems or datacenter. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, application or software flaws
• Analysis of threats and associated likelihoods is an important part of the BCP and DRP process
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive Events
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsErrors and omissions• Typically considered the single most common source of disruptive events• Threat is inadvertently caused by humans, most often in the employ of the
organization, who unintentionally serve as a source of harm• Data entry mistakes are an example of errors and omissionsNatural Disasters• Include earthquakes, hurricanes, floods, tsunamis, etc.• Likelihood of natural threats occurring is largely based upon the geographical location
of the organization's information systems or datacenters• Generally have a rather low likelihood of occurring• Impact can be severe
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsElectrical or power Problems• Much more common than natural disasters• Considered an environmental disaster• Uninterruptible power supplies (UPS) and/or backup generatorsTemperature and Humidity Failures• Critical controls that must be managed during a disaster• Increased server density can provide for significant heat issues• Mean Time Between Failures (MTBF) for electrical equipment will decrease if
temperature and humidity levels are not within an tolerable range.
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsWarfare, terrorism, and sabotage• Human-intentional threats• Threat can vary dramatically based on geographic location, industry, brand
value, as well as the interrelatedness with other high-value target organizations
• Cyber-warfare• “Aurora” attacks (named after the word “Aurora,” which was found in a
sample of malware used in the attacks). As the New York Times reported on 2/18/2010: “A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.”
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsFinancially-motivated Attackers• Exfiltration of cardholder data, identity theft, pump-and-dump stock
schemes, bogus anti-malware tools, or corporate espionage, etc.• Organized crime syndicatesPersonnel Shortages• Another significant source of disruption can come by means of having staff
unavailable• Most organizations will have some critical processes that are people-
dependent
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsPersonnel Shortages• Pandemics and Disease• Major biological problems such as pandemic flu or highly communicable infectious disease
outbreaks• A pandemic occurs when an infection spreads through an extremely large geographical area, while
an epidemic is more localized
• Strikes• Strikes usually are carried out in such a manner that the organization can plan for the occurrence• Most strikes are announced and planned in advance, which provides the organization with some
lead time
• Personnel Availability• Sudden separation from employment of a critical member of the workforce
CISSP Mentor Program Session #11Domain 7: Security Operations
Disasters or Disruptive EventsCommunications Failure• Increasing dependence of organizations on call centers, IP telephony, general
Internet access, and providing services via the Internet• One of the most common disaster-causing events is telecommunications lines
being inadvertently cut by someone digging where they are not supposed to
NOTE: One of the eye-opening impacts of Hurricane Katrina was a rather significant outage of Internet2, which provides high-speed connectivity for education and research networks. Qwest, which provides the infrastructure for Internet2, suffered an outage in one of the major long-haul links that ran from Atlanta to Houston. Reportedly, the outage was due to lack of availability of fuel in the area. In addition to this outage, which impacted more than just those areas directly affected by the hurricane, there were substantial outages throughout Mississippi, which at its peak had more than a third of its public address space rendered unreachable.
CISSP Mentor Program Session #11Domain 7: Security Operations
The Disaster Recovery ProcessThe general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster.• Different organizations and experts alike might disagree about the
number or names of phases in the process• Personnel safety remains the top priority
CISSP Mentor Program Session #11Domain 7: Security Operations
The Disaster Recovery ProcessRespond• Initial response begins the process of assessing the damage• Speed is essential (initial assessment)• The initial assessment will determine if the event in question constitutes a
disaster• The initial response team should be mindful of assessing the facility's safety
for continued personnel usageActivate TeamIf during the initial response to a disruptive event a disaster is declared, then the team that will be responsible for recovery needs to be activated.
CISSP Mentor Program Session #11Domain 7: Security Operations
The Disaster Recovery ProcessCommunicate• Ensure that consistent timely status updates are communicated back to the central
team managing the response and recovery process• Communication often must occur out-of-band• The organization must also be prepared to provide external communicationsAssess• More detailed and thorough assessment• Assess the extent of the damage and determine the proper steps to ensure the
organization's ability to meet its mission and Maximum Tolerable Downtime (MTD)• Team could recommend that the ultimate restoration or reconstitution occurs at the
alternate site
CISSP Mentor Program Session #11Domain 7: Security Operations
The Disaster Recovery ProcessReconstitution
• Successfully recover critical business operations either at primary or secondary site
• If an alternate site is leveraged, adequate safety and security controls must be in place in order to maintain the expected degree of security the organization typically employs
• A salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster
CISSP Mentor Program Session #11Domain 7: Security Operations
Developing a BCP/DRP• High-level steps, according to NIST 800-34:• Project Initiation• Scope the Project• Business Impact Analysis• Identify Preventive Controls• Recovery Strategy• Plan Design and Development• Implementation, Training, and Testing• BCP/DRP Maintenance
• NIST 800-34 is the National Institute of Standards and Technologies Information Technology Contingency Planning Guide, which can be found at http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.
CISSP Mentor Program Session #11Domain 7: Security Operations
Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones:• 1. Develop the contingency planning policy statement: A formal department
or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
• 2. Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
• 3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
CISSP Mentor Program Session #11Domain 7: Security Operations
Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones:• 4. Develop recovery strategies: Thorough recovery strategies ensure that the
system may be recovered quickly and effectively following a disruption.• 5. Develop an IT contingency plan: The contingency plan should contain
detailed guidance and procedures for restoring a damaged system.• 6. Plan testing, training, and exercises: Testing the plan identifies planning
gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
• 7. Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.
CISSP Mentor Program Session #11Domain 7: Security Operations
Management Support“C”-level managers:• Must agree to any plan set forth• Must agree to support the action items listed in the plan if an emergency
event occurs• Refers to people within an organization like the chief executive officer (CEO),
the chief operating officer (COO), the chief information officer (CIO), and the chief financial officer (CFO)
• Have enough power and authority to speak for the entire organization when dealing with outside media
• High enough within the organization to commit resources
CISSP Mentor Program Session #11Domain 7: Security Operations
Other RolesBCP/DRP Project Manager• Key Point of Contact for ensuring that a BCP/DRP is completed and routinely
tested• Must be a good manager and leader in case there is an event that causes the
BCP or DRP to be implemented• Point of Contact (POC) for every person within the organization during a crisis• Must be very organized• Credibility and enough authority within the organization to make important,
critical decisions with regard to implementing the BCP/DRP• Does not need to have in-depth technical skills
CISSP Mentor Program Session #11Domain 7: Security Operations
Other RolesContinuity Planning Project Team (CPPT)• Comprises those personnel that will have responsibilities if/when an
emergency occurs• Comprised of stakeholders within an organization• Focuses on identifying who needs to play a role if a specific emergency event
were to occur• Includes people from the human resources section, public relations (PR), IT
staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions
CISSP Mentor Program Session #11Domain 7: Security Operations
Scoping the Project• Define exactly what assets are protected by the plan, which emergency
events the plan will be able to address, and determining the resources necessary to completely create and implement the plan
• “What is in and out of scope for this plan?”
• After receiving C-level approval and input from the rest of the organization, objectives and deliverables can be determined
CISSP Mentor Program Session #11Domain 7: Security Operations
Scoping the Project• Objectives are usually created as “if/then” statements• For example, “If there is a hurricane, then the organization will enact plan H—the Physical
Relocation and Employee Safety Plan.” Plan H is unique to the organization but it does encompass all the BCP/DRP subplans required
• An objective would be to create this plan and have it reviewed by all members of the organization by a specific date.
• The objective will have a number of deliverables required to create and fully vet this plan: for example, draft documents, exercise planning meetings, table top preliminary exercises, etc.
• Executive management must at least ensure that support is given for three BCP/DRP items:• 1. Executive management support is needed for initiating the plan.• 2. Executive management support is needed for final approval of the plan.• 3. Executive management must demonstrate due care and due diligence and be held liable under
applicable laws/regulations.
CISSP Mentor Program Session #11Domain 7: Security Operations
Assessing the Critical State• Assessing the critical state can be difficult
because determining which pieces of the IT infrastructure are critical depends solely on the how it supports the users within the organization.
• When compiling the critical state and asset list associated with it, the BCP/DRP project manager should note how the assets impact the organization in a section called the “Business Impact” section.
CISSP Mentor Program Session #11Domain 7: Security Operations
Conduct Business Impact Analysis (BIA)• Formal method for determining how a disruption to the IT system(s) of an
organization will impact the organization• An analysis to identify and prioritize critical IT systems and components• Enables the BCP/DRP project manager to fully characterize the IT contingency
requirements and priorities• Objective is to correlate the IT system components with the critical service it
supports• Also aims to quantify the consequence of a disruption to the system component and
how that will affect the organization• Determine the Maximum Tolerable Downtime (MTD) for a specific IT asset• Also provides information to improve business processes and efficiencies because it
details all of the organization's policies and implementation efforts
The BIA is comprised of two processes; Identification of critical assets and a comprehensive risk assessment.
CISSP Mentor Program Session #11Domain 7: Security Operations
Conduct Business Impact Analysis (BIA)Identify Critical Assets• BIA and Critical State Asset List is conducted for every IT system within the
organization, no matter how trivial or unimportant, leading to…• A list of those IT assets that are deemed business-essential by the
organizationConduct BCP/DRP-focused Risk Assessment• Determines what risks are inherent to which IT assets• A vulnerability analysis is also conducted for each IT system and major
application
CISSP Mentor Program Session #11Domain 7: Security Operations
Conduct Business Impact Analysis (BIA)
CISSP Mentor Program Session #11Domain 7: Security Operations
Determine Maximum Tolerable Downtime• Describes the total time a system can be inoperable before an organization is
severely impacted• It is also the maximum time it takes to execute the reconstitution phase• Comprised of two metrics; Recovery Time Objective (RTO) and the Work
Recovery Time (WRT)Alternate terms for MTD• Depending on the business continuity framework that is used, other terms
may be substituted for Maximum Tolerable Downtime. These include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO).
CISSP Mentor Program Session #11Domain 7: Security Operations
Failure and Recovery Metrics• Used to quantify how frequently systems fail, how long a system may
exist in a failed state, and the maximum time to recover from failure.
• These metrics include the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR).
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery Point Objective• The amount of data loss or system inaccessibility (measured in time)
that an organization can withstand.• “If you perform weekly backups, someone made a decision that your
company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, you have lost the entire week's worth of data. This is the recovery point objective. In this case, the RPO is 1 week.”
• RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery Time Objective (RTO) and Work Recovery Time (WRT)• Recovery Time Objective (RTO) describes the maximum time allowed
to recover business or IT systems• RTO is also called the systems recovery time. One part of Maximum
Tolerable Downtime: once the system is physically running, it must be configured.
• Work Recovery Time (WRT) describes the time required to configure a recovered system.
• “Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.”
CISSP Mentor Program Session #11Domain 7: Security Operations
Mean Time Between Failures• Quantifies how long a new or repaired system will run before failing• Typically generated by a component vendor and is largely applicable to
hardware as opposed to applications and software.• A vendor selling LCD computer monitors may run 100 monitors 24 hours a
day for 2 weeks and observe just one monitor failure. The vendor then extrapolates the following:
100 LCD Monitors x 14 days x 24 hours/day = 1 failure/33,600 hours
• The BCP/DRP team determines the correct amount of expected failures within the IT system during a course of time.
• Calculating the MTBF becomes less reliant when an organization uses fewer and fewer hardware assets.
CISSP Mentor Program Session #11Domain 7: Security Operations
Mean Time to Repair (MTTR)• Describes how long it will take to recover a specific failed system• Best estimate for reconstituting the IT system so that business continuity may
occurMinimum Operating Requirements• Describes the minimum environmental and connectivity requirements in
order to operate computer equipment• Important to determine and document for each IT-critical asset because, in
the event of a disruptive event or disaster, proper analysis can be conducted quickly to determine if the IT assets will be able to function in the emergency environment
CISSP Mentor Program Session #11Domain 7: Security Operations
Identify Preventive Controls• Preventive controls prevent disruptive events from having an impact• The BIA will identify some risks which may be mitigated immediatelyRecovery Strategy• Once the BIA is complete, the BCP team knows the Maximum Tolerable
Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, are used to determine the recovery strategy.
• Always maintain technical, physical, and administrative controls when using any recovery option
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery Strategy
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery StrategySupply Chain Management• In an age of “just in time” shipment of goods, organizations may fail to acquire
adequate replacement computers.• Some computer manufactures offer guaranteed replacement insurance for a specific
range of disasters. The insurance is priced per server, and includes a service level agreement that specifies the replacement time. All forms of relevant insurance should be analyzed by the BCP team.
Telecommunication Management• Ensures the availability of electronic communications during a disaster• Often one of the first processes to fail during a disaster• Wired circuits such as T1s, T3s, frame relay, etc., need to be specifically addressed• Power can be provided by generator if necessary.
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery StrategyUtility Management• Utility management addresses the availability of utilities such as power,
water, gas, etc. during a disaster• The utility management plan should address all utilities required by business
operations, including power, heating, cooling, and water.• Specific sections should address the unavailability of any required utility.Recovery options• Once an organization has determined its maximum tolerable downtime, the
choice of recovery options can be determined. For example, a 10-day MTD indicates that a cold site may be a reasonable option. An MTD of a few hours indicates that a redundant site or hot site is a potential option.
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery OptionsRedundant Site• A redundant site is an exact production duplicate of a system that has the capability to seamlessly
operate all necessary IT operations without loss of services to the end user of the system.• A redundant site receives data backups in real time so that in the event of a disaster, the users of the
system have no loss of data.• The most expensive recovery optionHot Site• A hot site is a location that an organization may relocate to following a major disruption or disaster.• It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured
computers.• Will have all necessary hardware and critical applications data mirrored in real time.• A hot site will have the capability to allow the organization to resume critical operations within a
very short period of time—sometimes in less than an hour.• Has all the same physical, technical, and administrative controls implemented of the production site.
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery OptionsWarm Site• Has some aspects of a hot site, for example, readily-accessible hardware and connectivity, but it will have
to rely upon backup data in order to reconstitute a system after a disruption.• It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.• MTD of at least 1-3 days• The longer the MTD is, the less expensive the recovery solution will be.Cold Site• The least expensive recovery solution to implement.• Does not include backup copies of data, nor does it contain any immediately available hardware.• Longest amount of time of all recovery solutions to implement and restore critical IT services for the
organization• MTD—usually measured in weeks, not days.• Typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that.
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery OptionsReciprocal Agreement• A bi-directional agreement between two organizations in which one organization
promises another organization that it can move in and share space if it experiences a disaster.
• Documented in the form of a contract• Also referred to as Mutual Aid Agreements (MAAs)Mobile Site• “datacenters on wheels”: towable trailers that contain racks of computer equipment,
as well as HVAC, fire suppression and physical security.• A good fit for disasters such as a datacenter flood• Typically placed within the physical property lines, and are protected by defenses
such as fences, gates, and security cameras
CISSP Mentor Program Session #11Domain 7: Security Operations
Recovery OptionsSubscription Services• Some organizations outsource their BCP/DRP planning and/or
implementation by paying another company to perform those services.
• Effectively transfers the risk to the insurer company.• Based upon a simple insurance model, and companies such as
IBM have built profit models and offer services for customers offering BCP/DRP insurance.
CISSP Mentor Program Session #11Domain 7: Security Operations
Related PlansThe Business Continuity Plan is an umbrella plan that contains others plans:• Disaster recovery plan• Continuity of Operations Plan (COOP)• Business Resumption/Recovery Plan (BRP)• Continuity of Support Plan• Cyber Incident Response Plan• Occupant Emergency Plan (OEP)• Crisis Management Plan (CMP)
CISSP Mentor Program Session #11Domain 7: Security Operations
Related Plans
CISSP Mentor Program Session #11Domain 7: Security Operations
Related PlansContinuity of Operations Plan (COOP)• Describes the procedures required to maintain operations during a disaster• Includes transfer of personnel to an alternate disaster recovery site, and operations of that
site.Business Recovery Plan (BRP)• Also known as the Business Resumption Plan• Details the steps required to restore normal business operations after recovering from a
disruptive event• May include switching operations from an alternate site back to a (repaired) primary site.• Picks up when the COOP is complete• Narrow and focused: the BRP is sometimes included as an appendix to the Business Continuity
Plan
CISSP Mentor Program Session #11Domain 7: Security Operations
Related PlansContinuity of Support Plan• Focuses narrowly on support of specific IT systems and applications• Also called the IT Contingency Plan, emphasizing IT over general business supportCyber Incident Response Plan• Designed to respond to disruptive cyber events, including network-based attacks, worms, computer
viruses, Trojan horses, etc.Occupant Emergency Plan (OEP)• Provides the “response procedures for occupants of a facility in the event of a situation posing a potential
threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency.”
• Facilities-focused, as opposed to business or IT-focused.• Focused on safety and evacuation, and should describe specific safety drills, including evacuation drills
(also known as fire drills)• Specific safety roles should be described, including safety warden and meeting point leader
CISSP Mentor Program Session #11Domain 7: Security Operations
Related PlansCrisis Management Plan (CMP)• Designed to provide coordination among the managers of the
organization in the event of an emergency or disruptive event• Details the actions management must take to ensure that life and
safety of personnel and property are immediately protected in case of a disaster
• Crisis Communications Plan• Component of the Crisis Management Plan• Sometimes called the communications plan• A plan for communicating to staff and the public in the event of a disruptive event
CISSP Mentor Program Session #11Domain 7: Security Operations
Related Plans• Crisis Communications Plan• Call Trees
• Is used to quickly communicate news throughout an organization without overburdening any specific person
• Works by assigning each employee a small number of other employees they are responsible for calling in an emergency event
• Most effective when there is two-way reporting of successful communication
• Should contain alternate contact methods, in case the primary methods are unavailable
CISSP Mentor Program Session #11Domain 7: Security Operations
Calling Tree
CISSP Mentor Program Session #11Domain 7: Security Operations
Related Plans• Crisis Communications Plan• Automated Call Trees
• Automatically contact all BCP/DRP team members after a disruptive event
• Tree can be activated by an authorized member, triggered by a phone call, email, or Web transaction
• Once triggered, all BCP/DRP members are automatically contacted
• Can require positive verification of receipt of a message, such as “press 1 to acknowledge receipt.”
• Automated call trees are hosted offsite, and typically supported by a third-party BCP/DRP provider
CISSP Mentor Program Session #11Domain 7: Security Operations
Related Plans• Crisis Communications Plan• Emergency Operations Center (EOC)• The command post established during or just after an emergency event• Placement of the EOC will depend on resources that are available
• Vital Records• Should be stored offsite, at a location and in a format that will allow access during
a disaster• Have both electronic and hardcopy versions of all vital records• Include contact information for all critical staff. Additional vital records include
licensing information, support contracts, service level agreements, reciprocal agreements, telecom circuit IDs, etc.
CISSP Mentor Program Session #11Domain 7: Security Operations
Executive Succession Planning• Organizations must ensure that there is always an executive
available to make decisions during a disaster
• A common mistake is allowing entire executive teams to be offsite at distant meetings
• One of the simplest executive powers is the ability to endorse checks and procure money.
CISSP Mentor Program Session #11Domain 7: Security Operations
Plan Approval• Now that the initial BCP/DRP plan has been completed, senior
management approval is the required next step
• It is ultimately senior management's responsibility to protect an organization's critical assets and personnel
• Senior management must understand that they are responsible for the plan, fully understand the plan, take ownership of it, and ensure its success.
CISSP Mentor Program Session #11Domain 7: Security Operations
Backups and availability (again…)• In order to be able to successfully recover critical business operations,
the organization needs to be able to effectively and efficiently backup and restore both systems and data
• Verification of recoverability from backups is often overlooked• Critical backup media must be stored offsite• Ensure that the organization can quickly procure large high-end tape
drives (if necessary)• If the MTTR is greater than the MTD, then an alternate backup or
availability methodology must be employed
CISSP Mentor Program Session #11Domain 7: Security Operations
Backups and availability (again…)Hardcopy Data• Hardcopy data is any data that are accessed through reading or
writing on paper rather than processing through a computer system.
• In weather-emergency-prone areas such as Florida, Mississippi, and Louisiana, many businesses develop a “paper only” DRP, which will allow them to operate key critical processes with just hard copies of data, battery-operated calculators, and other small electronics, as well as pens and pencils
CISSP Mentor Program Session #11Domain 7: Security Operations
Backups and availability (again…)Electronic Backups• Archives that are stored electronically
• Full Backups• Every piece of data is copied and stored on the backup repository• Time consuming, bandwidth intensive, and resource intensive• Will ensure that any necessary data is available
• Incremental Backups• Archive data that have changed since the last full or incremental backup
• Differential Backups• Archive data that have changed since the last full backup
CISSP Mentor Program Session #11Domain 7: Security Operations
Backups and availability (again…)Electronic Backups• Archives that are stored electronically
• Electronic vaulting• Batch process of electronically transmitting data that is to be backed up on a routine, regularly
scheduled time interval• Used to transfer bulk information to an offsite facility• Good tool for data that need to be backed up on a daily or possibly even hourly rate• Stores sensitive data offsite• Can perform the backup at very short intervals to ensure that the most recent data is backed up• Occurs across the Internet in most cases (important that the information sent for backup be sent
via a secure communication channel and protected through a strong encryption protocol)
CISSP Mentor Program Session #11Domain 7: Security Operations
Backups and availability (again…)Electronic Backups• Archives that are stored electronically
• Remote Journaling• A database journal contains a log of all database transactions• May be used to recover from a database failure• Remote Journaling saves the database checkpoints and database journal to a remote
site
• Database shadowing• Uses two or more identical databases that are updated simultaneously• Can exist locally, but it is best practice to host one shadow database offsite• Allows faster recovery when compared with remote journaling
CISSP Mentor Program Session #11Domain 7: Security Operations
Software Escrow• Maintain the availability of their applications even if the vendor
that developed the software initially goes out of business
• Allow a neutral third party to hold the source code
• Should the development organization go out of business or otherwise violate the terms of the software escrow agreement, then the third party holding the escrow will provide the source code and any other information to the purchasing organization.
CISSP Mentor Program Session #11Domain 7: Security Operations
DRP testing, training, and awareness• Skipping these steps is one of the most common BCP/DRP mistakes• A DRP is never complete, but is rather a continually amended method
for ensuring the ability for the organization to recover in an acceptable manner
• Used to correct mistakes• A DRP that will be effective will have some inherent complex
operations and maneuvers to be performed by administrators• Each member of the DRP should be exceedingly familiar with the
particulars of their role in a DRP
CISSP Mentor Program Session #11Domain 7: Security Operations
DRP Testing• In order to ensure that a Disaster Recovery Plan represents a viable
plan for recovery, thorough testing is needed• Routine infrastructure, hardware, software, and configuration changes
materially alter the way in which the DRP needs to be carried out• Ensure both the initial and continued efficacy of the DRP as a feasible
recovery methodology, testing needs to be performed.• Different types of tests• At an minimum, regardless of the type of test selected, tests should be
performed on an annual basis
CISSP Mentor Program Session #11Domain 7: Security Operations
DRP TestingDRP Review• Most basic form of DRP testing• Focused on simply reading the DRP in its entirety to ensure completeness of coverage• Typically performed by the team that developed the plan, and will involve team members
reading the plan in its entirety to quickly review the overall plan for any obvious flawsChecklist• Also known as consistency testing• Lists all necessary components required for successful recovery, and ensures that they are, or
will be, readily available should a disaster occur• Often performed concurrently with the structured walkthrough or tabletop testing as a first
testing threshold• Focused on ensuring that the organization has, or can acquire in a timely fashion, sufficient
resources on which their successful recovery is dependent
CISSP Mentor Program Session #11Domain 7: Security Operations
DRP TestingParallel Processing• Common in environments where transactional data is a key component of the
critical business processing• Typically involves recovery of critical processing components at an alternate
computing facility, and restore data from a previous backup• Regular production systems are not interrupted• Transactions from the day after the backup are then run against the newly
restored data, and the same results achieved during normal operations for the date in question should be mirrored by the recovery system's results
• Organizations that are highly dependent upon mainframe and midrange systems will often employ this type of test.
CISSP Mentor Program Session #11Domain 7: Security Operations
DRP TestingPartial and Complete Business Interruption• This type of test can actually be the cause of a disaster, so
extreme caution should be exercised before attempting an actual interruption test• Testing will include having the organization stop processing
normal business at the primary location, and instead leverage the alternate computing facility•More common in organizations where fully redundant, load-
balanced, operations exist
CISSP Mentor Program Session #11Domain 7: Security Operations
Training• An element of DRP training comes as part of performing the tests• More detailed training on some specific elements of the DRP process may be
required.Starting Emergency Power• Converting a datacenter to emergency power, such as backup generators• Specific training and testing of changing over to emergency power should be
regularly performed.Calling Tree Training/Test• Individuals with calling responsibilities are expected to be able to answer
within a very short time period, or otherwise make arrangements.
CISSP Mentor Program Session #11Domain 7: Security Operations
Awareness
Even for those members who have little active role with respect to the overall recovery process, there is still the matter of ensuring that all members of an organization are aware of the organization's prioritization of safety and business viability in the wake of a disaster.
CISSP Mentor Program Session #11Domain 7: Security Operations
Continued BCP/DRP maintenance• The BCP/DRP must be kept up to date• BCP/DRP plans must keep pace with all critical business and IT changes.Change Management• The Change Management process is designed to ensure that security is not adversely
affected as systems are introduced, changed, and updated.• Includes tracking and documenting all planned changes, formal approval for
substantial changes, and documentation of the results of the completed change• All changes must be auditable• The change control board manages this process• The BCP team should be a member of the change control board, and attend all
meetings to identify any changes that must be addressed by the BCP/DRP plan
CISSP Mentor Program Session #11Domain 7: Security Operations
BCP/DRP MistakesCommon BCP/DRP mistakes include:• Lack of management support• Lack of business unit involvement• Lack of prioritization among critical staff• Improper (often overly narrow) scope• Inadequate telecommunications management• Inadequate supply chain management• Incomplete or inadequate crisis management plan• Lack of testing• Lack of training and awareness• Failure to keep the BCP/DRP plan up to date
CISSP Mentor Program Session #11Domain 7: Security Operations
Specific BCP/DRP frameworksA handful of specific frameworks include NIST SP 800-34, ISO/IEC-27031, and BCI.NIST SP 800-34• The National Institute of Standards and Technology (NIST)
Special Publication 800-34 “Contingency Planning Guide for Information Technology Systems”•May be downloaded at
http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.
CISSP Mentor Program Session #11Domain 7: Security Operations
Specific BCP/DRP frameworksISO/IEC-27031
• Draft guideline that is part of the ISO 27000 series, which also includes ISO 27001 and ISO 27002
• Focuses on BCP (DRP is handled by another framework)
• The current formal name is “ISO/IEC 27031 Information technology—Security techniques—Guidelines for ICT Readiness for Business Continuity (final committee draft).” According to http://www.iso27001security.com/html/27031.html, ISO/IEC 27031 is designed to:• “Provide a framework (methods and processes) for any organization—private, governmental, and nongovernmental;
• Identify and specify all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization's ISMS, helping to ensure business continuity;
• Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.”
• Terms and acronyms used by ISO/IEC 27031 include:• ICT—Information and Communications Technology
• ISMS—Information Security Management System
• A separate ISO plan for disaster recovery is ISO/IEC 24762:2008, “Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services.” More information is available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=41532
CISSP Mentor Program Session #11Domain 7: Security Operations
Specific BCP/DRP frameworksBS-25999
• British Standards Institution (BSI, http://www.bsigroup.co.uk/) released BS-25999, which is in two parts:• “Part 1, the Code of Practice, provides business continuity management best practice recommendations. Please note that this is a guidance
document only.
• Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that you can use to demonstrate compliance via an auditing and certification process.”14
BCI
• The Business Continuity Institute (BCI, http://www.thebci.org/) published a six-step Good Practice Guidelines (GPG) in 2008, latest version is 2013 which describes the Business Continuity Management (BCM) process:• Management Practices
• PP1 Policy & Program Management
• PP2 Embedding Business Continuity
• Technical Practices
• PP3 Analysis
• PP4 Design
• PP5 Implementation
• PP6 Validation
Questions?We made it through Class #11!
132 Slides?!
We finished Domain 7: Security Operations!
Homework for Tuesday (6/7)◦ Try to catch-up. We’re gone through a ton of information!
◦ No Quiz; you have enough already.
Enjoy the weather, see you next week!