Cyber Disaster Recovery PowerPoint PPT Presentation

Presentation Transcript



Cyber Disaster Recovery

Planning for the Inevitable



20 years ago, Disaster Recovery (D/R) plans protected brick-and-mortar companies. Today they must also protect the growing virtual side of business: E-business.



Why Focus on Incident Preparedness?

  • 20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure

    • Earthquake and hurricane “proof” buildings

    • Redundant power and communications

    • Disaster recovery planning

    • Regulatory requirements



  • Today, survival of the business also depends on survival of the information infrastructure

    • Firewalls, proxies, access controls

    • VPNs, encryption, authentication

    • Growing regulation

      • SOX

      • HIPAA

      • GLBA

      • CA Breach Law

  • Planning ahead insures against catastrophe



Overview

  • Traditional disaster recovery (D/R) planning is formal and tested regularly

  • Cyber-D/R planning is less mature, but more necessary today

  • Cyber-D/R requires quick reaction and different skill sets: e.g., computer forensics

  • Growing trend toward prosecution

  • Critical infrastructure protection requires better Cyber-D/R planning and response capability



“Traditional” disaster recovery

  • Business impact analysis

    • Determine functional areas critical to the business

    • Identify critical computer systems and applications

    • Determine disaster recovery budget

  • Formal disaster recovery plan

    • Disaster declaration criteria and procedures

    • Hot-site and cold-site arrangements

    • Staff response / call-out plans

    • Recovery procedures

  • Annual testing



“Cyber” disaster recovery

  • Business impact analysis

    • Focusing on impact of “electronic” disasters such as computer security breaches, instead of “natural” disasters

  • Computer Security Incident Response Plan

    • Similar in structure to disaster recovery plan

      • Incident declaration criteria and procedures

      • Staff response / call-out plans

      • Recovery procedures

    • Restore operations “in-place,” not at hot-site

    • Focus on forensic approach

    • Quarterly testing



An observation…

  • ISS responded to as many intrusion incidents in Q4-03 alone as it did all of 2003.

  • 75% of the cases have requested forensic evidence considerations for prosecution.

  • These incidents were all different, but they have had recurring themes which make them easier to prepare for.



What happened?

  • These incidents were not caused by “natural” disasters like fire, flood, or earthquake

    • A “traditional” disaster recovery plan would not have been sufficient

  • But the potential effects were the same

    • Ability to conduct business was impacted

    • Reputation could have been damaged

    • Financial loss could have occurred

    • Loss of customers



The need for good and timely information

  • During a natural disaster, information is made available to us by television, radio, and government sources

  • During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves

  • Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them



Obtaining good and timely information

  • Do you have skills in-house to stay on top of threats and vulnerabilities?

  • Does your staff respond to attacks frequently enough to keep their skills sharp?

  • Do you have (and follow) escalation, notification and handling procedures?

  • What is the value of a second opinion when you think you’re under attack?

  • Can you conduct a forensic investigation without contaminating evidence?

  • What are your regulatory requirements?



Information Security Lifecycle

How well are we protected, now and in the future?

What can we add or change to improve our security?

Put all this in place without impacting users

Given what we have, how do we handle security incidents?



Goals of an Incident Response

  • Gain control of any upcoming security problems

  • Facilitate centralized reporting of incidents

  • Coordinate response to incidents

  • Raise security awareness of users

  • Provide a clearinghouse of relevant computer security information

  • Promote security policies

  • Provide liaisons to legal and criminal investigative groups both inside and outside the company



Incident Response

  • Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects;

  • Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization;

  • Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident;

  • Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and

  • Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.


Incident Preparedness

[Slide diagram: the Confidentiality / Integrity / Availability triad surrounding Incident Preparedness]

  • Security Best Practices (ISO 17799)

  • Roles and Responsibilities

  • Technology

  • Education/Awareness

  • Scenario Testing & Validation



Assess Existing Controls & Procedures

ISO 17799 Best Practices…

  • Information Security Policy

  • Incident Response and Preparedness

  • Authentication & Access Control

  • Information Ownership and Classification

  • Change Control

  • Auditable

  • Information Security Management

  • Network Management

  • Vulnerability Management & Policy Compliance

  • Threat Management

  • Life Cycle Security Performance Monitoring (Quality)



Assess Infrastructure

  • Network Perimeter and Penetration Analysis (determines current exposure to circumventing perimeter controls)

    • Internet Connectivity (e.g., firewalls, routers)

    • Business to Business connectivity

    • Remote Access

  • Vulnerability and Risk Analysis (determines current risks and exposure within the organization)

    • Qualitative and Quantitative Analysis:

      • Network Exposures

      • Host Exposures

      • Database Security

      • Network Architecture

      • Best Practices (ISO 17799)

      • Regulatory Requirements



Define the Desired Security State

  • Define existing and future business requirements relative to information security

  • Balance business objectives, risks and best practices such as ISO 17799

  • Define controls and their benefits relative to roles, responsibilities and associated risks

  • Identify residual risks

  • Define the requirements for a proactive, integrated strategic security infrastructure


Perform a GAP Analysis

[Slide diagram: the Current Security State compared against the Desired Security State (DSS); the difference between the two is the gap to be closed]


Incident Alert

[Slide diagram: Incident Preparedness → Alarm ("Alert!"); the items below are the sources an alarm may come from, as listed on the slide]

  • Technology (e.g., Firewalls, ID)

  • Management Process (HR)

  • System Administration Staff

  • End Users (Internal, External)

  • News Agencies

  • Hackers

  • Internet Service Provider


Incident Reporting

[Slide diagram: Incident Preparedness → Alarm → Report & Notification ("Communicate"); the items below are the reporting channels listed on the slide]

  • Technology (email, pager, etc.)

  • Help Desk (Trouble Ticket)

  • Call-Out Process


Incident Investigation

[Slide diagram: Incident Preparedness → Alarm → Report & Notification → Preliminary Investigation ("Is It Real?"); the items below are the inputs to the preliminary investigation listed on the slide]

  • Activity Logs

  • Preliminary Interview and Check

  • Policy Violation

  • Technology


Decision and Resources

[Slide diagram: Incident Preparedness → Alarm → Report & Notification → Preliminary Investigation → Decision and Resources]

  • Emergency Declaration

  • Incident Coordinator/Team

  • Course of action

    • Technical

    • Legal


Incident Response

[Slide diagram: Incident Preparedness → Alarm → Report & Notification → Preliminary Investigation → Decision and Resources → Response ("Take Action")]

  • In-depth Investigation

    • Detailed Interviews and Forensics

  • Containment

    • Connectivity (Off, Routing, etc.)

    • Sever Trust among Systems

    • Disable Applications

    • Sandbox

    • Honeypot

    • Remote Access

  • Legal

    • Public Relations

    • Human Resources

    • Law Enforcement

    • Prosecution

  • Customer/Employee Notification


Incident Recovery

[Slide diagram: Incident Preparedness → Alarm → Report & Notification → Preliminary Investigation → Decision and Resources → Response → Recovery ("Fix & Go On")]

  • Eradication

    • Trojans, Root kits, Bogus Accounts

  • Operations Restoration

    • Backups, Cleanup

    • Disaster Recovery

  • Mitigate Reoccurrence Risk

    • Technology

    • Policy and Procedures


Incident Recovery: Lessons Learned

[Slide diagram: Incident Preparedness → Alarm → Report & Notification → Preliminary Investigation → Decision and Resources → Response → Recovery → Lessons Learned ("Improvement/Quality")]

  • Documentation

  • Update Incident Response Process

  • Financial Impact Analysis

  • Staff Needs

  • Budget Needs

  • Quality in Information Security


CSIRP (Computer Security Incident Response Plan)



Components of a CSIRP

  • Charter

  • Incident Definition and Declaration

  • Team Make Up

  • Response Procedures

  • Preplanned Response Procedures

  • Sample Press Release

  • CSIRT Contact Information



Charter

  • Mission

  • Scope

  • Organizational & Team Structure

  • Information Flow

  • Services (Reactive and Proactive)



Incident Definition/Declaration

  • Declaration

  • Severity

  • Response Teams

  • D/R Relationship



Team Makeup

  • CSIRT Officer and Manager

  • CSIRT Decision Pool



Incident Response Team



Roles and Responsibilities

Roles and Responsibilities should be defined:

  • Communication

  • Protocol

  • Coordination

  • Who will be the ultimate decision maker?

  • Who will monitor the monitors?



Centralized Incident Reporting

  • A central point of contact must be created

    • Hotline

    • Email address ([email protected])

  • Centralized reporting is vital to the effectiveness of a company’s ERS initiative

    • Consolidation

    • Correlation

    • Statistics on size, nature and extent of security problems



Response Procedures

  • Alert Phase

  • Triage Phase

  • Recovery Phase

  • Maintenance Phase
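The two slides above, "Centralized Incident Reporting" (one point of contact, consolidation, correlation, statistics) and "Response Procedures" (Alert, Triage, Recovery, Maintenance), describe a process rather than code. The following is an added illustration, not code from the presentation or from ISS, of how a minimal central incident register can enforce that process: every report lands in one place, reports about the same host are consolidated into one incident, an incident is declared only when constructed declaration criteria are met, and the phase can only move forward one step at a time with the deciding actor recorded. The field names, severity levels, declaration thresholds and the sample reports are all constructed assumptions.

```python
"""Central incident register: consolidation, correlation, declaration and phase tracking.

Added illustration, not code from the presentation. Field names, severity
levels, declaration criteria and the sample reports are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# The response phases named on the "Response Procedures" slide, in order.
PHASES = ("alert", "triage", "recovery", "maintenance")

# Constructed declaration criteria: an incident is declared once a second
# independent reporter confirms it, or once any report is high/critical.
DECLARE_MIN_REPORTERS = 2
DECLARE_SEVERITIES = {"high", "critical"}


@dataclass
class Report:
    reporter: str   # who raised it: IDS sensor, help desk, ISP abuse desk, end user, ...
    host: str       # affected system; used as the correlation key
    category: str   # e.g. "malware", "unauthorized-access", "policy-violation"
    severity: str   # "low" | "medium" | "high" | "critical"


@dataclass
class Incident:
    host: str
    reports: list = field(default_factory=list)
    phase: str = PHASES[0]
    declared: bool = False
    history: list = field(default_factory=list)  # audit trail: (from, to, actor)

    def advance(self, actor: str) -> str:
        """Move to the next phase in order. Refuses to leave the alert phase
        before declaration, to skip phases, or to go past maintenance."""
        if not self.declared:
            raise ValueError("incident not declared; cannot leave the alert phase")
        idx = PHASES.index(self.phase)
        if idx == len(PHASES) - 1:
            raise ValueError("incident is already in the maintenance phase")
        nxt = PHASES[idx + 1]
        self.history.append((self.phase, nxt, actor))
        self.phase = nxt
        return nxt


class IncidentRegister:
    """The single point of contact: all reports are submitted here and
    correlated by affected host so one incident is tracked, not N tickets."""

    def __init__(self) -> None:
        self.incidents: dict[str, Incident] = {}

    def submit(self, r: Report) -> Incident:
        inc = self.incidents.setdefault(r.host, Incident(host=r.host))
        inc.reports.append(r)
        reporters = {x.reporter for x in inc.reports}
        if r.severity in DECLARE_SEVERITIES or len(reporters) >= DECLARE_MIN_REPORTERS:
            inc.declared = True
        return inc

    def statistics(self) -> dict:
        """Size, nature and extent of the problems seen across all reports."""
        all_reports = [r for inc in self.incidents.values() for r in inc.reports]
        return {
            "reports": len(all_reports),
            "incidents": len(self.incidents),
            "declared": sum(1 for inc in self.incidents.values() if inc.declared),
            "by_category": dict(Counter(r.category for r in all_reports)),
            "by_severity": dict(Counter(r.severity for r in all_reports)),
        }


def demo() -> IncidentRegister:
    """Constructed sample: three sightings of one host plus one unrelated report."""
    reg = IncidentRegister()
    reg.submit(Report("ids-sensor", "web01", "unauthorized-access", "medium"))
    reg.submit(Report("help-desk", "web01", "unauthorized-access", "low"))  # 2nd reporter: declared
    reg.submit(Report("isp-abuse-desk", "web01", "malware", "high"))
    reg.submit(Report("end-user", "fileshare02", "policy-violation", "low"))  # single report: not declared
    reg.incidents["web01"].advance("csirt-officer")  # alert -> triage, recorded in history
    return reg


if __name__ == "__main__":
    register = demo()
    print(register.statistics())
    for inc in register.incidents.values():
        print(inc.host, inc.phase, inc.declared, inc.history)
```

The point the slides make is organizational, and the code only mirrors it: because every channel (IDS, help desk, ISP) feeds one register, three separate sightings of web01 become one declared incident with a single phase and a single audit trail, while the lone fileshare02 report stays undeclared and cannot be moved out of the alert phase by anyone.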



Preplanned Response Procedures

  • Virus Response

  • Past Incidents

    • Lessons Learned



Sample Press Release

  • Plan on word getting out

  • Then be really happy if it doesn’t



CSIRT Contact Information

  • Call out lists and alternates



ISS Jeopardy

  • Assess/Design/Deploy/Manage/Educate

What is the Information Security Life Cycle



ISS Jeopardy

  • Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence

What are the Goals of Incident Response



ISS Jeopardy

  • This Item Sets The Charter, Roles and Procedures for Incident Response

What is a Computer Security Incident Response Plan



ISS Jeopardy

  • Mission/Scope/Team Structure/Info. Flow/Services

What is contained in the CSIRP Charter



ISS Jeopardy

  • Alert/Triage/Recovery/Maintenance

What are the Response Procedures of a CSIRP



ISS Jeopardy

  • Rob Gallery

Who was the # 2 Pick, 1st Round in the 2004 NFL Draft

#74, 6’8”, 320 lbs, Rob Gallery (Iowa), Offensive Tackle, to the Oakland Raiders



ISS Jeopardy

  • “Heidi Game”

1968 Raiders/Jets game interrupted for the showing of “Heidi” with 65 seconds remaining and the Jets ahead 32-29

Raiders won. After the Raiders scored on a Daryle Lamonica pass to make it 36-32, the Jets fumbled the kickoff and the Raiders ran it in to make the final score 43-32



Thank You

Ed Hudson, CISM

Director, Professional Services

X-Force PSS

[email protected]
