Cyber disaster recovery
1 / 46

Cyber Disaster Recovery - PowerPoint PPT Presentation

  • Updated On :
  • Presentation posted in: General

Cyber Disaster Recovery. Planning for the Inevitable. 20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business. Why Focus on Incident Preparedness?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Cyber Disaster Recovery

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Cyber Disaster Recovery

Planning for the Inevitable

20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business.

Why Focus on Incident Preparedness?

  • 20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure

    • Earthquake and hurricane “proof” buildings

    • Redundant power and communications

    • Disaster recovery planning

    • Regulatory requirements

  • Today, survival of the business also depends on survival of the information infrastructure

    • Firewalls, proxies, access controls

    • VPNs, encryption, authentication

    • Growing regulation

      • SOX

      • HIPPA

      • GLBA

      • CA Breach Law

  • Planning ahead insures against catastrophe


  • Traditional disaster recovery (D/R) planning is formal and tested regularly

  • Cyber-D/R planning is less mature, but more necessary today

  • Cyber-D/R requires quick reaction and different skill sets: e.g., computer forensics

  • Growing trend toward prosecution

  • Critical infrastructure protection requires better Cyber-D/R planning and response capability

“Traditional” disaster recovery

  • Business impact analysis

    • Determine functional areas critical to the business

    • Identify critical computer systems and applications

    • Determine disaster recovery budget

  • Formal disaster recovery plan

    • Disaster declaration criteria and procedures

    • Hot-site and cold-site arrangements

    • Staff response / call-out plans

    • Recovery procedures

  • Annual testing

“Cyber” disaster recovery

  • Business impact analysis

    • Focusing on impact of “electronic” disasters such as computer security breaches, instead of “natural” disasters

  • Computer Security Incident Response Plan

    • Similar in structure to disaster recovery plan

      • Incident declaration criteria and procedures

      • Staff response / call-out plans

      • Recovery procedures

    • Restore operations “in-place,” not at hot-site

    • Focus on forensic approach

    • Quarterly testing

An observation…

  • ISS responded to as many intrusion incidents in Q4-03 alone as it did all of 2003.

  • 75% of the cases have requested forensic evidence considerations for prosecution.

  • These incidents were all different, but they have had recurring themes which make them easier to prepare for.

What happened?

  • These incidents were not caused by “natural” disasters like fire, flood, or earthquake

    • A “traditional” disaster recovery plan would not have been sufficient

  • But the potential effects were the same

    • Ability to conduct business was impacted

    • Reputation could have been damaged

    • Financial loss could have occurred

    • Loss of customers

The need for good and timely information

  • During a natural disaster, information is made available to us by television, radio, and government sources

  • During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves

  • Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them

Obtaining good and timely information

  • Do you have skills in-house to stay on top of threats and vulnerabilities?

  • Does your staff respond to attacks frequently enough to keep their skills sharp?

  • Do you have ( and follow) escalation, notification and handling procedures?

  • What is the value of a second opinion when you think you’re under attack?

  • Can you conduct a forensic investigation without contaminating evidence?

  • What are your regulatory requirements?

Information Security Lifecycle

How well are we protected, now and in the future?

What can we add or change to improve our security?

Put all this in place without impacting users

Given what we have, how do we handle security incidents?

Goals of an Incident Response

  • Gain control of any upcoming security problems

  • Facilitate centralized reporting of incidents

  • Coordinate response to incidents

  • Raise security awareness of users

  • Provide a clearinghouse of relevant computer security information

  • Promote security policies

  • Provide liaisons to legal and criminal investigative groups both inside and outside the company

Incident Response

  • Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects;

  • Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization;

  • Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident;

  • Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and

  • Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.




Incident Preparedness

Incident Preparedness

  • Security Best Practices (ISO17799)

  • Roles and Responsibilities

  • Technology

  • Education/Awareness

  • Scenario Testing & Validation

Assess Existing Controls & Procedures

ISO 17799 Best Practices…

  • Information Security Policy

  • Incident Response and Preparedness

  • Authentication & Access Control

  • Information Ownership and Classification

  • Change Control

  • Auditable

  • Information Security Management

  • Network Management

  • Vulnerability Management & Policy Compliance

  • Threat Management

  • Life Cycle Security Performance Monitoring (Quality)

Assess Infrastructure

  • Network Perimeter and Penetration Analysis(determines current exposure to circumventing perimeter controls)

    • Internet Connectivity (e.g., firewalls, routers)

    • Business to Business connectivity

    • Remote Access

  • Vulnerability and Risk Analysis(determines current risks and exposure within the organization)

    • Qualitative and Quantitative Analysis:

      • Network Exposures

      • Host Exposures

      • Database Security

      • Network Architecture

      • Best Practices (ISO 17799)

      • Regulatory Requirements

Define the Desired Security State

  • Define existing and future business requirements relative to information security

  • Balance business objectives, risks and best practices such as ISO 17799

  • Define controls and their benefits relative to roles, responsibilities and associated risks

  • Identify residual risks

  • Define the requirements for a proactive,integrated strategic security infrastructure

Perform a GAP Analysis



Incident Alert


Incident Preparedness

  • Technology (e.g., Firewalls, ID)

  • Management Process (HR)

  • System Administration Staff

  • End Users (Internal, External)

  • News Agencies

  • Hackers

  • Internet Service Provider


Incident Reporting

Incident Preparedness



  • Technology (email, pager, etc.)

  • Help Desk (Trouble Ticket)

  • Call-Out Process

Report & Notification

Incident Investigation

Incident Preparedness


Is It Real?

Report & Notification

  • Activity Logs

  • Preliminary Interview and Check

  • Policy Violation

  • Technology

Preliminary Investigation

Decision and Resources

Incident Preparedness


Is It Real?

Report & Notification

Preliminary Investigation

  • Emergency Declaration

  • Incident Coordinator/Team

  • Course of action

    • Technical

    • Legal

Decision and Resources

Incident Response

Take Action

Incident Preparedness

  • In depth Investigation

    • Detailed Interviews and Forensics

  • Containment

    • Connectivity (Off, Routing, etc.)

    • Sever Trust among Systems

    • Disable Applications

    • Sandbox

    • Honeypot

    • Remote Access

  • Legal

    • Public Relations

    • Human Resources

    • Law Enforcement

    • Prosecution

  • Customer/Employee Notification


Report & Notification

Preliminary Investigation

Decision and Resources


Incident Recovery

Incident Preparedness


Report & Notification

Fix & Go On

Preliminary Investigation

  • Eradication

    • Trojans, Root kits, Bogus Accounts

  • Operations Restoration

    • Backups, Cleanup

    • Disaster Recovery

  • Mitigate Reoccurrence Risk

    • Technology

    • Policy and Procedures

Decision and Resources





Incident Recovery

Incident Preparedness



  • Documentation

  • Update Incident Response Process

  • Financial Impact Analysis

  • Staff Needs

  • Budget Needs

  • Quality in Information Security

Report & Notification

Preliminary Investigation

Decision and Resources




Components of a CSIRP

  • Charter

  • Incident Definition and Declaration

  • Team Make Up

  • Response Procedures

  • Preplanned Response Procedures

  • Sample Press Release

  • CSIRT Contact Information


  • Mission

  • Scope

  • Organizational & Team Structure

  • Information Flow

  • Services (Reactive and Proactive)

Incident Definition/Declaration

  • Declaration

  • Severity

  • Response Teams

  • D/R Relationship

Team Makeup

  • CSIRT Officer and Manager

  • CSIRT Decision Pool

Incident Response Team

Roles and Responsibilities

Roles and Responsibilities should be defined:

  • Communication

  • Protocol

  • Coordination

  • Who will be the ultimate decision maker.

  • Who will monitor the monitors.

Centralized Incident Reporting

  • A central point of contact must be created

    • Hotline

    • Email address (

  • Centralized reporting is vital to the effectiveness of a company’s ERS initiative

    • Consolidation

    • Correlation

    • Statistics on size, nature and extent of security problems

Response Procedures

  • Alert Phase

  • Triage Phase

  • Recovery Phase

  • Maintenance Phase

Preplanned Response Procedures

  • Virus Response

  • Past Incidents

    • Lessons Learned

Sample Press Release

  • Plan on word getting out

  • Then be really happy if it doesn’t

CSIRT Contact Information

  • Call out lists and alternates

ISS Jeopardy

  • Asses/Design/Deploy/Manage/Educate

What is the Information Security Life Cycle

ISS Jeopardy

  • Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence

What are the Goals of Incident Response

ISS Jeopardy

  • This Item Sets The Charter, Roles and Procedures for Incident Response

What is a Computer Security Incident Response Plan

ISS Jeopardy

  • Mission/Scope/Team Structure/Info. Flow/Services

What is contained in the CSIRP Charter

ISS Jeopardy

  • Alert/Triage/Recovery/Maintenance

What are the Response Procedures of a CSIRP

ISS Jeopardy

  • Rob Gallery

Who was the # 2 Pick, 1st Round in the 2004 NFL Draft

#74, 6’8” 320 lbs, Rob Gallery (Iowa) Offense Tackle to Oakland Raiders

ISS Jeopardy

  • “Heidi Game”

1968 Raiders/Jets Game interrupted for showing of “Heidi with 65 Seconds remaining and the Jets ahead 32-29

Raiders won. After Raiders scored on a Daryl Lamonica pass to make it 36-32, the Jets fumbled the kick off and the Raiders ran it in to make final score 43-32

Thank You

Ed Hudson, CISM

Director, Professional Services

X-Force PSS

  • Login