cyber disaster recovery l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Cyber Disaster Recovery PowerPoint Presentation
Download Presentation
Cyber Disaster Recovery

Loading in 2 Seconds...

play fullscreen
1 / 46

Cyber Disaster Recovery - PowerPoint PPT Presentation


  • 179 Views
  • Uploaded on

Cyber Disaster Recovery. Planning for the Inevitable. 20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business. Why Focus on Incident Preparedness?.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Cyber Disaster Recovery' - nia


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
cyber disaster recovery

Cyber Disaster Recovery

Planning for the Inevitable

slide2

20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business.

why focus on incident preparedness
Why Focus on Incident Preparedness?
  • 20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure
    • Earthquake and hurricane “proof” buildings
    • Redundant power and communications
    • Disaster recovery planning
    • Regulatory requirements
slide4
Today, survival of the business also depends on survival of the information infrastructure
    • Firewalls, proxies, access controls
    • VPNs, encryption, authentication
    • Growing regulation
      • SOX
      • HIPPA
      • GLBA
      • CA Breach Law
  • Planning ahead insures against catastrophe
overview
Overview
  • Traditional disaster recovery (D/R) planning is formal and tested regularly
  • Cyber-D/R planning is less mature, but more necessary today
  • Cyber-D/R requires quick reaction and different skill sets: e.g., computer forensics
  • Growing trend toward prosecution
  • Critical infrastructure protection requires better Cyber-D/R planning and response capability
traditional disaster recovery
“Traditional” disaster recovery
  • Business impact analysis
    • Determine functional areas critical to the business
    • Identify critical computer systems and applications
    • Determine disaster recovery budget
  • Formal disaster recovery plan
    • Disaster declaration criteria and procedures
    • Hot-site and cold-site arrangements
    • Staff response / call-out plans
    • Recovery procedures
  • Annual testing
cyber disaster recovery7
“Cyber” disaster recovery
  • Business impact analysis
    • Focusing on impact of “electronic” disasters such as computer security breaches, instead of “natural” disasters
  • Computer Security Incident Response Plan
    • Similar in structure to disaster recovery plan
      • Incident declaration criteria and procedures
      • Staff response / call-out plans
      • Recovery procedures
    • Restore operations “in-place,” not at hot-site
    • Focus on forensic approach
    • Quarterly testing
an observation
An observation…
  • ISS responded to as many intrusion incidents in Q4-03 alone as it did all of 2003.
  • 75% of the cases have requested forensic evidence considerations for prosecution.
  • These incidents were all different, but they have had recurring themes which make them easier to prepare for.
what happened
What happened?
  • These incidents were not caused by “natural” disasters like fire, flood, or earthquake
    • A “traditional” disaster recovery plan would not have been sufficient
  • But the potential effects were the same
    • Ability to conduct business was impacted
    • Reputation could have been damaged
    • Financial loss could have occurred
    • Loss of customers
the need for good and timely information
The need for good and timely information
  • During a natural disaster, information is made available to us by television, radio, and government sources
  • During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves
  • Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them
obtaining good and timely information
Obtaining good and timely information
  • Do you have skills in-house to stay on top of threats and vulnerabilities?
  • Does your staff respond to attacks frequently enough to keep their skills sharp?
  • Do you have ( and follow) escalation, notification and handling procedures?
  • What is the value of a second opinion when you think you’re under attack?
  • Can you conduct a forensic investigation without contaminating evidence?
  • What are your regulatory requirements?
information security lifecycle
Information Security Lifecycle

How well are we protected, now and in the future?

What can we add or change to improve our security?

Put all this in place without impacting users

Given what we have, how do we handle security incidents?

goals of an incident response
Goals of an Incident Response
  • Gain control of any upcoming security problems
  • Facilitate centralized reporting of incidents
  • Coordinate response to incidents
  • Raise security awareness of users
  • Provide a clearinghouse of relevant computer security information
  • Promote security policies
  • Provide liaisons to legal and criminal investigative groups both inside and outside the company
incident response
Incident Response
  • Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects;
  • Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization;
  • Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident;
  • Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and
  • Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.
incident preparedness

Confidentiality

Integrity

Availability

Incident Preparedness

Incident Preparedness

  • Security Best Practices (ISO17799)
  • Roles and Responsibilities
  • Technology
  • Education/Awareness
  • Scenario Testing & Validation
assess existing controls procedures
Assess Existing Controls & Procedures

ISO 17799 Best Practices…

  • Information Security Policy
  • Incident Response and Preparedness
  • Authentication & Access Control
  • Information Ownership and Classification
  • Change Control
  • Auditable
  • Information Security Management
  • Network Management
  • Vulnerability Management & Policy Compliance
  • Threat Management
  • Life Cycle Security Performance Monitoring (Quality)
assess infrastructure
Assess Infrastructure
  • Network Perimeter and Penetration Analysis(determines current exposure to circumventing perimeter controls)
    • Internet Connectivity (e.g., firewalls, routers)
    • Business to Business connectivity
    • Remote Access
  • Vulnerability and Risk Analysis(determines current risks and exposure within the organization)
    • Qualitative and Quantitative Analysis:
      • Network Exposures
      • Host Exposures
      • Database Security
      • Network Architecture
      • Best Practices (ISO 17799)
      • Regulatory Requirements
define the desired security state
Define the Desired Security State
  • Define existing and future business requirements relative to information security
  • Balance business objectives, risks and best practices such as ISO 17799
  • Define controls and their benefits relative to roles, responsibilities and associated risks
  • Identify residual risks
  • Define the requirements for a proactive,integrated strategic security infrastructure
perform a gap analysis
Perform a GAP Analysis

DesiredSecurityState(DSS)

CurrentSecurityState

incident alert
Incident Alert

Alert!

Incident Preparedness

  • Technology (e.g., Firewalls, ID)
  • Management Process (HR)
  • System Administration Staff
  • End Users (Internal, External)
  • News Agencies
  • Hackers
  • Internet Service Provider

Alarm

incident reporting
Incident Reporting

Incident Preparedness

Communicate

Alarm

  • Technology (email, pager, etc.)
  • Help Desk (Trouble Ticket)
  • Call-Out Process

Report & Notification

incident investigation
Incident Investigation

Incident Preparedness

Alarm

Is It Real?

Report & Notification

  • Activity Logs
  • Preliminary Interview and Check
  • Policy Violation
  • Technology

Preliminary Investigation

decision and resources
Decision and Resources

Incident Preparedness

Alarm

Is It Real?

Report & Notification

Preliminary Investigation

  • Emergency Declaration
  • Incident Coordinator/Team
  • Course of action
    • Technical
    • Legal

Decision and Resources

incident response24
Incident Response

Take Action

Incident Preparedness

  • In depth Investigation
    • Detailed Interviews and Forensics
  • Containment
    • Connectivity (Off, Routing, etc.)
    • Sever Trust among Systems
    • Disable Applications
    • Sandbox
    • Honeypot
    • Remote Access
  • Legal
    • Public Relations
    • Human Resources
    • Law Enforcement
    • Prosecution
  • Customer/Employee Notification

Alarm

Report & Notification

Preliminary Investigation

Decision and Resources

Response

incident recovery
Incident Recovery

Incident Preparedness

Alarm

Report & Notification

Fix & Go On

Preliminary Investigation

  • Eradication
    • Trojans, Root kits, Bogus Accounts
  • Operations Restoration
    • Backups, Cleanup
    • Disaster Recovery
  • Mitigate Reoccurrence Risk
    • Technology
    • Policy and Procedures

Decision and Resources

Response

Recovery

incident recovery26

L

LessonsLearned

Incident Recovery

Incident Preparedness

Improvement/Quality

Alarm

  • Documentation
  • Update Incident Response Process
  • Financial Impact Analysis
  • Staff Needs
  • Budget Needs
  • Quality in Information Security

Report & Notification

Preliminary Investigation

Decision and Resources

Response

Recovery

components of a csirp
Components of a CSIRP
  • Charter
  • Incident Definition and Declaration
  • Team Make Up
  • Response Procedures
  • Preplanned Response Procedures
  • Sample Press Release
  • CSIRT Contact Information
charter
Charter
  • Mission
  • Scope
  • Organizational & Team Structure
  • Information Flow
  • Services (Reactive and Proactive)
incident definition declaration
Incident Definition/Declaration
  • Declaration
  • Severity
  • Response Teams
  • D/R Relationship
team makeup
Team Makeup
  • CSIRT Officer and Manager
  • CSIRT Decision Pool
roles and responsibilities
Roles and Responsibilities

Roles and Responsibilities should be defined:

  • Communication
  • Protocol
  • Coordination
  • Who will be the ultimate decision maker.
  • Who will monitor the monitors.
centralized incident reporting
Centralized Incident Reporting
  • A central point of contact must be created
    • Hotline
    • Email address (ers@mycompany.com)
  • Centralized reporting is vital to the effectiveness of a company’s ERS initiative
    • Consolidation
    • Correlation
    • Statistics on size, nature and extent of security problems
response procedures
Response Procedures
  • Alert Phase
  • Triage Phase
  • Recovery Phase
  • Maintenance Phase
preplanned response procedures
Preplanned Response Procedures
  • Virus Response
  • Past Incidents
    • Lessons Learned
sample press release
Sample Press Release
  • Plan on word getting out
  • Then be really happy if it doesn’t
csirt contact information
CSIRT Contact Information
  • Call out lists and alternates
iss jeopardy
ISS Jeopardy
  • Asses/Design/Deploy/Manage/Educate

What is the Information Security Life Cycle

iss jeopardy40
ISS Jeopardy
  • Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence

What are the Goals of Incident Response

iss jeopardy41
ISS Jeopardy
  • This Item Sets The Charter, Roles and Procedures for Incident Response

What is a Computer Security Incident Response Plan

iss jeopardy42
ISS Jeopardy
  • Mission/Scope/Team Structure/Info. Flow/Services

What is contained in the CSIRP Charter

iss jeopardy43
ISS Jeopardy
  • Alert/Triage/Recovery/Maintenance

What are the Response Procedures of a CSIRP

iss jeopardy44
ISS Jeopardy
  • Rob Gallery

Who was the # 2 Pick, 1st Round in the 2004 NFL Draft

#74, 6’8” 320 lbs, Rob Gallery (Iowa) Offense Tackle to Oakland Raiders

iss jeopardy45
ISS Jeopardy
  • “Heidi Game”

1968 Raiders/Jets Game interrupted for showing of “Heidi with 65 Seconds remaining and the Jets ahead 32-29

Raiders won. After Raiders scored on a Daryl Lamonica pass to make it 36-32, the Jets fumbled the kick off and the Raiders ran it in to make final score 43-32

thank you

Thank You

Ed Hudson, CISM

Director, Professional Services

X-Force PSS

ed.hudson@iss.net