Cyber disaster recovery
1 / 46

Cyber Disaster Recovery - PowerPoint PPT Presentation

  • Updated On :

Cyber Disaster Recovery. Planning for the Inevitable. 20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business. Why Focus on Incident Preparedness?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Cyber Disaster Recovery' - nia

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Cyber disaster recovery l.jpg

Cyber Disaster Recovery

Planning for the Inevitable

Slide2 l.jpg

20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business.

Why focus on incident preparedness l.jpg
Why Focus on Incident Preparedness? and mortar companies. Today it must protect the growing virtual side of business: E-business.

  • 20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure

    • Earthquake and hurricane “proof” buildings

    • Redundant power and communications

    • Disaster recovery planning

    • Regulatory requirements

Slide4 l.jpg

Overview l.jpg
Overview the

  • Traditional disaster recovery (D/R) planning is formal and tested regularly

  • Cyber-D/R planning is less mature, but more necessary today

  • Cyber-D/R requires quick reaction and different skill sets: e.g., computer forensics

  • Growing trend toward prosecution

  • Critical infrastructure protection requires better Cyber-D/R planning and response capability

Traditional disaster recovery l.jpg
“Traditional” disaster recovery the

  • Business impact analysis

    • Determine functional areas critical to the business

    • Identify critical computer systems and applications

    • Determine disaster recovery budget

  • Formal disaster recovery plan

    • Disaster declaration criteria and procedures

    • Hot-site and cold-site arrangements

    • Staff response / call-out plans

    • Recovery procedures

  • Annual testing

Cyber disaster recovery7 l.jpg
“Cyber” disaster recovery the

  • Business impact analysis

    • Focusing on impact of “electronic” disasters such as computer security breaches, instead of “natural” disasters

  • Computer Security Incident Response Plan

    • Similar in structure to disaster recovery plan

      • Incident declaration criteria and procedures

      • Staff response / call-out plans

      • Recovery procedures

    • Restore operations “in-place,” not at hot-site

    • Focus on forensic approach

    • Quarterly testing

An observation l.jpg
An observation… the

  • ISS responded to as many intrusion incidents in Q4-03 alone as it did all of 2003.

  • 75% of the cases have requested forensic evidence considerations for prosecution.

  • These incidents were all different, but they have had recurring themes which make them easier to prepare for.

What happened l.jpg
What happened? the

  • These incidents were not caused by “natural” disasters like fire, flood, or earthquake

    • A “traditional” disaster recovery plan would not have been sufficient

  • But the potential effects were the same

    • Ability to conduct business was impacted

    • Reputation could have been damaged

    • Financial loss could have occurred

    • Loss of customers

The need for good and timely information l.jpg
The need for good and timely information the

  • During a natural disaster, information is made available to us by television, radio, and government sources

  • During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves

  • Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them

Obtaining good and timely information l.jpg
Obtaining good and timely information the

  • Do you have skills in-house to stay on top of threats and vulnerabilities?

  • Does your staff respond to attacks frequently enough to keep their skills sharp?

  • Do you have ( and follow) escalation, notification and handling procedures?

  • What is the value of a second opinion when you think you’re under attack?

  • Can you conduct a forensic investigation without contaminating evidence?

  • What are your regulatory requirements?

Information security lifecycle l.jpg
Information Security Lifecycle the

How well are we protected, now and in the future?

What can we add or change to improve our security?

Put all this in place without impacting users

Given what we have, how do we handle security incidents?

Goals of an incident response l.jpg
Goals of an Incident Response the

  • Gain control of any upcoming security problems

  • Facilitate centralized reporting of incidents

  • Coordinate response to incidents

  • Raise security awareness of users

  • Provide a clearinghouse of relevant computer security information

  • Promote security policies

  • Provide liaisons to legal and criminal investigative groups both inside and outside the company

Incident response l.jpg
Incident Response the

  • Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects;

  • Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization;

  • Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident;

  • Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and

  • Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.

Incident preparedness l.jpg

Confidentiality the



Incident Preparedness

Incident Preparedness

  • Security Best Practices (ISO17799)

  • Roles and Responsibilities

  • Technology

  • Education/Awareness

  • Scenario Testing & Validation

Assess existing controls procedures l.jpg
Assess Existing Controls & Procedures the

ISO 17799 Best Practices…

  • Information Security Policy

  • Incident Response and Preparedness

  • Authentication & Access Control

  • Information Ownership and Classification

  • Change Control

  • Auditable

  • Information Security Management

  • Network Management

  • Vulnerability Management & Policy Compliance

  • Threat Management

  • Life Cycle Security Performance Monitoring (Quality)

Assess infrastructure l.jpg
Assess Infrastructure the

  • Network Perimeter and Penetration Analysis(determines current exposure to circumventing perimeter controls)

    • Internet Connectivity (e.g., firewalls, routers)

    • Business to Business connectivity

    • Remote Access

  • Vulnerability and Risk Analysis(determines current risks and exposure within the organization)

    • Qualitative and Quantitative Analysis:

      • Network Exposures

      • Host Exposures

      • Database Security

      • Network Architecture

      • Best Practices (ISO 17799)

      • Regulatory Requirements

Define the desired security state l.jpg
Define the Desired Security State the

  • Define existing and future business requirements relative to information security

  • Balance business objectives, risks and best practices such as ISO 17799

  • Define controls and their benefits relative to roles, responsibilities and associated risks

  • Identify residual risks

  • Define the requirements for a proactive,integrated strategic security infrastructure

Perform a gap analysis l.jpg
Perform a GAP Analysis the



Incident alert l.jpg
Incident Alert the


Incident Preparedness

  • Technology (e.g., Firewalls, ID)

  • Management Process (HR)

  • System Administration Staff

  • End Users (Internal, External)

  • News Agencies

  • Hackers

  • Internet Service Provider


Incident reporting l.jpg
Incident Reporting the

Incident Preparedness



  • Technology (email, pager, etc.)

  • Help Desk (Trouble Ticket)

  • Call-Out Process

Report & Notification

Incident investigation l.jpg
Incident Investigation the

Incident Preparedness


Is It Real?

Report & Notification

  • Activity Logs

  • Preliminary Interview and Check

  • Policy Violation

  • Technology

Preliminary Investigation

Decision and resources l.jpg
Decision and Resources the

Incident Preparedness


Is It Real?

Report & Notification

Preliminary Investigation

  • Emergency Declaration

  • Incident Coordinator/Team

  • Course of action

    • Technical

    • Legal

Decision and Resources

Incident response24 l.jpg
Incident Response the

Take Action

Incident Preparedness

  • In depth Investigation

    • Detailed Interviews and Forensics

  • Containment

    • Connectivity (Off, Routing, etc.)

    • Sever Trust among Systems

    • Disable Applications

    • Sandbox

    • Honeypot

    • Remote Access

  • Legal

    • Public Relations

    • Human Resources

    • Law Enforcement

    • Prosecution

  • Customer/Employee Notification


Report & Notification

Preliminary Investigation

Decision and Resources


Incident recovery l.jpg
Incident Recovery the

Incident Preparedness


Report & Notification

Fix & Go On

Preliminary Investigation

  • Eradication

    • Trojans, Root kits, Bogus Accounts

  • Operations Restoration

    • Backups, Cleanup

    • Disaster Recovery

  • Mitigate Reoccurrence Risk

    • Technology

    • Policy and Procedures

Decision and Resources



Incident recovery26 l.jpg

L the


Incident Recovery

Incident Preparedness



  • Documentation

  • Update Incident Response Process

  • Financial Impact Analysis

  • Staff Needs

  • Budget Needs

  • Quality in Information Security

Report & Notification

Preliminary Investigation

Decision and Resources



Csirp l.jpg

Components of a csirp l.jpg
Components of a CSIRP the

  • Charter

  • Incident Definition and Declaration

  • Team Make Up

  • Response Procedures

  • Preplanned Response Procedures

  • Sample Press Release

  • CSIRT Contact Information

Charter l.jpg
Charter the

  • Mission

  • Scope

  • Organizational & Team Structure

  • Information Flow

  • Services (Reactive and Proactive)

Incident definition declaration l.jpg
Incident Definition/Declaration the

  • Declaration

  • Severity

  • Response Teams

  • D/R Relationship

Team makeup l.jpg
Team Makeup the

  • CSIRT Officer and Manager

  • CSIRT Decision Pool

Roles and responsibilities l.jpg
Roles and Responsibilities the

Roles and Responsibilities should be defined:

  • Communication

  • Protocol

  • Coordination

  • Who will be the ultimate decision maker.

  • Who will monitor the monitors.

Centralized incident reporting l.jpg
Centralized Incident Reporting the

  • A central point of contact must be created

    • Hotline

    • Email address (

  • Centralized reporting is vital to the effectiveness of a company’s ERS initiative

    • Consolidation

    • Correlation

    • Statistics on size, nature and extent of security problems

Response procedures l.jpg
Response Procedures the

  • Alert Phase

  • Triage Phase

  • Recovery Phase

  • Maintenance Phase

Preplanned response procedures l.jpg
Preplanned Response Procedures the

  • Virus Response

  • Past Incidents

    • Lessons Learned

Sample press release l.jpg
Sample Press Release the

  • Plan on word getting out

  • Then be really happy if it doesn’t

Csirt contact information l.jpg
CSIRT Contact Information the

  • Call out lists and alternates

Iss jeopardy l.jpg
ISS Jeopardy the

  • Asses/Design/Deploy/Manage/Educate

What is the Information Security Life Cycle

Iss jeopardy40 l.jpg
ISS Jeopardy the

  • Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence

What are the Goals of Incident Response

Iss jeopardy41 l.jpg
ISS Jeopardy the

  • This Item Sets The Charter, Roles and Procedures for Incident Response

What is a Computer Security Incident Response Plan

Iss jeopardy42 l.jpg
ISS Jeopardy the

  • Mission/Scope/Team Structure/Info. Flow/Services

What is contained in the CSIRP Charter

Iss jeopardy43 l.jpg
ISS Jeopardy the

  • Alert/Triage/Recovery/Maintenance

What are the Response Procedures of a CSIRP

Iss jeopardy44 l.jpg
ISS Jeopardy the

  • Rob Gallery

Who was the # 2 Pick, 1st Round in the 2004 NFL Draft

#74, 6’8” 320 lbs, Rob Gallery (Iowa) Offense Tackle to Oakland Raiders

Iss jeopardy45 l.jpg
ISS Jeopardy the

  • “Heidi Game”

1968 Raiders/Jets Game interrupted for showing of “Heidi with 65 Seconds remaining and the Jets ahead 32-29

Raiders won. After Raiders scored on a Daryl Lamonica pass to make it 36-32, the Jets fumbled the kick off and the Raiders ran it in to make final score 43-32

Thank you l.jpg

Thank You the

Ed Hudson, CISM

Director, Professional Services

X-Force PSS