1 / 46

Cyber Disaster Recovery

Cyber Disaster Recovery. Planning for the Inevitable. 20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business. Why Focus on Incident Preparedness?.

nia
Download Presentation

Cyber Disaster Recovery

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cyber Disaster Recovery Planning for the Inevitable

  2. 20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business.

  3. Why Focus on Incident Preparedness? • 20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure • Earthquake and hurricane “proof” buildings • Redundant power and communications • Disaster recovery planning • Regulatory requirements

  4. Today, survival of the business also depends on survival of the information infrastructure • Firewalls, proxies, access controls • VPNs, encryption, authentication • Growing regulation • SOX • HIPPA • GLBA • CA Breach Law • Planning ahead insures against catastrophe

  5. Overview • Traditional disaster recovery (D/R) planning is formal and tested regularly • Cyber-D/R planning is less mature, but more necessary today • Cyber-D/R requires quick reaction and different skill sets: e.g., computer forensics • Growing trend toward prosecution • Critical infrastructure protection requires better Cyber-D/R planning and response capability

  6. “Traditional” disaster recovery • Business impact analysis • Determine functional areas critical to the business • Identify critical computer systems and applications • Determine disaster recovery budget • Formal disaster recovery plan • Disaster declaration criteria and procedures • Hot-site and cold-site arrangements • Staff response / call-out plans • Recovery procedures • Annual testing

  7. “Cyber” disaster recovery • Business impact analysis • Focusing on impact of “electronic” disasters such as computer security breaches, instead of “natural” disasters • Computer Security Incident Response Plan • Similar in structure to disaster recovery plan • Incident declaration criteria and procedures • Staff response / call-out plans • Recovery procedures • Restore operations “in-place,” not at hot-site • Focus on forensic approach • Quarterly testing

  8. An observation… • ISS responded to as many intrusion incidents in Q4-03 alone as it did all of 2003. • 75% of the cases have requested forensic evidence considerations for prosecution. • These incidents were all different, but they have had recurring themes which make them easier to prepare for.

  9. What happened? • These incidents were not caused by “natural” disasters like fire, flood, or earthquake • A “traditional” disaster recovery plan would not have been sufficient • But the potential effects were the same • Ability to conduct business was impacted • Reputation could have been damaged • Financial loss could have occurred • Loss of customers

  10. The need for good and timely information • During a natural disaster, information is made available to us by television, radio, and government sources • During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves • Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them

  11. Obtaining good and timely information • Do you have skills in-house to stay on top of threats and vulnerabilities? • Does your staff respond to attacks frequently enough to keep their skills sharp? • Do you have ( and follow) escalation, notification and handling procedures? • What is the value of a second opinion when you think you’re under attack? • Can you conduct a forensic investigation without contaminating evidence? • What are your regulatory requirements?

  12. Information Security Lifecycle How well are we protected, now and in the future? What can we add or change to improve our security? Put all this in place without impacting users Given what we have, how do we handle security incidents?

  13. Goals of an Incident Response • Gain control of any upcoming security problems • Facilitate centralized reporting of incidents • Coordinate response to incidents • Raise security awareness of users • Provide a clearinghouse of relevant computer security information • Promote security policies • Provide liaisons to legal and criminal investigative groups both inside and outside the company

  14. Incident Response • Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects; • Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization; • Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident; • Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and • Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.

  15. Confidentiality Integrity Availability Incident Preparedness Incident Preparedness • Security Best Practices (ISO17799) • Roles and Responsibilities • Technology • Education/Awareness • Scenario Testing & Validation

  16. Assess Existing Controls & Procedures ISO 17799 Best Practices… • Information Security Policy • Incident Response and Preparedness • Authentication & Access Control • Information Ownership and Classification • Change Control • Auditable • Information Security Management • Network Management • Vulnerability Management & Policy Compliance • Threat Management • Life Cycle Security Performance Monitoring (Quality)

  17. Assess Infrastructure • Network Perimeter and Penetration Analysis(determines current exposure to circumventing perimeter controls) • Internet Connectivity (e.g., firewalls, routers) • Business to Business connectivity • Remote Access • Vulnerability and Risk Analysis(determines current risks and exposure within the organization) • Qualitative and Quantitative Analysis: • Network Exposures • Host Exposures • Database Security • Network Architecture • Best Practices (ISO 17799) • Regulatory Requirements

  18. Define the Desired Security State • Define existing and future business requirements relative to information security • Balance business objectives, risks and best practices such as ISO 17799 • Define controls and their benefits relative to roles, responsibilities and associated risks • Identify residual risks • Define the requirements for a proactive,integrated strategic security infrastructure

  19. Perform a GAP Analysis DesiredSecurityState(DSS) CurrentSecurityState

  20. Incident Alert Alert! Incident Preparedness • Technology (e.g., Firewalls, ID) • Management Process (HR) • System Administration Staff • End Users (Internal, External) • News Agencies • Hackers • Internet Service Provider Alarm

  21. Incident Reporting Incident Preparedness Communicate Alarm • Technology (email, pager, etc.) • Help Desk (Trouble Ticket) • Call-Out Process Report & Notification

  22. Incident Investigation Incident Preparedness Alarm Is It Real? Report & Notification • Activity Logs • Preliminary Interview and Check • Policy Violation • Technology Preliminary Investigation

  23. Decision and Resources Incident Preparedness Alarm Is It Real? Report & Notification Preliminary Investigation • Emergency Declaration • Incident Coordinator/Team • Course of action • Technical • Legal Decision and Resources

  24. Incident Response Take Action Incident Preparedness • In depth Investigation • Detailed Interviews and Forensics • Containment • Connectivity (Off, Routing, etc.) • Sever Trust among Systems • Disable Applications • Sandbox • Honeypot • Remote Access • Legal • Public Relations • Human Resources • Law Enforcement • Prosecution • Customer/Employee Notification Alarm Report & Notification Preliminary Investigation Decision and Resources Response

  25. Incident Recovery Incident Preparedness Alarm Report & Notification Fix & Go On Preliminary Investigation • Eradication • Trojans, Root kits, Bogus Accounts • Operations Restoration • Backups, Cleanup • Disaster Recovery • Mitigate Reoccurrence Risk • Technology • Policy and Procedures Decision and Resources Response Recovery

  26. L LessonsLearned Incident Recovery Incident Preparedness Improvement/Quality Alarm • Documentation • Update Incident Response Process • Financial Impact Analysis • Staff Needs • Budget Needs • Quality in Information Security Report & Notification Preliminary Investigation Decision and Resources Response Recovery

  27. CSIRP

  28. Components of a CSIRP • Charter • Incident Definition and Declaration • Team Make Up • Response Procedures • Preplanned Response Procedures • Sample Press Release • CSIRT Contact Information

  29. Charter • Mission • Scope • Organizational & Team Structure • Information Flow • Services (Reactive and Proactive)

  30. Incident Definition/Declaration • Declaration • Severity • Response Teams • D/R Relationship

  31. Team Makeup • CSIRT Officer and Manager • CSIRT Decision Pool

  32. Incident Response Team

  33. Roles and Responsibilities Roles and Responsibilities should be defined: • Communication • Protocol • Coordination • Who will be the ultimate decision maker. • Who will monitor the monitors.

  34. Centralized Incident Reporting • A central point of contact must be created • Hotline • Email address (ers@mycompany.com) • Centralized reporting is vital to the effectiveness of a company’s ERS initiative • Consolidation • Correlation • Statistics on size, nature and extent of security problems

  35. Response Procedures • Alert Phase • Triage Phase • Recovery Phase • Maintenance Phase

  36. Preplanned Response Procedures • Virus Response • Past Incidents • Lessons Learned

  37. Sample Press Release • Plan on word getting out • Then be really happy if it doesn’t

  38. CSIRT Contact Information • Call out lists and alternates

  39. ISS Jeopardy • Asses/Design/Deploy/Manage/Educate What is the Information Security Life Cycle

  40. ISS Jeopardy • Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence What are the Goals of Incident Response

  41. ISS Jeopardy • This Item Sets The Charter, Roles and Procedures for Incident Response What is a Computer Security Incident Response Plan

  42. ISS Jeopardy • Mission/Scope/Team Structure/Info. Flow/Services What is contained in the CSIRP Charter

  43. ISS Jeopardy • Alert/Triage/Recovery/Maintenance What are the Response Procedures of a CSIRP

  44. ISS Jeopardy • Rob Gallery Who was the # 2 Pick, 1st Round in the 2004 NFL Draft #74, 6’8” 320 lbs, Rob Gallery (Iowa) Offense Tackle to Oakland Raiders

  45. ISS Jeopardy • “Heidi Game” 1968 Raiders/Jets Game interrupted for showing of “Heidi with 65 Seconds remaining and the Jets ahead 32-29 Raiders won. After Raiders scored on a Daryl Lamonica pass to make it 36-32, the Jets fumbled the kick off and the Raiders ran it in to make final score 43-32

  46. Thank You Ed Hudson, CISM Director, Professional Services X-Force PSS ed.hudson@iss.net

More Related