9780840024220 ppt ch11

Guide to Network Security 1 st Edition Chapter Eleven Contingency Planning and Networking Incident Response

Upload: kristin-harrison

Post on 06-Aug-2015


Guide to Network Security 1st Edition

Chapter Eleven: Contingency Planning and Networking Incident Response

© 2013 Course Technology/Cengage Learning. All Rights Reserved

Objectives

• Explain the need for contingency planning
• List the major components of contingency planning
• Create a simple set of contingency plans, using business impact analysis
• Prepare and execute a test of contingency plans
• Explain the network incident response process
• Explain the need for sound backup and recovery practices and what they consist of


Introduction

• Threats to network systems
  – Deliberate attacks from hostile parties
  – Outside events
  – Internal failures
  – Unintended actions of friendly parties

• Network disruption may bring business operations to a standstill

• Organizations should prepare for the unexpected


What Is Contingency Planning?

• Contingency planning (CP)
  – Process of positioning an organization to prepare for, detect, react to, and recover from man-made or natural threats to information security assets

  – Main goal: restore normal operations following a disruptive event

• Four components of CP
  – Business impact analysis (BIA)
  – Incident response plan (IR plan)
  – Disaster recovery plan (DR plan)
  – Business continuity plan (BC plan)


What Is Contingency Planning? (cont’d.)

• Contingency planning teams
  – CP Management Team (CPMT)
    • Manages the overall process
    • Develops master plan for CP operations
    • Collects information about threats to information systems
    • Conducts the BIA
    • Staffs the leadership of the subordinate teams
    • Provides guidance to and integrates work of subordinate teams


What Is Contingency Planning? (cont’d.)

• Contingency planning teams (cont’d.)
  – Incident response (IR) team
    • Develops, tests, manages, and executes the IR plan
    • Detects, evaluates, and responds to incidents
  – Disaster recovery (DR) team
    • Develops, tests, manages, and executes the DR plan
    • Responsible for re-establishing operations at the primary business site
  – Business continuity (BC) team
    • Responsible for setting up and starting off-site operations after an incident or a disaster


What Is Contingency Planning? (cont’d.)

• Incident response
  – Focus is on small-scale events
  – Examples: hacking attempts, malware, or misuse of corporate assets
• Incident may escalate into a disaster
  – IR plan may give way to the DR and BC plans
• Business resumption plan
  – Used by some organizations as a combination of the DR and BC plans


Figure 11-1 An incident turns into a disaster (© Cengage Learning 2013)

Figure 11-2 Move from disaster recovery to business continuity (© Cengage Learning 2013)


Stages and Components of Contingency Planning

• Major steps from NIST Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems
  1. Form the CPMT
  2. Develop the CP policy statement
  3. Conduct the BIA
  4. Form subordinate planning teams
  5. Develop subordinate planning policies
  6. Integrate the BIA
  7. Identify preventive controls


Stages and Components of Contingency Planning (cont’d.)

• Major steps (cont’d.)
  8. Organize response teams
  9. Create contingency strategies
  10. Develop subordinate plans
  11. Ensure plan testing, training, and exercises
  12. Ensure plan maintenance


Figure 11-3 Incident response, disaster recovery, and business continuity workflow (© Cengage Learning 2013)

Figure 11-4 Contingency planning life cycle (© Cengage Learning 2013)


Stages and Components of Contingency Planning (cont’d.)

• Business impact analysis
  – First major component of the CP process
  – Provides the CPMT with information about systems and the threats they face
• Three major steps of the BIA
  – Determine mission/business processes and recovery criticality
  – Identify resource requirements
  – Identify recovery priorities for system resources


Figure 11-5 Business impact analysis process (© Cengage Learning 2013)


Stages and Components of Contingency Planning (cont’d.)

• Incident response plan
  – Documents actions the organization should take while an incident is in progress
• Absence of well-defined procedures can lead to:
  – Extensive damage to data, systems, and networks
  – Intrusions affecting multiple systems both inside and outside the organization
  – Negative exposure in the news media
  – Legal liability for attacks against others using the organization’s systems


Stages and Components of Contingency Planning (cont’d.)

• Disaster recovery plan
  – Entails preparation for and recovery from a disaster
• Criteria for a disaster
  – Organization is unable to gain control of the impact of the incident
  – Organization cannot quickly recover because the level of damage is so severe
• DR plan documents whether an event is classified as an incident or a disaster


Stages and Components of Contingency Planning (cont’d.)

• Business continuity plan
  – Ensures critical business functions continue if a disaster occurs
  – Managed by the CEO of an organization
  – Activated and executed concurrently with the DR plan when the disaster is major or long-term
  – Involves re-establishing business functions at an alternate site


Stages and Components of Contingency Planning (cont’d.)

• CP disruption phases
  – Defines actions that occur when an event becomes an incident or disaster
  – Phase 1: activation/notification phase
    • Activate the plan based on outage impacts
    • Notify recovery personnel
  – Phase 2: recovery phase
    • Recovery teams restore system operations using the alternate site
  – Phase 3: reconstitution phase
    • Return the system to normal operating conditions


Data and Application Resumption

• Data backup and management methods
  – Disk backup
  – Tape backup
• Data files and critical system files should be backed up daily
  – Nonessential files backed up weekly
• Data retention plan
  – Laws govern how long data must be stored
• Full backups of entire systems should be stored in a secure location


Disk-to-Disk-to-Tape

• Cost of storage media continues to decrease
  – Disk backups more convenient than tape
• Storage area networks
  – Used to store information in arrays of independent, large-capacity disk drives
• Secondary data disk series should be periodically backed up to tape or other removable media


Backup Strategies

• Types of backups
  – Full
    • Complete backup of the entire system
  – Differential
    • Stores all new files and files modified since the last full backup
  – Incremental
    • Stores data modified since the last backup of any type
    • Requires less space and time than a differential backup
    • Multiple backups needed to restore the full system
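To make the three backup types concrete, here is an added example (not from the textbook or its publisher) that simulates a week of backups over a constructed file set and derives the chain of backup sets a restore must read; file names, contents and the schedule are made up, and file deletions are not modelled.

```python
"""Added example, not from the textbook: simulate the full, differential and
incremental backup types from the slide on a constructed file set and work
out which backup sets a restore must read. File deletions are not modelled."""
from collections import namedtuple

Backup = namedtuple("Backup", "kind day files")   # files: path -> content captured


class BackupSimulator:
    def __init__(self):
        self.backups = []
        self.at_last_full = {}     # file state when the last full backup ran
        self.at_last_any = {}      # file state when the last backup of any kind ran

    @staticmethod
    def _changed_since(live, baseline):
        """Files that are new or whose content differs from the baseline snapshot."""
        return {p: c for p, c in live.items() if baseline.get(p) != c}

    def run(self, kind, day, live):
        """Take one backup of the current file set `live` (path -> content)."""
        if kind == "full" or not self.backups:          # the first backup is always full
            kind, captured = "full", dict(live)
            self.at_last_full = dict(live)
        elif kind == "differential":                     # everything since the last full
            captured = self._changed_since(live, self.at_last_full)
        else:                                            # incremental: since the last backup of any type
            captured = self._changed_since(live, self.at_last_any)
        self.at_last_any = dict(live)
        self.backups.append(Backup(kind, day, captured))
        return captured

    def restore_chain(self, day):
        """Backup sets to read, oldest first, to rebuild the system as of `day`: walking
        backwards, incrementals are collected until a differential (which already holds
        everything since the last full, so older incrementals are skipped) or a full."""
        chain, want_full_only = [], False
        for b in reversed([b for b in self.backups if b.day <= day]):
            if want_full_only and b.kind != "full":
                continue
            chain.append(b)
            if b.kind == "full":
                break
            if b.kind == "differential":
                want_full_only = True
        return chain[::-1]

    def restore(self, day):
        """Apply the chain oldest to newest; later sets overwrite earlier copies of a file."""
        restored = {}
        for b in self.restore_chain(day):
            restored.update(b.files)
        return restored


def demo():
    """Constructed week: full, incremental, incremental, differential, incremental."""
    sim, live = BackupSimulator(), {"app.conf": "v1", "orders.db": "o1", "users.db": "u1"}
    schedule = [("full", {}), ("incremental", {"orders.db": "o2"}),
                ("incremental", {"users.db": "u2"}), ("differential", {}),
                ("incremental", {"app.conf": "v2"})]
    for day, (kind, changes) in enumerate(schedule, start=1):
        live.update(changes)
        sim.run(kind, day, live)
    chain = [(b.kind, b.day) for b in sim.restore_chain(5)]
    return chain, sim.restore(5) == live, len(sim.backups[3].files)
```

Restoring day 5 needs three sets (the full, the day-4 differential and the day-5 incremental), whereas restoring day 3 would need the full plus both incrementals.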


Backup Strategies (cont’d.)

• General guidelines
  – Secure on-site and off-site storage
  – Provide a controlled environment for the media
  – Clearly label and write-protect each media unit
  – Retire media units prior to reaching the end of their useful life
• Tape backup and recovery
  – Common types of tape media
    • Digital audio tapes (DATs)
    • Quarter-inch cartridge drives (QIC)
    • 8 mm tape
    • Digital linear tape (DLT) and Linear Tape Open (LTO)


Backup Strategies (cont’d.)

• Classic methods for selecting files to back up
  – Six-tape rotation
  – Grandfather-Father-Son method
  – Towers of Hanoi
• Online backups and the cloud
  – Online backup to a third-party storage vendor
• Cloud computing forms
  – Software as a Service (SaaS)
  – Platform as a Service (PaaS)
  – Infrastructure as a Service (IaaS)
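As an added example (not from the textbook), the following computes which tape to mount on a given day under two of the rotation methods named above, Grandfather-Father-Son and Towers of Hanoi; the GFS calendar (daily tapes Monday to Thursday, a weekly tape on Friday, none at weekends) and the tape counts are assumptions.

```python
"""Added example, not from the textbook: which tape to mount on a given day under
two of the rotation schemes the slide names, Grandfather-Father-Son and Towers of
Hanoi. The GFS calendar (daily Mon-Thu, weekly Friday, nothing at weekends) is assumed."""
import datetime as dt

DAILY = ["Mon", "Tue", "Wed", "Thu"]


def gfs_tape(day, weekly_tapes=4, monthly_tapes=12):
    """Grandfather-Father-Son: Mon-Thu reuse a daily 'son' tape each week, Fridays
    go to a weekly 'father' tape, and the last Friday of the month to a monthly
    'grandfather' tape kept for a year. Returns (tier, label) or (None, None)."""
    wd = day.weekday()                          # Monday == 0
    if wd >= 5:
        return (None, None)                     # no backup at the weekend (assumption)
    if wd < 4:
        return ("son", "daily-" + DAILY[wd])
    if (day + dt.timedelta(days=7)).month != day.month:   # last Friday of the month
        return ("grandfather", "monthly-%d" % ((day.month - 1) % monthly_tapes + 1))
    week = (day.day - 1) // 7                   # 0-based week of the month
    return ("father", "weekly-%d" % (week % weekly_tapes + 1))


def hanoi_tape(n, tapes=5):
    """Towers of Hanoi: backup n (1-based) goes to tape A on every odd run, B every
    4th run, C every 8th, and so on; the tape index is the number of trailing zero
    bits in n, capped at the last tape, which is therefore overwritten least often."""
    level = (n & -n).bit_length() - 1
    return chr(ord("A") + min(level, tapes - 1))


def hanoi_restore_points(n, tapes=5):
    """After backup n, the most recent backup number still held on each tape, i.e.
    the restore points available; the last tape reaches furthest back in time."""
    points = {}
    for i in range(1, n + 1):
        points[hanoi_tape(i, tapes)] = i
    return points
```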


Table 11-1 Selecting the best rotation method (© Cengage Learning 2013)


Backup Strategies (cont’d.)

• Cloud ownership
  – Public
    • Most common implementation
    • Third party makes services available over the Internet
  – Community
    • Collaboration between a few entities for their sole use
  – Private
    • Parent company creates a cloud for its own use and that of subordinate organizations
    • Theoretical implementation


Threats to Stored Information

• Processes to prevent accidental loss of backup media
  – Careful processes
  – Use of professional couriers
  – Tape encryption
  – Erase backup tapes before returning them to the “scratch pool” for reuse
• Backup and recovery elapsed time
  – Usually requires twice as much time to restore information as to produce the backup


Threats to Stored Information (cont’d.)

• Redundant array of independent disks (RAID)
  – Method for ensuring data is not lost
  – Does not replace backup and recovery processes
• Most common RAID configurations (levels)
  – RAID Level 0
    • Creates one larger logical volume across several physical hard disk drives
    • Stores data in segments called stripes


Threats to Stored Information (cont’d.)

• Most common RAID configurations (cont’d.)
  – RAID Level 1
    • Data is written to two drives simultaneously
    • Disk mirroring
  – RAID Level 2
    • Specialized form of disk striping with parity
    • Not commonly used
  – RAID Levels 3 and 4
    • Byte- and block-level striping of data
    • Parity information stored on a separate drive


Threats to Stored Information (cont’d.)

• Most common RAID configurations (cont’d.)
  – RAID Level 5
    • Similar to RAID 3 and 4 without a dedicated parity drive
    • Data segments interleaved with parity data
  – RAID Level 6
    • Similar to RAID 5 with two blocks of parity data striped across the drives
  – RAID Level 7
    • Proprietary variation on RAID 5
    • Array works as a single virtual drive


Threats to Stored Information (cont’d.)

• Most common RAID configurations (cont’d.)
  – RAID Level 10
    • Combines the benefits of RAID 0 and RAID 1
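The striping-with-parity idea behind RAID 3, 4 and 5 is easiest to see in code. The toy RAID 5 array below is an added example (not from the textbook): it interleaves data blocks with rotating XOR parity, rebuilds a failed drive on read, refuses a second failure, and shows that an accidental overwrite is preserved just as faithfully, which is why the slide says RAID does not replace backup and recovery. Drive count, block size and the sample data are constructed.

```python
"""Added example, not from the textbook: a toy RAID 5 array with block-level
striping and rotating parity. It shows one failed drive being rebuilt by XOR,
that a second failure is fatal, and that an accidental overwrite is protected
just as faithfully, which is why RAID does not replace backups."""


class Raid5:
    def __init__(self, drives, block_size):
        assert drives >= 3, "RAID 5 needs at least three drives"
        self.n, self.bs = drives, block_size
        self.disks = [dict() for _ in range(drives)]   # drive -> {stripe: block}
        self.failed, self.stripes = set(), 0

    def _layout(self, stripe):
        """Drive holding this stripe's parity (rotating), then the data drives."""
        parity = (self.n - 1 - stripe) % self.n
        return parity, [d for d in range(self.n) if d != parity]

    @staticmethod
    def _xor(blocks):
        out = bytearray(len(blocks[0]))
        for blk in blocks:
            for i, byte in enumerate(blk):
                out[i] ^= byte
        return bytes(out)

    def write(self, data):
        """Stripe `data` across the array; the last stripe is zero-padded."""
        per_stripe = self.bs * (self.n - 1)
        self.stripes = -(-len(data) // per_stripe)       # ceiling division
        for s in range(self.stripes):
            chunk = data[s * per_stripe:(s + 1) * per_stripe].ljust(per_stripe, b"\0")
            blocks = [chunk[i * self.bs:(i + 1) * self.bs] for i in range(self.n - 1)]
            parity, drives = self._layout(s)
            for d, blk in zip(drives + [parity], blocks + [self._xor(blocks)]):
                if d not in self.failed:                  # a dead drive takes no writes
                    self.disks[d][s] = blk

    def fail(self, drive):
        self.failed.add(drive)

    def _block(self, drive, stripe):
        """Read one block, rebuilding it from every other drive if `drive` failed."""
        if drive not in self.failed:
            return self.disks[drive][stripe]
        others = [d for d in range(self.n) if d != drive]
        if any(d in self.failed for d in others):
            raise IOError("RAID 5 tolerates only one failed drive")
        return self._xor([self.disks[d][stripe] for d in others])

    def read(self):
        out = b"".join(self._block(d, s) for s in range(self.stripes)
                       for d in self._layout(s)[1])
        return out.rstrip(b"\0")      # toy: assumes the data has no trailing NULs


def demo():
    """Constructed scenario: write a record set, lose a drive, then overwrite it by mistake."""
    raid = Raid5(drives=4, block_size=4)
    ledger = b"customer ledger 2013-Q3: 1,284 rows"
    raid.write(ledger)
    raid.fail(2)
    survived_failure = raid.read() == ledger           # rebuilt transparently from parity
    raid.write(b"ledger truncated by a bad script")     # RAID protects the mistake just as well
    return survived_failure, raid.read()
```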


Figure 11-6 Samples of RAID implementations (© Cengage Learning 2013)


Database Backups

• Databases require special backup and recovery procedures
  – May or may not be able to back up the database with server operating system utilities
• System backup procedures may interrupt use of the database
• Administrators need to know whether the database uses special journal file systems
  – Files must be backed up properly


Application Backups

• Some applications use file systems in ways that invalidate customary backup methods
  – Ensure advance planning and inclusion of application support team members
• Real-time protection; server recovery and application recovery
  – Use of mirroring provides real-time protection
  – One implementation method: using hot, warm, and cold servers


Application Backups (cont’d.)

• Bare metal recovery technologies
  – Designed to replace operating systems and services when they fail
• Server clustering
  – Active/passive clustering
    • Two identically configured servers share access to the application data storage
    • Passive server takes control if the active server fails
  – Active/active clustering
    • All members of a cluster simultaneously provide application services


Application Backups (cont’d.)

• Electronic vaulting
  – Bulk transfer of data in batches to an off-site facility
  – Usually conducted over dedicated network links
  – Criteria: cost of the service and required bandwidth
  – More expensive than tape backup
  – Slower than data mirroring
  – Data must be encrypted while in transit


Figure 11-7 Electronic vaulting architecture (© Cengage Learning 2013)


Application Backups (cont’d.)

• Remote journaling
  – Transfer of live transactions to an off-site facility
  – Only transaction data is transferred, not archived data
  – Transfer is performed online and closer to real-time


Figure 11-8 Remote journaling architecture (© Cengage Learning 2013)


Application Backups (cont’d.)

• Database shadowing
  – Propagation of transactions to a remote copy of the database
  – Combines electronic vaulting with remote journaling
    • Applying transactions to the database simultaneously in two separate locations


Figure 11-9 Database shadowing architecture (© Cengage Learning 2013)


Network-Attached Storage and Storage Area Networks

• Network-attached storage (NAS)
  – Single device or server that attaches to the network
  – Provides online storage
  – Configured to allow users or groups of users to access data storage
  – Does not work well with real-time applications
• Storage area networks (SANs)
  – Use Fibre Channel or iSCSI connections


Figure 11-10 SAN and NAS architectures (© Cengage Learning 2013)

Table 11-2 NAS versus SAN (© Cengage Learning 2013)


Service Level Agreements (SLAs)

• Contractual documents guaranteeing certain minimum levels of service provided by vendors

• Service levels commonly measured as a series of nines
  – Example: three nines availability = 99.9 percent uptime or better


Incident Response Plan

• Incident response
  – Set of procedures that commences when an incident is detected
  – Must be carefully planned and coordinated


Figure 11-11 NIST incident response process (© Cengage Learning 2013)


Form IR Planning Team

• First step in the incident response planning process
• Example stakeholder groups represented in the IR team
  – General management
  – IT management
  – Information security management
  – Operations
  – Legal affairs
  – Public relations
  – Customer support


Develop IR Planning Policy

• Structural overview of a typical IR policy
  – Statement of management commitment
  – Purpose and objectives of the policy
  – Scope of the policy
  – Definition of information security incidents and consequences
  – Definition of roles and responsibilities
  – Prioritization of incidents
  – Performance measures
  – Reporting and contact forms


Integrate the Business Impact Analysis (BIA)

• Identify potentially successful attacks and understand possible outcomes

• Three-stage process
  – Threat attack identification and prioritization
  – Attack success scenario development
  – Potential damage assessment


Identify Preventive Controls Unique to IR

• Identify preventive controls currently in place
  – Involves asset inventory and prioritization
• Determine whether controls are effective
• Some assets protect organizations against incidents and disasters
  – Example: fire suppression equipment


Organize the Computer Security Incident Response Team (CSIRT)

• Computer Security Incident Response Team
  – Group of individuals who will respond to an incident
  – Select personnel based on skills and access privileges
  – Different CSIRT subteams can be formed based on the scope and type of incident
• Training members can occur in various ways
  – National training programs and conferences
  – Mentoring-type training


Create IR Contingency Strategies

• Plan exactly how to respond to various incidents
• Strategies vary greatly
  – Single IR strategy
  – Several optional plans to handle different circumstances
• General categories of strategies
  – Protect and forget
  – Apprehend and prosecute


Table 11-3 Key steps in reaction strategies (© Cengage Learning 2013)


Develop the Incident Response (IR) Plan

• General sections of the incident response plan
  – Identification
  – Response
  – Containment and eradication
  – Recovery
• Incident classification
  – Process of evaluating organizational events
• Possible indicators of an incident
  – Presence of unfamiliar files


Develop the Incident Response (IR) Plan (cont’d.)

• Possible indicators of an incident (cont’d.)
  – Presence of unknown programs or processes
  – Unusual consumption of computing resources
  – Unusual system crashes
• Probable indicators of an incident
  – Activities at unexpected times
  – Presence of new accounts
  – Reported attacks
  – Notification from IDS


Develop the Incident Response (IR) Plan (cont’d.)

• Definite indicators of an incident
  – Use of dormant accounts
  – Modified or missing logs
  – Presence of hacker tools
  – Notifications by a partner or peer
  – Notification by hacker
• Response actions
  – Notification
  – Documenting the incident
    • Interview individuals involved
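The possible/probable/definite indicator tiers on these slides map naturally onto detection rules. As an added example (not from the textbook), the script below checks constructed syslog-style authentication lines for four of the listed indicators (presence of new accounts, activities at unexpected times, use of dormant accounts, modified or missing logs) and tags each hit with its tier; the account inventory, the business-hours window and the 90-day dormancy threshold are assumptions.

```python
"""Added example, not from the textbook: run the incident indicators listed on
these slides (new accounts, activity at unexpected times, use of dormant accounts,
modified or missing logs) over constructed log lines and report each hit with the
slide's confidence tier. Inventory, hours and the dormancy threshold are assumed."""
import re
from datetime import datetime, timedelta

# Constructed account inventory: user -> last known legitimate login.
INVENTORY = {
    "alice": datetime(2013, 8, 5, 9, 12),
    "bob": datetime(2013, 8, 6, 17, 40),
    "svc_backup": datetime(2013, 3, 1, 2, 0),     # service account idle for months
}
DORMANT_AFTER = timedelta(days=90)
BUSINESS_HOURS = range(7, 20)                     # 07:00-19:59 counts as expected
TIER_RANK = {"possible": 0, "probable": 1, "definite": 2}

# Constructed syslog-style lines, not real program output.
SAMPLE_LOG = """\
2013-08-07T08:03:11 host1 sshd: Accepted password for alice from 10.0.0.5
2013-08-07T02:14:52 host1 sshd: Accepted password for bob from 10.0.0.9
2013-08-07T03:01:07 host1 sshd: Accepted password for svc_backup from 10.0.0.77
2013-08-07T03:05:40 host1 useradd: new user: name=tmpadmin, UID=0, GID=0
2013-08-07T03:06:02 host1 sshd: Accepted password for tmpadmin from 10.0.0.77
2013-08-07T03:09:15 host1 auditd: log file /var/log/secure truncated
"""
LINE = re.compile(r"^(\S+) \S+ \w+: (.*)$")            # timestamp host program: message
LOGIN = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
NEW_USER = re.compile(r"new user: name=(\w+)")
LOG_TAMPER = re.compile(r"log file (\S+) (truncated|deleted|cleared)")


def triage(log_text, inventory=INVENTORY, now=datetime(2013, 8, 7, 9, 0)):
    """Return (tier, indicator, detail) for every line that matches an indicator."""
    hits, new_accounts = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        created = NEW_USER.search(msg)
        if created:
            new_accounts.add(created.group(1))
            hits.append(("probable", "presence of new accounts", created.group(1) + " created"))
        tamper = LOG_TAMPER.search(msg)
        if tamper:
            hits.append(("definite", "modified or missing logs", tamper.group(1)))
        login = LOGIN.search(msg)
        if login:
            user, src = login.groups()
            last = inventory.get(user)
            if last is not None and now - last > DORMANT_AFTER:
                hits.append(("definite", "use of dormant accounts", f"{user} from {src}"))
            elif user in new_accounts:     # login by an account created in this same log
                hits.append(("probable", "presence of new accounts", f"login by {user} from {src}"))
            if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
                hits.append(("probable", "activities at unexpected times", f"{user} at {ts}"))
    return hits


def highest_tier(hits):
    """The strongest tier seen, which is what decides whether the IR plan is activated."""
    return max((h[0] for h in hits), key=TIER_RANK.get, default=None)
```

On the sample, the dormant service-account login and the truncated log are the two definite indicators; the off-hours logins and the new root-equivalent account are reported as probable, which together would justify activating the plan.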


Develop the Incident Response (IR) Plan (cont’d.)

• Containment/eradication
  – First step: identify the affected area
• Containment strategies
  – Disable compromised user accounts
  – Reconfigure the firewall to block problem traffic
  – Temporarily disable the compromised process or service
  – Take down the conduit application or server
  – Stop all computers and network devices


Develop the Incident Response (IR) Plan (cont’d.)

• Recovery
  – Inform appropriate human resources
  – Assess the full extent of the damage
  – Begin recovery operations based on the appropriate section of the IR plan
  – Steps
    • Identify and resolve vulnerabilities
    • Restore data
    • Restore services and processes
    • Restore confidence across the organization
    • After-action review


Ensure Plan Testing, Training, and Exercises

• Five strategies to test contingency plans
  – Desk check
  – Structured walk-through
  – Simulation
  – Parallel testing
  – Full interruption
  – War gaming


IR Plan Maintenance

• Plan should be periodically reviewed
  – Every one year or less
  – Shortcomings should be noted
• Deficiencies may come to light based on:
  – AARs
  – Use of the plan for actual incidents
  – Use of the plan for simulated incidents
  – Review during periodic maintenance

• Revise plan to correct deficiencies


Summary

• Contingency planning (CP)
  – Process of positioning an organization to prepare for, detect, react to, and recover from events that threaten information security assets
• CP has 12 stages
• BIA provides the CP team with information about systems and the threats they face
• IR plan documents actions an organization should take while an incident is in progress


Summary (cont’d.)

• Business continuity planning (BCP) ensures that business-critical functions can continue when a disaster occurs

• Two general IR strategies include “protect and forget” and “apprehend and prosecute”

• Stopping the incident or containing its impact is a critical component of incident response

• Ongoing maintenance of the IR plan includes after-action reviews (AARs)
