© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Cyber Disaster Recovery Planning for the Inevitable.

© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.

Cyber Disaster RecoveryPlanning for the Inevitable


20 years ago Disaster Recovery (D/R) plans protected brick and mortar companies. Today it must protect the growing virtual side of business: E-business.


Why Focus on Incident Preparedness?

20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure Earthquake and hurricane “proof” buildings Redundant power and communications Disaster recovery planning Regulatory requirements


Today, survival of the business also depends on survival of the information infrastructure Firewalls, proxies, access controls VPNs, encryption, authentication Growing regulation

SOX HIPPA GLBA CA Breach Law

Planning ahead insures against catastrophe


Overview

Traditional disaster recovery (D/R) planning is formal and tested regularly

Cyber-D/R planning is less mature, but more necessary today Cyber-D/R requires quick reaction and different skill sets: e.g.,

computer forensics Growing trend toward prosecution Critical infrastructure protection requires better Cyber-D/R

planning and response capability


“Traditional” disaster recovery

Business impact analysis Determine functional areas critical to the business Identify critical computer systems and applications Determine disaster recovery budget

Formal disaster recovery plan Disaster declaration criteria and procedures Hot-site and cold-site arrangements Staff response / call-out plans Recovery procedures

Annual testing


“Cyber” disaster recovery

Business impact analysis Focusing on impact of “electronic” disasters such as computer security

breaches, instead of “natural” disasters Computer Security Incident Response Plan

Similar in structure to disaster recovery plan Incident declaration criteria and procedures Staff response / call-out plans Recovery procedures

Restore operations “in-place,” not at hot-site Focus on forensic approach Quarterly testing


An observation…

ISS responded to as many intrusion incidents in Q4-03 alone as it did all of 2003.

75% of the cases have requested forensic evidence considerations for prosecution.

These incidents were all different, but they have had recurring themes which make them easier to prepare for.


What happened?

These incidents were not caused by “natural” disasters like fire, flood, or earthquake A “traditional” disaster recovery plan would not have been sufficient

But the potential effects were the same Ability to conduct business was impacted Reputation could have been damaged Financial loss could have occurred Loss of customers


The need for good and timely information

During a natural disaster, information is made available to us by television, radio, and government sources

During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves

Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them


Obtaining good and timely information

Do you have skills in-house to stay on top of threats and vulnerabilities? Does your staff respond to attacks frequently enough to keep their skills

sharp? Do you have ( and follow) escalation, notification and handling

procedures? What is the value of a second opinion when you think you’re under

attack? Can you conduct a forensic investigation without contaminating

evidence? What are your regulatory requirements?


Information Security Lifecycle

Put all this in place without impacting

users

What can we add or change to improve

our security?

How well are we protected, now and

in the future?

Given what we have, how do we handle security incidents?


Goals of an Incident Response

Gain control of any upcoming security problems Facilitate centralized reporting of incidents Coordinate response to incidents Raise security awareness of users Provide a clearinghouse of relevant computer security

information Promote security policies Provide liaisons to legal and criminal investigative groups both

inside and outside the company


Incident Response

• Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects;

• Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization;

• Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident;

• Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and

• Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.


Incident Preparedness • Security Best Practices (ISO17799)

• Roles and Responsibilities

• Technology

• Education/Awareness

• Scenario Testing & Validation

ConfidentialityConfidentiality

IntegrityIntegrity

AvailabilityAvailability

Incident Preparedness


Information Security Policy Incident Response and Preparedness Authentication & Access Control Information Ownership and Classification Change Control Auditable Information Security Management Network Management Vulnerability Management & Policy Compliance Threat Management Life Cycle Security Performance Monitoring

(Quality)

Assess Existing Controls & Procedures

ISO 17799 Best Practices…


Assess Infrastructure

Network Perimeter and Penetration Analysis (determines current exposure to circumventing perimeter controls) Internet Connectivity (e.g., firewalls, routers) Business to Business connectivity Remote Access

Vulnerability and Risk Analysis(determines current risks and exposure within the organization) Qualitative and Quantitative Analysis:

Network Exposures Host Exposures Database Security Network Architecture Best Practices (ISO 17799) Regulatory Requirements


Define the Desired Security State

Define existing and future business requirements relative to information security

Balance business objectives, risks and best practices such as ISO 17799

Define controls and their benefits relative to roles, responsibilities and associated risks

Identify residual risks

Define the requirements for a proactive,integrated strategic security infrastructure


CurrentSecurity

State

Perform a GAP Analysis

DesiredSecurity

State(DSS)


Incident Preparedness • Technology (e.g., Firewalls, ID)

• Management Process (HR)

• System Administration Staff

• End Users (Internal, External)

• News Agencies

• Hackers

• Internet Service Provider

Alarm

Alert!Alert!Incident Alert



• Technology (email, pager, etc.)

• Help Desk (Trouble Ticket)

• Call-Out Process

Alarm

Report & Notification

CommunicateCommunicate

Incident Reporting



• Activity Logs

• Preliminary Interview and Check

• Policy Violation

• Technology

Alarm


Preliminary Investigation

Is It Real?Is It Real?

Incident Investigation



• Emergency Declaration

• Incident Coordinator/Team

• Course of action

• Technical

• Legal

Alarm


Is It Real?Is It Real?

Decision and Resources




Incident Preparedness • In depth Investigation

Detailed Interviews and Forensics

• Containment Connectivity (Off, Routing, etc.) Sever Trust among Systems Disable Applications Sandbox Honeypot Remote Access

• Legal Public Relations Human Resources Law Enforcement Prosecution

• Customer/Employee Notification

Alarm




Response

Take ActionTake ActionIncident Response



• Eradication Trojans, Root kits, Bogus

Accounts

• Operations Restoration Backups, Cleanup Disaster Recovery

• Mitigate Reoccurrence Risk Technology Policy and Procedures

Alarm




Response

Recovery

Fix & Go OnFix & Go On

Incident Recovery


LLessonsLearned


Alarm




Response

Recovery

Incident Recovery

• Documentation

• Update Incident Response Process

• Financial Impact Analysis

• Staff Needs

• Budget Needs

• Quality in Information Security

Improvement/QualityImprovement/Quality


CSIRP

C omputer

S ecurity

I ncident

R esponse

P lan


Components of a CSIRP

Charter Incident Definition and Declaration Team Make Up Response Procedures Preplanned Response Procedures Sample Press Release CSIRT Contact Information


Charter

Mission Scope Organizational & Team Structure Information Flow Services (Reactive and Proactive)


Incident Definition/Declaration

Declaration Severity Response Teams D/R Relationship


Team Makeup

CSIRT Officer and Manager CSIRT Decision Pool


Incident Response Team

Computer Incident Response Team

CISOCIRT Coordinator

Vendor AugmentEmergency Response Service

Business Security OfficerBusiness Unit A

Business Security OfficerBusiness Unit B

VP Human ResourcesLegal Council

Technology InfrastructureDisaster Recovery

Technology Manager

UNIX Ops NT Operations Internet Ops

Technology Manager

UNIX Ops NT Operations Internet Ops

Public Relations


Roles and Responsibilities

Role and responsibilities are defined herein with the context of threat and vulnerabilitymanagement in mind. Thus, there are many responsibilities and interactions between theroles that exist that are out of the scope of this document.

Role/ Responsibili ty•Understand Client’s enterprise security posture (e.g. via routine reports)•Support the information security team’s (i.e. the Technical and Security Program Manager’s)efforts to secure the Client environment•Provide on-going funding for security•Ensure the information security team has the appropriate knowledge level to perform their dut iesManagement involvement will be lead by Jane Doe.

Management

Role/ Responsibili ty•Track Client vulnerability and threat management issues•Maintain threat and vulnerability management policy, processes, and procedures•Assist technical specialists with threat and vulnerability tool policy development as needed (e.g.collaborate to develop security tool policy via monthly meetings and ad hoc discussions)• Periodically review policies on all threat and vulnerability management tools to ensure theycontinue to meet the needs of Client•Accommodate penetrat ion tests by notifying the relevant personnel and determining logistics•Alert Management to critical and potentially critical threat and vulnerability issues•Contribute to regular reports for monthly security meetings•Host monthly security meetingsThe Security Program Manager is John Doe.

Security Program Manager

Role/ Responsibili ty•Run and maintain vulnerability scanning tools including system databases•Monitor and maintain threat management (intrusion detection) tools including system databases•Collaborate with Business Units and Security Program Manager to resolve threats andvulnerabilities (e.g. research impact of vulnerability fixes on their devices, discuss approaches)•Document security events such as incidents or vulnerability fixes•Generate regular reports for monthly security meetings and ad hoc reports to investigateexceptions or suspicious events•Distribute reports and comments on a t imely basis•Attend and contribute to monthly information security meetings•Alert Management to critical and potentially critical threat and vulnerability issues•Accommodate penetrat ion tests by notifying the relevant personnel and determining logistics•Track Client technical vulnerability and threat management issues•Periodically assess the need for updates and/or addit ional toolsThe Technical Program Manager is Jim Doe.

Technical Program Manager

Roles & ResponsibilitiesRole and responsibilities are defined herein with the context of threat and vulnerabilitymanagement in mind. Thus, there are many responsibilities and interactions between theroles that exist that are out of the scope of this document.

Role/ Responsibili ty•Understand Client’s enterprise security posture (e.g. via routine reports)•Support the information security team’s (i.e. the Technical and Security Program Manager’s)efforts to secure the Client environment•Provide on-going funding for security•Ensure the information security team has the appropriate knowledge level to perform their dut iesManagement involvement will be lead by Jane Doe.

Management

Role/ Responsibili ty•Track Client vulnerability and threat management issues•Maintain threat and vulnerability management policy, processes, and procedures•Assist technical specialists with threat and vulnerability tool policy development as needed (e.g.collaborate to develop security tool policy via monthly meetings and ad hoc discussions)• Periodically review policies on all threat and vulnerability management tools to ensure theycontinue to meet the needs of Client•Accommodate penetrat ion tests by notifying the relevant personnel and determining logistics•Alert Management to critical and potentially critical threat and vulnerability issues•Contribute to regular reports for monthly security meetings•Host monthly security meetingsThe Security Program Manager is John Doe.

Security Program Manager

Role/ Responsibili ty•Run and maintain vulnerability scanning tools including system databases•Monitor and maintain threat management (intrusion detection) tools including system databases•Collaborate with Business Units and Security Program Manager to resolve threats andvulnerabilities (e.g. research impact of vulnerability fixes on their devices, discuss approaches)•Document security events such as incidents or vulnerability fixes•Generate regular reports for monthly security meetings and ad hoc reports to investigateexceptions or suspicious events•Distribute reports and comments on a t imely basis•Attend and contribute to monthly information security meetings•Alert Management to critical and potentially critical threat and vulnerability issues•Accommodate penetrat ion tests by notifying the relevant personnel and determining logistics•Track Client technical vulnerability and threat management issues•Periodically assess the need for updates and/or addit ional toolsThe Technical Program Manager is Jim Doe.

Technical Program Manager

Roles & Responsibilities

Roles and Responsibilities should be defined:

Communication Protocol Coordination Who will be the

ultimate decision maker.

Who will monitor the monitors.


Centralized Incident Reporting

A central point of contact must be created Hotline Email address ([email protected])

Centralized reporting is vital to the effectiveness of a company’s ERS initiative Consolidation Correlation Statistics on size, nature and extent of security problems


Response Procedures

Alert Phase Triage Phase Recovery Phase Maintenance Phase


Preplanned Response Procedures

Virus Response Past Incidents

Lessons Learned


Sample Press Release

Plan on word getting out Then be really happy if it doesn’t


CSIRT Contact Information

Call out lists and alternates


ISS Jeopardy

Asses/Design/Deploy/Manage/Educate

What is the Information Security Life Cycle


ISS Jeopardy

Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence

What are the Goals of Incident Response


ISS Jeopardy

This Item Sets The Charter, Roles and Procedures for Incident Response

What is a Computer Security Incident Response Plan


ISS Jeopardy

Mission/Scope/Team Structure/Info. Flow/Services

What is contained in the CSIRP Charter


ISS Jeopardy

Alert/Triage/Recovery/Maintenance

What are the Response Procedures of a CSIRP


ISS Jeopardy

Rob Gallery

Who was the # 2 Pick, 1st Round in the 2004 NFL Draft

#74, 6’8” 320 lbs, Rob Gallery (Iowa) Offense Tackle to Oakland Raiders


ISS Jeopardy

“Heidi Game”

1968 Raiders/Jets Game interrupted for showing of “Heidi with 65 Seconds remaining and the Jets ahead 32-29

Raiders won. After Raiders scored on a Daryl Lamonica pass to make it 36-32, the Jets fumbled the kick off and the Raiders ran it in to make final score 43-32


Thank YouEd Hudson, CISM

Director, Professional Services

X-Force PSS

[email protected]

© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems. Cyber Disaster Recovery Planning for the Inevitable.

Documents

critical computer systems

computer security breaches

disaster recovery dr

inevitable slide

catastrophe slide

response capability

better cyberdr planning

procedures staff response