About the Presentations
• The presentations cover the objectives found in the
opening of each chapter.
• All chapter objectives are listed in the beginning of
each presentation.
• You may customize the presentations to fit your
class needs.
• Some figures from the chapters are included. A
complete set of images from the book can be found
on the Instructor Resources disc.
Principles of Incident Response
and Disaster Recovery, 2nd Edition
Chapter 01
An Overview of Information
Security and Risk Management
Objectives
• Define and explain information security
• Identify and explain the basic concepts of risk
management
• List and discuss the components of contingency
planning
• Describe the role of information security policy in the
development of contingency plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
3
Introduction
• Contingency planning
– Being ready for incidents and disasters
• Example: 1/10 of one percent of online users
– Allows for two and a half million potential attackers
• Example: World Trade Center (WTC) organizations
– Had contingency plans due to February 1993 attack
• Example: 2008 Gartner report
– 2/3 of organizations invoked plans in prior two years
• Information security includes contingency planning
– Ensures confidentiality, integrity, availability of data
Principles of Incident Response and Disaster Recovery, 2nd Edition
4
Information Security
• Committee on National Security Systems (CNSS)
information security definition
– Protection of information and its critical elements
• Includes systems and hardware storing, transmitting
information
– Part of the CNSS model (evolved from C.I.A. triangle)
• Conceptual framework for understanding security
• Information security (InfoSec)
– Protection of confidentiality, integrity, and availability
of information
• In storage, during processing, and during transmission
Principles of Incident Response and Disaster Recovery, 2nd Edition
5
Key Information Security Concepts
• Threat: object, person, other entity posing potential
risk of loss to an asset
• Asset: organizational resource being protected
– Logical or physical
• Attack: attempt to cause damage to or compromise
information of supporting systems
– Arises from a threat; intentional or unintentional
• Threat-agent: threat instance
– Specific and identifiable; exploits asset vulnerabilities
Principles of Incident Response and Disaster Recovery, 2nd Edition
6
Key Information Security Concepts
(cont’d.)
• Vulnerability
– Flaw or weakness in system security procedures,
design, implementation, internal controls
• Results in security breach or security policy violation
– Well-known or latent
– Exercised accidently or intentionally
• Exploit: caused by threat-agent
– Can exploit system or information through illegal use
– Can create an exploit to target a specific vulnerability
• Control/safeguard/countermeasure: prevent attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
7
Key Information Security Concepts
(cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
8
Key Information Security Concepts
(cont’d.)
• Trespass
– Broad category of electronic and human activities
• Can breach information confidentiality
• Leads to unauthorized real or virtual actions
• Results in unauthorized access to premises or system
• Software attacks
– Malicious code, malicious software, malware
– Designed to damage, destroy, deny service to the
target systems
– Example: hackers
Principles of Incident Response and Disaster Recovery, 2nd Edition
9
Key Information Security Concepts
(cont’d.)
– Common malicious code instances
• Viruses and worms, Trojan horses, logic bombs, bots,
rootkits, back doors, denial-of-service (DoS) attack,
distributed DoS (DDoS) attack
– Malicious code threats: sources of confusion
• Method of propagation, payload, vector of infection
– Viruses
• Segments of code that perform malicious actions
• Macro virus: embedded automatically in macrocode
• Boot virus: infects key operating systems files
Principles of Incident Response and Disaster Recovery, 2nd Edition
10
Key Information Security Concepts
(cont’d.)
– Worms
• Replicate themselves constantly
• No other program needed
• Can replicate until available resources filled
– Back doors and trap doors
• Installed by virus or worm payload
• Provides at will special privilege system access
– Polymorphism
• Threat changes apparent shape over time
• Elude antivirus software detection
Principles of Incident Response and Disaster Recovery, 2nd Edition
11
Key Information Security Concepts
(cont’d.)
– Propagation vectors
• Manner by which malicious code spreads can vary
• May use social engineering: Trojan horse looks
desirable, but is not
• May leverage open network connection, file shares or
software vulnerability
– Malware hoaxes
• Well-meaning people send random e-mails warning of
fictitious dangerous malware
• Wastes a lot of time and energy
Principles of Incident Response and Disaster Recovery, 2nd Edition
12
Key Information Security Concepts
(cont’d.)
• Human error or failure
– Introduces acts performed by an authorized user
• No malicious intent or purpose
– Human error
• Small mistakes produce extensive damage with
catastrophic results
– Human failure
• Intentional refusal or unintentional inability to comply
with policies, guidelines, and procedures, with a
potential loss of information
Principles of Incident Response and Disaster Recovery, 2nd Edition
13
Key Information Security Concepts
(cont’d.)
• Theft
– Illegal taking of another’s property
• Property: physical, electronic, intellectual
• Includes acts of espionage and breach of
confidentiality
– Methods
• Competitive intelligence or industrial espionage
– Theft or loss of mobile devices
• Phones, tablets, and computers
• Stored information more important than devices
Principles of Incident Response and Disaster Recovery, 2nd Edition
14
Key Information Security Concepts
(cont’d.)
• Compromises to intellectual property
– FOLDOC intellectual property (IP) definition
• The ownership of ideas and control over the tangible
or virtual representation of those ideas. Use of another
person’s intellectual property may or may not involve
royalty payments or permission but should always
include proper credit to the source
– Includes
• Trade secrets, copyrights, trademarks, patents
• Exfiltration, or unauthorized removal of information
• Software piracy
Principles of Incident Response and Disaster Recovery, 2nd Edition
15
Key Information Security Concepts
(cont’d.)
• Sabotage or vandalism
– Destroys asset or damages an organization’s image
• Assault on an organization’s Web site
• Cyberterrorism (more sinister hacking)
• Technical software failures or errors
– Software with unknown hidden faults
• Code sold before security-related bugs detected
• Trap doors
– Helpful Web sites
• Bugtraq and National Vulnerability Database
Principles of Incident Response and Disaster Recovery, 2nd Edition
16
Key Information Security Concepts
(cont’d.)
• Technical hardware failures or errors
– Equipment distributed with known or unknown flaw
– System performs outside expected parameters
– Errors can be terminal or intermittent
• Forces of nature
– Known as force majeure, or acts of God
– Pose most dangerous threats imaginable
• Occur with very little warning
Principles of Incident Response and Disaster Recovery, 2nd Edition
17
Key Information Security Concepts
(cont’d.)
• Deviations in quality of service by service providers
– Product or service not delivered as expected
• Support systems interrupted by storms, employee
illnesses, unforeseen events
• Technological obsolescence
– Antiquated or outdated infrastructure
• Leads to unreliable and untrustworthy systems
• Risk loss of data integrity from attacks
Principles of Incident Response and Disaster Recovery, 2nd Edition
18
Key Information Security Concepts
(cont’d.)
• Information extortion
– Attacker or trusted insider steals information from a
computer system
• Demands compensation for its return or for an
agreement to not disclose the information
– Common in credit card number theft
• Other threats
– See Table 1-2
Principles of Incident Response and Disaster Recovery, 2nd Edition
19
Principles of Incident Response and Disaster Recovery, 2nd Edition
20
Overview of Risk Management
• Risk management process
– Identifying and controlling information asset risks
– Security managers play the largest roles
– Includes contingency planning
• Risk identification process
– Examining, documenting, and assessing the security
posture of an organization’s IT and the risks it faces
• Risk control process
– Applying controls to reduce the risks
Principles of Incident Response and Disaster Recovery, 2nd Edition
21
Overview of Risk Management (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
22
Overview of Risk Management (cont’d.)
• Risk management redefined
– Process of identifying vulnerabilities and taking
carefully reasoned steps to ensure the confidentiality,
integrity, and availability of the information system
“If you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained you
will also suffer a defeat. If you know neither the enemy
nor yourself, you will succumb in every battle.”
- Chinese General Sun Tzu
Source: Oxford University Press
Principles of Incident Response and Disaster Recovery, 2nd Edition
23
Overview of Risk Management (cont’d.)
• Know yourself
– Identify, examine, and understand the information and
systems currently in place
– Asset: information and systems that use, store, and
transmit information
– Question to ask when protecting assets
• What are they?
• How do they add value to the organization?
• To which vulnerabilities are they susceptible?
– Have periodic review, revision, and maintenance of
control mechanisms
Principles of Incident Response and Disaster Recovery, 2nd Edition
24
Overview of Risk Management (cont’d.)
• Know the enemy
– Identify, examine, and understand threats
– Determine threat aspects affecting the organization
and the security of the assets
• List threats prioritized by importance
– Conduct periodic management reviews
•
•
•
•
•
Verify completeness and accuracy of asset inventory
Review and verify identified threats and vulnerabilities
Review current controls and mitigation strategies
Review cost effectiveness and deployment issues
Verify ongoing effectiveness of every control
Principles of Incident Response and Disaster Recovery, 2nd Edition
25
Risk Identification
• Identify, classify, and prioritize information assets
• Threat identification process begins afterwards
– Asset examined to identify vulnerabilities
– Controls identified
– Controls assessed
• Regarding capability to limit possible losses should
attack occur
Principles of Incident Response and Disaster Recovery, 2nd Edition
26
Principles of Incident Response and Disaster Recovery, 2nd Edition
27
Asset Identification and Value
Assessment
• Iterative process of identifying assets and assessing
their value
• Information asset classification
– Classify with respect to security needs
– Components must be specific for the creation of
various priority levels
– Components ranked according to criteria established
by the categorization
– Use comprehensive and mutually exclusive
categories
– Establish clear and comprehensive category sets
Principles of Incident Response and Disaster Recovery, 2nd Edition
28
Asset Identification and Value
Assessment (cont’d.)
• Information asset valuation
– Is this asset the most critical to the organizations’
success?
– Does it generate the most revenue?
– Does it generate the most profit?
– Would it be the most expensive to replace?
– Will it be the most expensive to protect?
– If revealed, would it cause the most embarrassment
or greatest damage?
– Does the law or other regulation require us to protect
this asset?
Principles of Incident Response and Disaster Recovery, 2nd Edition
29
Asset Identification and Value
Assessment (cont’d.)
• Answers determine weighting criteria
– Used for asset valuation and impact evaluation
• Must decide criteria best suited to establish the
information asset value
• Perform weighted factor analysis
– Calculates relative importance of each asset
– Assign score from 0.1 to 1.0 for each critical factor
– Assign each critical factor a weight from 1 to 100
• Identify, document and add company-specific
criteria
Principles of Incident Response and Disaster Recovery, 2nd Edition
30
Asset Identification and Value
Assessment (cont’d.)
Principles of Incident Response and Disaster Recovery, 2nd Edition
31
Data Classification and Management
(cont’d.)
• Data classification schemes
– Procedures requiring organizational data to be
classified into mutually exclusive categories
– Based on need to protect data category confidentiality
• Military specialized classification ratings
– “Public” to “For Official Use Only” to “Confidential“ to
“Secret” to “Top Secret”
Principles of Incident Response and Disaster Recovery, 2nd Edition
32
Data Classification and Management
(cont’d.)
• Alternative information classification scheme
– Public: for general public dissemination
– For official use: Not particularly sensitive but not for
public release
– Sensitive: important to the business and could cause
embarrassment or loss of market share if revealed
– Classified: requires utmost security; disclosure could
severely impact the organization
• Personnel information security clearances
– On a need-to-know basis
Principles of Incident Response and Disaster Recovery, 2nd Edition
33
Threat Identification
• Conduct a threat assessment
– Which threats present a danger to the organization’s
assets in the given environment?
– Which threats represent the most danger to the
organization’s information?
– Which threats would cost the most to recover from if
there was an attack?
– Which threats require the greatest expenditure to
prevent?
Principles of Incident Response and Disaster Recovery, 2nd Edition
34
Vulnerability Identification
• Review each asset and each threat it faces
– Create list of vulnerabilities
• Examine how each threat could be perpetrated
• List organization’s assets and its vulnerabilities
• Notes
– Threat may yield multiple vulnerabilities
– People with diverse backgrounds should participate
Principles of Incident Response and Disaster Recovery, 2nd Edition
35
Risk Assessment
• Process of assigning a risk rating or score to each
information asset
• Goal
– Determine relative risk of each vulnerability using
various factors
• Likelihood
– Probability that a specific vulnerability will be
successfully attacked
– Many asset/vulnerability combinations have external
references for likelihood values
Principles of Incident Response and Disaster Recovery, 2nd Edition
36
Valuation of Information Assets
• Assign weighted scores for the value to the
organization of each information asset
• Re-ask questions described in the “Threat
Identification” section
– Which of these questions is most important to the
protection of the organization’s information?
• Examine how current controls can reduce risk faced
by specific vulnerabilities
• Impossible to know everything about each
vulnerability
Principles of Incident Response and Disaster Recovery, 2nd Edition
37
Risk Determination
• Risk = (likelihood of vulnerability x value) – percent
of risk currently controlled + uncertainty of
assumptions
• Qualitative Risk Management
– General categories and ranking used to evaluate risk
– Factor Analysis of Information Risk (FAIR) strategy
• Promoted by CXOWARE
– Residual risk
• Remaining risk after control applied
Principles of Incident Response and Disaster Recovery, 2nd Edition
38
Identify Possible Controls
• Controls, safeguards, and countermeasures
– Represent security mechanisms, policies, and
procedures that reduce risk
• Three types of security policies
– Enterprise information security policy
– Issue-specific policies
– Systems-specific policies
• Programs
– Activities performed within the organization to
improve security
Principles of Incident Response and Disaster Recovery, 2nd Edition
39
Risk Control Strategies
• Defense approach (preferred approach)
• Attempts to prevent vulnerability exploitation
• Risk defense methods
– Defense through application of policy
– Defense through training and education programs
– Defense through technology application
• Usually requires technical solutions
• Eliminate asset exposure
– Attempt to reduce risk to an acceptable level
Principles of Incident Response and Disaster Recovery, 2nd Edition
40
Risk Control Strategies (cont’d.)
• Implement security controls and safeguards
– Deflect attacks to minimize the successful probability
• Transference
– Attempts to shift risk to other assets, processes,
organizations
•
•
•
•
•
Rethink how services offered
Revise deployment models
Outsource to other organizations
Purchase insurance
Implement service contracts with providers
Principles of Incident Response and Disaster Recovery, 2nd Edition
41
Risk Control Strategies (cont’d.)
• Mitigation
– Attempts to reduce impact caused by the vulnerability
exploitation
• Through planning and preparation
– Includes contingency planning
•
•
•
•
Business impact analysis
Incident response plan
Disaster recovery plan
Business continuity plan
– Requires quick attack detection and response
– Relies on existence and quality of the other plans
Principles of Incident Response and Disaster Recovery, 2nd Edition
42
Risk Control Strategies (cont’d.)
• Acceptance
– Do nothing to protect an information asset
• Accept the outcome of its potential exploitation
– Only valid when the organization has:
•
•
•
•
•
•
Determined the level of risk
Assessed the probability of attack
Estimated potential damage that could occur
Performed a thorough cost-benefit analysis
Evaluated controls
Decided asset did not justify the cost of protection
Principles of Incident Response and Disaster Recovery, 2nd Edition
43
Risk Control Strategies (cont’d.)
• Termination
– Difference from acceptance
• Remove asset from the environment representing risk
– Two main reasons
• Cost of protecting an asset outweighs its value
• Too difficult or expensive to protect asset compared to
value or advantage asset offers
– Termination must be a conscious business decision
• Not simple asset abandonment
Principles of Incident Response and Disaster Recovery, 2nd Edition
44
Contingency Planning and Its
Components
• Contingency plan
– Used to anticipate, react to, and recover from events
threatening events
– Restores organization to normal modes of business
operations
• Four subordinate functions
–
–
–
–
Business impact assessment (BIA)
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)
Principles of Incident Response and Disaster Recovery, 2nd Edition
45
Business Impact Analysis
• Business impact analysis (BIA)
– Investigation and assessment of the impact of attacks
– Adds detail to prioritized threat and vulnerability list
created in the risk management process
– Provides detailed scenarios of potential impact of
each type of attack
Principles of Incident Response and Disaster Recovery, 2nd Edition
46
Incident Response Plan
• Incident
– Any clearly identified attack on assets
• Incident response plan (IRP)
– Deals with the identification, classification, response,
and recovery from an incident
– Assesses the likelihood of imminent damage
– Informs key decision makers
– Enables the organization to take coordinated action
Principles of Incident Response and Disaster Recovery, 2nd Edition
47
Disaster Recovery Plan
• Preparation for and recovery from natural or manmade disaster
• Includes:
– Preparations for the recovery process
– Strategies to limit losses during the disaster
– Detailed steps to follow after immediate danger
• Focus
– Preparation before the incident
– Actions taken after the incident
Principles of Incident Response and Disaster Recovery, 2nd Edition
48
BCP and BRP
• Business continuity plan (BCP)
– Expresses how to ensure critical business functions
continue at an alternate location
• After catastrophic incident or disaster
– Used when DRP cannot restore primary site
operations
– Most strategic and long-term plan
• Business resumption plan (BRP)
– Emerging new concept in contingency planning
– Merges the DRP and BCP into a single process
Principles of Incident Response and Disaster Recovery, 2nd Edition
49
Contingency Planning Timeline
• Steps in contingency planning
– IR plan focuses on immediate response
• May move to DRP and BCP if disastrous
– DR plan focuses on restoring systems at original site
– BC runs concurrently with DRP
• When major or long-term damage occurs
– IRP, DRP, and BCP distinction
• When each comes into play during the incident
Principles of Incident Response and Disaster Recovery, 2nd Edition
50
Principles of Incident Response and Disaster Recovery, 2nd Edition
51
Principles of Incident Response and Disaster Recovery, 2nd Edition
52
Contingency Planning Timeline
(cont’d.)
• Seven steps in NIST SP 800-34, Revision 1
Principles of Incident Response and Disaster Recovery, 2nd Edition
53
Role of Information Security Policy in
Developing Contingency Plans
• Policy needs to enforce information protection
requirements
– Before, during, and after incident
• Quality security programs
– Begin and end with policy
• Information security
– A management problem
• Difficulties in shaping policy
– Must never conflict with laws; must stand up in court if
challenged; must be properly administered
Principles of Incident Response and Disaster Recovery, 2nd Edition
54
Key Policy Definitions
• Policy
– Plan or course of action
• Conveys instructions from senior management to
those who make decisions, take action, perform duties
– Organizational law
• Dictates acceptable and unacceptable behavior
• Defines penalties for violations
• Standard
– Detailed statement of what must be done to comply
• De facto standard (informal standard)
• De jure standard (formal standard)
Principles of Incident Response and Disaster Recovery, 2nd Edition
55
Principles of Incident Response and Disaster Recovery, 2nd Edition
56
Key Policy Definitions (cont’d.)
• Mission
– Written statement of an organization’s purpose
• Vision
– Written statement about organization’s goals
• Strategic planning
– Process of moving organization toward its vision
• Information security policy
– Provides rules for protecting information assets
• Enterprise information security policy, issue-specific
security policy, systems-specific security policy
Principles of Incident Response and Disaster Recovery, 2nd Edition
57
Enterprise Information Security Policy
• Enterprise information security policy (EISP)
– Based on and directly supports the mission, vision,
and direction of the organization
– Executive-level
– Sets strategic direction, scope, and tone for all
security efforts
• Contains requirements to be met
• Defines purpose, scope, constraints, and applicability
• Assigns responsibilities
– Addresses legal compliance
Principles of Incident Response and Disaster Recovery, 2nd Edition
58
Issue-Specific Security Policy
• Issue-specific security policy (ISSP)
– Addresses specific areas of technology
• Three common approaches to creating ISSPs
– Independent ISSP documents, each tailored to a
specific issue
– A single comprehensive ISSP document covering all
issues
– Modular ISSP document that unifies policy creation
and administration while maintaining each specific
issue’s requirements
Principles of Incident Response and Disaster Recovery, 2nd Edition
59
Principles of Incident Response and Disaster Recovery, 2nd Edition
60
Issue-Specific Security Policy (cont’d.)
• Statement of policy
– Defines scope, responsibility for implementation,
technologies and issues being addressed
• Authorized access and usage of equipment
– Addresses who can use technology and for what it
can be used
– Defines “fair and responsible use”
– Addresses key legal issues
• Prohibited usage of equipment
– Outlines what technology cannot be used for
Principles of Incident Response and Disaster Recovery, 2nd Edition
61
Issue-Specific Security Policy (cont’d.)
• Systems management
– Focuses on users’ relationship to management
• Violations of policy
– Specifies penalties and how to report violations
• Policy review and modification
– Procedures and a timetable for periodic review so
users do not circumvent it as it grows obsolete
• Limitations of liability
– States company will not protect user and is not liable
for their actions
Principles of Incident Response and Disaster Recovery, 2nd Edition
62
Systems-Specific Policy
• Systems-specific security policies (SysSPs)
– Standards and procedures used when configuring or
maintaining systems
– Access control lists (ACLs)
• Govern rights and privileges of particular users to
particular systems
– Configuration rules
• Specific configuration codes entered into security
systems
Principles of Incident Response and Disaster Recovery, 2nd Edition
63
Systems-Specific Policy (cont’d.)
• ACL policies
– Translated into configuration sets
• Controls access to systems
– Regulate the who, what, when, and where of access
– ACL rules
• Known as capability tables, user profiles, user policies
• Specify what a user can and cannot do with resources
• Rule policies
– More specific than ACLs
– May or may not deal with users directly
Principles of Incident Response and Disaster Recovery, 2nd Edition
64
Policy Management
• Policies
– Constantly changing and growing
– Must be properly disseminated
– Security policies must have the following
• Individual responsible for creation, revision,
distribution, and storage
• Schedule of reviews
• Mechanism for recommendations for revisions
• Policy/revision date; possibly “sunset” expiration date
• Policy management software (optional)
Principles of Incident Response and Disaster Recovery, 2nd Edition
65
Summary
• Information security protects information and its
critical elements
• C.I.A. triangle: basis for CNSS model
• Threat: entity posing potential for loss to an asset
• Asset: has value to the organization
• Vulnerability: weakness in protection mechanisms
• Risk management process: identify vulnerabilities
and taking steps to protect assets
Principles of Incident Response and Disaster Recovery, 2nd Edition
66
Summary (cont’d.)
• Risk identification: process of identifying risks
• Risk control: applying controls to reduce risk
• Contingency planning: avoidance, transference,
mitigation, acceptance strategies
• Business impact analysis: assess attack type impact
• Incident response plan: actions taken when an
incident in progress
• Disaster recovery plan: preparation for and recovery
from a disaster
Principles of Incident Response and Disaster Recovery, 2nd Edition
67
Summary (cont’d.)
• Business continuity plan: ensures critical business
functions continue after a disaster
• Policies: organizational laws dictating behavior
• Enterprise information security policy: sets strategic
scope, direction, tone
• Issue-specific security policy: addresses specific
areas of technology
• Systems-specific security policy: used when
configuring or maintaining systems
Principles of Incident Response and Disaster Recovery, 2nd Edition
68
Purchase answer to see full
attachment