EECS 711 Spring 2008 Chapter 31
Planning for Contingencies
EECS 711: Security Management and Audit
Philip Mein
"Prakash" Pallavur Sankaranaraynan
Annette Tetmeyer
EECS 711 Spring 2008 Chapter 32
Outline• What is Contingency Planning?• Components of Contingency Planning• Business Impact Analysis• Incident Response Plan• Disaster Recovery Plan• Business Continuity Plan• Timing and Sequence of CP Elements• Business Resumption Planning• Testing Contingency Plans• Contingency Planning: Final Thoughts
EECS 711 Spring 2008 Chapter 33
What is Contingency Planning?
• The overall process of preparing for unexpected events
• Prepare for, detect, react to, recover from these events
“many organization contingency plans are woefully inadequate…”
EECS 711 Spring 2008 Chapter 34
What is Contingency Planning?
Information Technolog
y
Information Security
Communities of Interest
Prepare for, detect, react to and recover from unexpected events
EnvironmentalHumanNatural
EECS 711 Spring 2008 Chapter 36
Components of Contingency Planning
• Business Impact Analysis (BIA)– Determine critical business functions and
information systems
• Incident Response Plan (IR)– Immediate response to an incident
• Disaster Recovery Plan (DR)– Focus on restoring operations at the primary site
• Business Continuity Plan (BC)– Enables business to continue at an alternate site– Occurs concurrently with DR Plan
EECS 711 Spring 2008 Chapter 38
Developing the CP Plan
• Unified plan– Smaller organizations
• Four plans with interlocking procedures– Larger, complex organizations
• Should involve high level administrators and key personnel– CIO, CISO, IT and business managers,
system administrators
EECS 711 Spring 2008 Chapter 39
CP Team Personnel
• Champion: provides strategic vision and access to organizational support
• Project Manager
• Team Members: from communities of interest
EECS 711 Spring 2008 Chapter 310
CP Process Elements
Required to begin the CP process
• Planning methodology
• Policy environment
• Understanding cause and effect of precursor activities
• Access to financial and other resources (budget)
EECS 711 Spring 2008 Chapter 311
Creating the CP Document
1. Develop the policy statement
2. Conduct the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training and exercises
7. Plan maintenance
EECS 711 Spring 2008 Chapter 314
Business Impact Analysis
• Provides detailed scenarios of effects of potential attacks
• Risk management identifies attacks
• BIA assumes controls have failed
EECS 711 Spring 2008 Chapter 315
Risk Management
• Contingency planning and risk management are closely related
• Risks must be identified in order to establish the contingency plan
EECS 711 Spring 2008 Chapter 316
BIA Stages
• Threat Attack Identification and Prioritization
• Business Unit Analysis
• Attack Success Scenario Development
• Potential Damage Assessment
• Subordinate Plan Classification
EECS 711 Spring 2008 Chapter 317
Threat Attack Identification and Prioritization
• Update threat list and add an attack profile– Detailed description of activities that occur
during an attack– Develop for every serious threat
• Natural or man-made• Deliberate or accidental
– Used later to provide indicators of attacks and extent of damage
EECS 711 Spring 2008 Chapter 318
Example Attack Profile ElementsInclude• Date analyzed• Attack name and description• Threat and probable threat agents• Vulnerabilities (known or possible)• Precursor activities or indicators• Likely attack activities or indicators of attack in progress• Information assets at risk• Damage or loss to information assets• Other assets at risk and damage/loss to these assets• Immediate actions indicated when the attack is underway• Follow-up actions after this attack was successfully executed
against systems• Comments
EECS 711 Spring 2008 Chapter 319
Business Unit Analysis
• Analysis and prioritization of business functions
• Independently evaluate all departments, units, etc.
• Prioritize revenue producing functions
EECS 711 Spring 2008 Chapter 320
Attack Success Scenario Development
• What are the effects of the threat?
• Alternative outcomes to each– Best, worst, most likely
• What are the implications for all business functions?
EECS 711 Spring 2008 Chapter 321
Potential Damage Assessment
• Prepare attack scenario end case– What is the cost for the best, worst, most
likely?
• Include cost estimates of time and effort
EECS 711 Spring 2008 Chapter 322
Subordinate Plan Classification
• Is the attack disastrous or not?
• Develop subordinate plans– Non disastrous scenarios may be
addressed as part of DR and BC plans
EECS 711 Spring 2008 Chapter 323
Incident Response Plan
“Things which you do not hopehappen more frequently
than things which you do hope.”
-- Plautus (c. 254–184 BCE),in Mostellaria,
Act I, Scene 3, 40 (197)
EECS 711 Spring 2008 Chapter 324
Incident Response Plan• Incident
– An unexpected event• IRP (Incident Response Plan)
– Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets
• IR (Incident Response)– A set of procedures that commence when an
incident is detected• Minimal damage• Little or no disruption to business operations
– What is not is prevention (reactive not preventative)
EECS 711 Spring 2008 Chapter 325
IR Policy
• CP team develops the policy environment to authorize the creation of each of the planning components (IR, DR, BC)
• Defines the roles and responsibilities for the entire enterprise
• Defines the roles and responsibilities for for the SIRT (Security Incident Response Team
EECS 711 Spring 2008 Chapter 326
IR Policy cont.• Computer Security Incident Handling Guide
(NIST SP 800-61)– Statement of management commitment– Purpose and objectives of the policy– Scope of the Policy– Definition of information security incidents and
their consequences within the organization– Organizational structure and delineation of roles
responsibilities, and levels of authority– Prioritization or severity ratings of incidents– Performance measures– Reporting and contact forms
EECS 711 Spring 2008 Chapter 327
What is an InfoSec Incident
• It is directed against information assets
• It has a realistic chance of success
• It threatens the confidentiality, integrity, or availability of information resources and assets
EECS 711 Spring 2008 Chapter 328
IR Plan• BIA provides data to develop IR plan
– Information systems and the threats they face• Stop the incident, mitigate its effects, and provide information for
the recovery from the incident• Three sets of incident procedures
– Before an Attack• Backup schedules• Training schedules• Testing plans
– During an Attack• Procedures and tasks to be performed during the incident• Minimize the effect of the attack (avoid disaster)
– After an Attack• Patches, Updates• Interviews
EECS 711 Spring 2008 Chapter 329
Incident Detection• Incident candidates
– Possible Indicators• Unfamiliar files, unknown processes, consumption of
resources, unusual system crashes– Probable Indicators
• Activity at unexpected times, presence of new accounts, reported attacks, IDS
– Definite Indicators• Use of dormant accounts, changes to logs, presence of
hacker tools, notification by peers, notification by hacker– Occurrences of Actual Incidents
• Loss of availability, loss of integrity, loss of confidentiality, violation of policy, violation of law
EECS 711 Spring 2008 Chapter 331
Incident Response• Notification of Key Personnel
– Alert roster (sequential or hierarchical)• Documenting an Incident
– Who, what, when, where, why, how (for each action)
• Incident Containment Strategies– Stopping the incident and recovering control
• Disabling compromised accounts• Reconfiguring a firewall• Disabling the compromised process or service• Taking down the conduit application or server• Stopping all computers and network devices
– Incident Escalation
EECS 711 Spring 2008 Chapter 332
Incident Response cont.• Incident Recovery
– Incident damage assessment• Scope of C.I.A.• Individuals who document the damage must be trained to collect and
preserve evidence– Recovery steps:
• Identify vulnerabilities• Address the safeguards that failed to stop or limit the incident or
missing• Evaluate monitoring capabilities• Restore data from backups• Restore the services and processes• Continuously monitor the system• Restore the confidence of the members of the organization
• Law Enforcement Involvement– FBI, US Secret Service, US Treasury Dept, SEC, Local agencies
EECS 711 Spring 2008 Chapter 333
Disaster Recovery Plan
• Entails the preparation for and recovery from a disaster
• Responsibility of the IT community of interest, under the leadership of the CEO
• An incident becomes a disaster when– The organization is unable to contain or
control the impact of an incident
– The level of damage is so severe that the organization cannot recover from the incident
EECS 711 Spring 2008 Chapter 334
Disaster Recovery Plan
• The key role of a DR plan is to reestablish operations at the primary location
EECS 711 Spring 2008 Chapter 335
DR Planning Process
1. Develop the DR planning policy statement
2. Review the BIA
3. Indentify preventive controls
4. Develop recovery strategies
5. Develop the DR plan document
6. Plan testing, training and exercises
7. Plan maintenance
EECS 711 Spring 2008 Chapter 336
DR Planning Policy Statement• The DR team lead by the DR team lead, begins
with the development of the DR policy• The DR policy contains the following key
elements:1. Purpose2. Scope3. Roles and responsibilities4. Resource requirements5. Training requirements6. Exercise and testing schedules7. Plan maintenance schedules8. Special considerations
EECS 711 Spring 2008 Chapter 337
Classification of disasters
• Natural disasters– Examples: Fire, flood, hurricane, tornado
• Man-made disasters– Examples: Cyber-terrorism
• Rapid-onset– Examples: Earthquakes, mud-flows
• Slow-onset– Examples: Famines, deforestation
EECS 711 Spring 2008 Chapter 338
Planning for disaster
• Key elements that the CP team must build into a DR plan include the following:
1. Delegation of roles and responsibilities
2. Execution of alert roster and notification of key personnel
3. Clear establishment of priorities
4. Procedures for documentation of disasters
5. Actions to mitigate the impact of disaster on the operations
6. Alternative implementations of various systems in case the primaries are unavailable
EECS 711 Spring 2008 Chapter 339
Options to protect information
• Traditional back-ups
• Electronic vaulting
• Remote journaling
• Database shadowing
EECS 711 Spring 2008 Chapter 340
Crisis Management• Steps taken during and after a disaster that
affect people internally and externally• According to Gartner Research, crisis
management involves the following activities:– Supporting personnel and their loved ones during
the crisis– Determine events impact on normal business and
make disaster declaration if necessary– Keep public informed about the event and steps
being taken to ensure recovery of personnel and the enterprise
– Communicate with major customers, suppliers, partners, regulatory agencies, industry organizations, media and other interested parties.
EECS 711 Spring 2008 Chapter 341
Crisis Management
• The crisis management team is also charged with two key tasks:1. Verifying personnel status
2. Activating the alert roster
• The most important role of crisis management is, in the event of a disaster tell the whole story as soon as possible directly to the affected audience
EECS 711 Spring 2008 Chapter 342
Responding to disasters• During disasters even the most well planned
DR plans can be overwhelmed• To be prepared, the CP team should
incorporate a degree of flexibility• If facilities are intact DR team should begin
restoration of systems and services• If facilities are destroyed, alternative actions
must be taken until new facilities are available• When the operations of the primary site are
threatened, the disaster recovery process becomes a business continuity process
EECS 711 Spring 2008 Chapter 343
Business Continuity Plan
• Ensures that critical business functions can continue if a disaster occurs
• CEO should manage
• Activated and executed concurrently with DR plan– Business can no longer function at primary
location– Use an alternate location
EECS 711 Spring 2008 Chapter 344
Business Continuity Plan
• Identify critical business functions and resources to support them
• Want to quickly re-establish these functions at alternate site
EECS 711 Spring 2008 Chapter 345
BC Planning Process
1. Develop the BC planning policy statement• Authority, guidance, executive vision
2. Review the BIA• Identify, prioritize critical IT systems
3. Identify preventive controls– Measures to reduce disruption, increase system
availability
4. Develop relocation strategies– Critical systems must be recovered quickly
EECS 711 Spring 2008 Chapter 346
BC Planning Process
5. Develop the continuity plan• Include detailed guidelines and
procedures
6. Plan testing, training, and exercises• Identify planning gaps, prepare personnel
for improved effectiveness and preparedness
7. Plan maintenance• Living document, plan to update!
EECS 711 Spring 2008 Chapter 347
Develop the BC planning policy statement
• Authority, guidance, executive vision• Provide:
– Purpose– Scope– Roles and responsibilities– Resource requirements– Training requirements– Plan maintenance schedule– Special considerations
EECS 711 Spring 2008 Chapter 348
Plan Similarities
• Similar to other elements of the CP
• Process are similar
• Implementation differs
EECS 711 Spring 2008 Chapter 349
Design Parameters
• Recovery Time Objective (RTO)– Amount of time that passes before an
infrastructure is available
• Recovery Point Objective (RPO)– The point in the past to which the
recovered applications and data will be restored
– How much data loss?
EECS 711 Spring 2008 Chapter 350
Continuity Strategies• Exclusive-use options
– Hot site– Warm site– Cold site
• Shared-use options– Timeshare– Service bureau– Mutual agreement
• Other– Rolling mobile site– Mirrored site
CostTime to activat
e
EECS 711 Spring 2008 Chapter 354
Business Resumption Planning
• DR and BC combined
• Possibility for two locations
• Good template provided by NIST– http://fasp.nist.gov
EECS 711 Spring 2008 Chapter 355
Testing Contingency Plans• All plans must be tested to identify
vulnerabilities, faults and inefficient processes• Five strategies that can be used to test plans
are:1. Desk Check2. Structured walk-through3. Simulation4. Parallel testing5. Full interruption
• Another important often neglected aspect of training is cross training
EECS 711 Spring 2008 Chapter 356
Contingency Planning: Final Thoughts
• Iteration results in improvement, a formal implement of this is CPI (Continuous Process Improvement)
• Each time the organization rehearses its plans, it must learn and improve
• Each time an incident or a disaster occurs the organization should review what went right and what went wrong
• Through ongoing evaluation and improvement an organization continually improves and strives for better outcomes
EECS 711 Spring 2008 Chapter 357Spring 2008 EECS 711: Security Management and Audit 57
Conclusion
Contingency planning and its various components BIA, IRP, DRP and BCP play a critical role in preparing for, detecting, reacting to and recovering from events that threaten the security of information resources and assets both human and natural.