pascal steichen - pst.libre.lu1)-mssi-uni.lu_v2015.pdf · 17. business continuity management 7....
TRANSCRIPT
Pascal Steichen ¡ Managing Director – SECURITYMADEIN.LU
Since May 2010
¡ Information Security Officer - Ministry of the Economy 2008 – 2010
¡ Head of CIRCL Since 2008
¡ Lecturer at University of Luxembourg Since 2006
¡ Management Board Member at ENISA Since 2005
¡ Lecturer at University of Lorraine (Metz) 2005 – 2012
¡ Application Developer - Canal+ Belgium 2000 – 2002
MSSI - uni.lu
2
(my) Lectures ¡ M3 : Gestion de la sécurité de l'information - Politique de sécurité
[MPMSSI-83]
Information Security Management – Security Policy Incident Management
¡ M4 : Aspects techniques - Menaces, attaques et parades [MPMSSI-86]
Technical aspects – Threats, attacks and countermeasures Countermeasures and forensics analysis
MSSI - uni.lu
3
Incident Management
in the context of an Information Security Policy
Management de la Sécurité des Systèmes d’Informations
4 IM - PolSec - MSSI - uni.lu
Incident Management part 1
MSSI – uni.lu
IM (1) - PolSec - MSSI - uni.lu 5
Introduction To protect its assets (information and systems) on a daily basis an organisation has to:
¡ organise its security by documenting the countermeasures or controls to protect the confidentiality, integrity and availability of the assets, in a security policy,
¡ with the prime goal to manage and reduce its risks.
IM (1) - PolSec - MSSI - uni.lu
6
Information Security Policy → THE tool for today’s (C)ISO ←
IM (1) - PolSec - MSSI - uni.lu
7
Definitions ¡ Asset anything that has value to the organization.
¡ Control means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Control is also used as a synonym for safeguard or countermeasure.
IM (1) - PolSec - MSSI - uni.lu
8
Information security policy ¡ defines the business rules, principles and
standards defining the organisation's approach to managing information security, provides management direction and support for information security in accordance with business requirements and relevant laws and regulations,
¡ defines control objectives and controls intended to be implemented to meet the requirements identified by a risk assessment,
¡ needs approval by the highest level of management.
IM (1) - PolSec - MSSI - uni.lu
9
Sources to start with... 1. One source is derived from assessing risks of the
organisation : ¡ Risk = Vulnerability * Threat * Impact
2. Another source is the legal, statutory, regulatory, and contractual requirements that an organisation, its trading partners, contractors, and service providers have to satisfy, and their socio- cultural environment.
3. A further source is the particular set of principles, objectives and business requirements for information processing that an organisation has developed to support its operations.
4. Finally, already happened incidents and their lessons learned are often a very useful source too.
IM (1) - PolSec - MSSI - uni.lu
10
even before… ¡ Before one can identify, quantify, and prioritise risks
it is a good practice to identify the organisation's important/critical assets on which the risks appose
(→ asset management/classification)
Examples are: ¡ business critical information, ¡ physical and logical resources (filing cabinet,
computers, network equipment, software...), ¡ staff(most important and critical resources!), ¡ image, reputation ¡ know-how, "business" intelligence
IM (1) - PolSec - MSSI - uni.lu
11
Complete management lifecycle
Risk assessment
Security Policy
Control Framework
Policies Procedures
Standards Guidelines
Evaluation Audit
IM (1) - PolSec - MSSI - uni.lu
12
ISO/IEC 27002:2013 "Code of practice for information security controls“ (formerly known as ISO/IEC 17799 and BS7799)
Scope ¡ "This International Standard gives guidelines for
organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s)."
¡ "The International Standard is designed to be used by organizations that intend to: ¡ select controls within the process of implementing an
Information Security Management System based on ISO/IEC 27001 ;
¡ implement commonly accepted information security controls ; ¡ develop their own information security management
guidelines.
IM (1) - PolSec - MSSI - uni.lu
13
Overview
5. & 6. information security policy & organisation
18. Compliance
17. Business continuity management
7. Human resources
15. Supplier relationships
9. Access control
10. Cryptography
13 Communications security
8. Asset management
11. Physical and environmental security
14. Acquisition,
development and maintenance
12. Operations security
16. Information security incident management
IM (1) - PolSec - MSSI - uni.lu
14
Core clauses
7. Human resources
15. Supplier relationships
9. Access control
10. Cryptography
13 Communications security
11. Physical and environmental security
14. Acquisition, development
and maintenance
12. Operations security
16. Information security incident management
8. Asset management
IM (1) - PolSec - MSSI - uni.lu
15
Clause 16 Incident management ¡ Responsibilities and procedures
¡ Reporting information security events
¡ Reporting security weaknesses
¡ Appreciation of information security incidents and decision taking
¡ Information security incident response
¡ Learning from information security incidents
¡ Collection of evidence
IM (1) - PolSec - MSSI - uni.lu
16
Clause 17 Business continuity ¡ Including information security in the business
continuity management process
¡ Business continuity planning framework
¡ Developing and implementing continuity plans including information security
¡ Testing, maintaining and re-assessing business continuity plans
¡ Redundancy and availability of information systems
IM (1) - PolSec - MSSI - uni.lu
17
Clause 18 Compliance ¡ Compliance with legal requirements ¡ Identification of applicable legislation
¡ Intellectual property rights (IPR)
¡ Protection of organizational records
¡ Data protection and privacy of personal information
¡ Regulation of cryptographic controls
¡ Information security audit considerations ¡ Independent Information systems audit
¡ Compliance with security policies and standards
¡ Technical compliance checking
IM (1) - PolSec - MSSI - uni.lu
18
Management of information security incidents
¡ Responsibilities and procedures
¡ Reporting information security events
¡ Reporting security weaknesses
¡ Assessment of information security incidents and decision taking
¡ Information security incident response
¡ Learning from information security incidents
¡ Collection of evidence
IM (1) - PolSec - MSSI - uni.lu
19
Management vs. Handling Incident
Management Incident Handling
Response
Analysis
Triage
Detection
Before and after coordination
Announcements, Alerts
Vulnerability handling
Reporting & procedures
IM (1) - PolSec - MSSI - uni.lu
20
Policies & procedures
Besides the “security policy”, others are important:
¡ information classification policy
¡ information disclosure policy
¡ media policy
¡ privacy policy
IM (1) - PolSec - MSSI - uni.lu
21
Pyramid of events (ITU-T E.409)
Crisis
Security Incident
Incident
Event
IM (1) - PolSec - MSSI - uni.lu
22
Definitions ¡ Event: An event is an observable occurrence which is not
possible to (completely) predict or control.
¡ Incident: An event that might have led to an occurrence or an episode which is not serious.
¡ Security incident: A security incident is any adverse event where by some aspect of security could be threatened.
¡ Crisis: A crisis is a state caused by an event, or the knowledge of a forthcoming event, that may cause severe negative consequences. ¡ During a crisis, one may, in best cases, have the possibility of taking
measures to prevent the crisis from becoming a catastrophe. When a catastrophe occurs, a Business Continuity Plan (BCP) shall exist as well as a crisis management team to handle the situation.
IM (1) - PolSec - MSSI - uni.lu
23
Roles & Governance
Following: ENISA – Incident Management Guide
IM (1) - PolSec - MSSI - uni.lu
24
Roles
IM (1) - PolSec - MSSI - uni.lu
25
Governance ¡ CISO & CIO interactions ¡ Prevention and awareness raising ¡ Detection and reporting ¡ Escalation
¡ Escalation ¡ Clear, well-established mechanism ¡ Internal and external considerations ¡ Production/operations considerations
¡ Crisis management ¡ Mix of executives, experts, public relations and legal
counsels
IM (1) - PolSec - MSSI - uni.lu
26
Management & Handling Incident
Management Incident Handling
Response
Analysis
Triage
Detection
Before and after coordination
Announcements, Alerts
Vulnerability handling
Reporting & procedures
IM (1) - PolSec - MSSI - uni.lu
27
Incident reporting Following: ENISA – Incident Management Guide
IM (1) - PolSec - MSSI - uni.lu
28
IM (1) - PolSec - MSSI - uni.lu
29
Incident Handling Following: ITU-T E.409 – Incident organization and
security incident handling
IM (1) - PolSec - MSSI - uni.lu
30
IM (1) - PolSec - MSSI - uni.lu
31
Incident Resolution Cycle Following: ENISA – Incident Management Guide
IM (1) - PolSec - MSSI - uni.lu
32
Incident resolution cycle
IM (1) - PolSec - MSSI - uni.lu
33
Data analysis - collection ¡ From reporter: ¡ detailed contact information
¡ detailed description of the incident
¡ incident classification suggested by the incident reporter
¡ logs
¡ the exact time of the incident
¡ operating systems and network setup
¡ security systems setup (eg, antivirus software or firewall)
¡ incident severity (in the incident reporter’s opinion)
IM (1) - PolSec - MSSI - uni.lu
34
Data analysis - correlation ¡ Monitoring systems: ¡ information related to the IP addresses involved in
network monitoring systems (e.g., netflow database).
¡ Referring database: ¡ check if this kind of incident or this incident reporter
are already in your incident database.
¡ Other sources: ¡ relevant log-files (routers, firewalls, proxy servers,
switches, web application, mail servers, DHCP servers, authentication servers, etc.).
IM (1) - PolSec - MSSI - uni.lu
35
Research resolution ¡ Based on analysis, team brainstorming
on resolution
¡ Avoid the pitfall of perfectionism
¡ Sometimes a quick response has the same or a higher value than a comprehensive and complete understanding
IM (1) - PolSec - MSSI - uni.lu
36
Proposed actions (1)
¡ Prepare a set of concrete and practical tasks for each party involved
¡ Remember to adjust your language
IM (1) - PolSec - MSSI - uni.lu
37
Proposed actions (2) ¡ Attack target ¡ How to stop and mitigate an ongoing attack:
¡ turn off a service
¡ check the system for malware
¡ patch a system or an application
¡ perform or order an audit if you are not able to improve your system security yourself
¡ How to deliver more data:
¡ concrete practical instructions (e.g. how to obtain a full e-mail header)
IM (1) - PolSec - MSSI - uni.lu
38
Proposed actions (3)
¡ ISP/ICP ¡ To collect, save and archive data. ¡ To monitor network traffic related to the
case and inform you if something important happens.
¡ To filter network traffic in the case of an ongoing attack if such filtering can help to stop or mitigate it.
IM (1) - PolSec - MSSI - uni.lu
39
Proposed actions (4) ¡ CERTs ¡ To contact the local ISP/ICP within its
constituency
¡ To ask for advice on how to deal with an incident
¡ Law enforcement: ¡ To follow a case if it is significant (e.g. you
suspect organised crime activity)
¡ To assist the reporter of a crime if an incident is to be reported to the police
IM (1) - PolSec - MSSI - uni.lu
40
Monitor action(s) performance
¡ Basic rules for monitoring the performance of actions: ¡ Is the attack target’s service turned
off? ¡ Is the attack target’s service still
vulnerable? ¡ Is the traffic which should be filtered still
visible in the network?
IM (1) - PolSec - MSSI - uni.lu
41
Recovery
¡ Recover or restore to normal the service that was attacked during the incident
IM (1) - PolSec - MSSI - uni.lu
42
Incident closure & improvements
IM (1) - PolSec - MSSI - uni.lu
43
Information disclosure TLP (Traffic Light Protocol)
IM (1) - PolSec - MSSI - uni.lu
44
Incident Taxonomy
IM (1) - PolSec - MSSI - uni.lu
45
Exercise Triage and Basic Incident Handling
IM (1) - PolSec - MSSI - uni.lu
46
Set-up ¡ Only brain is needed
¡ « World set-up »: ¡ 10/8 are networks located in Utopia
¡ 10.187/16 are networks of Utopia NREN
¡ .ut is Utopia’s top-level domain
IM (1) - PolSec - MSSI - uni.lu
47
Description The exercise simulates the initial phases of incident handling with 10 real-life incident reports. These phases include:
¡ verification of the report (did the incident actually occur?);
¡ interpretation (what actually happened?);
¡ determination of the scope of incident (what are the actual and possible consequences for your constituency and others?);
¡ classification;
and
¡ prioritization (based on the previous factors).
IM (1) - PolSec - MSSI - uni.lu
48