TRANSCRIPT
© 2004 Internet Security Systems. All rights reserved. Contents are property of Internet Security Systems.
Cyber Disaster Recovery: Planning for the Inevitable
20 years ago, Disaster Recovery (D/R) plans protected brick-and-mortar companies. Today they must also protect the growing virtual side of business: e-business.
Why Focus on Incident Preparedness?
20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure:
• Earthquake- and hurricane-“proof” buildings
• Redundant power and communications
• Disaster recovery planning
• Regulatory requirements

Today, survival of the business also depends on survival of the information infrastructure:
• Firewalls, proxies, access controls
• VPNs, encryption, authentication
• Growing regulation: SOX, HIPAA, GLBA, CA Breach Law

Planning ahead insures against catastrophe.
Overview
• Traditional disaster recovery (D/R) planning is formal and tested regularly
• Cyber-D/R planning is less mature, but more necessary today
• Cyber-D/R requires quick reaction and different skill sets, e.g., computer forensics
• Growing trend toward prosecution
• Critical infrastructure protection requires better Cyber-D/R planning and response capability
“Traditional” disaster recovery
• Business impact analysis
  • Determine functional areas critical to the business
  • Identify critical computer systems and applications
  • Determine disaster recovery budget
• Formal disaster recovery plan
  • Disaster declaration criteria and procedures
  • Hot-site and cold-site arrangements
  • Staff response / call-out plans
  • Recovery procedures
• Annual testing
“Cyber” disaster recovery
• Business impact analysis
  • Focusing on the impact of “electronic” disasters such as computer security breaches, instead of “natural” disasters
• Computer Security Incident Response Plan
  • Similar in structure to a disaster recovery plan
  • Incident declaration criteria and procedures
  • Staff response / call-out plans
  • Recovery procedures
  • Restore operations “in-place,” not at a hot-site
  • Focus on forensic approach
• Quarterly testing
An observation…
ISS responded to as many intrusion incidents in Q4-03 alone as it did in all of 2003.
75% of the cases have requested forensic evidence considerations for prosecution.
These incidents were all different, but they share recurring themes that make them easier to prepare for.
What happened?
• These incidents were not caused by “natural” disasters like fire, flood, or earthquake
  • A “traditional” disaster recovery plan would not have been sufficient
• But the potential effects were the same
  • Ability to conduct business was impacted
  • Reputation could have been damaged
  • Financial loss could have occurred
  • Loss of customers
The need for good and timely information
During a natural disaster, information is made available to us by television, radio, and government sources
During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves
Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them
Obtaining good and timely information
• Do you have the skills in-house to stay on top of threats and vulnerabilities?
• Does your staff respond to attacks frequently enough to keep their skills sharp?
• Do you have (and follow) escalation, notification and handling procedures?
• What is the value of a second opinion when you think you’re under attack?
• Can you conduct a forensic investigation without contaminating evidence?
• What are your regulatory requirements?
Information Security Lifecycle
• Put all this in place without impacting users
• What can we add or change to improve our security?
• How well are we protected, now and in the future?
• Given what we have, how do we handle security incidents?
Goals of an Incident Response
• Gain control of any upcoming security problems
• Facilitate centralized reporting of incidents
• Coordinate response to incidents
• Raise security awareness of users
• Provide a clearinghouse of relevant computer security information
• Promote security policies
• Provide liaisons to legal and criminal investigative groups both inside and outside the company
Incident Response
• Detection: Analysis of incident data to determine the source of the incident, its cause (program error, human error, or deliberate action), and its effects;
• Containment: Preventing the effects of the incident from spreading to other computer systems and computer communications networks in your organization;
• Eradication: Stopping the incident at the source and/or protecting your computer systems and computer communications networks from the effects of the incident;
• Recovery: Restoration of the affected computer systems and computer communications networks to normal operation; and
• Risk Reoccurrence Mitigation: Making sure that your computer systems and computer communications networks are protected from future occurrences of the incident.
Incident Preparedness
• Security Best Practices (ISO 17799)
• Roles and Responsibilities
• Technology
• Education/Awareness
• Scenario Testing & Validation
(Figure: Confidentiality, Integrity, Availability)
ISO 17799 Best Practices…
Assess Existing Controls & Procedures:
• Information Security Policy
• Incident Response and Preparedness
• Authentication & Access Control
• Information Ownership and Classification
• Change Control
• Auditable Information Security Management
• Network Management
• Vulnerability Management & Policy Compliance
• Threat Management Life Cycle
• Security Performance Monitoring (Quality)
Assess Infrastructure
• Network Perimeter and Penetration Analysis (determines current exposure to circumventing perimeter controls)
  • Internet Connectivity (e.g., firewalls, routers)
  • Business-to-Business connectivity
  • Remote Access
• Vulnerability and Risk Analysis (determines current risks and exposure within the organization)
  • Qualitative and Quantitative Analysis: Network Exposures, Host Exposures, Database Security, Network Architecture, Best Practices (ISO 17799), Regulatory Requirements
Define the Desired Security State
• Define existing and future business requirements relative to information security
• Balance business objectives, risks and best practices such as ISO 17799
• Define controls and their benefits relative to roles, responsibilities and associated risks
• Identify residual risks
• Define the requirements for a proactive, integrated strategic security infrastructure
Perform a GAP Analysis
Current Security State → Desired Security State (DSS)
Incident Preparedness: Alarm (Incident Alert)
Flow: Alarm
• Technology (e.g., Firewalls, ID)
• Management Process (HR)
• System Administration Staff
• End Users (Internal, External)
• News Agencies
• Hackers
• Internet Service Provider
Incident Preparedness: Report & Notification (Incident Reporting: Communicate)
Flow: Alarm → Report & Notification
• Technology (email, pager, etc.)
• Help Desk (Trouble Ticket)
• Call-Out Process
Incident Preparedness: Preliminary Investigation (Incident Investigation: Is It Real?)
Flow: Alarm → Report & Notification → Preliminary Investigation
• Activity Logs
• Preliminary Interview and Check
• Policy Violation
• Technology
Incident Preparedness: Decision and Resources
Flow: Alarm → Report & Notification → Preliminary Investigation (Is It Real?) → Decision and Resources
• Emergency Declaration
• Incident Coordinator/Team
• Course of action
  • Technical
  • Legal
Incident Preparedness: Response (Incident Response: Take Action)
Flow: Alarm → Report & Notification → Preliminary Investigation → Decision and Resources → Response
• In-depth Investigation
  • Detailed Interviews and Forensics
• Containment
  • Connectivity (Off, Routing, etc.)
  • Sever Trust among Systems
  • Disable Applications
  • Sandbox
  • Honeypot
  • Remote Access
• Legal
  • Public Relations
  • Human Resources
  • Law Enforcement
  • Prosecution
• Customer/Employee Notification
Incident Preparedness: Recovery (Incident Recovery: Fix & Go On)
Flow: Alarm → Report & Notification → Preliminary Investigation → Decision and Resources → Response → Recovery
• Eradication
  • Trojans, Root kits, Bogus Accounts
• Operations Restoration
  • Backups, Cleanup
  • Disaster Recovery
• Mitigate Reoccurrence Risk
  • Technology
  • Policy and Procedures
Incident Preparedness: Lessons Learned (Improvement/Quality)
Flow: Alarm → Report & Notification → Preliminary Investigation → Decision and Resources → Response → Recovery → Lessons Learned
• Documentation
• Update Incident Response Process
• Financial Impact Analysis
• Staff Needs
• Budget Needs
• Quality in Information Security
CSIRP: Computer Security Incident Response Plan
Components of a CSIRP
• Charter
• Incident Definition and Declaration
• Team Make-Up
• Response Procedures
• Preplanned Response Procedures
• Sample Press Release
• CSIRT Contact Information
Charter
• Mission
• Scope
• Organizational & Team Structure
• Information Flow
• Services (Reactive and Proactive)
Incident Definition/Declaration
• Declaration
• Severity
• Response Teams
• D/R Relationship
Team Make-Up
• CSIRT Officer and Manager
• CSIRT Decision Pool
Incident Response Team
Computer Incident Response Team (org chart):
• CISO / CIRT Coordinator
• Vendor Augment: Emergency Response Service
• Business Security Officer, Business Unit A
• Business Security Officer, Business Unit B
• VP Human Resources; Legal Counsel
• Technology Infrastructure / Disaster Recovery
• Technology Manager: UNIX Ops, NT Operations, Internet Ops
• Technology Manager: UNIX Ops, NT Operations, Internet Ops
• Public Relations
Roles and Responsibilities
Roles and responsibilities are defined here with the context of threat and vulnerability management in mind. Thus, there are many responsibilities and interactions between the roles that are out of the scope of this document.

Management
Role/Responsibility:
• Understand Client’s enterprise security posture (e.g. via routine reports)
• Support the information security team’s (i.e. the Technical and Security Program Manager’s) efforts to secure the Client environment
• Provide on-going funding for security
• Ensure the information security team has the appropriate knowledge level to perform their duties
Management involvement will be led by Jane Doe.

Security Program Manager
Role/Responsibility:
• Track Client vulnerability and threat management issues
• Maintain threat and vulnerability management policy, processes, and procedures
• Assist technical specialists with threat and vulnerability tool policy development as needed (e.g. collaborate to develop security tool policy via monthly meetings and ad hoc discussions)
• Periodically review policies on all threat and vulnerability management tools to ensure they continue to meet the needs of Client
• Accommodate penetration tests by notifying the relevant personnel and determining logistics
• Alert Management to critical and potentially critical threat and vulnerability issues
• Contribute to regular reports for monthly security meetings
• Host monthly security meetings
The Security Program Manager is John Doe.

Technical Program Manager
Role/Responsibility:
• Run and maintain vulnerability scanning tools including system databases
• Monitor and maintain threat management (intrusion detection) tools including system databases
• Collaborate with Business Units and Security Program Manager to resolve threats and vulnerabilities (e.g. research impact of vulnerability fixes on their devices, discuss approaches)
• Document security events such as incidents or vulnerability fixes
• Generate regular reports for monthly security meetings and ad hoc reports to investigate exceptions or suspicious events
• Distribute reports and comments on a timely basis
• Attend and contribute to monthly information security meetings
• Alert Management to critical and potentially critical threat and vulnerability issues
• Accommodate penetration tests by notifying the relevant personnel and determining logistics
• Track Client technical vulnerability and threat management issues
• Periodically assess the need for updates and/or additional tools
The Technical Program Manager is Jim Doe.
Roles & Responsibilities
Roles and responsibilities should be defined:
• Communication Protocol
• Coordination
• Who will be the ultimate decision maker
• Who will monitor the monitors
Centralized Incident Reporting
A central point of contact must be created:
• Hotline
• Email address ([email protected])
Centralized reporting is vital to the effectiveness of a company’s ERS initiative:
• Consolidation
• Correlation
• Statistics on size, nature and extent of security problems
Response Procedures
• Alert Phase
• Triage Phase
• Recovery Phase
• Maintenance Phase
Preplanned Response Procedures
• Virus Response
• Past Incidents
• Lessons Learned
Sample Press Release
Plan on word getting out. Then be really happy if it doesn’t.
CSIRT Contact Information
Call out lists and alternates
ISS Jeopardy

Answer: Assess/Design/Deploy/Manage/Educate
Question: What is the Information Security Life Cycle?

Answer: Detect/Contain/Eradicate/Recover/Mitigate Reoccurrence
Question: What are the Goals of Incident Response?

Answer: This item sets the charter, roles and procedures for incident response
Question: What is a Computer Security Incident Response Plan?

Answer: Mission/Scope/Team Structure/Info. Flow/Services
Question: What is contained in the CSIRP Charter?

Answer: Alert/Triage/Recovery/Maintenance
Question: What are the Response Procedures of a CSIRP?

Answer: Rob Gallery
Question: Who was the #2 pick, 1st round, in the 2004 NFL Draft?
#74, 6’8” 320 lbs, Rob Gallery (Iowa), Offensive Tackle, to the Oakland Raiders

Answer: “Heidi Game”
1968 Raiders/Jets game interrupted for the showing of “Heidi” with 65 seconds remaining and the Jets ahead 32-29.
Raiders won. After the Raiders scored on a Daryl Lamonica pass to make it 36-32, the Jets fumbled the kickoff and the Raiders ran it in to make the final score 43-32.
Thank You
Ed Hudson, CISM
Director, Professional Services
X-Force PSS