5/6/2016© 2016 Firebrand
CISM™
Certified Information
Security Manager
Firebrand Custom Designed Courseware
Chapter 4: Information Security Incident Management
Exam Relevance
Ensure that the CISM candidate…
Establish an effective program to respond to and subsequently manage incidents that threaten an organization’s information systems and infrastructure.
The content area in this chapter will represent approximately 18% of the CISM examination (approximately 36 questions).
ISACA CISM Review Manual Page 220
Chapter 4
Learning Objectives
Develop and implement processes for the following, applied to information security incidents:
• Detecting
• Identifying
• Analyzing
• Responding
ISACA CISM Review Manual Page 220
Learning Objectives cont.
Incident Management process
• Establish a severity hierarchy for identification and response to security incidents
• Maintain an incident response plan
• Establish processes to identify and investigate incidents
• Establish escalation and communications plans
• Develop a skilled team
ISACA CISM Review Manual Page 220
Learning Objectives cont.
Test and refine information security incident response plans
Manage incident response
Conduct post-incident reviews of security incidents to determine root cause, develop corrective actions and reassess risk
Integrate incident response plans with business continuity plans (BCP) and disaster recovery plans (DRP)
ISACA CISM Review Manual Page 220
Definition
Incident
• Any event that has the potential to adversely impact the ability of the business to meet its objectives
Incident management
• The capability to effectively manage unexpected disruptive events
• Minimize impacts
• Maintain and restore normal business operations within defined time limits
ISACA CISM Review Manual Page 233
Definition
Incident response
• The operational capability of incident management that identifies, prepares for and responds to incidents
• Provide forensic and investigative capabilities
• Restore normal operations as defined in service level agreements (SLAs)
• Manage the impact of unexpected disruptive events to acceptable levels
ISACA CISM Review Manual Page 234
Definition
Incident management will ensure that incidents are detected, recorded and managed to limit impacts.
ISACA CISM Review Manual Page 234
Goals of Incident Management and Response
The goals of incident management and response include:
• The ability to deal effectively with unanticipated events
• Detection and monitoring capabilities to alert staff to a potential incident
• Effective notification and reporting to management
• A response plan that is aligned with business priorities
ISACA CISM Review Manual Page 234
Goals of Incident Response cont.
• The ability to learn from past incidents and prevent future problems
• Regular testing and validation of the effectiveness of the plan
ISACA CISM Review Manual Page 234
What is an Incident - Intentional
Malicious code
Unauthorized access to IT systems, facilities, information
Unauthorized use of resources
Unauthorized changes to systems, networks
Denial of service (DOS)
Surveillance, espionage
Social Engineering
Fraud
ISACA CISM Review Manual Page 236
What is an Incident - Unintentional
Equipment failure
Utility failure (power)
Software bugs
Deletion of files
Weather-related issues
ISACA CISM Review Manual Page 236
Incident Response Team Members
Personnel
An Incident Response Team usually consists of
• The Incident Manager (often an Information Security Manager)
• The Team Leader
• Steering committee/advisory board
  • Provide oversight and authority
ISACA CISM Review Manual Page 239
Personnel cont.
An Incident Response Team usually consists of
• Permanent/dedicated team members
• Specialized skills – forensics, audit, communications, legal
• Representation from key departments – Operations, IT, HR, Finance, Security, Executive, etc.
• Virtual/temporary team members
• External experts
ISACA CISM Review Manual Page 237
Personnel cont.
The composition of the incident response team will depend on a number of factors such as
• Mission and goals of the incident response program
• Nature and range of services provided
• Available staff expertise
• Scope and technology base
• Anticipated incident load
• Severity or complexity of incident reports
• Funding
• Regulations and legal considerations
ISACA CISM Review Manual Page 237
Team Member Skills
The set of basic skills that incident response team members need can be separated into two broad groups:
• Personal skills
  • Ability to handle stress
  • Leadership skills
  • Expertise based on the incident handler’s daily activity
• Technical skills
  • Specialized skills in IT, communications, etc.
ISACA CISM Review Manual Page 238
Skills cont.
Personal skills
• Communication
• Presentation skills
• Ability to follow policies and procedures
• Team skills
• Integrity
• Confidence
• Problem solving
• Time management
ISACA CISM Review Manual Page 238
Skills cont.
Technical skills
• Basic understanding of the underlying technologies used by the organization
• Understanding of the techniques, decision points and supporting tools required in incident management
ISACA CISM Review Manual Page 239
Security Concepts and Technologies
The following security concepts and technologies should be considered and known to IRTs:
• Security principles
• Security vulnerabilities/weaknesses
• The Internet
• Network protocols
• Network applications and services
• Network security issues
• Operating systems
• Malicious code
• Programming skills
ISACA CISM Review Manual Page 237
Organizing, Training and Equipping the Response Staff
Every incident response team member should get the following types of training:
• Induction to Incident response - basic information about the team and its operations
• Description of the team’s roles, responsibilities and procedures
• On the job training
• Formal training
ISACA CISM Review Manual Page 238
Review and Audit of Incident Response
ISACA CISM Review Manual Page 240
Value Delivery
To deliver value, incident management should:
• Integrate and align with business processes and structures
• Improve the capability of businesses to manage incidents effectively
• Integrate incident management with risk and business continuity
• Become part of an organization’s overall strategy and effort to protect and secure critical business function and assets
ISACA CISM Review Manual Page 241
Performance Measurement
Performance measurements for incident management and response will focus on achieving the defined objectives and optimizing effectiveness, for example:
• Incident response time
• Application of lessons learned
KPIs and KGIs should be defined and agreed upon by stakeholders and ratified by senior management
ISACA CISM Review Manual Page 241
Reviewing the Current State of Incident Response Capability
Survey of senior management, business managers and IT representatives
Self-assessment
External assessment or audit
ISACA CISM Review Manual Page 243
Audits
Audits (internal and external) must be performed to verify:
• Incidents have been resolved and closed off
• Lessons learned applied to the organization
• Adherence by the incident response team to the policies and procedures defined by the organization
ISACA CISM Review Manual Page 240
History of Incidents
Past incidents provide valuable information on risk trends, threat types and business impact due to an incident
• Can be used to evaluate the existing plans
• Used as input to know the types of incidents that must be considered and planned for
ISACA CISM Review Manual Page 244
Gap Analysis – Basis for an Incident Response Plan
Gap analysis compares current incident response capabilities with the desired level. The following may be identified:
• Processes that need to be improved to be more efficient and effective
• Resources needed to achieve the objectives for the incident response capability
ISACA CISM Review Manual Page 245
Preparing the Incident Response Plan
Incident Management and Response
The incident management and response structure should include:
• Incident Response Planning
• Business Continuity Planning
• Disaster Recovery Planning
• Recovery of IT systems
Incident Management and Response cont.
Plans must be
• Clearly documented
• Readily accessible
• Based on the long range IT plan
• Consistent with the overall business continuity and security strategies
Incident Management and Response cont.
Incident Response planning includes
• Incident detection capabilities (ability to recognize an event as a false positive or a real event)
• Clearly defined severity criteria (catastrophic, major, minor)
• Assessment and triage capabilities (determine extent of incident)
• Declaration criteria (activation of response teams)
Importance of Incident Management and Response
Incident response is required since even minor incidents may:
• Affect business viability
• Develop into major incidents
• Require public communications plans
• Necessitate advising regulators, clients or other affected stakeholders
Even the best controls cannot prevent all incidents
ISACA CISM Review Manual Page 234
Incident Response Functions
Detection and reporting
• Alerting, escalation
Triage
• Containment, recovery
Analysis
• Root cause, lessons learned
Incident response team skills
• Necessary training and experience
ISACA CISM Review Manual Page 234
Incident Management Technologies
An effective incident management system should
• Monitor and consolidate inputs from multiple systems
• Identify incidents or potential incidents
• Prioritize incidents based on business impact
• Provide status tracking and notifications
• Integrate with major IT management systems
• Follow good practices guidelines
ISACA CISM Review Manual Page 235
Responsibilities of the CISM
Developing the information security incident management and response plans
Handling and coordinating information security incident response activities
Validating, verifying and reporting on the effectiveness of protective controls and countermeasure solutions
Planning, budgeting and program development for all matters related to information security incident management and response
ISACA CISM Review Manual Page 236
Incident Response Responsibilities
The responsibilities of incident response include:
• Managing the incident so that the impact is contained and minimal damage occurs
• Notifying the appropriate people and escalating the incident to management when required
• Recovering quickly and efficiently from security incidents
• Balancing operational and security needs
ISACA CISM Review Manual Page 236
Incident Response Responsibilities cont.
The responsibilities of incident response include:
• Responding systematically and decreasing the likelihood of cascading problems or incident recurrence
• Dealing with legal and law enforcement-related issues
• Ensuring that the incident response is documented
• Following up on lessons learned to enhance controls
ISACA CISM Review Manual Page 236
Requirements for Incident Response Managers
Have the leadership skills necessary to manage crisis teams
Understand business priorities and culture
Have the experience, knowledge, and the authority to invoke the disaster recovery processes necessary to maintain or recover operational status
ISACA CISM Review Manual Page 236
Senior Management Involvement
Senior management provides strategic direction during the crisis
• Reporting of the incident is escalated to senior management
• Decisions and direction are passed down to the incident management teams
ISACA CISM Review Manual Page 236
The Desired State
Incident management and response requires
• Well-developed monitoring capabilities for key controls
• Personnel trained in assessing the situation, capable of providing triage, and managing effective responses
• Managers that have made provisions to capture all relevant information and apply previously learned lessons
ISACA CISM Review Manual Page 240
Strategic Alignment of Incident Response
Incident management must be aligned with the organization’s strategic plan
• Scope – what incidents are the responsibility of the Incident response team
• Services – services should be clearly defined
• Organizational structure – Reporting and oversight
• Resources – sufficient staffing and skills necessary for effective response
• Funding – sufficient funding as required to manage incident response
• Management buy-in – Senior management buy-in is essential
ISACA CISM Review Manual Page 240
Creating a Detailed Incident Response Plan
Detailed Plan of Action for Incident Management
The incident management action plan outlined in the CMU/SEI technical report titled Defining Incident Management Processes consists of the following phases:
• Prepare/improve/sustain (prepare)
• Protect infrastructure (protect)
• Detect events (detect)
• Triage events (triage)
• Respond
ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Prepare
Prepare/improve/sustain (prepare) phase:
• Coordinate planning and design.
• Identify incident management requirements.
• Establish vision and mission.
• Obtain funding and sponsorship.
• Develop implementation plan.
• Coordinate implementation.
ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management – Prepare cont.
Prepare/improve/sustain (prepare) phase:
• Develop policies, processes and plans.
• Establish incident handling criteria.
• Implement defined resources.
• Evaluate incident management capability.
• Conduct postmortem review.
• Determine incident management process changes.
• Implement incident management process changes.
ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Protect
Protect infrastructure (protect) phase:
• Implement changes to computing infrastructure to mitigate ongoing or potential incident.
• Implement infrastructure protection improvements from postmortem reviews or other process improvement mechanisms.
• Evaluate computing infrastructure by performing proactive security assessments and evaluations.
• Provide input to detect processes on incidents/potential incidents.
ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Detect
Detect events (detect) phase:
• Proactive detection—The detection process is conducted prior to incident alert. This will enable the response team to detect attack precursors, false negatives and emerging threats.
• Reactive detection—The detection process is conducted when there are reports of possible incidents from system users or other organizations.
ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Triage
Triage
Requires initial gathering of incident data, incident severity determination, notification and activation of incident response team
• Can be done on two levels
• Tactical - Based on a set of criteria
• Strategic - Based on the impact of business
ISACA CISM Review Manual Page 242
Detailed Plan of Action for Incident Management - Response
Response
• Technical response
• Collecting data for further analysis
• Analyzing incident supporting information such as log files
• Technical mitigation strategies and recovery options
• Development and deployment of workarounds
• Management response
• Legal response
ISACA CISM Review Manual Page 242
Elements of an Incident Response Plan
Another approach to the development of an incident response plan
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons learned
ISACA CISM Review Manual Page 244
Crisis Communications
One of the greatest challenges in a crisis is effective communications
• Internal
  • Staff, management, business units
• External
  • Business partners
  • Shareholders
  • General public
  • Government and regulatory bodies
  • Law Enforcement
ISACA CISM Review Manual Page 248
Challenges in Developing an Incident Management Plan
Unanticipated challenges may be the result of
• Lack of management buy-in and organizational consensus
• Mismatch to organizational goals and priorities
• Incident management team member turnover
• Poor communications
• Complex and wide-ranging plan
ISACA CISM Review Manual Page 248
Responding to an Incident
When an Incident Occurs
If an incident occurs:
• The Incident response team should follow the procedures set out in the Incident response plan
• Properly document (record and preserve) all information related to the incident
• Follow data/evidence preservation procedures
• Take precautions to avoid changing, altering or contaminating any potential or actual evidence
ISACA CISM Review Manual Page 258
During an Incident
The initial response to an incident should include:
• Retrieving information needed to confirm an incident
  • False positive or real event
• Notify incident manager and activate incident response teams
ISACA CISM Review Manual Page 258
During an Incident cont.
• Identifying the scope and size of the affected environment (e.g., networks, systems, applications)
• Containing the incident and minimizing the potential for further damage
• Determining the degree of loss, modification or damage (if any)
• Identifying the possible path or means of attack
• Restoring critical services
ISACA CISM Review Manual Page 258
Containment Strategies
During an incident it is critically important to contain the crisis and attempt to minimize the amount of damage that occurs.
• Network isolation and segmentation
• Fire doors and fire suppression
• Fail secure
• Multiple suppliers
• Multiple facilities
• Cross trained staff
ISACA CISM Review Manual Page 258
The Battle Box
Preloaded kits containing the tools and support materials needed by the response team in a crisis
• Flashlights
• Communications (radio, satellite phones)
• Batteries
• Forms and documentation, pens
• Tools
• Protective clothing
• First aid kits
• Evidence collection bags
Evidence Identification and Preservation
The CISM must know
• Requirements for collecting and preserving evidence
• Rules for evidence, admissibility of evidence, and quality and completeness of evidence
• The consequences of any contamination of evidence following a security incident
• Consider enlisting the help of third-party specialists if detailed forensic skills are needed
ISACA CISM Review Manual Page 260
Post Event Reviews
Post Event Reviews allow lessons learned to be applied to future incidents
• Use information gathered to improve response procedures
• Do reviews with all affected staff
• Follow up on all lessons
ISACA CISM Review Manual Page 259
Business Continuity and Disaster Recovery Planning
Disaster Recovery Planning (DRP) and Business Recovery Processes
Disaster recovery has traditionally been defined as the recovery of IT systems from disastrous events
Business recovery (resumption) is defined as the recovery of the critical business processes necessary to continue or resume operations.
ISACA CISM Review Manual Page 249
Development of BCP and DRP
Each of these planning processes typically includes several main phases, including:
• Risk and business impact assessment
• Response and recovery strategy definition
• Documenting response and recovery plans
• Training all users and response teams
• Updating response and recovery plans
• Testing response and recovery plans
• Auditing response and recovery plans
ISACA CISM Review Manual Page 249
Plan Development
Plan development factors include:
• Pre-incident readiness
• Evacuation procedures
• How to declare a disaster
• Identifying the business processes and IT resources that should be recovered
• Identifying the responsibilities in the plan
ISACA CISM Review Manual Page 249
Plan Development cont.
Plan development factors include:
• Identifying contact information
• The step-by-step explanation of the recovery options
• Identifying the various resources required for recovery and continued operations
• Ensuring that other logistics such as personnel relocation and temporary housing are considered
ISACA CISM Review Manual Page 250
Developing Response and Recovery Plans
Factors to consider when developing response and recovery plans include:
• Available resources
• Expected service levels
• Types, kinds, and severity of threats faced by the organization
ISACA CISM Review Manual Page 250
Recovery Strategies
Recovery strategies must be sustainable for the entire period of recovery until business processes are restored to normal. Strategies may include:
• Doing nothing until recovery facilities are ready
• Using manual procedures / workarounds
• Focusing on the most important customers, suppliers, products, and systems with resources that are still available
ISACA CISM Review Manual Page 251
Recovery Strategies cont.
The most appropriate recovery strategy is based on:
• The ability to recover within acceptable recovery times at a reasonable cost
• Which recovery strategies are available
• Several options may be considered including outsourcing of certain functions
ISACA CISM Review Manual Page 252
Basis for Recovery Strategy Selections
Response and recovery strategy plans should be based on the following considerations:
• Interruption window
• RTOs
• RPOs
• Services delivery objectives (SDOs)
• Maximum tolerable outages (MTOs) / Maximum Tolerable Period of Disruption (MTPD)
• Location
• Nature of probable disruptions
ISACA CISM Review Manual Page 252
Disaster Recovery Sites
Types of offsite backup hardware facilities available include:
• Hot sites
• Warm sites
• Cold sites
• Mobile sites
• Duplicate information processing facilities
• Mirror sites
ISACA CISM Review Manual Page 250
Disaster Recovery Sites cont.
Criteria for selecting alternate sites for processing in the event of a disaster include:
• The recovery site should not be subject to the same disaster(s) as the primary site
• Availability of similar hardware /software
• Ability to move people and resources to the recovery location
• Ability to test the recovery strategy
ISACA CISM Review Manual Page 250
Recovery of Communications
Recovery of IT facilities involves telecommunications and network recovery
• Alternative / Diverse routing
• Long-haul network diversity
• Voice recovery
• Availability of appropriate circuits and adequate bandwidth
• Availability of out-of-band communications in case of failure of primary communication methods
ISACA CISM Review Manual Page 254
Notification Requirements
Plan should include a call tree with a prioritized list of contacts
• Representatives of equipment and software vendors
• Contacts within companies that have been designated to provide supplies and equipment or services
• Contacts at recovery facilities, including hot-site representatives or predefined network communications rerouting services
ISACA CISM Review Manual Page 253
Notification Requirements cont.
Plan should include a call tree with a prioritized list of
• Contacts at off-site media storage facilities and the contacts within the company who are authorized to retrieve media from the off-site facility
• Insurance company agents
• Contacts at human resources (HR) and/or contract personnel services
• Law enforcement contacts
ISACA CISM Review Manual Page 253
Response Teams
Number of teams depends upon size of organization and magnitude of operations - examples include:
• The emergency action team
• Damage assessment team
• Emergency management team
• Relocation team
• Security team
ISACA CISM Review Manual Page 247
Insurance
Types of insurance coverage
• IT equipment and facilities
• Media (software) reconstruction
• Extra expense
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage
• Media transportation
ISACA CISM Review Manual Page 255
Testing Response
and Recovery Plans
Testing must include:
• Developing test objectives
• Executing the test
• Evaluating the test
• Developing recommendations to improve the effectiveness of testing processes as well as response and recovery plans
• Implementing a follow-up process to ensure that the recommendations are implemented
ISACA CISM Review Manual Page 256
Types of Tests
Tests can include:
• Desk check / Table-top walk-through of the plans
• Table-top walk-through with mock disaster scenarios (simulation tests)
• Testing the infrastructure and communication components of the recovery plan
• Testing the infrastructure and recovery of the critical applications (parallel tests)
• Full restoration and recovery tests with some personnel unfamiliar with the systems
ISACA CISM Review Manual Page 256
Test Results
The test should strive to:
• Verify the completeness and effectiveness of the response and recovery plans
• Evaluate the performance of the personnel involved in the exercise
• Evaluate the coordination among the team members and external vendors and suppliers
• Indicate areas where improvements to the plan are necessary
ISACA CISM Review Manual Page 256
Test Results cont.
The test should strive to:
• Measure the ability and capacity of the backup site to perform required processing
• Ensure vital records / data can be retrieved
• Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
• Measure the overall performance of operational and information systems related to maintaining the business entity
ISACA CISM Review Manual Page 257
Plan Maintenance Activities
The BCP and DR plans must be maintained through:
• Developing a schedule for periodic review and maintenance of the plan
• Updating plan with personnel changes, phone numbers and responsibilities or status within the company
• Updating the plan whenever significant changes have occurred
• Organizational change
• Results of tests or incidents
ISACA CISM Review Manual Page 255
BCP and DRP Training
Training must be provided for all staff dependent on their responsibilities:
• Develop a schedule for training personnel in emergency and recovery procedures
  • Users
  • Team members
  • Local business unit liaisons
End of Chapter
This concludes the 2016 CISM Course