Module 1 Assignment

9781111138059_PPT_ch01.pptx

About the Presentations

The presentations cover the objectives found in the opening of each chapter.

All chapter objectives are listed in the beginning of each presentation.

You may customize the presentations to fit your class needs.

Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.

Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 01

An Overview of Information

Security and Risk Management


Objectives

Define and explain information security

Identify and explain the basic concepts of risk management

List and discuss the components of contingency planning

Describe the role of information security policy in the development of contingency plans


Introduction

Contingency planning

Being ready for incidents and disasters

Example: 1/10 of one percent of online users

Allows for two and a half million potential attackers

Example: World Trade Center (WTC) organizations

Had contingency plans due to February 1993 attack

Example: 2008 Gartner report

2/3 of organizations invoked plans in prior two years

Information security includes contingency planning

Ensures confidentiality, integrity, availability of data


Information Security

Committee on National Security Systems (CNSS) information security definition

Protection of information and its critical elements

Includes systems and hardware storing, transmitting information

Part of the CNSS model (evolved from C.I.A. triangle)

Conceptual framework for understanding security

Information security (InfoSec)

Protection of confidentiality, integrity, and availability of information

In storage, during processing, and during transmission


Key Information Security Concepts

Threat: object, person, other entity posing potential risk of loss to an asset

Asset: organizational resource being protected

Logical or physical

Attack: attempt to cause damage to or compromise information or its supporting systems

Arises from a threat; intentional or unintentional

Threat-agent: threat instance

Specific and identifiable; exploits asset vulnerabilities


Key Information Security Concepts (cont’d.)

Vulnerability

Flaw or weakness in system security procedures, design, implementation, internal controls

Results in security breach or security policy violation

Well-known or latent

Exercised accidentally or intentionally

Exploit: the means by which a threat-agent takes advantage of a vulnerability

Threat-agent may exploit a system or its information through illegal use

Threat-agent may create an exploit that targets a specific vulnerability

Control/safeguard/countermeasure: mechanism used to prevent an attack


Key Information Security Concepts (cont’d.)


Key Information Security Concepts (cont’d.)

Trespass

Broad category of electronic and human activities

Can breach information confidentiality

Leads to unauthorized real or virtual actions

Results in unauthorized access to premises or system

Software attacks

Malicious code, malicious software, malware

Designed to damage, destroy, deny service to the target systems

Example: hackers


Key Information Security Concepts (cont’d.)

Common malicious code instances

Viruses and worms, Trojan horses, logic bombs, bots, rootkits, back doors, denial-of-service (DoS) attack, distributed DoS (DDoS) attack

Malicious code threats: sources of confusion

Method of propagation, payload, vector of infection

Viruses

Segments of code that perform malicious actions

Macro virus: embedded in automatically executing macro code

Boot virus: infects key operating system files


Key Information Security Concepts (cont’d.)

Worms

Replicate themselves constantly

No other program needed

Can replicate until available resources filled

Back doors and trap doors

Installed by virus or worm payload

Provides special-privilege access to the system at will

Polymorphism

Threat changes its apparent shape over time

Eludes antivirus software detection


Key Information Security Concepts (cont’d.)

Propagation vectors

Manner by which malicious code spreads can vary

May use social engineering: Trojan horse looks desirable, but is not

May leverage open network connection, file shares or software vulnerability

Malware hoaxes

Well-meaning people send random e-mails warning of fictitious dangerous malware

Wastes a lot of time and energy


Key Information Security Concepts (cont’d.)

Human error or failure

Includes acts performed by an authorized user

No malicious intent or purpose

Human error

Small mistakes produce extensive damage with catastrophic results

Human failure

Intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information


Key Information Security Concepts (cont’d.)

Theft

Illegal taking of another’s property

Property: physical, electronic, intellectual

Includes acts of espionage and breach of confidentiality

Methods

Competitive intelligence or industrial espionage

Theft or loss of mobile devices

Phones, tablets, and computers

Stored information more important than devices


Key Information Security Concepts (cont’d.)

Compromises to intellectual property

FOLDOC intellectual property (IP) definition

The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission but should always include proper credit to the source

Includes

Trade secrets, copyrights, trademarks, patents

Exfiltration, or unauthorized removal of information

Software piracy


Key Information Security Concepts (cont’d.)

Sabotage or vandalism

Destroys asset or damages an organization’s image

Assault on an organization’s Web site

Cyberterrorism (more sinister hacking)

Technical software failures or errors

Software with unknown hidden faults

Code sold before security-related bugs detected

Trap doors

Helpful Web sites

Bugtraq and National Vulnerability Database


Key Information Security Concepts (cont’d.)

Technical hardware failures or errors

Equipment distributed with known or unknown flaw

System performs outside expected parameters

Errors can be terminal or intermittent

Forces of nature

Known as force majeure, or acts of God

Pose most dangerous threats imaginable

Occur with very little warning


Key Information Security Concepts (cont’d.)

Deviations in quality of service by service providers

Product or service not delivered as expected

Support systems interrupted by storms, employee illnesses, unforeseen events

Technological obsolescence

Antiquated or outdated infrastructure

Leads to unreliable and untrustworthy systems

Risks loss of data integrity from attacks


Key Information Security Concepts (cont’d.)

Information extortion

Attacker or trusted insider steals information from a computer system

Demands compensation for its return or for an agreement to not disclose the information

Common in credit card number theft

Other threats

See Table 1-2


Overview of Risk Management

Risk management process

Identifying and controlling information asset risks

Security managers play the largest roles

Includes contingency planning

Risk identification process

Examining, documenting, and assessing the security posture of an organization’s IT and the risks it faces

Risk control process

Applying controls to reduce the risks


Overview of Risk Management (cont’d.)


Overview of Risk Management (cont’d.)

Risk management redefined

Process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

- Chinese General Sun Tzu

Source: Oxford University Press


Overview of Risk Management (cont’d.)

Know yourself

Identify, examine, and understand the information and systems currently in place

Asset: information and systems that use, store, and transmit information

Questions to ask when protecting assets

What are they?

How do they add value to the organization?

To which vulnerabilities are they susceptible?

Have periodic review, revision, and maintenance of control mechanisms


Overview of Risk Management (cont’d.)

Know the enemy

Identify, examine, and understand threats

Determine threat aspects affecting the organization and the security of the assets

List threats prioritized by importance

Conduct periodic management reviews

Verify completeness and accuracy of asset inventory

Review and verify identified threats and vulnerabilities

Review current controls and mitigation strategies

Review cost effectiveness and deployment issues

Verify ongoing effectiveness of every control


Risk Identification

Identify, classify, and prioritize information assets

Threat identification process begins afterwards

Asset examined to identify vulnerabilities

Controls identified

Controls assessed

Regarding capability to limit possible losses should attack occur


Asset Identification and Value Assessment

Iterative process of identifying assets and assessing their value

Information asset classification

Classify with respect to security needs

Components must be specific for the creation of various priority levels

Components ranked according to criteria established by the categorization

Use comprehensive and mutually exclusive categories

Establish clear and comprehensive category sets


Asset Identification and Value Assessment (cont’d.)

Information asset valuation

Is this asset the most critical to the organization’s success?

Does it generate the most revenue?

Does it generate the most profit?

Would it be the most expensive to replace?

Will it be the most expensive to protect?

If revealed, would it cause the most embarrassment or greatest damage?

Does the law or other regulation require us to protect this asset?


Asset Identification and Value Assessment (cont’d.)

Answers determine weighting criteria

Used for asset valuation and impact evaluation

Must decide criteria best suited to establish the information asset value

Perform weighted factor analysis

Calculates relative importance of each asset

Assign score from 0.1 to 1.0 for each critical factor

Assign each critical factor a weight from 1 to 100

Identify, document, and add company-specific criteria


Asset Identification and Value Assessment (cont’d.)


Data Classification and Management (cont’d.)

Data classification schemes

Procedures requiring organizational data to be classified into mutually exclusive categories

Based on need to protect data category confidentiality

Military specialized classification ratings

“Public” to “For Official Use Only” to “Confidential” to “Secret” to “Top Secret”


Data Classification and Management (cont’d.)

Alternative information classification scheme

Public: for general public dissemination

For official use: not particularly sensitive but not for public release

Sensitive: important to the business and could cause embarrassment or loss of market share if revealed

Classified: requires utmost security; disclosure could severely impact the organization

Personnel information security clearances

On a need-to-know basis


Threat Identification

Conduct a threat assessment

Which threats present a danger to the organization’s assets in the given environment?

Which threats represent the most danger to the organization’s information?

Which threats would cost the most to recover from if there was an attack?

Which threats require the greatest expenditure to prevent?


Vulnerability Identification

Review each asset and each threat it faces

Create list of vulnerabilities

Examine how each threat could be perpetrated

List organization’s assets and its vulnerabilities

Notes

Threat may yield multiple vulnerabilities

People with diverse backgrounds should participate


Risk Assessment

Process of assigning a risk rating or score to each information asset

Goal

Determine relative risk of each vulnerability using various factors

Likelihood

Probability that a specific vulnerability will be successfully attacked

Many asset/vulnerability combinations have external references for likelihood values


Valuation of Information Assets

Assign weighted scores for the value to the organization of each information asset

Re-ask questions described in the “Threat Identification” section

Which of these questions is most important to the protection of the organization’s information?

Examine how current controls can reduce risk faced by specific vulnerabilities

Impossible to know everything about each vulnerability


Risk Determination

Risk = (likelihood of vulnerability × value) − percent of risk currently controlled + uncertainty of assumptions

Qualitative Risk Management

General categories and ranking used to evaluate risk

Factor Analysis of Information Risk (FAIR) strategy

Promoted by CXOWARE

Residual risk

Remaining risk after control applied
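The weighted factor analysis from the Asset Identification and Value Assessment slides (scores 0.1 to 1.0, weights 1 to 100) and the risk formula above, carried through in code. This is an added example, not the textbook's own material; the criteria names, weights, assets and vulnerabilities are constructed, and applying the "percent controlled" and "uncertainty" terms to the likelihood × value product is the interpretation assumed here.

```python
"""Weighted factor analysis and risk determination (added example, constructed data)."""
from dataclasses import dataclass, field

# Weight (1..100) per valuation criterion. Constructed sample weights, named after
# the valuation questions on the slides; a real organization sets its own.
CRITERIA_WEIGHTS = {
    "impact_on_revenue": 30,
    "impact_on_profitability": 40,
    "impact_on_public_image": 30,
}


@dataclass
class Asset:
    name: str
    factor_scores: dict                      # criterion -> score in 0.1..1.0
    vulnerabilities: list = field(default_factory=list)  # (name, likelihood, pct_controlled)


def _check_range(value, low, high, what):
    """Reject inputs outside the ranges the method defines, rather than silently ranking on bad data."""
    if not low <= value <= high:
        raise ValueError(f"{what} {value} outside {low}..{high}")


def weighted_score(asset, weights=CRITERIA_WEIGHTS):
    """Relative importance of one asset: sum of (score x weight) over all criteria."""
    total = 0.0
    for criterion, weight in weights.items():
        _check_range(weight, 1, 100, "weight")
        score = asset.factor_scores[criterion]   # KeyError if a criterion was never scored
        _check_range(score, 0.1, 1.0, "score")
        total += score * weight
    return round(total, 2)


def risk_rating(value, likelihood, percent_controlled, uncertainty):
    """Risk = (likelihood x value) - percent controlled + uncertainty.

    Assumption: the two percentage terms are fractions of the likelihood x value
    product, so full control (1.0) removes the whole base and uncertainty adds back
    the share of the base that the estimate may be wrong by.
    """
    _check_range(likelihood, 0.0, 1.0, "likelihood")
    _check_range(percent_controlled, 0.0, 1.0, "percent controlled")
    _check_range(uncertainty, 0.0, 1.0, "uncertainty")
    base = likelihood * value
    return round(base - base * percent_controlled + base * uncertainty, 2)


def rank_risks(assets, uncertainty):
    """One (asset, vulnerability, risk) row per vulnerability, highest risk first."""
    rows = []
    for asset in assets:
        value = weighted_score(asset)
        for vuln_name, likelihood, controlled in asset.vulnerabilities:
            rows.append((asset.name, vuln_name,
                         risk_rating(value, likelihood, controlled, uncertainty)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample inventory: two assets, each with scored criteria and vulnerabilities.
SAMPLE_ASSETS = [
    Asset("customer order database",
          {"impact_on_revenue": 0.8, "impact_on_profitability": 0.9, "impact_on_public_image": 0.5},
          [("unpatched DBMS", 0.5, 0.5), ("weak admin password", 0.3, 0.0)]),
    Asset("public marketing site",
          {"impact_on_revenue": 0.3, "impact_on_profitability": 0.2, "impact_on_public_image": 0.9},
          [("defacement", 0.2, 0.8)]),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name}: value {weighted_score(asset)}")
    for name, vuln, risk in rank_risks(SAMPLE_ASSETS, uncertainty=0.1):
        print(f"{risk:6.2f}  {name} / {vuln}")
```

Note how the half-controlled but likelier DBMS flaw ends up ranked below the uncontrolled password weakness: the ranking is what the residual-risk figure is for.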


Identify Possible Controls

Controls, safeguards, and countermeasures

Represent security mechanisms, policies, and procedures that reduce risk

Three types of security policies

Enterprise information security policy

Issue-specific policies

Systems-specific policies

Programs

Activities performed within the organization to improve security


Risk Control Strategies

Defense approach (preferred approach)

Attempts to prevent vulnerability exploitation

Risk defense methods

Defense through application of policy

Defense through training and education programs

Defense through technology application

Usually requires technical solutions

Eliminate asset exposure

Attempt to reduce risk to an acceptable level


Risk Control Strategies (cont’d.)

Implement security controls and safeguards

Deflect attacks to minimize the probability of their success

Transference

Attempts to shift risk to other assets, processes, organizations

Rethink how services are offered

Revise deployment models

Outsource to other organizations

Purchase insurance

Implement service contracts with providers


Risk Control Strategies (cont’d.)

Mitigation

Attempts to reduce impact caused by the vulnerability exploitation

Through planning and preparation

Includes contingency planning

Business impact analysis

Incident response plan

Disaster recovery plan

Business continuity plan

Requires quick attack detection and response

Relies on existence and quality of the other plans


Risk Control Strategies (cont’d.)

Acceptance

Do nothing to protect an information asset

Accept the outcome of its potential exploitation

Only valid when the organization has:

Determined the level of risk

Assessed the probability of attack

Estimated potential damage that could occur

Performed a thorough cost-benefit analysis

Evaluated controls

Decided asset did not justify the cost of protection


Risk Control Strategies (cont’d.)

Termination

Difference from acceptance

Remove asset from the environment representing risk

Two main reasons

Cost of protecting an asset outweighs its value

Too difficult or expensive to protect asset compared to value or advantage asset offers

Termination must be a conscious business decision

Not simple asset abandonment


Contingency Planning and Its Components

Contingency plan

Used to anticipate, react to, and recover from threatening events

Restores organization to normal modes of business operations

Four subordinate functions

Business impact analysis (BIA)

Incident response planning (IRP)

Disaster recovery planning (DRP)

Business continuity planning (BCP)


Business Impact Analysis

Business impact analysis (BIA)

Investigation and assessment of the impact of attacks

Adds detail to prioritized threat and vulnerability list created in the risk management process

Provides detailed scenarios of potential impact of each type of attack


Incident Response Plan

Incident

Any clearly identified attack on assets

Incident response plan (IRP)

Deals with the identification, classification, response, and recovery from an incident

Assesses the likelihood of imminent damage

Informs key decision makers

Enables the organization to take coordinated action


Disaster Recovery Plan

Preparation for and recovery from natural or man-made disaster

Includes:

Preparations for the recovery process

Strategies to limit losses during the disaster

Detailed steps to follow after immediate danger

Focus

Preparation before the incident

Actions taken after the incident


BCP and BRP

Business continuity plan (BCP)

Expresses how to ensure critical business functions continue at an alternate location

After catastrophic incident or disaster

Used when DRP cannot restore primary site operations

Most strategic and long-term plan

Business resumption plan (BRP)

Emerging new concept in contingency planning

Merges the DRP and BCP into a single process


Contingency Planning Timeline

Steps in contingency planning

IR plan focuses on the immediate response

May move to the DRP and BCP if the incident becomes a disaster

DR plan focuses on restoring systems at the original site

BC plan runs concurrently with the DRP

When major or long-term damage occurs

IRP, DRP, and BCP distinction

When each comes into play during the incident


Contingency Planning Timeline (cont’d.)

Seven steps in NIST SP 800-34, Revision 1


Role of Information Security Policy in Developing Contingency Plans

Policy needs to enforce information protection requirements

Before, during, and after incident

Quality security programs

Begin and end with policy

Information security

A management problem

Difficulties in shaping policy

Must never conflict with laws; must stand up in court if challenged; must be properly administered


Key Policy Definitions

Policy

Plan or course of action

Conveys instructions from senior management to those who make decisions, take action, perform duties

Organizational law

Dictates acceptable and unacceptable behavior

Defines penalties for violations

Standard

Detailed statement of what must be done to comply

De facto standard (informal standard)

De jure standard (formal standard)


Key Policy Definitions (cont’d.)

Mission

Written statement of an organization’s purpose

Vision

Written statement about organization’s goals

Strategic planning

Process of moving organization toward its vision

Information security policy

Provides rules for protecting information assets

Enterprise information security policy, issue-specific security policy, systems-specific security policy


Enterprise Information Security Policy

Enterprise information security policy (EISP)

Based on and directly supports the mission, vision, and direction of the organization

Executive-level

Sets strategic direction, scope, and tone for all security efforts

Contains requirements to be met

Defines purpose, scope, constraints, and applicability

Assigns responsibilities

Addresses legal compliance


Issue-Specific Security Policy

Issue-specific security policy (ISSP)

Addresses specific areas of technology

Three common approaches to creating ISSPs

Independent ISSP documents, each tailored to a specific issue

A single comprehensive ISSP document covering all issues

Modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements


Issue-Specific Security Policy (cont’d.)

Statement of policy

Defines scope, responsibility for implementation, technologies and issues being addressed

Authorized access and usage of equipment

Addresses who can use technology and for what it can be used

Defines “fair and responsible use”

Addresses key legal issues

Prohibited usage of equipment

Outlines what technology cannot be used for


Issue-Specific Security Policy (cont’d.)

Systems management

Focuses on users’ relationship to management

Violations of policy

Specifies penalties and how to report violations

Policy review and modification

Procedures and a timetable for periodic review so users do not circumvent it as it grows obsolete

Limitations of liability

States company will not protect user and is not liable for their actions


Systems-Specific Policy

Systems-specific security policies (SysSPs)

Standards and procedures used when configuring or maintaining systems

Access control lists (ACLs)

Govern rights and privileges of particular users to particular systems

Configuration rules

Specific configuration codes entered into security systems


Systems-Specific Policy (cont’d.)

ACL policies

Translated into configuration sets

Controls access to systems

Regulate the who, what, when, and where of access

ACL rules

Known as capability tables, user profiles, user policies

Specify what a user can and cannot do with resources

Rule policies

More specific than ACLs

May or may not deal with users directly


Policy Management

Policies

Constantly changing and growing

Must be properly disseminated

Security policies must have the following

Individual responsible for creation, revision, distribution, and storage

Schedule of reviews

Mechanism for recommendations for revisions

Policy/revision date; possibly “sunset” expiration date

Policy management software (optional)


Summary

Information security protects information and its critical elements

C.I.A. triangle: basis for CNSS model

Threat: entity posing potential for loss to an asset

Asset: has value to the organization

Vulnerability: weakness in protection mechanisms

Risk management process: identifying vulnerabilities and taking steps to protect assets


Summary (cont’d.)

Risk identification: process of identifying risks

Risk control: applying controls to reduce risk

Contingency planning: avoidance, transference, mitigation, acceptance strategies

Business impact analysis: assess attack type impact

Incident response plan: actions taken while an incident is in progress

Disaster recovery plan: preparation for and recovery from a disaster


Summary (cont’d.)

Business continuity plan: ensures critical business functions continue after a disaster

Policies: organizational laws dictating behavior

Enterprise information security policy: sets strategic scope, direction, tone

Issue-specific security policy: addresses specific areas of technology

Systems-specific security policy: used when configuring or maintaining systems
