
CSE 4482: Computer Security Management:
Assessment and Forensics
10/26/2014

Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875

Lectures: Tues (CB 122), 7-10 PM

Office hours: Wed 3-5 pm (CSEB 3043), or by appointment.

Textbooks:
1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition
2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition.
Expected learning outcomes
Upon completion, you should be able to:
Identify the roles in organizations that are active in
the planning process
Explain the principal components of information
security system implementation planning in the
organizational planning scheme
Differentiate between strategic organizational
InfoSec and specialized contingency planning
Describe the unique considerations and
relationships between strategic and contingency
plans
Management of Information Security, 3rd Edition
Many of these slides are adapted from the authors
Planning
Computing a path towards a goal
Resemblance with game-playing
Plan for expected and unlikely
scenarios
Risk assessment and management is a
big part of security management
planning (ch 8,9,10)

Introduction
Figure 2-1 Information Security and Planning (high-level view of planning)
Source: Course Technology/Cengage Learning
The Role of Planning
Successful organizations utilize planning
Planning involves
Employees
Management
Stockholders
Other outside stakeholders
The physical and technological environment
The political and legal environment
The competitive environment
The Role of Planning (contd.)
Strategic planning includes:
Vision statement
Mission statement
Strategy
Coordinated plans for sub units
Knowing how the general organizational
planning process works helps in the
information security planning process
Why are these needed?
Values Statement
Establishes organizational principles
Makes the organization's conduct standards clear
RWW values commitment, honesty, integrity and
social responsibility among its employees, and is
committed to providing its services in harmony with
its corporate, social, legal and natural environments
The values, vision, and mission statements
together provide the foundation for planning
Vision Statement
The vision statement expresses what the
organization wants to become
Vision statements should be ambitious(?)
Random Widget Works will be the preferred
manufacturer of choice for every business's
widget equipment needs, with an RWW
widget in every machine they use
Mission Statement
Mission statement
Declares the business of the organization and
its intended areas of operations
Explains what the organization does and for
whom
Random Widget Works, Inc. designs and
manufactures quality widgets and associated
equipment and supplies for use in modern
business environments
Figure 2-2 Microsoft's Mission and Values Statement
Source: Course Technology/Cengage Learning
Strategic Planning (Ch 2)
Strategy is the basis for long-term direction
Strategic planning guides organizational
efforts
Focuses resources on clearly defined goals
"Strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future."
Creating a Strategic Plan
An organization develops a general
strategy
Then creates specific strategic plans for major
divisions
Each level or division translates those
objectives into more specific objectives for the
level below
In order to execute this broad strategy
executives must define individual
managerial responsibilities
Top-down vs bottom-up
Top down advantages
Management support, funding
Better coordination and cohesion
Accountability
Bottom-up advantages
Comes from technical people
Top-down vs bottom-up (contd.)
Figure 2-9 Approaches to security implementation
Source: Course Technology/Cengage Learning
Planning Levels
Strategic goals are translated into tasks
Objectives should be specific, measurable,
achievable, reasonably high and time-
bound (SMART)
Strategic planning then begins a
transformation from general to specific
objectives
Planning Levels (contd.)
Figure 2-4 Planning Levels
Source: Course Technology/Cengage Learning
Planning Levels (contd.)
Tactical Planning
Has a shorter focus than strategic planning
Usually one to three years
Breaks applicable strategic goals into a
series of incremental objectives
Planning Levels (contd.)
Operational Planning
Used by managers and employees to organize
the ongoing, day-to-day performance of tasks
Includes clearly identified coordination
activities across department boundaries such
as:
Communications requirements
Weekly meetings
Summaries
Progress reports
Information Security Governance
Governance of information security is a
strategic planning responsibility
Importance has grown in recent years
Information security objectives must be
addressed at the highest levels of an
organization's management team
To be effective and offer a sustainable
approach

Implementing Information
Security Governance
Figure 2-6 General Governance Framework
Source: IDEAL is a service mark of Carnegie Mellon University
Implementing Information
Security Governance (contd.)
Figure 2-7 The IDEAL model governance framework
Source: IDEAL is a service mark of Carnegie Mellon University
Planning For Information
Security Implementation
CISO Job Description
Creates a strategic information security plan
with a vision for the future of information
security
Understands the fundamental business
activities and suggests appropriate information
security solutions to protect these activities
Develops action plans, schedules, budgets,
and status reports

Security Systems Development Life
Cycle
An SDLC is a methodology for the design
and implementation of an information
system
SDLC-based projects may be initiated by
events or planned
At the end of each phase, a review occurs
to determine if the project should be
continued, discontinued, outsourced, or
postponed
Introduction to SecSDLC
SecSDLC methodology is similar to SDLC
Identification of specific threats and associated risks
Design and implementation of specific controls to
counter those threats and manage risks posed to the
organization
Introduction to the SecSDLC - contd.
Investigation
Directive from management specifying the process, outcomes, and goals of the project and its budget
Teams assembled to analyze problems, define scope, specify goals and identify constraints
Feasibility analysis: resources, commitment
Analysis
Existing security policies and programs, known threats and current controls
Relevant legal issues that could affect the design of the security solution
Introduction to the SecSDLC - contd.
Analysis (contd.)
Risk management
Identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization
A threat is an object, person, or other entity that represents a constant danger to an asset
Risks
An attack
A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
Accomplished by a threat agent that damages or steals an organization's information or physical assets
An exploit
A technique or mechanism used to compromise a system
A vulnerability
An identified weakness of a controlled system in which necessary controls are not present or are no longer effective
Table 2-1 Threats to Information Security (threat types)
Source: Course Technology/Cengage Learning (adapted from Whitman, 2003)
Common Attacks
Malicious code (viruses, worms, Trojan
horses, spyware, bots, adware)
Back doors
Password crack (Brute force, Dictionary)
Denial-of-service (DoS) and distributed
denial-of-service (DDoS) (zombie)
Social engineering (phishing)
Buffer overflow
DNS cache poisoning (pharming)
Common Attacks - contd
Spoofing (ingress filtering, egress filtering)
Man-in-the-middle (TCP hijacking)
Spam
Mail bombing
Sniffer
Timing
Hoaxes
Planning to protect against attacks
Prioritize the risk posed by each
category of threat
Identify and assess the value of your
information assets
Assign a comparative risk rating or score to
each specific information asset
Design and implementation of SecSDLC: read on your own
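The three planning steps above (prioritize the risk per threat category, value the assets, assign each asset a comparative rating) can be turned into a ranked worklist. The following is an added example, not code from the slides or from the Whitman/Mattord textbook; the scoring rule (asset value times threat likelihood, summed over the threats the asset is exposed to and reduced by the effectiveness of existing controls), the threat categories, the likelihoods and the sample inventory are all assumptions constructed for illustration.

```python
"""Comparative risk rating of information assets.

Added example; it is not code from the slides or from the Whitman/Mattord
textbook.  Assumption: an asset's risk score is its value multiplied by the
likelihood of each threat category it is exposed to, summed over those
categories and reduced by the effectiveness of controls already in place.
The asset values, likelihoods and control figures below are constructed.
"""
from dataclasses import dataclass, field

# Assumed annual likelihood (0..1) that each threat category strikes an
# unprotected asset.  Constructed values for illustration only.
THREAT_LIKELIHOOD = {
    "malicious code": 0.6,
    "social engineering": 0.4,
    "denial of service": 0.2,
    "hardware failure": 0.3,
}


@dataclass
class Asset:
    name: str
    value: int                        # relative value of the asset, 1..100
    exposed_to: list = field(default_factory=list)  # threat categories that apply
    control_effectiveness: float = 0.0  # 0..1, fraction of risk removed by current controls


def risk_score(asset, likelihoods=THREAT_LIKELIHOOD):
    """Assumed scoring rule: sum(value * likelihood) over the applicable
    threats, scaled by (1 - control effectiveness)."""
    raw = sum(asset.value * likelihoods[t] for t in asset.exposed_to)
    return round(raw * (1.0 - asset.control_effectiveness), 2)


def rank_assets(assets, likelihoods=THREAT_LIKELIHOOD):
    """Comparative rating of each asset, highest residual risk first."""
    return sorted(((risk_score(a, likelihoods), a.name) for a in assets), reverse=True)


def prioritize_threats(assets, likelihoods=THREAT_LIKELIHOOD):
    """Total residual exposure per threat category across all assets,
    highest first: the prioritisation of threat categories on the slide."""
    totals = {}
    for a in assets:
        for t in a.exposed_to:
            residual = a.value * likelihoods[t] * (1.0 - a.control_effectiveness)
            totals[t] = totals.get(t, 0.0) + residual
    return sorted(((t, round(v, 2)) for t, v in totals.items()),
                  key=lambda tv: tv[1], reverse=True)


# Constructed inventory: the "identify and assess the value of your
# information assets" step, with made-up values and control levels.
SAMPLE_ASSETS = [
    Asset("customer database", 90, ["malicious code", "social engineering"], 0.5),
    Asset("public web server", 60, ["denial of service", "malicious code"], 0.25),
    Asset("print server", 10, ["hardware failure"], 0.0),
]

if __name__ == "__main__":
    for score, name in rank_assets(SAMPLE_ASSETS):
        print(f"{score:6.1f}  {name}")
    for threat, total in prioritize_threats(SAMPLE_ASSETS):
        print(f"{total:6.1f}  {threat}")
```

With the constructed inventory the customer database ranks first (45.0) even though it has the best controls, because its value and exposure dominate, and "malicious code" comes out as the threat category with the largest total exposure; that is the kind of comparative view the slide's three steps are meant to produce, with the numbers themselves being only as good as the valuation and likelihood estimates fed in.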

Maintaining Security
Figure 2-11 Maintenance model
Source: Course Technology/Cengage learning
Summary
Introduction
Components of organizational planning
Information security governance
Planning for information security
implementation
Introduction to the security systems
development life cycle
Ch 3: Contingency planning
Plan for unexpected scenarios
When the use of technology is disrupted and
business operations come close to a standstill
Procedures are required to permit the organization
to continue essential functions if information
technology support is interrupted
Over 40% of businesses that don't have a disaster
plan go out of business after a major loss

What scenarios should a company plan for?
Objectives
Upon completion of this material, you
should be able to:
Recognize the need for contingency planning
Describe the major components of contingency
planning
Create a simple set of contingency plans, using
business impact analysis
Prepare and execute a test of contingency plans
Explain the combined contingency plan approach
Contingency Planning fundamentals
Contingency planning (CP)
The overall planning for unexpected events
preparing for, detecting, reacting to, and recovering
from events that threaten the security of information
resources and assets
Main goal
The restoration to normal modes of operation with
minimum cost and disruption to normal business
activities after an unexpected event
Components of Contingency
Planning
Figure 3-1 Contingency planning hierarchies
Source: Course Technology/Cengage Learning
Contingency Planning
Incident response planning (IRP)
Immediate response
Disaster recovery planning (DRP)
Restoring operations at the primary site after disasters
Business continuity planning (BCP)
Establishment of operations at an alternate site
To ensure continuity, planners should:
Identify the mission- or business-critical functions and the resources that support them
Select contingency planning strategies
Implement the selected strategy
Test and revise contingency plans
Contingency Planning - contd
the contingency planning policy statement
Provides the authority and guidance necessary to
develop an effective contingency plan
Conduct the BIA
identify and prioritize critical IT systems and components
Identify preventive controls
Measures taken to reduce the effects of system
disruptions can increase system availability and reduce
contingency life cycle costs
Develop recovery strategies
Ensure that the system may be recovered quickly and
effectively following a disruption
Contingency Planning - contd
Develop an IT contingency plan
detailed guidance and procedures for restoring a
damaged system
Plan testing, training, and exercises
Testing the plan identifies planning gaps
Training prepares recovery personnel for plan
activation
Both activities improve plan effectiveness and overall
agency preparedness
Plan maintenance
The plan should be updated regularly to remain
current with system enhancements
Business Impact Analysis (BIA)
Provides the CP team with information about
systems and the threats they face
A crucial component of the initial planning stages
Provides detailed scenarios of each potential attack's impact
BIA is not risk management (which focuses on
identifying threats, vulnerabilities, and attacks to
determine controls)
BIA assumes controls have been bypassed or
are ineffective, and attack was successful
Business Impact Analysis
(contd.)
Figure 3-2 Major tasks in contingency planning
Source: Course Technology/Cengage Learning
Table 3-1 Example attack profile
Source: Course Technology/Cengage Learning
Business Impact Analysis (contd.)
Create a series of scenarios depicting the impact of a successful attack on each functional area
Attack profiles should include scenarios depicting a typical attack, including:
Methodology
Indicators
Broad consequences
List outcomes (best case, worst case, and most likely)
Estimate the cost of each of these outcomes
Preparing an attack scenario end case allows identification of what must be done to recover from each possible case
Incident Response Plan
A detailed set of processes and procedures that
anticipate, detect, and mitigate the impact of an
unexpected event that might compromise
information resources and assets
Procedures commence when an incident is detected
When a threat becomes a valid attack, it is
classified as an information security incident if:
It is directed against information assets
It has a realistic chance of success
It threatens the confidentiality, integrity, or availability
of information assets
Incident response is a reactive measure, not a
preventative one
Incident Response Plan details
Develop procedures for tasks that must be performed in advance of the incident
Details of data backup schedules
Disaster recovery preparation
Training schedules
Testing plans
Copies of service agreements
Business continuity plans
Incident Response Plan (contd.)
Figure 3-3 Incident response planning
Source: Course Technology/Cengage Learning
Incident Response Plan (contd.)
Incident classification
Determine whether an event is an actual incident
May be challenging
Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators
Careful training allows everyone to relay vital information to the IR team
Incident Response Plan (contd.)
Possible indicators
Presence of unfamiliar files
Presence or execution of unknown programs or processes
Unusual consumption of computing resources
Unusual system crashes
Probable indicators
Activities at unexpected times
Presence of new accounts
Reported attacks
Notification from IDS
Definite indicators
Use of dormant accounts
Changes to logs
Presence of hacker tools
Notifications by partner or peer
Notification by hacker
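The possible / probable / definite split above is a triage scale: a single possible indicator is noise more often than not, while one definite indicator is enough to activate the IR plan. As an added example (not code from the slides or the textbook), the script below applies that scale to a small constructed event log. The log line format, the event-type names and the escalation thresholds (any definite indicator activates the plan; a probable indicator corroborated by at least one more probable or possible indicator on the same host is investigated; everything else is monitored) are assumptions made for this illustration.

```python
"""Triage of reported events into the three indicator levels on the slide.

Added example; it is not code from the slides or from the textbook.  The
log line format, the event-type names and the escalation thresholds are
assumptions made for this illustration; the sample log is constructed.
"""
from collections import Counter

DEFINITE, PROBABLE, POSSIBLE, NONE = "definite", "probable", "possible", "none"

# Assumed mapping from an event type (as a sensor or help desk would tag it)
# to the indicator level the slide assigns to that kind of observation.
INDICATOR_RULES = {
    # definite indicators
    "dormant_account_login": DEFINITE,
    "log_modified": DEFINITE,
    "hacker_tool_found": DEFINITE,
    "partner_notification": DEFINITE,
    "attacker_notification": DEFINITE,
    # probable indicators
    "off_hours_activity": PROBABLE,
    "new_account_created": PROBABLE,
    "attack_reported": PROBABLE,
    "ids_alert": PROBABLE,
    # possible indicators
    "unfamiliar_file": POSSIBLE,
    "unknown_process": POSSIBLE,
    "resource_spike": POSSIBLE,
    "system_crash": POSSIBLE,
}

# Constructed sample: '<timestamp> key=value ...' lines from three hosts.
SAMPLE_LOG = """\
2014-10-26T02:13:07 host=db01 type=dormant_account_login user=svc_legacy
2014-10-26T02:14:30 host=db01 type=log_modified file=/var/log/auth.log
2014-10-26T03:02:11 host=web02 type=off_hours_activity user=jdoe
2014-10-26T03:05:45 host=web02 type=resource_spike cpu=97
2014-10-26T09:15:00 host=ws17 type=system_crash
2014-10-26T09:20:00 host=ws17 type=printer_jam
"""


def parse_event(line):
    """Parse one line of the assumed format into a dict; the first token is the timestamp."""
    parts = line.split()
    event = {"timestamp": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def indicator_level(event):
    """Event types not in the rule table are not indicators at all."""
    return INDICATOR_RULES.get(event.get("type"), NONE)


def triage(lines):
    """Count indicator levels per host and decide the IR action for each host.

    Assumed thresholds: any definite indicator activates the IR plan; a
    probable indicator corroborated by at least one other probable or
    possible indicator is investigated; anything else is only monitored.
    """
    counts_by_host = {}
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        host = event.get("host", "unknown")
        counts_by_host.setdefault(host, Counter())[indicator_level(event)] += 1

    decisions = {}
    for host, counts in counts_by_host.items():
        if counts[DEFINITE]:
            decisions[host] = "activate IR plan"
        elif counts[PROBABLE] and counts[PROBABLE] + counts[POSSIBLE] >= 2:
            decisions[host] = "investigate as candidate incident"
        else:
            decisions[host] = "monitor"
    return decisions


if __name__ == "__main__":
    for host, action in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{host:6}  {action}")
```

On the constructed log, db01 (a dormant account login followed by a modified log) goes straight to plan activation, web02 (off-hours activity plus a resource spike) is investigated, and ws17 (one crash and one unrecognised event) is only monitored. The rule table is where the organisation's own judgement goes; the point of encoding it is that the help desk, the IDS and the administrators mentioned on the previous slide all feed the same classification.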
Incident Response Plan (contd.)
Occurrences of actual incidents
When these occur, the corresponding IR must be
immediately activated
Loss of availability
Loss of integrity
Loss of confidentiality
Violation of policy
Violation of law
The essential task of IR is to stop the incident or
contain its impact
Incident containment strategies focus on:
Stopping the incident
Recovering control of the systems
Containment strategies
Disconnect the affected communication circuits
Dynamically apply filtering rules to limit certain
types of network access
Disabling compromised user accounts
Reconfiguring firewalls to block the problem
traffic
Temporarily disabling the compromised process
or service
Taking down the conduit application or server
Stopping all computers and network devices
Containment strategies (contd.)
An incident may increase in scope or
severity to the point that the IRP cannot
adequately contain the incident
Each organization will have to determine,
during the business impact analysis, the point
at which the incident becomes a disaster
The organization must also document when
to involve outside response
Containment strategies (contd.)
Once contained and system control regained,
incident recovery can begin
The IR team must assess the full extent of the
damage in order to determine what must be done to
restore the systems
Incident damage assessment
Determination of the scope of the breach of
confidentiality, integrity, and availability of information
and information assets
Those who document the damage must be
trained to collect and preserve evidence, in case
the incident is part of a crime or results in a civil
action
Recovery process
Identify the vulnerabilities that allowed the incident to
occur and spread and resolve them
Address the safeguards that failed to stop or limit the
incident, or were missing from the system; install,
replace or upgrade them
Evaluate existing monitoring capabilities, install new
monitoring capabilities
Restore the data from backups as needed
Restore the services and processes in use where
compromised (and interrupted) services and processes
must be examined, cleaned, and then restored
Continuously monitor the system
Restore the confidence of the members of the organization's communities of interest
Recovery process (contd.)
Before returning to routine duties, the IR team
must conduct an after-action review (AAR)
A detailed examination of the events that occurred
All team members review their actions during the incident and identify areas where the IR plan worked, didn't work, or should improve
When an incident violates civil or criminal law, it is the organization's responsibility to notify the proper authorities
Selecting the appropriate law enforcement agency
depends on the type of crime committed: Federal,
State, or local

Disaster Recovery Plan
The preparation for and recovery from a disaster, whether natural or man-made
In general, an incident is a disaster when:
The organization is unable to contain or control the
impact of an incident, or
The level of damage or destruction from an incident is
so severe the organization is unable to quickly recover
The key role of a DRP is defining how to
reestablish operations at the location where the
organization is usually located
Disaster Recovery Plan (contd.)
Key points in the DRP
Clear delegation of roles and responsibilities
Execution of the alert roster and notification of
key personnel
Clear establishment of priorities
Documentation of the disaster
Action steps to mitigate the impact
Alternative implementations for the various system components
Disaster Recovery Plan (contd.)
Classify disasters as:
Natural disasters vs man-made disasters
Rapid onset disasters vs slow onset disasters
Scenario development and impact analysis
Used to categorize the level of threat of each
potential disaster
DRP must be tested regularly
Business Continuity Plan
Ensures critical business functions can continue
in a disaster
Managed by CEO of the organization
Activated and executed concurrently with the
DRP when needed
While BCP reestablishes critical functions at alternate
site, DRP focuses on reestablishment at the primary
site
Relies on identification of critical business
functions and the resources to support them
Business Continuity Strategies
Exclusive-use options: hot, warm and cold sites
Hot Sites: Fully configured computer facility with
all services
Warm Sites: Like hot site, but software
applications not kept fully prepared
Cold Sites: Only rudimentary services and
facilities kept ready
Shared-use options: timeshare, service bureaus,
mutual agreements
Determining factor is usually cost
Business Continuity Strategies - 2
Timeshares
Like an exclusive use site but leased
Service bureaus
Agency that provides physical facilities
Mutual agreements
Contract between two organizations to assist
Specialized alternatives
Rolling mobile site
Externally stored resources
Data recovery
To get any BCP site running quickly
organization must be able to recover data
Options include:
Electronic vaulting
Bulk batch-transfer of data to an off-site facility
Remote journaling
Transfer of live transactions to an off-site facility
Database shadowing
Storage of duplicate online transaction data
Each option adds different risks
Timing and Sequence of CP
Elements
Figure 3-4 Incident response and disaster recovery
Source: Course Technology/Cengage Learning
Timing and Sequence of CP
Elements (contd.)
Figure 3-5 Disaster recovery and business continuity planning
Source: Course Technology/Cengage Learning
Timing and Sequence of CP
Elements (contd.)
Figure 3-6 Contingency planning implementation timeline
Source: Course Technology/Cengage Learning
Crisis Management
A set of focused steps that deal primarily with the
people involved during and after a disaster
Crisis management team actions
Supporting personnel and their loved ones during the
crisis
Determining the event's impact on normal business
operations
Making a disaster declaration
Keeping the public informed about the event
Communicating with outside parties
Key tasks of the crisis management team
Verifying personnel status
Activating the alert roster
Business Resumption Planning
Because the DRP and BCP are closely related,
most organizations prepare them concurrently
Components of a simple disaster recovery plan
Name of agency, Date of completion
Agency staff to be called in the event of a disaster
Emergency services to be called (if needed)
Locations of in-house emergency equipment, supplies
Sources of off-site equipment and supplies
Salvage priority list
Agency disaster recovery procedures
Follow-up assessment
Table 3-3 Contingency plan template
Source: http://csrc.nist.gov/fasp/FASPDocs/contingency-plan/contingencyplan-template.doc
Testing Contingency Plans
Problems are identified during testing
Improvements can be made, resulting in a
reliable plan
Contingency plan testing strategies
Desk check
Structured walkthrough
Simulation
Parallel testing
Full interruption testing
Contingency Planning:
Final Thoughts
Iteration results in improvement
A formal implementation of this
methodology is a process known as
continuous process improvement (CPI)
Each time the plan is rehearsed it should
be improved
Constant evaluation and improvement lead
to an improved outcome
Summary
Introduction
What Is Contingency Planning?
Components of Contingency Planning
Putting a Contingency Plan Together
Testing Contingency Plans
A Single Continuity Plan