Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017

FRSecure 2017 CISSP Mentor ProgramEVAN FRANCEN, PRESIDENT & CEO – FRSECURE

BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST - FRSECURE

CLASS SESSION #11

CISSP Mentor Program Session #11Domain 5: Identity and Access Management - Review• Access Control Methodologies

• Access Control Models

We finished Domain 5.

Now for the Domain 5 Quiz…

CISSP Mentor Program Session #11Domain 5: Identity and Access Management Quiz Review


1. What type of password cracking attack will always be successful?

a. Brute Force

b. Dictionary

c. Hybrid

d. Rainbow Table

A


2. What is the difference between password cracking and password guessing?

a. They are the same

b. Password guessing attempts to log into the system, password cracking attempts to determine a password used to create a hash

c. Password guessing uses salts, password cracking does not

d. Password cracking risks account lockout, password guessing does not

B


3. The most insidious part of Phishing and Spear Phishing attacks comes from which part of the attack anatomy?

a. Each Phishing and Spear Phishing attack is socially engineered to trick the user to provide information to the attacker.

b. Phishing and Spear Phishing attacks always have malicious code downloaded onto the user’s computer.

c. Phishing and Spear Phishing attacks are always poorly written.

d. Phishing and Spear Phishing attacks are rarely successful.

A


4. What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers and instructs all of these computers to perform actions all at once?

a. Flooding

b. Spamming

c. Phishing

d. Botnets

D


5. What are the main differences between retina scans and iris scans?

a. Retina scans are not invasive and iris scans are

b. Iris scans invade a person’s privacy and retina scans do not

c. Iris scans change depending on the person’s health, retina scans are stable

d. Retina scans change depending on the person’s health, iris scans are stable

D


6. What is the most important decision an organization needs to make when implementing RBAC?

a. Each user’s security clearance needs to be finalized

b. The roles users have on the system needs to be clearly defined

c. Users’ data needs to be clearly labeled

d. Users’ must be segregated from one another on the IT system to prevent spillage of sensitive data

B


7. What access control method weighs additional factors such as time of attempted access before granting access?

a. Content-dependent access control

b. Context-dependent access control

c. Role-based access control

d. Task-based access control

B


8. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?

a. Physical/Compensating

b. Physical/Detective

c. Physical/Deterrent

d. Physical/Preventive

C


9. A type II biometric is also known as what?

a. Crossover Error Rate (CER)

b. Equal Error Rate (EER)

c. False Accept Rate (FAR)

d. False Reject Rate (FRR)

C


10. Within Kerberos, which part is the single point of failure?

a. The Ticket Granting Ticket

b. The Realm

c. The Key Distribution Center

d. The Client-Server session key

C


11. What kind of test should be recommended?

a. Zero knowledge

b. Partial knowledge

c. Full knowledge

d. Vulnerability testing

C

Questions 11 and 12 are based on this scenario: Your company has hired a Third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are: (1) The tests will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation. (2) The company wants the most in depth test possible.


12. While conducting the penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?

a. Note the results in the penetration testing report

b. Immediately end the penetration test and call the CIO

c. Remove the malware

d. Shut the system down

B

Questions 11 and 12 are based on this scenario: Your company has hired a Third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are: (1) The tests will be conducted on live, business functional networks. These networks must be functional in order for business to run and cannot be shut down, even for an evaluation. (2) The company wants the most in depth test possible.


13. What group launches the most attacks?

a. Insiders

b. Outsiders

c. Hacktivists

d. Script kiddies

B


14. A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?

a. Least privilege

b. Need to know

c. Rotation of duties

d. Separation of duties

B


15. What technique would raise the False Accept Rate (FAR) and Lower the False Reject Rate (FRR) in a fingerprint scanning system?

a. Decrease the amount of minutiae that is verified

b. Increase the amount of minutiae that is verified

c. Lengthen the enrollment time

d. Lower the throughput time

A

CISSP Mentor Program Session #11Domain 6: Security Assessment and Testing - Review• Assessing Access Control

• Software Testing Methods

Domain 7: Security Assessment and Testing - Review• Administrative Security

• Forensics

We also finished Domain 6 and part of Domain 7!

CISSP Mentor Program Session #11Domain 7: Security Operations

Electronic Discovery (eDISCOVERY)• legal counsel gaining access to pertinent electronic information during

the pre-trial discovery phase of civil legal proceedings

• seeks ESI, or electronically stored information

• ESI does not need to be conveniently accessible or transferable

• Data Retention Policy (IMPORTANT)• Legal/Regulatory reasons?

• Business reasons?


Incident Response Management• Every organization faces information security incidents• Regimented and tested methodology for identifying and responding to

incidents is critical• Computer Security Incident Response Team (CSIRT) is a term used for

the group that is tasked with monitoring, identifying, and responding to security incidents

• Overall goal of the incident response plan is to allow the organization to control the cost and damage associated with incidents, and to make the recovery of impacted systems quicker


Incident Response Management – Methodology

Different books and organizations may use different terms and phases associated with incident response; this section will mirror the terms associated with the examination.

Step 1 - Detection (what I can’t prevent, can I detect?)

• Events are analyzed in order to determine whether these events might comprise a security incident

• Emphasis on detective controls


Incident Response Management – MethodologyStep 2 - Containment (OK I’ve detected it, now what?)

• The point at which the incident response team attempts to keep further damage from occurring

• Might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident

• Typically where a binary (bit by bit) forensic backup is made of systems involved in the incident


Incident Response Management – MethodologyStep 3 - Eradication

• Involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase

• The cause of the incident must be determined BEFORE recovery

• Root cause analysis is key


Incident Response Management – MethodologyStep 4 - Recovery

• Involves restoring the system or systems to operational status

• Typically, the business unit responsible for the system will dictate when the system will go back online

• Close monitoring of the system after it is returned to production is necessary


Incident Response Management – MethodologyStep 5 - Reporting

• Most likely to be neglected in immature incident response programs

• If done right, this phase has the greatest potential to effect a positive change in security posture

• Goal is to provide a final report on the incident, which will be delivered to management


Incident Response Management – Methodology• NIST Special Publication 800-61r2: Computer Security Incident

Handling Guide (see: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

• 4 Step Lifecycle• Preparation

• Detection & Analysis

• Containment, Eradication, and Recovery

• Post-incident Activity

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf


Incident Response Management – Methodology• Exam lists a 7-step lifecycle; book calls for 8-step (adding “Preparation):• 1. Preparation

• 2. Detection (aka Identification)

• 3. Response (aka Containment)

• 4. Mitigation (aka Eradication)

• 5. Reporting

• 6. Recovery

• 7. Remediation

• 8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting)


Incident Response Management – Methodology1. Preparation• training, writing incident response policies and procedures, providing tools

such as laptops with sniffing software, crossover cables, original OS media, removable drives, etc.

• Everything that you do to prepare for an incident• Policy and procedures• Incident handling checklist and other forms for tracking• Classification

• Impact


Incident Response Management – Methodology

NOTE to Evan. Show something…


Incident Response Management – Methodology2. Detection (aka Identification)• What are all of the inputs into my incident response process?

• Events Incidents

3. Response (aka Containment)• Step-by-step, depending upon classification & severity

• Forensic response? Protection of evidence, while containing damage

• Start root cause analysis


Incident Response Management – Methodology4. Mitigation (aka Eradication)• Root cause analysis completed (mostly/hopefully)

• Get rid of the bad things

5. Reporting• Actually not really a step (happens throughout)

• More formal here; include incident responders (technical and non-technical)


Incident Response Management – Methodology6. Recovery• Restore systems and operations

• Increase monitoring

7. Remediation – broader in context

8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting) – there’s always lessons


Operational Preventive And Detective Controls• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems

(IPS)

• True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts• True Negative: User surfs the Web to an allowed site, and NIDS is silent

• False Positive: User surfs the Web to an allowed site, and NIDS alerts

• False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent


Operational Preventive And Detective Controls• NIDS, NIPS, HIDS, and HIPS


Operational Preventive And Detective Controls• NIDS, NIPS, HIDS, and HIPS (detection types)• Pattern Matching

• Protocol Behavior

• Anomaly Detection

• Security Information and Event Management

• Continuous Monitoring

• Data Loss Prevention (network & host)


Operational Preventive And Detective ControlsEndpoint Security

• HIDS/HIPS

• Antivirus

• Application Whitelisting

• Removable Media Controls

• Disk Encryption

• Privileged Access


Operational Preventive And Detective Controls

NOTE to Evan. Show something…


Asset Management (Configuration Management)The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.• Hardened baseline configurations• Center for Internet Security (see: http://www.cisecurity.org/) • Disabling unnecessary services, removing extraneous programs,

enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems, and the configuration of security and audit logs

http://www.cisecurity.org/


Asset Management (Configuration Management)Baselining

• The process of capturing a point in time understanding of the current system security configuration

• Helpful in responding to a potential security incident

• Continual baselining is important


Asset Management (Configuration Management)Patch Management• The process of managing software updates• All software has flaws that are not fully addressed in advance of being

released• Software vendors announce patches both publicly and directly to their

customers• Once notified of a patch, organizations need to evaluate the patch from

a risk management perspective to determine how aggressively the patch will need to be deployed.


Asset Management (Configuration Management)Vulnerability Management

• Vulnerability scanning is a way to discover poor configurations and missing patches in an environment

• Vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information

• Prioritization and remediation of the vulnerabilities


Asset Management (Configuration Management)



Section 12.6 of the ISO/IEC 27002:2013 provides guidance on technical vulnerability management. A vulnerability management process should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. Vulnerability management starts with asset management, the information required to support systems technically includes tracking operating system software, version numbers, lists of software installed, and the person or persons responsible for maintaining the systems. Additionally, the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required thereof.



Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken - such action could involve the patching of vulnerable systems and/or applying other controls. Depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management or by following information security incident response procedures. Critical-risk and high-risk systems should be addressed first. Patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered. The technical vulnerability management process should be regularly monitored and evaluated in order to ensure its effectiveness and efficiency.


Asset Management (Configuration Management)Zero-Day Vulnerabilities and Zero-Day Exploits• The average window of time between a patch being released and an

associated exploit being made public is decreasing• Recent research even suggests that for some vulnerabilities, an exploit can be

created within minutes based simply on the availability of the unpatched and patched program

• The term for a vulnerability being known before the existence of a patch (or workaround) is zero day vulnerability.

• A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability which has yet to be patched


Change Management• A system that does not change will become less secure over time• Not an exact science, every organization will be a little different• The general flow of the change management process includes:• Identifying a change• Proposing a change• Assessing the risk associated with the change• Testing the change (backout plan)• Scheduling the change• Notifying impacted parties of the change• Implementing the change• Reporting results of the change implementation

• Changes must be closely tracked and auditable


Continuity of OperationsService Level Agreements (SLA)• Critical where organizations have external entities perform critical services or

host significant assets and applications• Goal is to stipulate all expectations regarding the behavior of the department

or organization that is responsible for providing services and the quality of the services provided

• Availability is usually the most critical security consideration of a service level agreement

• Organizations must negotiate all security terms of a service level agreement prior to engaging with the company

• Cloud computing


Fault ToleranceBackup

• Recoverability in the event of a failure

• Magnetic tape media is old technology, but still is the most common repository of backup data

• Three basic types of backups exist: full backup; the incremental backup; and the differential backup



• Full backup - a replica of all allocated data on a hard disk• The most costly in terms of media and time to backup

• Often coupled with either incremental or differential backups to balance the time and media considerations


Fault ToleranceBackup• Incremental backup - only archive files that have changed since the last

backup of any kind was performed• The most recent full backup and each and every incremental backup since the full

backup is required to initiate a recovery

• Time to perform each incremental backup is extremely short; however, the downside is that a full restore can require many tapes, especially if full backups are performed less frequently

• The odds of a failed restoration due to a tape integrity issue (such as broken tape) rise with each additional tape required



• Differential - will back up any files that have been changed since the last full backup• Only the most recent full backup and most recent differential backup are required

to initiate a full recovery

• As more time passes since the last full backup the length of time to perform a differential backup will also increase


Fault ToleranceRedundant Array of Inexpensive Disks (RAID)

• Mitigates the risk associated with hard disk failures


Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)Three terms that are important to understand with respect to RAID are: mirroring; striping; and parity• Mirroring - used to achieve full data redundancy by writing the same data to multiple

hard disks• Write times are slower• Read times are faster• Most costly in terms of disk usage - at least half of the drives are used for redundancy

• Striping - increased the read and write performance by spreading data across multiple hard disks• Reads and writes can be performed in parallel across multiple disks rather than serially on one disk• Parallelization provides a performance increase, and does not aid in data redundancy

• Parity - achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance


Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)

RAID 0: Striped Set

• Striping to increase the performance of read and writes

• No data redundancy - poor choice if recovery of data is the reason for leveraging RAID



RAID 1: Mirrored Set

• Creates/writes an exact duplicate of all data to an additional disk

• Write performance is decreased

• Read performance can increase

• Highest disk cost


Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)RAID 2: Hamming Code

• Not considered commercially viable for hard disks and is not used

• Requires either 14 or 39 hard disks and a specially designed hardware controller

• Cost prohibitive

• RAID 2 is not likely to be tested


Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)RAID 3: Striped Set with Dedicated Parity (byte level)• Data, at the byte level, is striped across multiple disks• An additional disk is leveraged for storage of parity information, which

is used for recovery in the event of a failureRAID 4: Striped Set with Dedicated Parity (block level)• Exact same configuration and functionality as that of RAID 3, but

stripes data at the block, rather than byte, level• Employs a dedicated parity drive rather than having parity data

distributed amongst all disks, as in RAID 5



RAID 5: Striped Set with Distributed Parity

• One of the most popular RAID configurations

• Striped Set with Distributed Parity

• Leverages a block level striping

• Writes parity information that is used for recovery purposes

• Distributes the parity information across multiple disks

• Disk cost for redundancy is lower than that of a Mirrored set

• Support for both hardware and software based implementations

• Allows for data recovery in the event that any one disk fails


Fault Tolerance - Redundant Array of Inexpensive Disks (RAID)RAID 6: Striped Set with Dual Distributed Parity• Can allow for the failure of two drives and still function• Redundancy is achieved by writing the same parity information to two different disksRAID 1+0 or RAID 10• Example of what is known as nested RAID or multi-RAID (one standard RAID level is

encapsulated within another)• Configuration is a striped set of mirrors

NOTE: There are many and varied RAID configurations which are simply combinations of the standard RAID levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that require a high degree of both reliability and speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and (1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100, respectively.


Fault Tolerance - System RedundancyRedundant Hardware• Built-in redundancy (power supplies, disk controllers, and NICs are most

common)• An inventory of spare modules to service the entire datacenter's servers

would be less expensive than having all servers configured with an installed redundant power supply

Redundant Systems• Entire systems available in inventory to serve as a means to recover• Have an SLA with hardware manufacturers to be able to quickly procure

replacement equipment in a timely fashion


BCP and DRP Overview and Process (used to be Domain by itself)Unique terms and definitions

• Business Continuity Plan (BCP)—a long-term plan to ensure the continuity of business operations

• Continuity of Operations Plan (COOP)—a plan to maintain operations during a disaster.

• Disaster—any disruptive event that interrupts normal system operations

• Disaster Recovery Plan (DRP)—a short-term plan to recover from a disruptive event

• Mean Time Between Failures (MTBF)—quantifies how long a new or repaired system will run on average before failing

• Mean Time to Repair (MTTR)—describes how long it will take to recover a failed system.


BCP and DRP Overview and ProcessBusiness Continuity Planning and Disaster Recovery Planning are two very distinct disciplines

Business Continuity Planning (BCP)• Goal of a BCP is for ensuring that the business will continue to operate

before, throughout, and after a disaster event is experienced• Focus of a BCP is on the business as a whole• Business Continuity Planning provides a long-term strategy• Takes into account items such as people, vital records, and processes in

addition to critical systems


BCP and DRP Overview and ProcessBusiness Continuity Planning and Disaster Recovery Planning are two very distinct disciplines

Disaster Recovery Planning (DRP)

• Disaster Recovery Plan is more tactical in its approach

• Short-term plan for dealing with specific IT-oriented disruptions

• Provides a means for immediate response to disasters

• Does not focus on long-term business impact


BCP and DRP Overview and ProcessBusiness Continuity Planning and Disaster Recovery Planning are two very distinct disciplinesRelationship between BCP and DRP• Business Continuity Plan is an umbrella plan that includes multiple specific

plans, most importantly the Disaster Recovery Plan• Two plans, which have different scopes, are intertwined• Disaster Recovery Plan serves as a subset of the overall Business Continuity

Plan• NIST Special Publication 800-34, provides a visual means for understanding

the interrelatedness of a BCP and a DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others.


Disasters or Disruptive EventsClassifications of disasters• Three common ways of categorizing the causes for disasters are as to whether the threat agent is

natural, human, or environmental in nature• Natural—the most obvious type of threat that can result in a disaster are naturally occurring. This category includes

such threats as earthquakes, hurricanes, tornadoes, floods, and some types of fires (closely related to geographical location)

• Human—the human category of threats represents the most common source of disasters. Human threats can be further classified as to whether they constitute an intentional or unintentional threat

• Examples of human-intentional threats include terrorists, malware, rogue insider, Denial of Service, hacktivism, phishing, social engineering, etc.

• Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person through lack of knowledge, laziness, or carelessness served as a source of disruption

• Environmental—focused on environment as it pertains to the information systems or datacenter. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, application or software flaws

• Analysis of threats and associated likelihoods is an important part of the BCP and DRP process


Disasters or Disruptive Events


Disasters or Disruptive EventsErrors and omissions• Typically considered the single most common source of disruptive events• Threat is inadvertently caused by humans, most often in the employ of the

organization, who unintentionally serve as a source of harm• Data entry mistakes are an example of errors and omissionsNatural Disasters• Include earthquakes, hurricanes, floods, tsunamis, etc.• Likelihood of natural threats occurring is largely based upon the geographical location

of the organization's information systems or datacenters• Generally have a rather low likelihood of occurring• Impact can be severe


Disasters or Disruptive EventsElectrical or power Problems• Much more common than natural disasters• Considered an environmental disaster• Uninterruptible power supplies (UPS) and/or backup generatorsTemperature and Humidity Failures• Critical controls that must be managed during a disaster• Increased server density can provide for significant heat issues• Mean Time Between Failures (MTBF) for electrical equipment will decrease if

temperature and humidity levels are not within an tolerable range.


Disasters or Disruptive EventsWarfare, terrorism, and sabotage• Human-intentional threats• Threat can vary dramatically based on geographic location, industry, brand

value, as well as the interrelatedness with other high-value target organizations

• Cyber-warfare• “Aurora” attacks (named after the word “Aurora,” which was found in a

sample of malware used in the attacks). As the New York Times reported on 2/18/2010: “A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.”


Disasters or Disruptive EventsFinancially-motivated Attackers• Exfiltration of cardholder data, identity theft, pump-and-dump stock

schemes, bogus anti-malware tools, or corporate espionage, etc.• Organized crime syndicatesPersonnel Shortages• Another significant source of disruption can come by means of having staff

unavailable• Most organizations will have some critical processes that are people-

dependent


Disasters or Disruptive Events


Disasters or Disruptive EventsPersonnel Shortages• Pandemics and Disease• Major biological problems such as pandemic flu or highly communicable infectious disease

outbreaks• A pandemic occurs when an infection spreads through an extremely large geographical area, while

an epidemic is more localized

• Strikes• Strikes usually are carried out in such a manner that the organization can plan for the occurrence• Most strikes are announced and planned in advance, which provides the organization with some

lead time

• Personnel Availability• Sudden separation from employment of a critical member of the workforce


Disasters or Disruptive EventsCommunications Failure• Increasing dependence of organizations on call centers, IP telephony, general

Internet access, and providing services via the Internet• One of the most common disaster-causing events is telecommunications lines

being inadvertently cut by someone digging where they are not supposed to

NOTE: One of the eye-opening impacts of Hurricane Katrina was a rather significant outage of Internet2, which provides high-speed connectivity for education and research networks. Qwest, which provides the infrastructure for Internet2, suffered an outage in one of the major long-haul links that ran from Atlanta to Houston. Reportedly, the outage was due to lack of availability of fuel in the area. In addition to this outage, which impacted more than just those areas directly affected by the hurricane, there were substantial outages throughout Mississippi, which at its peak had more than a third of its public address space rendered unreachable.


The Disaster Recovery ProcessThe general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster.• Different organizations and experts alike might disagree about the

number or names of phases in the process• Personnel safety remains the top priority


The Disaster Recovery ProcessRespond• Initial response begins the process of assessing the damage• Speed is essential (initial assessment)• The initial assessment will determine if the event in question constitutes a

disaster• The initial response team should be mindful of assessing the facility's safety

for continued personnel usageActivate TeamIf during the initial response to a disruptive event a disaster is declared, then the team that will be responsible for recovery needs to be activated.


The Disaster Recovery ProcessCommunicate• Ensure that consistent timely status updates are communicated back to the central

team managing the response and recovery process• Communication often must occur out-of-band• The organization must also be prepared to provide external communicationsAssess• More detailed and thorough assessment• Assess the extent of the damage and determine the proper steps to ensure the

organization's ability to meet its mission and Maximum Tolerable Downtime (MTD)• Team could recommend that the ultimate restoration or reconstitution occurs at the

alternate site


The Disaster Recovery ProcessReconstitution

• Successfully recover critical business operations either at primary or secondary site

• If an alternate site is leveraged, adequate safety and security controls must be in place in order to maintain the expected degree of security the organization typically employs

• A salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster


Developing a BCP/DRP• High-level steps, according to NIST 800-34:• Project Initiation• Scope the Project• Business Impact Analysis• Identify Preventive Controls• Recovery Strategy• Plan Design and Development• Implementation, Training, and Testing• BCP/DRP Maintenance

• NIST 800-34 is the National Institute of Standards and Technologies Information Technology Contingency Planning Guide, which can be found at http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.

http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf


Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones:• 1. Develop the contingency planning policy statement: A formal department

or agency policy provides the authority and guidance necessary to develop an effective contingency plan.

• 2. Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.

• 3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.


Project InitiationIn order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones:• 4. Develop recovery strategies: Thorough recovery strategies ensure that the

system may be recovered quickly and effectively following a disruption.• 5. Develop an IT contingency plan: The contingency plan should contain

detailed guidance and procedures for restoring a damaged system.• 6. Plan testing, training, and exercises: Testing the plan identifies planning

gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

• 7. Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.


Management Support“C”-level managers:• Must agree to any plan set forth• Must agree to support the action items listed in the plan if an emergency

event occurs• Refers to people within an organization like the chief executive officer (CEO),

the chief operating officer (COO), the chief information officer (CIO), and the chief financial officer (CFO)

• Have enough power and authority to speak for the entire organization when dealing with outside media

• High enough within the organization to commit resources


Other RolesBCP/DRP Project Manager• Key Point of Contact for ensuring that a BCP/DRP is completed and routinely

tested• Must be a good manager and leader in case there is an event that causes the

BCP or DRP to be implemented• Point of Contact (POC) for every person within the organization during a crisis• Must be very organized• Credibility and enough authority within the organization to make important,

critical decisions with regard to implementing the BCP/DRP• Does not need to have in-depth technical skills


Other RolesContinuity Planning Project Team (CPPT)• Comprises those personnel that will have responsibilities if/when an

emergency occurs• Comprised of stakeholders within an organization• Focuses on identifying who needs to play a role if a specific emergency event

were to occur• Includes people from the human resources section, public relations (PR), IT

staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions


Scoping the Project• Define exactly what assets are protected by the plan, which emergency

events the plan will be able to address, and determining the resources necessary to completely create and implement the plan

• “What is in and out of scope for this plan?”

• After receiving C-level approval and input from the rest of the organization, objectives and deliverables can be determined


Scoping the Project• Objectives are usually created as “if/then” statements• For example, “If there is a hurricane, then the organization will enact plan H—the Physical

Relocation and Employee Safety Plan.” Plan H is unique to the organization but it does encompass all the BCP/DRP subplans required

• An objective would be to create this plan and have it reviewed by all members of the organization by a specific date.

• The objective will have a number of deliverables required to create and fully vet this plan: for example, draft documents, exercise planning meetings, table top preliminary exercises, etc.

• Executive management must at least ensure that support is given for three BCP/DRP items:• 1. Executive management support is needed for initiating the plan.• 2. Executive management support is needed for final approval of the plan.• 3. Executive management must demonstrate due care and due diligence and be held liable under

applicable laws/regulations.


Assessing the Critical State• Assessing the critical state can be difficult

because determining which pieces of the IT infrastructure are critical depends solely on the how it supports the users within the organization.

• When compiling the critical state and asset list associated with it, the BCP/DRP project manager should note how the assets impact the organization in a section called the “Business Impact” section.


Conduct Business Impact Analysis (BIA)• Formal method for determining how a disruption to the IT system(s) of an

organization will impact the organization• An analysis to identify and prioritize critical IT systems and components• Enables the BCP/DRP project manager to fully characterize the IT contingency

requirements and priorities• Objective is to correlate the IT system components with the critical service it

supports• Also aims to quantify the consequence of a disruption to the system component and

how that will affect the organization• Determine the Maximum Tolerable Downtime (MTD) for a specific IT asset• Also provides information to improve business processes and efficiencies because it

details all of the organization's policies and implementation efforts

The BIA is comprised of two processes; Identification of critical assets and a comprehensive risk assessment.


Conduct Business Impact Analysis (BIA)Identify Critical Assets• BIA and Critical State Asset List is conducted for every IT system within the

organization, no matter how trivial or unimportant, leading to…• A list of those IT assets that are deemed business-essential by the

organizationConduct BCP/DRP-focused Risk Assessment• Determines what risks are inherent to which IT assets• A vulnerability analysis is also conducted for each IT system and major

application


Conduct Business Impact Analysis (BIA)


Determine Maximum Tolerable Downtime• Describes the total time a system can be inoperable before an organization is

severely impacted• It is also the maximum time it takes to execute the reconstitution phase• Comprised of two metrics; Recovery Time Objective (RTO) and the Work

Recovery Time (WRT)Alternate terms for MTD• Depending on the business continuity framework that is used, other terms

may be substituted for Maximum Tolerable Downtime. These include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO).


Failure and Recovery Metrics• Used to quantify how frequently systems fail, how long a system may

exist in a failed state, and the maximum time to recover from failure.

• These metrics include the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR).


Recovery Point Objective• The amount of data loss or system inaccessibility (measured in time)

that an organization can withstand.• “If you perform weekly backups, someone made a decision that your

company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, you have lost the entire week's worth of data. This is the recovery point objective. In this case, the RPO is 1 week.”

• RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event


Recovery Time Objective (RTO) and Work Recovery Time (WRT)• Recovery Time Objective (RTO) describes the maximum time allowed

to recover business or IT systems• RTO is also called the systems recovery time. One part of Maximum

Tolerable Downtime: once the system is physically running, it must be configured.

• Work Recovery Time (WRT) describes the time required to configure a recovered system.

• “Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.”


Mean Time Between Failures• Quantifies how long a new or repaired system will run before failing• Typically generated by a component vendor and is largely applicable to

hardware as opposed to applications and software.• A vendor selling LCD computer monitors may run 100 monitors 24 hours a

day for 2 weeks and observe just one monitor failure. The vendor then extrapolates the following:

100 LCD Monitors x 14 days x 24 hours/day = 1 failure/33,600 hours

• The BCP/DRP team determines the correct amount of expected failures within the IT system during a course of time.

• Calculating the MTBF becomes less reliant when an organization uses fewer and fewer hardware assets.


Mean Time to Repair (MTTR)• Describes how long it will take to recover a specific failed system• Best estimate for reconstituting the IT system so that business continuity may

occurMinimum Operating Requirements• Describes the minimum environmental and connectivity requirements in

order to operate computer equipment• Important to determine and document for each IT-critical asset because, in

the event of a disruptive event or disaster, proper analysis can be conducted quickly to determine if the IT assets will be able to function in the emergency environment


Identify Preventive Controls• Preventive controls prevent disruptive events from having an impact• The BIA will identify some risks which may be mitigated immediatelyRecovery Strategy• Once the BIA is complete, the BCP team knows the Maximum Tolerable

Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, are used to determine the recovery strategy.

• Always maintain technical, physical, and administrative controls when using any recovery option


Recovery Strategy


Recovery StrategySupply Chain Management• In an age of “just in time” shipment of goods, organizations may fail to acquire

adequate replacement computers.• Some computer manufactures offer guaranteed replacement insurance for a specific

range of disasters. The insurance is priced per server, and includes a service level agreement that specifies the replacement time. All forms of relevant insurance should be analyzed by the BCP team.

Telecommunication Management• Ensures the availability of electronic communications during a disaster• Often one of the first processes to fail during a disaster• Wired circuits such as T1s, T3s, frame relay, etc., need to be specifically addressed• Power can be provided by generator if necessary.


Recovery StrategyUtility Management• Utility management addresses the availability of utilities such as power,

water, gas, etc. during a disaster• The utility management plan should address all utilities required by business

operations, including power, heating, cooling, and water.• Specific sections should address the unavailability of any required utility.Recovery options• Once an organization has determined its maximum tolerable downtime, the

choice of recovery options can be determined. For example, a 10-day MTD indicates that a cold site may be a reasonable option. An MTD of a few hours indicates that a redundant site or hot site is a potential option.


Recovery OptionsRedundant Site• A redundant site is an exact production duplicate of a system that has the capability to seamlessly

operate all necessary IT operations without loss of services to the end user of the system.• A redundant site receives data backups in real time so that in the event of a disaster, the users of the

system have no loss of data.• The most expensive recovery optionHot Site• A hot site is a location that an organization may relocate to following a major disruption or disaster.• It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured

computers.• Will have all necessary hardware and critical applications data mirrored in real time.• A hot site will have the capability to allow the organization to resume critical operations within a

very short period of time—sometimes in less than an hour.• Has all the same physical, technical, and administrative controls implemented of the production site.


Recovery OptionsWarm Site• Has some aspects of a hot site, for example, readily-accessible hardware and connectivity, but it will have

to rely upon backup data in order to reconstitute a system after a disruption.• It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.• MTD of at least 1-3 days• The longer the MTD is, the less expensive the recovery solution will be.Cold Site• The least expensive recovery solution to implement.• Does not include backup copies of data, nor does it contain any immediately available hardware.• Longest amount of time of all recovery solutions to implement and restore critical IT services for the

organization• MTD—usually measured in weeks, not days.• Typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that.


Recovery OptionsReciprocal Agreement• A bi-directional agreement between two organizations in which one organization

promises another organization that it can move in and share space if it experiences a disaster.

• Documented in the form of a contract• Also referred to as Mutual Aid Agreements (MAAs)Mobile Site• “datacenters on wheels”: towable trailers that contain racks of computer equipment,

as well as HVAC, fire suppression and physical security.• A good fit for disasters such as a datacenter flood• Typically placed within the physical property lines, and are protected by defenses

such as fences, gates, and security cameras


Recovery OptionsSubscription Services• Some organizations outsource their BCP/DRP planning and/or

implementation by paying another company to perform those services.

• Effectively transfers the risk to the insurer company.• Based upon a simple insurance model, and companies such as

IBM have built profit models and offer services for customers offering BCP/DRP insurance.


Related PlansThe Business Continuity Plan is an umbrella plan that contains others plans:• Disaster recovery plan• Continuity of Operations Plan (COOP)• Business Resumption/Recovery Plan (BRP)• Continuity of Support Plan• Cyber Incident Response Plan• Occupant Emergency Plan (OEP)• Crisis Management Plan (CMP)


Related Plans


Related PlansContinuity of Operations Plan (COOP)• Describes the procedures required to maintain operations during a disaster• Includes transfer of personnel to an alternate disaster recovery site, and operations of that

site.Business Recovery Plan (BRP)• Also known as the Business Resumption Plan• Details the steps required to restore normal business operations after recovering from a

disruptive event• May include switching operations from an alternate site back to a (repaired) primary site.• Picks up when the COOP is complete• Narrow and focused: the BRP is sometimes included as an appendix to the Business Continuity

Plan


Related PlansContinuity of Support Plan• Focuses narrowly on support of specific IT systems and applications• Also called the IT Contingency Plan, emphasizing IT over general business supportCyber Incident Response Plan• Designed to respond to disruptive cyber events, including network-based attacks, worms, computer

viruses, Trojan horses, etc.Occupant Emergency Plan (OEP)• Provides the “response procedures for occupants of a facility in the event of a situation posing a potential

threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency.”

• Facilities-focused, as opposed to business or IT-focused.• Focused on safety and evacuation, and should describe specific safety drills, including evacuation drills

(also known as fire drills)• Specific safety roles should be described, including safety warden and meeting point leader


Related PlansCrisis Management Plan (CMP)• Designed to provide coordination among the managers of the

organization in the event of an emergency or disruptive event• Details the actions management must take to ensure that life and

safety of personnel and property are immediately protected in case of a disaster

• Crisis Communications Plan• Component of the Crisis Management Plan• Sometimes called the communications plan• A plan for communicating to staff and the public in the event of a disruptive event


Related Plans• Crisis Communications Plan• Call Trees

• Is used to quickly communicate news throughout an organization without overburdening any specific person

• Works by assigning each employee a small number of other employees they are responsible for calling in an emergency event

• Most effective when there is two-way reporting of successful communication

• Should contain alternate contact methods, in case the primary methods are unavailable


Calling Tree


Related Plans• Crisis Communications Plan• Automated Call Trees

• Automatically contact all BCP/DRP team members after a disruptive event

• Tree can be activated by an authorized member, triggered by a phone call, email, or Web transaction

• Once triggered, all BCP/DRP members are automatically contacted

• Can require positive verification of receipt of a message, such as “press 1 to acknowledge receipt.”

• Automated call trees are hosted offsite, and typically supported by a third-party BCP/DRP provider


Related Plans• Crisis Communications Plan• Emergency Operations Center (EOC)• The command post established during or just after an emergency event• Placement of the EOC will depend on resources that are available

• Vital Records• Should be stored offsite, at a location and in a format that will allow access during

a disaster• Have both electronic and hardcopy versions of all vital records• Include contact information for all critical staff. Additional vital records include

licensing information, support contracts, service level agreements, reciprocal agreements, telecom circuit IDs, etc.


Executive Succession Planning• Organizations must ensure that there is always an executive

available to make decisions during a disaster

• A common mistake is allowing entire executive teams to be offsite at distant meetings

• One of the simplest executive powers is the ability to endorse checks and procure money.


Plan Approval• Now that the initial BCP/DRP plan has been completed, senior

management approval is the required next step

• It is ultimately senior management's responsibility to protect an organization's critical assets and personnel

• Senior management must understand that they are responsible for the plan, fully understand the plan, take ownership of it, and ensure its success.


Backups and availability (again…)• In order to be able to successfully recover critical business operations,

the organization needs to be able to effectively and efficiently backup and restore both systems and data

• Verification of recoverability from backups is often overlooked• Critical backup media must be stored offsite• Ensure that the organization can quickly procure large high-end tape

drives (if necessary)• If the MTTR is greater than the MTD, then an alternate backup or

availability methodology must be employed


Backups and availability (again…)Hardcopy Data• Hardcopy data is any data that are accessed through reading or

writing on paper rather than processing through a computer system.

• In weather-emergency-prone areas such as Florida, Mississippi, and Louisiana, many businesses develop a “paper only” DRP, which will allow them to operate key critical processes with just hard copies of data, battery-operated calculators, and other small electronics, as well as pens and pencils


Backups and availability (again…)Electronic Backups• Archives that are stored electronically

• Full Backups• Every piece of data is copied and stored on the backup repository• Time consuming, bandwidth intensive, and resource intensive• Will ensure that any necessary data is available

• Incremental Backups• Archive data that have changed since the last full or incremental backup

• Differential Backups• Archive data that have changed since the last full backup



• Electronic vaulting• Batch process of electronically transmitting data that is to be backed up on a routine, regularly

scheduled time interval• Used to transfer bulk information to an offsite facility• Good tool for data that need to be backed up on a daily or possibly even hourly rate• Stores sensitive data offsite• Can perform the backup at very short intervals to ensure that the most recent data is backed up• Occurs across the Internet in most cases (important that the information sent for backup be sent

via a secure communication channel and protected through a strong encryption protocol)



• Remote Journaling• A database journal contains a log of all database transactions• May be used to recover from a database failure• Remote Journaling saves the database checkpoints and database journal to a remote

site

• Database shadowing• Uses two or more identical databases that are updated simultaneously• Can exist locally, but it is best practice to host one shadow database offsite• Allows faster recovery when compared with remote journaling


Software Escrow• Maintain the availability of their applications even if the vendor

that developed the software initially goes out of business

• Allow a neutral third party to hold the source code

• Should the development organization go out of business or otherwise violate the terms of the software escrow agreement, then the third party holding the escrow will provide the source code and any other information to the purchasing organization.


DRP testing, training, and awareness• Skipping these steps is one of the most common BCP/DRP mistakes• A DRP is never complete, but is rather a continually amended method

for ensuring the ability for the organization to recover in an acceptable manner

• Used to correct mistakes• A DRP that will be effective will have some inherent complex

operations and maneuvers to be performed by administrators• Each member of the DRP should be exceedingly familiar with the

particulars of their role in a DRP


DRP Testing• In order to ensure that a Disaster Recovery Plan represents a viable

plan for recovery, thorough testing is needed• Routine infrastructure, hardware, software, and configuration changes

materially alter the way in which the DRP needs to be carried out• Ensure both the initial and continued efficacy of the DRP as a feasible

recovery methodology, testing needs to be performed.• Different types of tests• At an minimum, regardless of the type of test selected, tests should be

performed on an annual basis


DRP TestingDRP Review• Most basic form of DRP testing• Focused on simply reading the DRP in its entirety to ensure completeness of coverage• Typically performed by the team that developed the plan, and will involve team members

reading the plan in its entirety to quickly review the overall plan for any obvious flawsChecklist• Also known as consistency testing• Lists all necessary components required for successful recovery, and ensures that they are, or

will be, readily available should a disaster occur• Often performed concurrently with the structured walkthrough or tabletop testing as a first

testing threshold• Focused on ensuring that the organization has, or can acquire in a timely fashion, sufficient

resources on which their successful recovery is dependent


DRP TestingParallel Processing• Common in environments where transactional data is a key component of the

critical business processing• Typically involves recovery of critical processing components at an alternate

computing facility, and restore data from a previous backup• Regular production systems are not interrupted• Transactions from the day after the backup are then run against the newly

restored data, and the same results achieved during normal operations for the date in question should be mirrored by the recovery system's results

• Organizations that are highly dependent upon mainframe and midrange systems will often employ this type of test.


DRP TestingPartial and Complete Business Interruption• This type of test can actually be the cause of a disaster, so

extreme caution should be exercised before attempting an actual interruption test• Testing will include having the organization stop processing

normal business at the primary location, and instead leverage the alternate computing facility•More common in organizations where fully redundant, load-

balanced, operations exist


Training• An element of DRP training comes as part of performing the tests• More detailed training on some specific elements of the DRP process may be

required.Starting Emergency Power• Converting a datacenter to emergency power, such as backup generators• Specific training and testing of changing over to emergency power should be

regularly performed.Calling Tree Training/Test• Individuals with calling responsibilities are expected to be able to answer

within a very short time period, or otherwise make arrangements.


Awareness

Even for those members who have little active role with respect to the overall recovery process, there is still the matter of ensuring that all members of an organization are aware of the organization's prioritization of safety and business viability in the wake of a disaster.


Continued BCP/DRP maintenance• The BCP/DRP must be kept up to date• BCP/DRP plans must keep pace with all critical business and IT changes.Change Management• The Change Management process is designed to ensure that security is not adversely

affected as systems are introduced, changed, and updated.• Includes tracking and documenting all planned changes, formal approval for

substantial changes, and documentation of the results of the completed change• All changes must be auditable• The change control board manages this process• The BCP team should be a member of the change control board, and attend all

meetings to identify any changes that must be addressed by the BCP/DRP plan


BCP/DRP MistakesCommon BCP/DRP mistakes include:• Lack of management support• Lack of business unit involvement• Lack of prioritization among critical staff• Improper (often overly narrow) scope• Inadequate telecommunications management• Inadequate supply chain management• Incomplete or inadequate crisis management plan• Lack of testing• Lack of training and awareness• Failure to keep the BCP/DRP plan up to date


Specific BCP/DRP frameworksA handful of specific frameworks include NIST SP 800-34, ISO/IEC-27031, and BCI.NIST SP 800-34• The National Institute of Standards and Technology (NIST)

Special Publication 800-34 “Contingency Planning Guide for Information Technology Systems”•May be downloaded at

http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.

http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf


Specific BCP/DRP frameworksISO/IEC-27031

• Draft guideline that is part of the ISO 27000 series, which also includes ISO 27001 and ISO 27002

• Focuses on BCP (DRP is handled by another framework)

• The current formal name is “ISO/IEC 27031 Information technology—Security techniques—Guidelines for ICT Readiness for Business Continuity (final committee draft).” According to http://www.iso27001security.com/html/27031.html, ISO/IEC 27031 is designed to:• “Provide a framework (methods and processes) for any organization—private, governmental, and nongovernmental;

• Identify and specify all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization's ISMS, helping to ensure business continuity;

• Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner.”

• Terms and acronyms used by ISO/IEC 27031 include:• ICT—Information and Communications Technology

• ISMS—Information Security Management System

• A separate ISO plan for disaster recovery is ISO/IEC 24762:2008, “Information technology—Security techniques—Guidelines for information and communications technology disaster recovery services.” More information is available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=41532

http://www.iso27001security.com/html/27031.html

http://www.iso.org/iso/catalogue_detail.htm?csnumber=41532


Specific BCP/DRP frameworksBS-25999

• British Standards Institution (BSI, http://www.bsigroup.co.uk/) released BS-25999, which is in two parts:• “Part 1, the Code of Practice, provides business continuity management best practice recommendations. Please note that this is a guidance

document only.

• Part 2, the Specification, provides the requirements for a Business Continuity Management System (BCMS) based on BCM best practice. This is the part of the standard that you can use to demonstrate compliance via an auditing and certification process.”14

BCI

• The Business Continuity Institute (BCI, http://www.thebci.org/) published a six-step Good Practice Guidelines (GPG) in 2008, latest version is 2013 which describes the Business Continuity Management (BCM) process:• Management Practices

• PP1 Policy & Program Management

• PP2 Embedding Business Continuity

• Technical Practices

• PP3 Analysis

• PP4 Design

• PP5 Implementation

• PP6 Validation

http://www.bsigroup.co.uk/

http://www.thebci.org/

Questions?We made it through Class #11!

132 137 Slides?!

We finished Domain 7: Security Operations!

Homework for Tuesday (5/4)◦ Try to catch-up. We’re gone through a ton of information!

◦ No Quiz; you have enough already.

Enjoy the weather, see you Thursday! We’re almost there!

Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017

Education

Transcript of Slide Deck – Session 11 – FRSecure CISSP Mentor Program 2017