Lecture 6 Flashcards
?
Everyone in an organization needs to be trained and aware of information security; not every member needs a formal degree or certificate in information security
Identify
1/3 ?
Security Education
?
When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education
Identify
2/3 ?
Security Education
?
A number of universities have formal coursework in information security
Identify
3/3 ?
Security Education
?
Involves providing members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
Identify
1/2 ?
Security Training
?
Management of information security can develop customized in-house training or outsource the training program
Identify
2/2 ?
Security Training
?
One of least frequently implemented but most beneficial programs is the ? program
Identify
1/4 ?
Security Awareness
?
Designed to keep information security at the forefront of users’ minds
Identify
2/4 ?
Security Awareness
?
Need not be complicated or expensive
Identify
3/4 ?
Security Awareness
?
If the program is not actively implemented, employees begin to “tune out” and risk of employee accidents and failures increases
Identify
4/4 ?
Security Awareness
?
Continuous availability of info systems
Identify
1/3 ?
Continuity Strategies
?
Probability high for attack
Identify
2/3 ?
Continuity Strategies
?
Managers must be ready to act
Identify
3/3 ?
Continuity Strategies
?
Prepared by organization
Identify
Continuity Strategies - 1/3 ?
Contingency Plan (CP)
?
Anticipate, react to, & recover from attacks
Identify
Continuity Strategies - 2/3 ?
Contingency Plan (CP)
?
Restore organization to normal operations
Identify
Continuity Strategies - 3/3 ?
Contingency Plan (CP)
3 Components of Contingency Plan
Enumerate
Continuity Strategies - 3 Components of Contingency Plan
- Incident Response (IRPs)
- Disaster Recovery (DRPs)
- Business Continuity (BCPs)
?
Focus on immediate response
Identify
Continuity Strategies - 1/3 Components of Contingency Plan
Incident Response (IRPs)
?
Focus on restoring system
Identify
Continuity Strategies - 2/3 Components of Contingency Plan
Disaster Recovery (DRPs)
?
Focus on establishing business functions at alternate site
Identify
Continuity Strategies - 3/3 Components of Contingency Plan
Business Continuity (BCPs)
?
Before planning can begin, a team has to plan effort and prepare resulting documents
Identify
1/4 ? (continued)
Continuity Strategies
?
??: high-level manager to support, promote, and endorse findings of project
Identify
2/4 ? (continued)
- Continuity Strategies
- Champion
?
??: leads project and makes sure sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
Identify
3/4 ? (continued)
- Continuity Strategies
- Project Manager
?
??: should be managers or their representatives from various communities of interest: business, IT, and information security
Identify
4/4 ? (continued)
- Continuity Strategies
- Team members
?
Investigate & assess impact of various attacks
Identify
1/5 ?
Business Impact Analysis (BIA)
?
First risk assessment – then ?
Identify
2/5 ?
Business Impact Analysis (BIA)
?
Prioritized list of threats & critical info
Identify
3/5 ?
Business Impact Analysis (BIA)
?
Detailed scenarios of potential impact of each attack
Identify
4/5 ?
Business Impact Analysis (BIA)
?
Answers question: “if the attack succeeds, what do you do then?”
Identify
5/5 ?
Business Impact Analysis (BIA)
5 BIA (Business Impact Analysis) Sections
Enumerate
5 BIA Sections
- Threat attack identification & prioritization
- Business Unit analysis
- Attack success scenario development
- Potential damage assessment
- Subordinate Plan Classification
5 BIA (Business Impact Analysis) Sections
?
- Attack profile – detailed description of activities that occur during an attack
- Determine the extent of resulting damage
Identify
1/5 BIA Sections
Threat attack identification & prioritization
5 BIA (Business Impact Analysis) Sections
Threat attack identification & prioritization
- ? - detailed description of activities that occur during an attack
- Determine the extent of resulting damage
Identify
1/5 BIA Sections
Attack Profile
5 BIA (Business Impact Analysis) Sections
?
- Analysis & prioritization of business functions
- Identify & prioritize functions within org units
Identify
2/5 BIA Sections
Business Unit analysis
5 BIA (Business Impact Analysis) Sections
?
- Series of scenarios showing impact
- Each threat on prioritized list
- Alternate outcomes (Best, worst, probable cases)
Identify
3/5 BIA Sections
Attack success scenario development
5 BIA (Business Impact Analysis) Sections
?
- Estimate cost of best, worst, probable
- What must be done under each
- Not how much to spend
Identify
4/5 BIA Sections
Potential damage assessment
5 BIA (Business Impact Analysis) Sections
?
- Basis for classification as disastrous or not disastrous
Identify
5/5 BIA Sections
Subordinate Plan Classification
?
Covers identification of, classification of, and response to an incident
Identify
1/3 ?
Incident Response Planning (IRPs)
?
Attacks classified as incidents if they:
* Are directed against information assets
* Have a realistic chance of success
* Could threaten confidentiality, integrity, or availability of information resources
Identify
2/3 ?
Incident Response Planning (IRPs)
?
?? is more reactive than proactive, with the exception of planning that must occur to prepare IR teams to be ready to react to an incident
Identify
3/3 ?
- Incident Response Planning (IRPs)
- Incident Response (IR)
?
Set of activities taken to plan for, detect, and correct the impact
Identify
1/3 ?
Incident Response
?
??
* Requires understanding BIA scenarios
* Develop series of predefined responses
* Enables org to react quickly
Identify
2/3 ?
- Incident Response
- Incident Planning
?
??
??? – intrusion detection systems, virus detection, system administrators, end users
Identify
3/3 ?
- Incident Response
- Incident Detection
- Mechanisms
Incident Detection
4 Possible Indicators
Enumerate
Incident Response - Incident Detection - 4 Possible Indicators
- Presence of unfamiliar files
- Execution of unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes
Incident Detection
4 Probable Indicators
Enumerate
Incident Response - Incident Detection - 4 Probable Indicators
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from IDS
Incident Detection
4 Definite Indicators
Enumerate
Incident Response - Incident Detection - 4 Definite Indicators
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notification by partner or peer
- Notification by hackers
Incident Detection
4 Predefined Situations
Enumerate
Incident Response - Incident Detection - 4 Predefined Situations
- Loss of availability
- Loss of integrity
- Loss of confidentiality
- Violation of policy
- Violation of law
?
- Actions outlined in the IRP
- Guide the organization
- Stop the incident
- Mitigate the impact
- Provide information recovery
- Notify key personnel
- Document incident
Identify
?
Incident Reaction
?
- Sever affected communication circuits
- Disable accounts
- Reconfigure firewall
- Disable process or service
- Take down email
- Stop all computers and network devices
- Isolate affected channels, processes, services, or computers
Identify
?
Incident Containment Strategies
?
- Get everyone moving and focused
- Assess Damage
- Recovery
- Identify and resolve vulnerabilities
- Address safeguards
- Evaluate monitoring capabilities
- Restore data from backups
- Restore process and services
- Continuously monitor system
- Restore confidence
Identify
?
Incident Recovery
?
- Provide guidance in the event of a disaster
- Clear establishment of priorities
- Clear delegation of roles & responsibilities
- Alert key personnel
- Document disaster
- Mitigate impact
- Evacuation of physical assets
Identify
?
Disaster Recovery Plan (DRPs)
?
Disaster recovery personnel must know their responses without any supporting documentation
Identify
1/3 ?
Crisis Management
?
Actions taken during and after a disaster focusing on people involved and addressing viability of business
Identify
2/3 ?
Crisis Management
?
?? responsible for managing event from an enterprise perspective and covers:
* Support personnel and loved ones
* Determine impact on normal operations
* Keep public informed
* Communicate with major players such as major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
Identify
3/3 ?
- Crisis Management
- Crisis Management Team
?
Outlines reestablishment of critical business operations during a disaster that impacts operations
Identify
1/3 ?
Business Continuity Planning (BCPs)
?
If disaster has rendered the business unusable for continued operations, there must be a plan to allow business to continue functioning
Identify
2/3 ?
Business Continuity Planning (BCPs)
?
Development of ? somewhat simpler than IRP or DRP; consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy
Identify
3/3 ?
Business Continuity Planning (BCPs)
?
There are a number of strategies for planning for business continuity
Identify
1/4 ?
Continuity Strategies
?
Determining factor in selecting between options is usually cost
Identify
2/4 ?
Continuity Strategies
?
In general there are three exclusive options: hot sites; warm sites; and cold sites
Identify
3/4 ?
Continuity Strategies
?
Three shared functions: time-share; service bureaus; and mutual agreements
Identify
4/4 ?
Continuity Strategies
?
??
- Fully configured computer facilities
- All services & communication links
- Physical plant operations
Identify
1/6 ?
- Alternative Site Configurations
- Hot Sites
?
??
- Does not include actual applications
- Application may not be installed and configured
- Requires hours to days to become operational
Identify
2/6 ?
- Alternative Site Configurations
- Warm Sites
?
??
- Rudimentary services and facilities
- No hardware or peripherals
- Empty room
Identify
3/6 ?
- Alternative Site Configurations
- Cold Sites
?
??
- Hot, warm, or cold
- Leased with other orgs
Identify
4/6 ?
- Alternative Site Configurations
- Time-shares
?
??
- Provides service for a fee
Identify
5/6 ?
- Alternative Site Configurations
- Service bureau
?
??
- A contract between two or more organizations that specifies how each will assist the other in the event of a disaster.
Identify
6/6 ?
- Alternative Site Configurations
- Mutual agreements
?
To get sites up and running quickly, organization must have ability to port data into new site’s systems
Identify
1/4 ?
Off-Site Disaster Data Storage
?
??
* Transfer of large batches of data
* Receiving server archives data
* Fee
Identify
2/4 ?
- Off-Site Disaster Data Storage
- Electronic vaulting
?
??
- Transfer of live transactions to off-site
- Only transactions are transferred
- Transfer is real time
Identify
3/4 ?
- Off-Site Disaster Data Storage
- Journaling
?
??
- Duplicated databases
- Multiple servers
- Processes duplicated
- 3 or more copies simultaneously
Identify
4/4 ?
- Off-Site Disaster Data Storage
- Shadowing
Model for a Consolidated Contingency Plan
? supports concise planning and encourages smaller organizations to develop, test, and use IR and DR plans
Identify
1/2 Model for a Consolidated Contingency Plan
Single document set
Model for a Consolidated Contingency Plan
? is based on analyses of disaster recovery and incident response plans of dozens of organizations
Identify
2/2 Model for a Consolidated Contingency Plan
Model
The Planning Document
6 steps in contingency planning process
Enumerate
The Planning Document - 6 Steps in Contingency Planning Process
- Identifying mission- or business-critical functions
- Identifying resources that support critical functions
- Anticipating potential contingencies or disasters
- Selecting contingency planning strategies
- Implementing contingency strategies
- Testing and revising strategy
?
- When incident at hand constitutes a violation of law, organization may determine involving law enforcement is necessary
- Questions:
- When should organization get law enforcement involved?
- What level of law enforcement agency should be involved (local, state, federal)?
- What happens when law enforcement agency is involved?
- Some questions are best answered by organization’s legal department
Identify
?
Law Enforcement Involvement
Benefits and Drawbacks of Law Enforcement Involvement
Involving law enforcement agencies has ?:
* Agencies may be better equipped at processing evidence
* Organization may be less effective in convicting suspects
* Law enforcement agencies prepared to handle warrants and subpoenas needed
* Law enforcement skilled at obtaining witness statements and other information collection
Identify
?
Advantages (of Law Enforcement Involvement)
Benefits and Drawbacks of Law Enforcement Involvement
Involving law enforcement agencies has ?:
* Once a law enforcement agency takes over case, organization loses complete control over chain of events
* Organization may not hear about case for weeks or months
* Equipment vital to the organization’s business may be tagged as evidence
* If organization detects a criminal act, it is legally obligated to involve appropriate law enforcement officials
Identify
?
Disadvantages (of Law Enforcement Involvement)
Summary
? is a control measure that reduces accidental security breaches and increases organizational resistance to many other forms of attack
Identify
1/2 Summary
Information security education, training, and awareness (SETA)
Summary
? made up of 3 components:
* Incident Response Planning (IRP)
* Disaster Recovery Planning (DRP)
* Business Continuity Planning (BCP)
Identify
2/2 Summary
Contingency Planning (CP)