Business Security

of 45
22 views
PDF
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Document Description
1. The Business of Security 2. Business of Security <ul><li>Business Continuity </li></ul><ul><li>Business impact…
Document Share
Document Transcript
  • 1. The Business of Security
  • 2. Business of Security <ul><li>Business Continuity </li></ul><ul><li>Business impact </li></ul><ul><li>Incident response </li></ul><ul><li>Disaster recovery </li></ul><ul><li>Security laws </li></ul>
  • 3. Building a Business Case <ul><li>A business exists to satisfy business objectives </li></ul><ul><ul><li>Security programs are there to support this primary goal </li></ul></ul><ul><li>First step in building a case is to understand the business objectives </li></ul><ul><li>Security efforts must be described in relation to organization’s mission </li></ul><ul><li>Use quantitative and qualitative analysis to justify security measures </li></ul>
  • 4. Business Continuity Planning <ul><li>A business continuity plan (BCP) describes how a business will continue operations in the face of risk </li></ul><ul><li>Vulnerability assessment determines which risks merit attention </li></ul><ul><ul><li>Risk = Threat x Vulnerability </li></ul></ul><ul><li>A quadrant map is a good tool for vulnerability assessment </li></ul>
  • 5. Vulnerability Assessment Check processing Employee Strike Tsunami High Low Flood I II III IV Low High
  • 6. Continuity Strategy <ul><li>Contingency planning </li></ul><ul><li>Incident response planning </li></ul><ul><li>Disaster recovery planning </li></ul><ul><li>Business continuity planning </li></ul>
  • 7. Contingency Planning <ul><li>Contingency planning consists of: </li></ul><ul><ul><li>Incident response plan </li></ul></ul><ul><ul><li>Disaster recovery plan </li></ul></ul><ul><ul><li>Business continuity plan </li></ul></ul><ul><li>Incident response involves: </li></ul><ul><ul><li>notification of key people </li></ul></ul><ul><ul><li>Documenting the incident </li></ul></ul><ul><ul><li>Contain the damage due to the incident </li></ul></ul>
  • 8. Contingency Planning Diagram
  • 9. Contingency Planning Timeline
  • 10. Contingency Planning <ul><li>Primary goal is to restore all systems to pre-failure level </li></ul><ul><li>CP requires support of: </li></ul><ul><ul><li>Upper level management </li></ul></ul><ul><ul><li>IT people </li></ul></ul><ul><ul><li>Security people </li></ul></ul>
  • 11. Business Impact Analysis <ul><li>BIA is the first step in CP </li></ul><ul><li>Takes off from where risk assessment ended </li></ul><ul><li>Main steps in BIA are: </li></ul><ul><ul><li>Threat attack identification </li></ul></ul><ul><ul><li>Business unit analysis </li></ul></ul><ul><ul><li>Attack success scenarios </li></ul></ul><ul><ul><li>Potential damage assessment </li></ul></ul><ul><ul><li>Subordinate plan classification </li></ul></ul>
  • 12. Business Impact Analysis <ul><li>Threat identification includes : </li></ul><ul><ul><li>Attack name and description </li></ul></ul><ul><ul><li>Known vulnerabilities </li></ul></ul><ul><ul><li>Indicators preceding an attack </li></ul></ul><ul><ul><li>Information assets at risk from the attack </li></ul></ul><ul><ul><li>Damage estimates </li></ul></ul>
  • 13. Business Impact Analysis <ul><li>Business Unit Analysis includes: </li></ul><ul><ul><li>Prioritization of business functions </li></ul></ul><ul><ul><li>Identify critical business units </li></ul></ul><ul><li>Attack success scenario includes: </li></ul><ul><ul><li>Known methods of attack </li></ul></ul><ul><ul><li>Indicators of attack </li></ul></ul><ul><ul><li>Broad consequences </li></ul></ul>
  • 14. Business Impact Analysis <ul><li>Potential damage assessment includes: </li></ul><ul><ul><li>Actions needed immediately to recover from the attack </li></ul></ul><ul><ul><li>Personnel who will do the restoration </li></ul></ul><ul><ul><li>Cost estimates for management use </li></ul></ul><ul><li>Subordinate plan classification includes: </li></ul><ul><ul><li>Classification of attack as disastrous or non-disastrous </li></ul></ul><ul><ul><li>Disastrous attacks require disaster recovery plan </li></ul></ul><ul><ul><li>Non-disastrous attacks require incident response plan </li></ul></ul><ul><ul><li>Most attacks are non-disastrous, e.g., blackout </li></ul></ul>
  • 15. Business Impact Analysis Diagram
  • 16. Incident Response Plan <ul><li>Responsible people aware of IR plan details </li></ul><ul><li>Periodic testing of IR plan as a desktop exercise </li></ul><ul><li>Goals to remember (Richard Marcinko): </li></ul><ul><ul><li>More sweat in training means less bleeding in combat </li></ul></ul><ul><ul><li>Preparation hurts </li></ul></ul><ul><ul><li>Lead from the front and not the rear </li></ul></ul><ul><ul><li>Keep it simple </li></ul></ul><ul><ul><li>Never assume </li></ul></ul><ul><ul><li>You get paid for results not your methods </li></ul></ul>
  • 17. Incident Response Plan <ul><li>Incidents are usually detected from complaints to help desk </li></ul><ul><li>Security administrators may receive alarms based on: </li></ul><ul><ul><li>Unfamiliar files </li></ul></ul><ul><ul><li>Unknown processes </li></ul></ul><ul><ul><li>Unusual resource consumption </li></ul></ul><ul><ul><li>Activities at unexpected times </li></ul></ul><ul><ul><li>Use of dormant accounts </li></ul></ul>
  • 18. Incident Response Plan <ul><li>Additional incidence indicators: </li></ul><ul><ul><li>IDS system detects unusual activity </li></ul></ul><ul><ul><li>Presence of hacker tools such as sniffers and keystroke loggers </li></ul></ul><ul><ul><li>Partners detect an attack from the organization system </li></ul></ul><ul><ul><li>Hacker taunts </li></ul></ul><ul><li>How to classify an incident as a disaster? </li></ul><ul><ul><li>Organizational controls for an incident are ineffective </li></ul></ul><ul><ul><li>Level of damage to the system is severe </li></ul></ul>
  • 19. Incident Response Plan <ul><li>Incident reaction involves </li></ul><ul><ul><li>Notifying proper personnel </li></ul></ul><ul><ul><ul><li>Involves notifying people on the alert roster </li></ul></ul></ul><ul><ul><ul><li>Notification could be accomplished using a predefined tree structure </li></ul></ul></ul><ul><ul><ul><li>Notification is pre-scripted to activate relevant portions of the incident response plan </li></ul></ul></ul><ul><ul><li>Designated personnel start documenting the incident </li></ul></ul>
  • 20. Incident Response Plan <ul><ul><li>Activate incident containment strategies such as: </li></ul></ul><ul><ul><ul><li>Take system offline </li></ul></ul></ul><ul><ul><ul><li>Disable compromised accounts </li></ul></ul></ul><ul><ul><ul><li>Reconfigure firewall as needed </li></ul></ul></ul><ul><ul><ul><li>Shut down specific applications such as email or database </li></ul></ul></ul><ul><ul><ul><li>Might necessitate shutting down the system completely </li></ul></ul></ul>
  • 21. Incident Response Plan <ul><li>Post-incident actions </li></ul><ul><ul><li>Preserve evidence </li></ul></ul><ul><ul><li>Activate recovery procedures </li></ul></ul><ul><ul><li>Assess damage </li></ul></ul>
  • 22. Disaster Recovery planning <ul><li>Prioritize recovery of components </li></ul><ul><li>Crisis management </li></ul><ul><li>Activate recovery from backup data </li></ul>
  • 23. Business Continuity <ul><li>Service Level Agreements </li></ul><ul><li>Software escrow </li></ul><ul><li>ISO 17799 addresses business continuity management </li></ul><ul><li>Cold / warm / hot site </li></ul><ul><li>Restoration vs. recovery </li></ul><ul><li>FARM (Functional Area Recovery Management) specifies plans for operational area recovery </li></ul>
  • 24. Business Continuity <ul><li>Case Study of MIT Business Continuity plan http:// web.mit.edu/security/www/MIT_Pub_Plan.pdf </li></ul><ul><li>Case Study of Avaya Business Continuity plan http://www1.avaya.com/enterprise/whitepapers/lb2258.pdf </li></ul>
  • 25. Implementing Controls <ul><li>Techniques used to manage risks identified in vulnerability assessment </li></ul><ul><ul><li>Risk avoidance, mitigation, acceptance </li></ul></ul><ul><li>BCP team must determine exactly how these strategies will be applied to each of the risks identified </li></ul><ul><li>Not all risks can be handled with technical approaches, some may require education & training or external expertise </li></ul>
  • 26. Maintaining the Plan <ul><li>BCP is a living document </li></ul><ul><li>Changes in the environment, the business, and in current technologies will induce new risks </li></ul><ul><li>BCP should be flexible and comprehensive enough to absorb changes </li></ul><ul><li>However, periodic review and updating of the BCP will be required </li></ul>
  • 27. Disaster Recovery Planning <ul><li>Disaster recovery planning is used to prepare for continuing an organization’s operations when they are interrupted due to a crisis </li></ul><ul><li>A Disaster Recovery Plan (DRP) is the document describing the recovery plan </li></ul><ul><li>Goals of a DRP </li></ul><ul><ul><li>Resume operations at an alternate facility as necessary </li></ul></ul><ul><ul><li>Provide for extended operation at the alternate facility </li></ul></ul><ul><ul><li>Prepare for transition back to the the primary facility when possible </li></ul></ul>
  • 28. Selecting the Team <ul><li>Who should be on a disaster recovery team? </li></ul><ul><ul><li>Important to cover critical departments and missions within the organization </li></ul></ul><ul><ul><li>Size of the organization will dictate size of team </li></ul></ul><ul><ul><li>In a larger organization, planning and implementation teams can be different </li></ul></ul><ul><ul><li>DRP responsibilities are usually secondary to the team members’ primary roles within the organization </li></ul></ul>
  • 29. Building the Plan <ul><li>The DRP should describe the processes to follow in the event of disaster </li></ul><ul><ul><li>Should detail the responsibilities of all individuals involved in the plan </li></ul></ul><ul><ul><li>Should detail resources needed, including financial, manpower, hardware, and software </li></ul></ul><ul><li>Selection of at least one alternate facility is a primary challenge </li></ul><ul><ul><li>The greater the required capabilities, the more expensive it will be </li></ul></ul>
  • 30. Disaster Recover Facilities <ul><li>Hot site </li></ul><ul><ul><li>Contains all hardware, software, and data required. Capable of taking over production immediately </li></ul></ul><ul><li>Warm site </li></ul><ul><ul><li>Contains most hardware and software required, does not maintain live copies of data. Capable of taking over production within hours or days. </li></ul></ul><ul><li>Cold site </li></ul><ul><ul><li>Contains basic power, telecommunications, and support systems. Does not maintain hardware, software, and data. Capable of taking over production within weeks or months. </li></ul></ul>
  • 31. Creative Disaster Recovery <ul><li>Nontraditional arrangements for disaster recovery are possible and may be suitable for a particular organization </li></ul><ul><li>Geographically dispersed organizations might consider mobile facilities </li></ul><ul><ul><li>Trailers, mobile homes, air-transportable units </li></ul></ul><ul><ul><li>Don’t keep them all in one place </li></ul></ul><ul><li>Mutual assistance agreements </li></ul><ul><ul><li>Share costs with other organizations </li></ul></ul><ul><ul><li>Care must be taken in maintaining confidentiality of data </li></ul></ul>
  • 32. Training <ul><li>DRP team members need training to prepare for responsibilities under the plan </li></ul><ul><li>Initial training </li></ul><ul><ul><li>Comprehensive training takes place when individuals are placed on the team </li></ul></ul><ul><li>Refresher training </li></ul><ul><ul><li>Periodic training to update and refresh team members’ skills and readiness </li></ul></ul><ul><li>Length, frequency, and scope of DRP training must be customized to each individual’s responsibilities </li></ul>
  • 33. Testing <ul><li>Checklist review </li></ul><ul><ul><li>Simplest, least labor-intensive form of testing </li></ul></ul><ul><ul><li>Each individual has a checklist of responsibilities under the DRP </li></ul></ul><ul><ul><li>During testing, each individual reviews his/her checklist </li></ul></ul><ul><ul><li>Can be done as a group or individually </li></ul></ul><ul><li>Tabletop exercise </li></ul><ul><ul><li>Test facilitator describe a specific disaster scenario </li></ul></ul><ul><ul><li>DRP team members verbally walk through their responses to the scenario </li></ul></ul><ul><ul><li>Scenarios can be disseminated at the test or in advance </li></ul></ul>
  • 34. Testing <ul><li>Soft test (parallel test) </li></ul><ul><ul><li>DRP team members are given a disaster scenario and respond by activating the recovery facility </li></ul></ul><ul><ul><li>Recovery facility works in parallel with main facility, does not take responsibility for full operation </li></ul></ul><ul><ul><li>A more comprehensive test, also a more expensive test </li></ul></ul><ul><li>Hard test (full-interruption test) </li></ul><ul><ul><li>Used only rarely in mission critical situations, too disruptive and expensive </li></ul></ul><ul><ul><li>Involves full transfer of control to alternative facility and back </li></ul></ul>
  • 35. Implementing the Plan <ul><li>When a plan must be implemented, the situation is going to be chaotic </li></ul><ul><li>Plan must define actions of first responders, whoever they might be </li></ul><ul><ul><li>All employees should know what to do if they witness an event that might signal a need for disaster recovery </li></ul></ul><ul><li>The authority to declare a disaster situation should be carefully allocated </li></ul><ul><ul><li>Possibly to multiple people </li></ul></ul>
  • 36. Maintaining the Plan <ul><li>The disaster recovery team’s membership, procedures, and tools will change over time </li></ul><ul><li>The team should rely heavily on checklists to avoid panic and chaos </li></ul><ul><ul><li>Checklists must be up-to-date </li></ul></ul><ul><li>The DRP should be continually tested and evaluated with lessons learned debriefings </li></ul>
  • 37. Data Classification <ul><li>Provides users with a way to stratify sensitive information </li></ul><ul><li>Provides a
  • We Need Your Support
    Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

    Thanks to everyone for your continued support.

    No, Thanks
    SAVE OUR EARTH

    We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

    More details...

    Sign Now!

    We are very appreciated for your Prompt Action!

    x