Planning for Contingencies

Planning for Contingencies EECS 711: Security Management and Audit Philip Mein "Prakash" Pallavur Sankaranaraynan Annette Tetmeyer EECS 711 Spring 2008 Chapter 3

Outline
- What is Contingency Planning?
- Components of Contingency Planning
- Business Impact Analysis
- Incident Response Plan
- Disaster Recovery Plan
- Business Continuity Plan
- Timing and Sequence of CP Elements
- Business Resumption Planning
- Testing Contingency Plans
- Contingency Planning: Final Thoughts

What is Contingency Planning?
- The overall process of preparing for unexpected events
- Prepare for, detect, react to, recover from these events
- “many organization contingency plans are woefully inadequate…”

What is Contingency Planning?
- Communities of Interest
  - Information Technology
  - Information Security
- Prepare for, detect, react to and recover from unexpected events
  - Natural
  - Human
  - Environmental

Components of Contingency Planning

Components of Contingency Planning
- Business Impact Analysis (BIA)
  - Determine critical business functions and information systems
- Incident Response Plan (IR)
  - Immediate response to an incident
- Disaster Recovery Plan (DR)
  - Focus on restoring operations at the primary site
- Business Continuity Plan (BC)
  - Enables business to continue at an alternate site
  - Occurs concurrently with DR Plan

Major Tasks

Developing the CP Plan
- Unified plan
  - Smaller organizations
- Four plans with interlocking procedures
  - Larger, complex organizations
- Should involve high level administrators and key personnel
  - CIO, CISO, IT and business managers, system administrators

CP Team Personnel
- Champion: provides strategic vision and access to organizational support
- Project Manager
- Team Members: from communities of interest

CP Process Elements
- Required to begin the CP process
  - Planning methodology
  - Policy environment
  - Understanding cause and effect of precursor activities
  - Access to financial and other resources (budget)

Creating the CP Document
1. Develop the policy statement
2. Conduct the BIA
3. Identify preventive controls
4. Develop recovery strategies
5. Develop an IT contingency plan
6. Plan testing, training and exercises
7. Plan maintenance
Policy is the precursor to planning… The first step in all contingency efforts is the development of policy; the next step is to plan.

Creating the CP Document
- Develop the policy to set the stage and vision
- Conduct the BIA to prioritize
- Identify Preventive Controls: Fire suppression systems? Backup procedures?
- Develop Recovery Strategies: How will you restore from backup? What are your offsite options?
- Develop the contingency plan: Document recovery strategies

Sample Policy

Business Impact Analysis
- Provides detailed scenarios of effects of potential attacks
- Risk management identifies attacks
- BIA assumes controls have failed
- Business impact analysis is the first phase in the CP process

Risk Management
- Contingency planning and risk management are closely related
- Risks must be identified in order to establish the contingency plan

BIA Stages
- Threat Attack Identification and Prioritization
- Business Unit Analysis
- Attack Success Scenario Development
- Potential Damage Assessment
- Subordinate Plan Classification

Threat Attack Identification and Prioritization
- Update threat list and add an attack profile
  - Detailed description of activities that occur during an attack
  - Develop for every serious threat
    - Natural or man-made
    - Deliberate or accidental
  - Used later to provide indicators of attacks and extent of damage

Example Attack Profile
Elements include:
- Date analyzed
- Attack name and description
- Threat and probable threat agents
- Vulnerabilities (known or possible)
- Precursor activities or indicators
- Likely attack activities or indicators of attack in progress
- Information assets at risk
- Damage or loss to information assets
- Other assets at risk and damage/loss to these assets
- Immediate actions indicated when the attack is underway
- Follow-up actions after this attack was successfully executed against systems
- Comments

Business Unit Analysis
- Analysis and prioritization of business functions
- Independently evaluate all departments, units, etc.
- Prioritize revenue producing functions

Attack Success Scenario Development
- What are the effects of the threat?
- Alternative outcomes to each
  - Best, worst, most likely
- What are the implications for all business functions?

Potential Damage Assessment
- Prepare attack scenario end case
- What is the cost for the best, worst, most likely?
- Include cost estimates of time and effort
- Could be used as an attention grabber for upper management

Subordinate Plan Classification
- Is the attack disastrous or not?
- Develop subordinate plans
- Non-disastrous scenarios may be addressed as part of DR and BC plans

Incident Response Plan
“Things which you do not hope happen more frequently than things which you do hope.” -- Plautus (c. 254–184 BCE), in Mostellaria, Act I, Scene 3, 40 (197)

Incident Response Plan
- An unexpected event
- IRP (Incident Response Plan)
  - Detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets
- IR (Incident Response)
  - A set of procedures that commence when an incident is detected
  - Minimal damage
  - Little or no disruption to business operations
- What it is not: prevention (reactive, not preventative)

IR Policy
- CP team develops the policy environment to authorize the creation of each of the planning components (IR, DR, BC)
- Defines the roles and responsibilities for the entire enterprise
- Defines the roles and responsibilities for the SIRT (Security Incident Response Team)

IR Policy cont.
Computer Security Incident Handling Guide (NIST SP 800-61)
- Statement of management commitment
- Purpose and objectives of the policy
- Scope of the policy
- Definition of information security incidents and their consequences within the organization
- Organizational structure and delineation of roles, responsibilities, and levels of authority
- Prioritization or severity ratings of incidents
- Performance measures
- Reporting and contact forms

What is an InfoSec Incident
- It is directed against information assets
- It has a realistic chance of success
- It threatens the confidentiality, integrity, or availability of information resources and assets

IR Plan
- BIA provides data to develop IR plan
  - Information systems and the threats they face
- Stop the incident, mitigate its effects, and provide information for the recovery from the incident
- Three sets of incident procedures
  - Before an Attack
    - Backup schedules
    - Training schedules
    - Testing plans
  - During an Attack
    - Procedures and tasks to be performed during the incident
    - Minimize the effect of the attack (avoid disaster)
  - After an Attack
    - Patches, updates
    - Interviews

Incident Detection
- Incident candidates
  - Possible Indicators: Unfamiliar files, unknown processes, consumption of resources, unusual system crashes
  - Probable Indicators: Activity at unexpected times, presence of new accounts, reported attacks, IDS
  - Definite Indicators: Use of dormant accounts, changes to logs, presence of hacker tools, notification by peers, notification by hacker
- Occurrences of Actual Incidents
  - Loss of availability, loss of integrity, loss of confidentiality, violation of policy, violation of law
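
An added example, not part of the original slides: a small triage pass that maps account events to the possible/probable/definite tiers listed above and keeps the highest tier seen per account. The event records, the 90-day dormancy threshold and the business-hours window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the slides), as a log pipeline
# might normalize authentication and account-management records.
EVENTS = [
    {"time": "2008-03-03T10:15:00", "type": "login", "user": "alice"},
    {"time": "2008-03-04T02:40:00", "type": "login", "user": "bob"},
    {"time": "2008-03-04T03:05:00", "type": "account_created", "user": "svc_tmp"},
    {"time": "2008-03-04T03:10:00", "type": "login", "user": "old_contractor"},
    {"time": "2008-03-04T03:12:00", "type": "log_cleared", "user": "old_contractor"},
]

# Constructed baseline: last successful login before the sample window.
LAST_SEEN = {
    "alice": "2008-03-02T09:00:00",
    "bob": "2008-03-03T17:30:00",
    "old_contractor": "2007-09-01T12:00:00",
}

DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold
BUSINESS_HOURS = range(7, 19)       # assumed 07:00-18:59 local time
TIER_RANK = {"possible": 1, "probable": 2, "definite": 3}


def classify(event, last_seen):
    """Return a list of (tier, reason) findings for a single event."""
    findings = []
    ts = datetime.fromisoformat(event["time"])
    user = event["user"]
    if event["type"] == "login":
        prev = last_seen.get(user)
        if prev is not None and ts - datetime.fromisoformat(prev) > DORMANT_AFTER:
            findings.append(("definite", "use of dormant account"))
        last_seen[user] = event["time"]  # later logins are no longer dormant
    elif event["type"] == "account_created":
        findings.append(("probable", "presence of new account"))
    elif event["type"] == "log_cleared":
        findings.append(("definite", "changes to logs"))
    if ts.hour not in BUSINESS_HOURS:
        findings.append(("probable", "activity at unexpected time"))
    return findings


def triage(events, baseline):
    """Group findings per account, keeping the highest tier and all reasons."""
    last_seen = dict(baseline)  # work on a copy; the baseline stays untouched
    per_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        for tier, reason in classify(ev, last_seen):
            entry = per_user.setdefault(ev["user"], {"tier": tier, "reasons": []})
            if TIER_RANK[tier] > TIER_RANK[entry["tier"]]:
                entry["tier"] = tier
            if reason not in entry["reasons"]:
                entry["reasons"].append(reason)
    return per_user


if __name__ == "__main__":
    results = triage(EVENTS, LAST_SEEN)
    ordered = sorted(results.items(), key=lambda kv: -TIER_RANK[kv[1]["tier"]])
    for user, info in ordered:
        print(f"{info['tier']:9} {user:15} {'; '.join(info['reasons'])}")
```

Accounts that reach the definite tier are the ones to hand to the incident response procedures first; probable findings remain incident candidates until corroborated.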

Actual Incident reported by IDS

Incident Response
- Notification of Key Personnel
  - Alert roster (sequential or hierarchical)
- Documenting an Incident
  - Who, what, when, where, why, how (for each action)
- Incident Containment Strategies
  - Stopping the incident and recovering control
    - Disabling compromised accounts
    - Reconfiguring a firewall
    - Disabling the compromised process or service
    - Taking down the conduit application or server
    - Stopping all computers and network devices
- Incident Escalation

Incident Response cont.
- Incident Recovery
  - Incident damage assessment
    - Scope of C.I.A.
    - Individuals who document the damage must be trained to collect and preserve evidence
  - Recovery steps:
    - Identify vulnerabilities
    - Address the safeguards that failed to stop or limit the incident, or that were missing
    - Evaluate monitoring capabilities
    - Restore data from backups
    - Restore the services and processes
    - Continuously monitor the system
    - Restore the confidence of the members of the organization
- Law Enforcement Involvement
  - FBI, US Secret Service, US Treasury Dept, SEC, local agencies

Disaster Recovery Plan
- Entails the preparation for and recovery from a disaster
- Responsibility of the IT community of interest, under the leadership of the CEO
- An incident becomes a disaster when
  - The organization is unable to contain or control the impact of an incident
  - The level of damage is so severe that the organization cannot recover from the incident
- DR plan is activated when incidents are escalated to a level of disaster and incident response is no longer able to handle the effective and efficient recovery from loss.

Disaster Recovery Plan
- The key role of a DR plan is to reestablish operations at the primary location

DR Planning Process
This is the planning process recommended by NIST; it follows 7 steps:
1. Develop the DR planning policy statement: This provides the authority and guidance necessary to develop an effective contingency plan
2. Review the BIA: The business impact analysis was prepared to help identify and prioritize critical IT systems and components
3. Identify preventive controls: Measures to reduce disruptions, increase availability and reduce contingency costs
4. Develop recovery strategies: This ensures that the systems can be recovered quickly and effectively after the disruption
5. Develop the DR plan document: This provides detailed guidance and procedures for restoring a damaged system
6. Plan testing, training and exercises: Testing helps identify planning gaps; training ensures the recovery personnel are prepared. Both help improve the effectiveness of the plan and overall preparedness
7. Plan maintenance: Helps keep the plan a living document that remains current with systems enhancements

DR Planning Policy Statement
The DR team, led by the DR team lead, begins with the development of the DR policy. The DR policy contains the following key elements:
- Purpose: Since this is a major enterprise-wide activity, it is important that the program begins with a clear statement of executive vision
- Scope: Identifies to whom this plan applies. Important if geographically dispersed or multiple policies exist
- Roles and responsibilities: Identifies key players
- Resource requirements: Identifies resources needed to develop DR plan
- Training requirements: Training requirements
- Exercise and testing schedules: Stipulates test intervals, testing types and individuals involved
- Plan maintenance schedules: The plan review and update intervals and who is involved in the reviews
- Special considerations: Such as information storage and maintenance

Classification of disasters
- Natural disasters
  - Examples: Fire, flood, hurricane, tornado
- Man-made disasters
  - Examples: Cyber-terrorism
- Rapid-onset
  - Examples: Earthquakes, mud-flows
- Slow-onset
  - Examples: Famines, deforestation

Planning for disaster
Key elements that the CP team must build into a DR plan include the following:
- Delegation of roles and responsibilities: Every member has an assignment, which may be as simple as pack up and leave
- Execution of alert roster and notification of key personnel: Notifications to fire, police, medical (external) and management (internal)
- Clear establishment of priorities: E.g. 1st priority is human life
- Procedures for documentation of disasters: Record the disaster right from onset; the record can be used for later planning
- Actions to mitigate the impact of disaster on the operations: This documents the actions that need to be taken by each DR team member
- Alternative implementations of various systems in case the primaries are unavailable: E.g. using stand-by equipment, DHCP instead of static IP

Options to protect information
- Traditional back-ups: Uses methods like RAID (redundant array of independent disks) or disk-disk-tape methods
- Electronic vaulting: Data transferred via bulk-batch transfer to offsite locations via leased lines or secure internet connections
- Remote journaling: Transfer of live transactions to remote sites. Differs from electronic vaulting in 2 ways: 1. only transactions are transferred, not archived data; 2. more real-time than electronic vaulting
- Database shadowing: Combines electronic vaulting and remote journaling to write multiple copies of the database simultaneously to 2 separate locations

Crisis Management
- Steps taken during and after a disaster that affect people internally and externally
- According to Gartner Research, crisis management involves the following activities:
  - Supporting personnel and their loved ones during the crisis
  - Determine the event's impact on normal business and make a disaster declaration if necessary
  - Keep the public informed about the event and steps being taken to ensure recovery of personnel and the enterprise
  - Communicate with major customers, suppliers, partners, regulatory agencies, industry organizations, media and other interested parties.

Crisis Management
- The crisis management team is also charged with two key tasks:
  - Verifying personnel status
  - Activating the alert roster
- The most important role of crisis management, in the event of a disaster, is to tell the whole story as soon as possible, directly to the affected audience

Responding to disasters
- During disasters even the most well planned DR plans can be overwhelmed
- To be prepared, the CP team should incorporate a degree of flexibility
- If facilities are intact, the DR team should begin restoration of systems and services
- If facilities are destroyed, alternative actions must be taken until new facilities are available
- When the operations of the primary site are threatened, the disaster recovery process becomes a business continuity process

Business Continuity Plan
- Ensures that critical business functions can continue if a disaster occurs
- CEO should manage
- Activated and executed concurrently with DR plan
- Business can no longer function at primary location
- Use an alternate location

Business Continuity Plan
- Identify critical business functions and resources to support them
- Want to quickly re-establish these functions at alternate site

BC Planning Process
- Develop the BC planning policy statement
  - Authority, guidance, executive vision
- Review the BIA
  - Identify, prioritize critical IT systems
- Identify preventive controls
  - Measures to reduce disruption, increase system availability
- Develop relocation strategies
  - Critical systems must be recovered quickly

BC Planning Process
- Develop the continuity plan
  - Include detailed guidelines and procedures
- Plan testing, training, and exercises
  - Identify planning gaps, prepare personnel for improved effectiveness and preparedness
- Plan maintenance
  - Living document, plan to update!

Develop the BC planning policy statement
- Authority, guidance, executive vision
- Provide:
  - Purpose
  - Scope
  - Roles and responsibilities
  - Resource requirements
  - Training requirements
  - Plan maintenance schedule
  - Special considerations

Plan Similarities
- Similar to other elements of the CP process
- Implementation differs

Design Parameters
- Recovery Time Objective (RTO)
  - Amount of time that passes before an infrastructure is available
- Recovery Point Objective (RPO)
  - The point in the past to which the recovered applications and data will be restored
  - How much data loss?

Continuity Strategies
- Exclusive-use options
  - Hot site
  - Warm site
  - Cold site
- Shared-use options
  - Timeshare
  - Service bureau
  - Mutual agreement
- Other
  - Rolling mobile site
  - Mirrored site
- Cost
- Time to activate
- Advantages and disadvantages?

Continuity Strategies

Timing and Sequence of CP Elements

Timing and Sequence of CP Elements

Business Resumption Planning
- DR and BC combined
- Possibility for two locations
- Good template provided by NIST: http://fasp.nist.gov

Testing Contingency Plans
All plans must be tested to identify vulnerabilities, faults and inefficient processes. Five strategies that can be used to test plans are:
- Desk check: Used to create a list of correct and incorrect components
- Structured walk-through: All involved individuals walk through the steps they would take during an actual event. Could be an onsite walk-through or a talk-through
- Simulation: Each person, individually instead of in a group, walks through a simulation of the tasks; stops short of physical tasks
- Parallel testing: Individuals act as if an actual incident has occurred and begin performing their tasks and executing necessary procedures, taking care not to interrupt operations, which could result in an incident by itself
- Full interruption: Individuals follow and execute all procedures, including those that may interrupt normal operations; usually done after business hours to minimize impacts on end users. E.g. scheduled outages
Another important, often neglected aspect of training is cross training: in the event that the person responsible for a certain task is sick or affected by the incident and cannot perform their tasks.

Contingency Planning: Final Thoughts
- Iteration results in improvement; a formal implementation of this is CPI (Continuous Process Improvement)
- Each time the organization rehearses its plans, it must learn and improve
- Each time an incident or a disaster occurs, the organization should review what went right and what went wrong
- Through ongoing evaluation and improvement, an organization continually improves and strives for better outcomes

Conclusion
- Contingency planning and its various components (BIA, IRP, DRP and BCP) play a critical role in preparing for, detecting, reacting to and recovering from events, both human and natural, that threaten the security of information resources and assets.
- Success is then measured by achievement of the goal of delivering value to the customer within the reasonable business constraints imposed on the business, not by mindless adherence to the plan

Questions

References
- NIST. Special Publication 800-34: Contingency Planning Guide for Information Technology Systems. June 2002. Accessed Feb. 13, 2008 from http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf