Contingency Planning, Disaster Recovery, and Risk Assessments Lesson 23


Page 1

Contingency Planning, Disaster Recovery, and Risk Assessments

Lesson 23

Page 2

Some Terminology

• Nondisasters: Disruptions in service stemming from system malfunction or other failure. Requires action to recover to operational status in order to resume service.

• Disasters: Disruptions causing the entire facility to be inoperative for a lengthy period of time, usually more than one day. Requires action to recover operational status, usually the use of an alternate processing facility.

• Catastrophes: Major disruptions entailing the destruction of the data processing facility. Short-term and long-term fallback is required. An alternate processing facility is needed to satisfy immediate operational needs, as in the case of a disaster.

Page 3

Disaster Recovery

• A disaster recovery plan is often called a "business continuity plan" because the most important goal is to enable your company to remain in business.

• To determine your risk of a major disaster, ask yourself the following questions:
  • What would you do if your employees couldn’t get to work?
  • What would happen if your customers couldn’t reach you for a few hours, days or even weeks?
  • How would you deal with the loss of critical business data?
  • Does your location frequently experience flash flooding, hurricanes, or tornadoes?

Page 4

Business Continuity

• The key phrase in business continuity is "reduce risk"—meaning to prepare for any event that could jeopardize your business’ ability to operate.

• If disaster strikes, companies have everything to lose—critical data, profits, and information, all of which are critical assets in any company.

• A solid business continuity plan will ensure that your business can carry on as usual.

Page 5

#1 Priority

• “The number-one priority of all business continuity and disaster planning is always this: people first. While we talk about preservation of capital, resumption of normal business processing activities, and other business continuity issues, the main overriding concern of all plans is to get the personnel out of harm’s way. If there is at any time a conflict between preserving hardware or data and the threat of physical danger to personnel, the protection of the people always comes first. Personnel evacuation and safety must be the first element of a disaster response plan.”

Page 6

Prime Elements of BCP Process

• Scope and Plan Initiation
  • This phase marks the beginning of the BCP process.
  • It entails creating the scope and the other elements needed to define the parameters of the plan.

• Business Impact Assessment
  • A BIA is a process used to help business units understand the impact of a disruptive event.
  • This phase includes the execution of a vulnerability assessment.

Page 7

Prime Elements of BCP Process

• Business Continuity Plan Development
  • Refers to using the information collected in the BIA to develop the actual business continuity plan.
  • Includes the areas of plan implementation, plan testing, and ongoing plan maintenance.

• Plan Approval and Implementation
  • Involves getting the final senior management sign-off, creating enterprise-wide awareness of the plan, and implementing a maintenance procedure for updating the plan as needed.

Page 8

Business Impact Assessment

• The purpose of the BIA is to create a document to be used to help understand what impact a disruptive event would have on the business.

• A “criticality survey” is a standardized questionnaire or survey methodology, such as the INFOSEC Assessment Method (IAM). Its purpose is to help identify the most critical business functions by gathering input from management personnel in the various business units.

Page 9

Determining what’s critical

• One important task is to determine what assets are critical.

• Many texts have sample questionnaires that can be used to help an organization determine what is critical:
  • How long can the organization survive without the asset?
  • What would be the loss to the organization should the asset be lost
    – For 1 day? For 3 days? For a week? For a month?
    – Loss in terms of lost revenue, clients, sales, fines/penalties, and/or additional expenses
  • What other negative impacts might occur?

Page 10

NSA INFOSEC Assessment Methodology

• The IAM is conducted in 3 phases:
  • Pre-assessment phase: The team defines the customer’s needs, begins to identify the system, its boundaries, and the criticality of the information, and begins to write the assessment plan. This phase normally takes about 2 to 4 weeks.
  • On-site phase: Explore and confirm the conclusions made during phase I, gather data and documentation, conduct interviews, and provide an initial analysis. This phase takes about 1 to 2 weeks.
  • Post-assessment phase: Finalize the analysis and prepare and distribute the report and recommendations. This phase can take from 2 to 8 weeks.

• The heart of the IAM is the creation of the Organizational Criticality Matrix. In this chart, all relevant automated systems are assigned impact attributes (high, med, low) based on their estimated effect on Confidentiality, Integrity, and Availability, and criticality to the organization.

Page 11

Business Continuity

• “The survival of most organizations in today’s environment is dependent on the continuity and preservation of essential requirements”

• Disruption or impairment of certain necessities can affect the health of the enterprise.

• Lengthy disruptions can undermine the continuity of the business.

• Planning for disruption requires the establishment of strategies to minimize its effects and ensure timely resumption of business operations.

Page 12

Continuity Strategy

• The BCP strategy should include several elements, including consideration of:
  • Computing: A strategy needs to be defined to preserve the elements of hardware, software, communication media, applications, and data.
  • Facilities: The strategy needs to address the use of the main buildings or campus and any remote facilities.
  • People: Operators, management, and technical support personnel will have defined roles in implementing the continuity strategy.
  • Supplies and equipment: Paper, forms, HVAC, or specialized security equipment must be defined as they apply to the continuity plan.

Page 13

Disaster Recovery Planning

• “A comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss of information systems resources.

• Disaster Recovery Plans are the procedures for responding to an emergency, providing extended backup operations during the interruption, and managing recovery and salvage processes afterwards, should an organization experience a substantial loss of processing capability.”

Page 14

BCP vs. DRP

• “Obviously, these two concepts are so close as to allow combining them into one domain.
  • There are some differences, however. Basically:
    • BCP is the process of making the plans that will ensure that critical business functions can withstand a variety of emergencies.
    • DRP involves making preparations for a disaster, but also addresses the procedures to be followed during and after a loss.”

• Think “focus”:
  • BCP: “What do I need to do to keep the business going?”
  • DRP: “What do we need to do in case of <this> disaster?”
  • The answer to both questions MAY be the same.

Page 15

Backup vs. Contingency Planning

• Backup strategies focus on alternatives for short-term and component failures.

• Contingency (continuity) Planning describes a more formal methodology for longer-term outages and disasters.

Page 16

How extensive should the plans be?

• “While it is incumbent upon management to plan for chance events, particularly where the events might seriously endanger the well-being of the enterprise, it must also be recognized that it is impossible to protect against all contingencies.

• At best, contingency planning should provide reasonable security within the economic constraints mandated by the nature of the processes performed.”

Page 17

Basic Elements of Contingency Plans

• Define Contingency (continuity) Planning Goals

• Identify and preserve vital records/data

• Develop (and test) emergency response guidelines and procedures

Page 18

Transaction Redundancy

• Useful for more than just continuity planning.

• Electronic Vaulting: the transfer of backup data to an off-site location. This is primarily a batch process of dumping the data through communications lines to a server at an alternate location.

• Remote journaling: the parallel processing of transactions to an alternate site, as opposed to a batch dump process like electronic vaulting. A communications line is used to transmit live data as it occurs. This allows the alternate site to be fully operational at all times and introduces a very high level of fault tolerance.

• Database shadowing: uses the live processing of remote journaling, but creates even more redundancy by duplicating the database sets to multiple servers.

Page 19

Backup Requirements

• Hardware
  • Hot sites – fully configured and ready to operate within a few hours.
  • Warm sites – partially configured (usually with peripherals but not the main computer, or maybe with a smaller CPU). After installation of the required computer the site will be ready to process within hours. Installation of the computer can take days, however.
  • Cold sites – Basic environmental controls only. Ready to receive equipment but does not have any components on site in advance. Activation may take weeks.

Page 20

Backup Requirements

• Software and Information Backup
  • On-site local backup – fire-resistant safe located on site with most recent backups.
  • Off-site local backup – fire-resistant vault located in another building but within a few miles. Used to store backup files changed on a weekly basis.
  • Off-site remote backup – fire-resistant vault located at least 5 miles from site. Used to retain remaining backup files in active use for more than a week.
  • Archival storage – underground, fire-resistant and earthquake-resistant storage facility located at least 50 miles from site. Used to house permanent records.

Page 21

Some other considerations

• Multiple Centers (processing is spread over several operations centers, each capable of conducting the services by itself)

• Third-party (subscription services) hot, warm, or cold sites.

• Mobile Backup sites (computer-ready trailers that can be set up in a subscriber’s parking lot following a disaster)

• Mutual aid agreements

• RAID

Page 22

RAID

• Redundant Array of Independent (Inexpensive) Disks

• Idea is to combine multiple inexpensive disk drives into an array of disk drives to obtain performance, capacity, and reliability that exceeds that of a single large drive

Page 23

• RAID 0: “striped” disk drives without parity or data redundancy.

• RAID 1: Disk mirroring

• RAID 2: Sector-stripe with some drives assigned to store error correcting code information.
  • No significant advantage over RAID 1, so usually not supported.

• RAID 3: Sector-stripe with one drive in the group dedicated to storing parity information

• RAID 4: Identical to RAID 3 but large stripes used. No real advantage over RAID 3.

• RAID 5: Rotating Parity Array, avoids write bottleneck caused by dedicating a single drive to parity checks.
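To make the difference between RAID 3's dedicated parity drive and RAID 5's rotating parity concrete, here is an added Python example (not from the lecture) that stripes fixed-size blocks across N drives with XOR parity, moves the parity block to a different drive on each stripe, and reconstructs a failed drive from the survivors. The 4-byte block size and the sample data are constructed for readability.

```python
from typing import List, Optional

BLOCK = 4  # bytes per block; constructed for readability (real stripe units are KiB-sized)

def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks: the parity function behind RAID 3, 4 and 5."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)

def raid5_write(data: bytes, drives: int) -> List[List[bytes]]:
    """Stripe `data` across `drives` disks with one parity block per stripe.
    Stripe k keeps its parity on drive (drives - 1 - k) % drives, so parity writes
    rotate across all disks instead of hitting one dedicated drive (RAID 3/4)."""
    padded = data.ljust(-(-len(data) // BLOCK) * BLOCK, b"\0")
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    per_stripe = drives - 1
    disks: List[List[bytes]] = [[] for _ in range(drives)]
    for k in range(0, len(blocks), per_stripe):
        stripe = blocks[k:k + per_stripe]
        stripe += [b"\0" * BLOCK] * (per_stripe - len(stripe))  # pad the last stripe
        parity_drive = (drives - 1 - k // per_stripe) % drives
        data_blocks = iter(stripe)
        for d in range(drives):
            disks[d].append(xor_blocks(stripe) if d == parity_drive else next(data_blocks))
    return disks

def raid5_rebuild(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Recreate a failed drive: in every stripe the missing block (data or parity)
    is the XOR of the surviving drives' blocks in that stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]

def raid5_read(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the logical data by skipping each stripe's rotating parity block."""
    drives = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_drive = (drives - 1 - s) % drives
        out += b"".join(disks[d][s] for d in range(drives) if d != parity_drive)
    return bytes(out[:length])
```

Losing a second drive before the rebuild finishes leaves a stripe with two unknown blocks and one XOR equation, which is why RAID alone is a hardware-availability measure and not a substitute for the off-site backups on the following slides.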

Page 24

Page 25

Plan Testing

• Plans often become dated; they require periodic maintenance.

• Testing the plan is very important!!
  • A tape backup system cannot be considered working until full restoration tests have been conducted – otherwise, how do you know it will work?

• A test plan should be developed and conducted on a periodic and regular basis.
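The slide's point that a backup cannot be considered working until it has actually been restored can be automated. The Python below is an added example, not from the lecture: it writes a few constructed files, backs them up to a tar archive while recording a SHA-256 manifest of the live files, restores into scratch space and checks every file against the manifest, then flips one byte of the archive (as a degraded tape or disk might) and shows the same test catching it even though the original backup job "succeeded".

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive every file under `src`; return {relative path: sha256} of the live files."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(x for x in src.rglob("*") if x.is_file()):
            rel = p.relative_to(src).as_posix()
            manifest[rel] = sha256(p)
            tar.add(p, arcname=rel)
    return manifest  # store this separately from the archive it describes

def restore_and_verify(archive: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Restoration test: extract to scratch space, compare every file with the manifest."""
    problems = {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kw)
        except Exception as e:  # any read/decompression failure is a failed restore
            return {"<archive>": f"unreadable: {type(e).__name__}"}
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                problems[rel] = "missing after restore"
            elif sha256(restored) != expected:
                problems[rel] = "content differs from manifest"
    return problems  # empty dict = the backup really restores

def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Back up constructed files, verify, then corrupt one archive byte and verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data", "notes"); src.mkdir(parents=True)
        (src.parent / "ledger.csv").write_text("id,amount\n1,250.00\n2,99.95\n")
        (src / "call-tree.txt").write_text("DR call tree v3 (constructed sample)\n")
        archive = Path(work, "backup.tar.gz")
        manifest = make_backup(src.parent, archive)
        clean = restore_and_verify(archive, manifest)
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(data)
        corrupt = restore_and_verify(archive, manifest)
    return clean, corrupt
```

The same `restore_and_verify` step belongs in the periodic test plan the slide calls for: run it against a copy retrieved from the off-site location, not against the archive still sitting on the server that wrote it.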

Page 26

Risk Management

• Risk Assessment
• Risk Mitigation
• Security Management
• Security Auditing
• Corrective Actions

Page 27

Key questions at core of RM

• What could happen (threat event)?

• If it happened, how bad could it be (threat impact)?

• How often could it happen (threat frequency)?

• How certain are the answers to the first 3 questions (recognition of uncertainty)?
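The four questions can be carried through quantitatively. The Python below is an added illustration, not from the lecture: each threat event carries a low/most-likely/high range for impact per event and for events per year (the ranges are where uncertainty is recognised), a Monte Carlo run combines them into an annual-loss distribution, and the 5th-to-95th percentile band shows how little a single expected-loss figure says about a rare, severe event. Scenario names and numbers are constructed.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass
class Scenario:
    """One threat event with its answers to the RM questions, uncertainty kept as ranges."""
    name: str          # what could happen (threat event)
    impact: tuple      # how bad: (low, most likely, high) loss per event
    frequency: tuple   # how often: (low, most likely, high) events per year

def tri(rng: random.Random, low_likely_high: tuple) -> float:
    low, likely, high = low_likely_high
    return rng.triangular(low, high, likely)  # stdlib argument order is (low, high, mode)

def annual_loss_samples(s: Scenario, runs: int, seed: int) -> list:
    """Simulate `runs` years: draw how many events occur, then a loss for each one."""
    rng = random.Random(seed)
    samples = []
    for _ in range(runs):
        events = tri(rng, s.frequency)
        # fractional rates (0.2 events/yr) become a chance of one extra event that year
        n = int(events) + (1 if rng.random() < events - int(events) else 0)
        samples.append(sum(tri(rng, s.impact) for _ in range(n)))
    return samples

def summarize(s: Scenario, runs: int = 20000, seed: int = 1) -> dict:
    """Point estimate plus a 5th-95th percentile band; the band answers question 4."""
    samples = sorted(annual_loss_samples(s, runs, seed))
    p5, p95 = samples[runs // 20], samples[runs * 19 // 20]
    mean = statistics.fmean(samples)
    return {"scenario": s.name, "expected_annual_loss": mean, "p5": p5, "p95": p95,
            "uncertainty": (p95 - p5) / mean if mean else 0.0}

# Constructed scenarios with similar expected loss but very different confidence.
SCENARIOS = [
    Scenario("Disk failure in primary array", (2_000, 5_000, 10_000), (1.0, 2.0, 3.0)),
    Scenario("Regional flood closes the facility", (20_000, 80_000, 350_000), (0.0, 0.02, 0.2)),
]

def rank_by_uncertainty() -> list:
    """Least-certain estimates first: that is where better data or a wider plan is needed."""
    return sorted((summarize(s) for s in SCENARIOS), key=lambda r: -r["uncertainty"])
```

Both constructed scenarios come out near the same expected annual loss, yet the flood's typical year costs nothing and its bad year costs an order of magnitude more than the mean, which is exactly the information a single "how bad times how often" number hides.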

Page 28

What are security assessments

• Assessments are an examination of your current security posture

• Good mechanism to find and fix your holes before someone else finds them

• Keep in mind – someone else is looking for your security holes even if you aren’t

Page 29

What are security assessments

• Three common terms for security assessments

• Security Audit

• Risk Assessment

• Penetration Test

Page 30

What are security assessments

• Security Audit
  • More of a compliance check
  • Checklists and standards
  • Policies and procedures
  • Backups
  • Verification
    • Are you doing what you are supposed to be doing?
  • BS 7799 (British Standards Institute Code of Practice for Information Security Management)
    • Controls and practices

Page 31

What are security assessments

• Risk Assessment
  • Often more of an ‘academic’ exercise
  • Weighs likelihood against impact
  • Weighs cost against benefit
  • Much more business oriented

Page 32

What are security assessments

• Penetration Test
  • Looks for security vulnerabilities
    • Unpatched operating system or application
    • Known security holes
    • Accounts with weak or no passwords
  • Examines impact of discovered vulnerabilities
  • Targets digital, physical, and personnel (social engineering) security
  • Hands-on test of your security
  • More thorough and effective

Page 33

Phases of a pen test

• Information gathering
  • Open source (may include SE)
  • Electronic (scans and probes)
    • Goal is enumeration – determining the systems, their OS and the services they are running

• Vulnerability research

• Attempted penetration
  • If user level is obtained, attempt to escalate

• Documentation and Report generation

Page 34

Vulnerability Assessment

• Another term you will hear; it generally refers to:
  • An external penetration test
  • An internal test
  • A review of the organization’s policies, procedures, and training.

• Result is a report listing the vulnerabilities and, hopefully, the fixes for them.