You can create a single comprehensive issp document covering all information security issues.

About the Presentations

The presentations cover the objectives found in the opening of each chapter.

All chapter objectives are listed in the beginning of each presentation.

You may customize the presentations to fit your class needs.

Some figures from the chapters are included. A complete set of images from the book can be found on the Instructor Resources disc.

1

Principles of Incident Response and Disaster Recovery, 2nd Edition

Chapter 01

An Overview of Information

Security and Risk Management

2

2

Objectives

Define and explain information security

Identify and explain the basic concepts of risk management

List and discuss the components of contingency planning

Describe the role of information security policy in the development of contingency plans

Principles of Incident Response and Disaster Recovery, 2nd Edition

3

3

Introduction

Contingency planning

Being ready for incidents and disasters

Example: 1/10 of one percent of online users

Allows for two and a half million potential attackers

Example: World Trade Center (WTC) organizations

Had contingency plans due to February 1993 attack

Example: 2008 Gartner report

2/3 of organizations invoked plans in prior two years

Information security includes contingency planning

Ensures confidentiality, integrity, availability of data

Principles of Incident Response and Disaster Recovery, 2nd Edition

4

4

Information Security

Committee on National Security Systems (CNSS) information security definition

Protection of information and its critical elements

Includes systems and hardware storing, transmitting information

Part of the CNSS model (evolved from C.I.A. triangle)

Conceptual framework for understanding security

Information security (InfoSec)

Protection of confidentiality, integrity, and availability of information

In storage, during processing, and during transmission

Principles of Incident Response and Disaster Recovery, 2nd Edition

5

5

Key Information Security Concepts

Threat: object, person, other entity posing potential risk of loss to an asset

Asset: organizational resource being protected

Logical or physical

Attack: attempt to cause damage to or compromise information of supporting systems

Arises from a threat; intentional or unintentional

Threat-agent: threat instance

Specific and identifiable; exploits asset vulnerabilities

Principles of Incident Response and Disaster Recovery, 2nd Edition

6

6

Key Information Security Concepts (cont’d.)

Vulnerability

Flaw or weakness in system security procedures, design, implementation, internal controls

Results in security breach or security policy violation

Well-known or latent

Exercised accidently or intentionally

Exploit: caused by threat-agent

Can exploit system or information through illegal use

Can create an exploit to target a specific vulnerability

Control/safeguard/countermeasure: prevent attack

Principles of Incident Response and Disaster Recovery, 2nd Edition

7

7

Key Information Security Concepts (cont’d.)

Principles of Incident Response and Disaster Recovery, 2nd Edition

8

8

Key Information Security Concepts (cont’d.)

Trespass

Broad category of electronic and human activities

Can breach information confidentiality

Leads to unauthorized real or virtual actions

Results in unauthorized access to premises or system

Software attacks

Malicious code, malicious software, malware

Designed to damage, destroy, deny service to the target systems

Example: hackers

Principles of Incident Response and Disaster Recovery, 2nd Edition

9

9

Key Information Security Concepts (cont’d.)

Common malicious code instances

Viruses and worms, Trojan horses, logic bombs, bots, rootkits, back doors, denial-of-service (DoS) attack, distributed DoS (DDoS) attack

Malicious code threats: sources of confusion

Method of propagation, payload, vector of infection

Viruses

Segments of code that perform malicious actions

Macro virus: embedded automatically in macrocode

Boot virus: infects key operating systems files

Principles of Incident Response and Disaster Recovery, 2nd Edition

10

10

Key Information Security Concepts (cont’d.)

Worms

Replicate themselves constantly

No other program needed

Can replicate until available resources filled

Back doors and trap doors

Installed by virus or worm payload

Provides at will special privilege system access

Polymorphism

Threat changes apparent shape over time

Elude antivirus software detection

Principles of Incident Response and Disaster Recovery, 2nd Edition

11

11

Key Information Security Concepts (cont’d.)

Propagation vectors

Manner by which malicious code spreads can vary

May use social engineering: Trojan horse looks desirable, but is not

May leverage open network connection, file shares or software vulnerability

Malware hoaxes

Well-meaning people send random e-mails warning of fictitious dangerous malware

Wastes a lot of time and energy

Principles of Incident Response and Disaster Recovery, 2nd Edition

12

12

Key Information Security Concepts (cont’d.)

Human error or failure

Introduces acts performed by an authorized user

No malicious intent or purpose

Human error

Small mistakes produce extensive damage with catastrophic results

Human failure

Intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information

Principles of Incident Response and Disaster Recovery, 2nd Edition

13

13

Key Information Security Concepts (cont’d.)

Theft

Illegal taking of another’s property

Property: physical, electronic, intellectual

Includes acts of espionage and breach of confidentiality

Methods

Competitive intelligence or industrial espionage

Theft or loss of mobile devices

Phones, tablets, and computers

Stored information more important than devices

Principles of Incident Response and Disaster Recovery, 2nd Edition

14

14

Key Information Security Concepts (cont’d.)

Compromises to intellectual property

FOLDOC intellectual property (IP) definition

The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission but should always include proper credit to the source

Includes

Trade secrets, copyrights, trademarks, patents

Exfiltration, or unauthorized removal of information

Software piracy

Principles of Incident Response and Disaster Recovery, 2nd Edition

15

15

Key Information Security Concepts (cont’d.)

Sabotage or vandalism

Destroys asset or damages an organization’s image

Assault on an organization’s Web site

Cyberterrorism (more sinister hacking)

Technical software failures or errors

Software with unknown hidden faults

Code sold before security-related bugs detected

Trap doors

Helpful Web sites

Bugtraq and National Vulnerability Database

Principles of Incident Response and Disaster Recovery, 2nd Edition

16

16

Key Information Security Concepts (cont’d.)

Technical hardware failures or errors

Equipment distributed with known or unknown flaw

System performs outside expected parameters

Errors can be terminal or intermittent

Forces of nature

Known as force majeure, or acts of God

Pose most dangerous threats imaginable

Occur with very little warning

Principles of Incident Response and Disaster Recovery, 2nd Edition

17

17

Key Information Security Concepts (cont’d.)

Deviations in quality of service by service providers

Product or service not delivered as expected

Support systems interrupted by storms, employee illnesses, unforeseen events

Technological obsolescence

Antiquated or outdated infrastructure

Leads to unreliable and untrustworthy systems

Risk loss of data integrity from attacks

Principles of Incident Response and Disaster Recovery, 2nd Edition

18

18

Key Information Security Concepts (cont’d.)

Information extortion

Attacker or trusted insider steals information from a computer system

Demands compensation for its return or for an agreement to not disclose the information

Common in credit card number theft

Other threats

See Table 1-2

Principles of Incident Response and Disaster Recovery, 2nd Edition

19

19

Principles of Incident Response and Disaster Recovery, 2nd Edition

20

20

Overview of Risk Management

Risk management process

Identifying and controlling information asset risks

Security managers play the largest roles

Includes contingency planning

Risk identification process

Examining, documenting, and assessing the security posture of an organization’s IT and the risks it faces

Risk control process

Applying controls to reduce the risks

Principles of Incident Response and Disaster Recovery, 2nd Edition

21

21

Overview of Risk Management (cont’d.)

Principles of Incident Response and Disaster Recovery, 2nd Edition

22

22

Overview of Risk Management (cont’d.)

Risk management redefined

Process of identifying vulnerabilities and taking carefully reasoned steps to ensure the confidentiality, integrity, and availability of the information system

“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

- Chinese General Sun Tzu

Source: Oxford University Press

Principles of Incident Response and Disaster Recovery, 2nd Edition

23

23

Overview of Risk Management (cont’d.)

Know yourself

Identify, examine, and understand the information and systems currently in place

Asset: information and systems that use, store, and transmit information

Question to ask when protecting assets

What are they?

How do they add value to the organization?

To which vulnerabilities are they susceptible?

Have periodic review, revision, and maintenance of control mechanisms

Principles of Incident Response and Disaster Recovery, 2nd Edition

24

24

Overview of Risk Management (cont’d.)

Know the enemy

Identify, examine, and understand threats

Determine threat aspects affecting the organization and the security of the assets

List threats prioritized by importance

Conduct periodic management reviews

Verify completeness and accuracy of asset inventory

Review and verify identified threats and vulnerabilities

Review current controls and mitigation strategies

Review cost effectiveness and deployment issues

Verify ongoing effectiveness of every control

Principles of Incident Response and Disaster Recovery, 2nd Edition

25

25

Risk Identification

Identify, classify, and prioritize information assets

Threat identification process begins afterwards

Asset examined to identify vulnerabilities

Controls identified

Controls assessed

Regarding capability to limit possible losses should attack occur

Principles of Incident Response and Disaster Recovery, 2nd Edition

26

26

Principles of Incident Response and Disaster Recovery, 2nd Edition

27

27

Asset Identification and Value Assessment

Iterative process of identifying assets and assessing their value

Information asset classification

Classify with respect to security needs

Components must be specific for the creation of various priority levels

Components ranked according to criteria established by the categorization

Use comprehensive and mutually exclusive categories

Establish clear and comprehensive category sets

Principles of Incident Response and Disaster Recovery, 2nd Edition

28

28

Asset Identification and Value Assessment (cont’d.)

Information asset valuation

Is this asset the most critical to the organizations’ success?

Does it generate the most revenue?

Does it generate the most profit?

Would it be the most expensive to replace?

Will it be the most expensive to protect?

If revealed, would it cause the most embarrassment or greatest damage?

Does the law or other regulation require us to protect this asset?

Principles of Incident Response and Disaster Recovery, 2nd Edition

29

29

Asset Identification and Value Assessment (cont’d.)

Answers determine weighting criteria

Used for asset valuation and impact evaluation

Must decide criteria best suited to establish the information asset value

Perform weighted factor analysis

Calculates relative importance of each asset

Assign score from 0.1 to 1.0 for each critical factor

Assign each critical factor a weight from 1 to 100

Identify, document and add company-specific criteria

Principles of Incident Response and Disaster Recovery, 2nd Edition

30

30

Asset Identification and Value Assessment (cont’d.)

Principles of Incident Response and Disaster Recovery, 2nd Edition

31

31

Data Classification and Management (cont’d.)

Data classification schemes

Procedures requiring organizational data to be classified into mutually exclusive categories

Based on need to protect data category confidentiality

Military specialized classification ratings

“Public” to “For Official Use Only” to “Confidential“ to “Secret” to “Top Secret”

Principles of Incident Response and Disaster Recovery, 2nd Edition

32

32

Data Classification and Management (cont’d.)

Alternative information classification scheme

Public: for general public dissemination

For official use: Not particularly sensitive but not for public release

Sensitive: important to the business and could cause embarrassment or loss of market share if revealed

Classified: requires utmost security; disclosure could severely impact the organization

Personnel information security clearances

On a need-to-know basis

Principles of Incident Response and Disaster Recovery, 2nd Edition

33

33

Threat Identification

Conduct a threat assessment

Which threats present a danger to the organization’s assets in the given environment?

Which threats represent the most danger to the organization’s information?

Which threats would cost the most to recover from if there was an attack?

Which threats require the greatest expenditure to prevent?

Principles of Incident Response and Disaster Recovery, 2nd Edition

34

34

Vulnerability Identification

Review each asset and each threat it faces

Create list of vulnerabilities

Examine how each threat could be perpetrated

List organization’s assets and its vulnerabilities

Notes

Threat may yield multiple vulnerabilities

People with diverse backgrounds should participate

Principles of Incident Response and Disaster Recovery, 2nd Edition

35

35

Risk Assessment

Process of assigning a risk rating or score to each information asset

Goal

Determine relative risk of each vulnerability using various factors

Likelihood

Probability that a specific vulnerability will be successfully attacked

Many asset/vulnerability combinations have external references for likelihood values

Principles of Incident Response and Disaster Recovery, 2nd Edition

36

36

Valuation of Information Assets

Assign weighted scores for the value to the organization of each information asset

Re-ask questions described in the “Threat Identification” section

Which of these questions is most important to the protection of the organization’s information?

Examine how current controls can reduce risk faced by specific vulnerabilities

Impossible to know everything about each vulnerability

Principles of Incident Response and Disaster Recovery, 2nd Edition

37

37

Risk Determination

Risk = (likelihood of vulnerability x value) – percent of risk currently controlled + uncertainty of assumptions

Qualitative Risk Management

General categories and ranking used to evaluate risk

Factor Analysis of Information Risk (FAIR) strategy

Promoted by CXOWARE

Residual risk

Remaining risk after control applied

Principles of Incident Response and Disaster Recovery, 2nd Edition

38

38

Identify Possible Controls

Controls, safeguards, and countermeasures

Represent security mechanisms, policies, and procedures that reduce risk

Three types of security policies

Enterprise information security policy

Issue-specific policies

Systems-specific policies

Programs

Activities performed within the organization to improve security

Principles of Incident Response and Disaster Recovery, 2nd Edition

39

39

Risk Control Strategies

Defense approach (preferred approach)

Attempts to prevent vulnerability exploitation

Risk defense methods

Defense through application of policy

Defense through training and education programs

Defense through technology application

Usually requires technical solutions

Eliminate asset exposure

Attempt to reduce risk to an acceptable level

Principles of Incident Response and Disaster Recovery, 2nd Edition

40

40

Risk Control Strategies (cont’d.)

Implement security controls and safeguards

Deflect attacks to minimize the successful probability

Transference

Attempts to shift risk to other assets, processes, organizations

Rethink how services offered

Revise deployment models

Outsource to other organizations

Purchase insurance

Implement service contracts with providers

Principles of Incident Response and Disaster Recovery, 2nd Edition

41

41

Risk Control Strategies (cont’d.)

Mitigation

Attempts to reduce impact caused by the vulnerability exploitation

Through planning and preparation

Includes contingency planning

Business impact analysis

Incident response plan

Disaster recovery plan

Business continuity plan

Requires quick attack detection and response

Relies on existence and quality of the other plans

Principles of Incident Response and Disaster Recovery, 2nd Edition

42

42

Risk Control Strategies (cont’d.)

Acceptance

Do nothing to protect an information asset

Accept the outcome of its potential exploitation

Only valid when the organization has:

Determined the level of risk

Assessed the probability of attack

Estimated potential damage that could occur

Performed a thorough cost-benefit analysis

Evaluated controls

Decided asset did not justify the cost of protection

Principles of Incident Response and Disaster Recovery, 2nd Edition

43

43

Risk Control Strategies (cont’d.)

Termination

Difference from acceptance

Remove asset from the environment representing risk

Two main reasons

Cost of protecting an asset outweighs its value

Too difficult or expensive to protect asset compared to value or advantage asset offers

Termination must be a conscious business decision

Not simple asset abandonment

Principles of Incident Response and Disaster Recovery, 2nd Edition

44

44

Contingency Planning and Its Components

Contingency plan

Used to anticipate, react to, and recover from events threatening events

Restores organization to normal modes of business operations

Four subordinate functions

Business impact assessment (BIA)

Incident response planning (IRP)

Disaster recovery planning (DRP)

Business continuity planning (BCP)

Principles of Incident Response and Disaster Recovery, 2nd Edition

45

45

Business Impact Analysis

Business impact analysis (BIA)

Investigation and assessment of the impact of attacks

Adds detail to prioritized threat and vulnerability list created in the risk management process

Provides detailed scenarios of potential impact of each type of attack

Principles of Incident Response and Disaster Recovery, 2nd Edition

46

46

Incident Response Plan

Incident

Any clearly identified attack on assets

Incident response plan (IRP)

Deals with the identification, classification, response, and recovery from an incident

Assesses the likelihood of imminent damage

Informs key decision makers

Enables the organization to take coordinated action

Principles of Incident Response and Disaster Recovery, 2nd Edition

47

47

Disaster Recovery Plan

Preparation for and recovery from natural or man-made disaster

Includes:

Preparations for the recovery process

Strategies to limit losses during the disaster

Detailed steps to follow after immediate danger

Focus

Preparation before the incident

Actions taken after the incident

Principles of Incident Response and Disaster Recovery, 2nd Edition

48

48

BCP and BRP

Business continuity plan (BCP)

Expresses how to ensure critical business functions continue at an alternate location

After catastrophic incident or disaster

Used when DRP cannot restore primary site operations

Most strategic and long-term plan

Business resumption plan (BRP)

Emerging new concept in contingency planning

Merges the DRP and BCP into a single process

Principles of Incident Response and Disaster Recovery, 2nd Edition

49

49

Contingency Planning Timeline

Steps in contingency planning

IR plan focuses on immediate response

May move to DRP and BCP if disastrous

DR plan focuses on restoring systems at original site

BC runs concurrently with DRP

When major or long-term damage occurs

IRP, DRP, and BCP distinction

When each comes into play during the incident

Principles of Incident Response and Disaster Recovery, 2nd Edition

50

50

Principles of Incident Response and Disaster Recovery, 2nd Edition

51

51

Principles of Incident Response and Disaster Recovery, 2nd Edition

52

52

Contingency Planning Timeline (cont’d.)

Seven steps in NIST SP 800-34, Revision 1

Principles of Incident Response and Disaster Recovery, 2nd Edition

53

53

Role of Information Security Policy in Developing Contingency Plans

Policy needs to enforce information protection requirements

Before, during, and after incident

Quality security programs

Begin and end with policy

Information security

A management problem

Difficulties in shaping policy

Must never conflict with laws; must stand up in court if challenged; must be properly administered

Principles of Incident Response and Disaster Recovery, 2nd Edition

54

54

Key Policy Definitions

Policy

Plan or course of action

Conveys instructions from senior management to those who make decisions, take action, perform duties

Organizational law

Dictates acceptable and unacceptable behavior

Defines penalties for violations

Standard

Detailed statement of what must be done to comply

De facto standard (informal standard)

De jure standard (formal standard)

Principles of Incident Response and Disaster Recovery, 2nd Edition

55

55

Principles of Incident Response and Disaster Recovery, 2nd Edition

56

56

Key Policy Definitions (cont’d.)

Mission

Written statement of an organization’s purpose

Vision

Written statement about organization’s goals

Strategic planning

Process of moving organization toward its vision

Information security policy

Provides rules for protecting information assets

Enterprise information security policy, issue-specific security policy, systems-specific security policy

Principles of Incident Response and Disaster Recovery, 2nd Edition

57

57

Enterprise Information Security Policy

Enterprise information security policy (EISP)

Based on and directly supports the mission, vision, and direction of the organization

Executive-level

Sets strategic direction, scope, and tone for all security efforts

Contains requirements to be met

Defines purpose, scope, constraints, and applicability

Assigns responsibilities

Addresses legal compliance

Principles of Incident Response and Disaster Recovery, 2nd Edition

58

58

Issue-Specific Security Policy

Issue-specific security policy (ISSP)

Addresses specific areas of technology

Three common approaches to creating ISSPs

Independent ISSP documents, each tailored to a specific issue

A single comprehensive ISSP document covering all issues

Modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements

Principles of Incident Response and Disaster Recovery, 2nd Edition

59

59

Principles of Incident Response and Disaster Recovery, 2nd Edition

60

60

Issue-Specific Security Policy (cont’d.)

Statement of policy

Defines scope, responsibility for implementation, technologies and issues being addressed

Authorized access and usage of equipment

Addresses who can use technology and for what it can be used

Defines “fair and responsible use”

Addresses key legal issues

Prohibited usage of equipment

Outlines what technology cannot be used for

Principles of Incident Response and Disaster Recovery, 2nd Edition

61

61

Issue-Specific Security Policy (cont’d.)

Systems management

Focuses on users’ relationship to management

Violations of policy

Specifies penalties and how to report violations

Policy review and modification

Procedures and a timetable for periodic review so users do not circumvent it as it grows obsolete

Limitations of liability

States company will not protect user and is not liable for their actions

Principles of Incident Response and Disaster Recovery, 2nd Edition

62

62

Systems-Specific Policy

Systems-specific security policies (SysSPs)

Standards and procedures used when configuring or maintaining systems

Access control lists (ACLs)

Govern rights and privileges of particular users to particular systems

Configuration rules

Specific configuration codes entered into security systems

Principles of Incident Response and Disaster Recovery, 2nd Edition

63

63

Systems-Specific Policy (cont’d.)

ACL policies

Translated into configuration sets

Controls access to systems

Regulate the who, what, when, and where of access

ACL rules

Known as capability tables, user profiles, user policies

Specify what a user can and cannot do with resources

Rule policies

More specific than ACLs

May or may not deal with users directly

Principles of Incident Response and Disaster Recovery, 2nd Edition

64

64

Policy Management

Policies

Constantly changing and growing

Must be properly disseminated

Security policies must have the following

Individual responsible for creation, revision, distribution, and storage

Schedule of reviews

Mechanism for recommendations for revisions

Policy/revision date; possibly “sunset” expiration date

Policy management software (optional)

Principles of Incident Response and Disaster Recovery, 2nd Edition

65

65

Summary

Information security protects information and its critical elements

C.I.A. triangle: basis for CNSS model

Threat: entity posing potential for loss to an asset

Asset: has value to the organization

Vulnerability: weakness in protection mechanisms

Risk management process: identify vulnerabilities and taking steps to protect assets

Principles of Incident Response and Disaster Recovery, 2nd Edition

66

66

Summary (cont’d.)

Risk identification: process of identifying risks

Risk control: applying controls to reduce risk

Contingency planning: avoidance, transference, mitigation, acceptance strategies

Business impact analysis: assess attack type impact

Incident response plan: actions taken when an incident in progress

Disaster recovery plan: preparation for and recovery from a disaster

Principles of Incident Response and Disaster Recovery, 2nd Edition

67

67

Summary (cont’d.)

Business continuity plan: ensures critical business functions continue after a disaster

Policies: organizational laws dictating behavior

Enterprise information security policy: sets strategic scope, direction, tone

Issue-specific security policy: addresses specific areas of technology

Systems-specific security policy: used when configuring or maintaining systems

Principles of Incident Response and Disaster Recovery, 2nd Edition

68

68

Applied Sciences

Architecture and Design

Biology

Business & Finance

Chemistry

Computer Science

Geography

Geology

Education

Engineering

English

Environmental science

Spanish

Government

History

Human Resource Management

Information Systems

Law

Literature

Mathematics

Nursing

Physics

Political Science

Psychology

Reading

Science

Social Science

Home

Blog

Archive

Contact

google+twitterfacebook

Copyright © 2019 HomeworkMarket.com