Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 4482: Computer Security Management: Assessment and Forensics

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "CSE 4482: Computer Security Management: Assessment and Forensics"— Presentation transcript:

1 CSE 4482: Computer Security Management: Assessment and Forensics
Instructor: Suprakash Datta (datta[at]cse.yorku.ca) ext 77875 Lectures: Tues (CB 122), 7–10 PM Office hours: Wed 3-5 pm (CSEB 3043), or by appointment. Textbooks: 1. "Management of Information Security", M. E. Whitman, H. J. Mattord, Nelson Education / CENGAGE Learning, 2011, 3rd Edition 2. "Guide to Computer Forensics and Investigations", B. Nelson, A. Phillips, F. Enfinger, C. Steuart, Nelson Education / CENGAGE Learning, 2010, 4th Edition. 4/17/2017 1

2 Expected learning outcomes
Upon completion, you should be able to: Identify the roles in organizations that are active in the planning process Explain the principal components of information security system implementation planning in the organizational planning scheme Differentiate between strategic organizational InfoSec and specialized contingency planning Describe the unique considerations and relationships between strategic and contingency plans Many of these slides are adapted from the authors Management of Information Security, 3rd Edition 2

3 Planning Computing a path towards a goal Resemblance with game-playing Plan for expected and unlikely scenarios Risk assessment and management is a big part of security management planning (ch 8,9,10)

4 Introduction High-level view of planning
Figure 2-1 Information Security and Planning Management of Information Security, 3rd Edition Source: Course Technology/Cengage Learning 4

5 Successful organizations utilize planning Planning involves
The Role of Planning Successful organizations utilize planning Planning involves Employees Management Stockholders Other outside stakeholders The physical and technological environment The political and legal environment The competitive environment Management of Information Security, 3rd Edition 5

6 The Role of Planning (cont’d.)
Strategic planning includes: Vision statement Mission statement Strategy Coordinated plans for sub units Knowing how the general organizational planning process works helps in the information security planning process Why are these needed? Management of Information Security, 3rd Edition 6

7 Establishes organizational principles
Values Statement Establishes organizational principles Makes organization’s conduct standards clear RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments The values, vision, and mission statements together provide the foundation for planning Management of Information Security, 3rd Edition 7

8 The vision statement expresses what the organization wants to become
Vision statements should be ambitious(?) Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use Management of Information Security, 3rd Edition 8

9 Mission Statement Mission statement
Declares the business of the organization and its intended areas of operations Explains what the organization does and for whom Random Widget Works, Inc. designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments Management of Information Security, 3rd Edition 9

10 Figure 2-2 Microsoft’s Mission and Values Statement
Management of Information Security, 3rd Edition Source: Course Technology/Cengage Learning

11 Strategic Planning (Ch 2)
Strategy is the basis for long-term direction Strategic planning guides organizational efforts Focuses resources on clearly defined goals “… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.” Management of Information Security, 3rd Edition 11

12 Creating a Strategic Plan
An organization develops a general strategy Then creates specific strategic plans for major divisions Each level or division translates those objectives into more specific objectives for the level below In order to execute this broad strategy executives must define individual managerial responsibilities Management of Information Security, 3rd Edition 12

13 Top-down vs bottom-up Top down advantages Bottom-up advantages
Management support, funding Better coordination and cohesion accountability Bottom-up advantages Comes from technical people

14 Top-down vs bottom-up contd.
Figure 2-9 Approaches to security implementation Management of Information Security, 3rd Edition Source: Course Technology/Cengage learning 14

15 Strategic goals are translated into tasks
Planning Levels Strategic goals are translated into tasks Objectives should be specific, measurable, achievable, reasonably high and time-bound (SMART) Strategic planning then begins a transformation from general to specific objectives Management of Information Security, 3rd Edition 15

16 Planning Levels (cont’d.)
Figure 2-4 Planning Levels Management of Information Security, 3rd Edition Source: Course Technology/Cengage Learning 16

17 Planning Levels (cont’d.)
Tactical Planning Has a shorter focus than strategic planning Usually one to three years Breaks applicable strategic goals into a series of incremental objectives Management of Information Security, 3rd Edition 17

18 Planning Levels (cont’d.)
Operational Planning Used by managers and employees to organize the ongoing, day-to-day performance of tasks Includes clearly identified coordination activities across department boundaries such as: Communications requirements Weekly meetings Summaries Progress reports Management of Information Security, 3rd Edition 18

19 Information Security Governance
Governance of information security is a strategic planning responsibility Importance has grown in recent years Information security objectives must be addressed at the highest levels of an organization's management team To be effective and offer a sustainable approach Management of Information Security, 3rd Edition 19

20 Implementing Information Security Governance
Figure 2-6 General Governance Framework Management of Information Security, 3rd Edition Source: IDEAL is a service mark of Carnegie Mellon University 20

21 Implementing Information Security Governance (cont’d.)
Figure 2-7 The IDEAL model governance framework Management of Information Security, 3rd Edition Source: IDEAL is a service mark of Carnegie Mellon University 21

22 Planning For Information Security Implementation
CISO Job Description Creates a strategic information security plan with a vision for the future of information security Understands the fundamental business activities and suggests appropriate information security solutions to protect these activities Develops action plans, schedules, budgets, and status reports Management of Information Security, 3rd Edition 22

23 Security Systems Development Life Cycle
An SDLC is a methodology for the design and implementation of an information system SDLC-based projects may be initiated by events or planned At the end of each phase, a review occurs to determine if the project should be continued, discontinued, outsourced, or postponed Management of Information Security, 3rd Edition 23

24 Introduction to SecSDLC
SecSDLC methodology is similar to SDLC Identification of specific threats and associated risks Design and implementation of specific controls to counter those threats and manage risks posed to the organization Management of Information Security, 3rd Edition 24

25 Introduction to the SecSDLC - contd.
Investigation directive from management specifying the process, outcomes, and goals of the project and its budget Teams assembled to analyze problems, define scope, specify goals and identify constraints Feasibility analysis: resources, commitment Analysis existing security policies and programs, known threats and current controls relevant legal issues that could affect the design of the security solution Management of Information Security, 3rd Edition 25

26 Introduction to the SecSDLC - contd.
Analysis (cont’d.) Risk management identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the information stored and processed by the organization A threat is an object, person, or other entity that represents a constant danger to an asset Management of Information Security, 3rd Edition 26

27 Risks An attack An exploit A vulnerability
A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system Accomplished by a threat agent that damages or steals an organization’s information or physical assets An exploit A technique or mechanism used to compromise a system A vulnerability An identified weakness of a controlled system in which necessary controls that are not present or are no longer effective Management of Information Security, 3rd Edition 27

28 Table 2-1 Threats to Information Security
Threat types.) Table 2-1 Threats to Information Security Management of Information Security, 3rd Edition Source: Course Technology/Cengage Learning (adapted from Whitman, 2003) 28

29 Common Attacks Malicious code (viruses, worms, Trojan horses, spyware, bots, adware) Back doors Password crack (Brute force, Dictionary) Denial-of-service (DoS) and distributed denial-of-service (DDoS) (zombie) Social engineering (phishing) Buffer overflow DNS cache poisoning (pharming)

30 Common Attacks - contd Spoofing (ingress filtering, egress filtering) Man-in-the-middle (TCP hijacking) Spam Mail bombing Sniffer Timing Hoaxes

31 Planning to protect against attacks
Prioritize the risk posed by each category of threat Identify and assess the value of your information assets Assign a comparative risk rating or score to each specific information asset Design and implementation of SecSDLC : read on your own

32 Figure 2-11 Maintenance model
Maintaining Security Figure 2-11 Maintenance model Source: Course Technology/Cengage learning 32

33 Components of organizational planning Information security governance
Summary Introduction Components of organizational planning Information security governance Planning for information security implementation Introduction to the security systems development life cycle Management of Information Security, 3rd Edition 33

34 Ch 3: Contingency planning
Plan for unexpected scenarios When the use of technology is disrupted and business operations come close to a standstill Procedures are required to permit the organization to continue essential functions if information technology support is interrupted Over 40% of businesses that don't have a disaster plan go out of business after a major loss What scenarios should a company plan for? Management of Information Security, 3rd Edition 34

35 Upon completion of this material, you should be able to:
Objectives Upon completion of this material, you should be able to: Recognize the need for contingency planning Describe the major components of contingency planning Create a simple set of contingency plans, using business impact analysis Prepare and execute a test of contingency plans Explain the combined contingency plan approach Management of Information Security, 3rd ed. 35

36 Contingency Planning fundamentals
Contingency planning (CP) The overall planning for unexpected events preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets Main goal The restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event Management of Information Security, 3rd ed. 36

37 Components of Contingency Planning
Figure 3-1 Contingency planning hierarchies Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 37

38 Contingency Planning Incident response planning (IRP)
immediate response Disaster recovery planning (DRP) restoring operations at the primary site after disasters Business continuity planning (BCP) establishment of operations at an alternate site To ensure continuity planners should Identify the mission- or business-critical functions and the resources that support them Select contingency planning strategies Implement the selected strategy Test and revise contingency plans Management of Information Security, 3rd ed. 38

39 Contingency Planning - contd
the contingency planning policy statement Provides the authority and guidance necessary to develop an effective contingency plan Conduct the BIA identify and prioritize critical IT systems and components Identify preventive controls Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs Develop recovery strategies Ensure that the system may be recovered quickly and effectively following a disruption Management of Information Security, 3rd ed. 39

40 Contingency Planning - contd
Develop an IT contingency plan detailed guidance and procedures for restoring a damaged system Plan testing, training, and exercises Testing the plan identifies planning gaps Training prepares recovery personnel for plan activation Both activities improve plan effectiveness and overall agency preparedness Plan maintenance The plan should be updated regularly to remain current with system enhancements Management of Information Security, 3rd ed. 40

41 Business Impact Analysis (BIA)
Provides the CP team with information about systems and the threats they face A crucial component of the initial planning stages Provides detailed scenarios of each potential attack’s impact BIA is not risk management (which focuses on identifying threats, vulnerabilities, and attacks to determine controls) BIA assumes controls have been bypassed or are ineffective, and attack was successful Management of Information Security, 3rd ed. 41

42 Business Impact Analysis (cont’d.)
Figure 3-2 Major tasks in contingency planning Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 42

43 Table 3-1 Example attack profile
Management of Information Security 3rd ed. Source: Course Technology/Cengage Learning

44 Business Impact Analysis
Create a series of scenarios depicting impact of successful attack on each functional area Attack profiles should include scenarios depicting typical attack including: Methodology Indicators Broad consequences List outcomes (Best case, worst case, and most likely) Estimate the cost of each of these outcomes By preparing an attack scenario end case Allows identification of what must be done to recover from each possible case Management of Information Security, 3rd ed. 44

45 Incident Response Plan
A detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets Procedures commence when an incident is detected When a threat becomes a valid attack, it is classified as an information security incident if: It is directed against information assets It has a realistic chance of success It threatens the confidentiality, integrity, or availability of information assets Incident response is a reactive measure, not a preventative one Management of Information Security, 3rd ed. 45

46 Incident Response Plan details
Develop procedures for tasks that must be performed in advance of the incident Details of data backup schedules Disaster recovery preparation Training schedules Testing plans Copies of service agreements Business continuity plans Management of Information Security, 3rd ed. 46

47 Incident Response Plan (contd.)
Figure 3-3 Incident response planning Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 47

48 Incident Response Plan (contd.)
Incident classification Determine whether an event is an actual incident May be challenging Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators Careful training allows everyone to relay vital information to the IR team Management of Information Security, 3rd ed. 48

49 Incident Response Plan (contd.)
Possible indicators Presence of unfamiliar files Presence or execution of unknown programs or processes Unusual consumption of computing resources Unusual system crashes Probable indicators Activities at unexpected times Presence of new accounts Reported attacks Notification from IDS Definite indicators Use of dormant accounts Changes to logs Presence of hacker tools Notifications by partner or peer Notification by hacker Management of Information Security, 3rd ed. 49

50 Incident Response Plan (contd.)
Occurrences of actual incidents When these occur, the corresponding IR must be immediately activated Loss of availability Loss of integrity Loss of confidentiality Violation of policy Violation of law The essential task of IR is to stop the incident or contain its impact Incident containment strategies focus Stopping the incident Recovering control of the systems Management of Information Security, 3rd ed. 50

51 Containment strategies
Disconnect the affected communication circuits Dynamically apply filtering rules to limit certain types of network access Disabling compromised user accounts Reconfiguring firewalls to block the problem traffic Temporarily disabling the compromised process or service Taking down the conduit application or server Stopping all computers and network devices Management of Information Security, 3rd ed. 51

52 Containment strategies (contd.)
An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster The organization must also document when to involve outside response Management of Information Security, 3rd ed. 52

53 Containment strategies (contd.)
Once contained and system control regained, incident recovery can begin The IR team must assess the full extent of the damage in order to determine what must be done to restore the systems Incident damage assessment Determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action Management of Information Security, 3rd ed. 53

54 Recovery process Identify the vulnerabilities that allowed the incident to occur and spread and resolve them Address the safeguards that failed to stop or limit the incident, or were missing from the system; install, replace or upgrade them Evaluate existing monitoring capabilities, install new monitoring capabilities Restore the data from backups as needed Restore the services and processes in use where compromised (and interrupted) services and processes must be examined, cleaned, and then restored Continuously monitor the system Restore the confidence of the members of the organization’s communities of interest Management of Information Security, 3rd ed. 54

55 Recovery process (contd.)
Before returning to routine duties, the IR team must conduct an after-action review (AAR) A detailed examination of the events that occurred All team members review their actions during the incident and identify areas where the IR plan worked, didn’t work, or should improve When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities Selecting the appropriate law enforcement agency depends on the type of crime committed: Federal, State, or local Management of Information Security, 3rd ed. 55

56 Disaster Recovery Plan
The preparation for and recovery from a disaster, whether natural or man made In general, an incident is a disaster when: The organization is unable to contain or control the impact of an incident, or The level of damage or destruction from an incident is so severe the organization is unable to quickly recover The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located Management of Information Security, 3rd ed. 56

57 Disaster Recovery Plan (cont’d.)
Key points in the DRP Clear delegation of roles and responsibilities Execution of the alert roster and notification of key personnel Clear establishment of priorities Documentation of the disaster Action steps to mitigate the impact Alternative implementations for the various systems components Management of Information Security, 3rd ed. 57

58 Disaster Recovery Plan (cont’d.)
classify disasters as natural disasters vs man-made disasters Rapid onset disasters vs slow onset disasters Scenario development and impact analysis Used to categorize the level of threat of each potential disaster DRP must be tested regularly Management of Information Security, 3rd ed. 58

59 Business Continuity Plan
Ensures critical business functions can continue in a disaster Managed by CEO of the organization Activated and executed concurrently with the DRP when needed While BCP reestablishes critical functions at alternate site, DRP focuses on reestablishment at the primary site Relies on identification of critical business functions and the resources to support them Management of Information Security, 3rd ed. 59

60 Business Continuity Strategies
Exclusive-use options: hot, warm and cold sites Hot Sites: Fully configured computer facility with all services Warm Sites: Like hot site, but software applications not kept fully prepared Cold Sites: Only rudimentary services and facilities kept ready Shared-use options: timeshare, service bureaus, mutual agreements Determining factor is usually cost Management of Information Security, 3rd ed. 60

61 Business Continuity Strategies - 2
Timeshares Like an exclusive use site but leased Service bureaus Agency that provides physical facilities Mutual agreements Contract between two organizations to assist Specialized alternatives Rolling mobile site Externally stored resources Management of Information Security, 3rd ed. 61

62 Data recovery To get any BCP site running quickly organization must be able to recover data Options include: Electronic vaulting Bulk batch-transfer of data to an off-site facility Remote journaling Transfer of live transactions to an off-site facility Database shadowing Storage of duplicate online transaction data Each option adds different risks Management of Information Security, 3rd ed. 62

63 Timing and Sequence of CP Elements
Figure 3-4 Incident response and disaster recovery Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 63

64 Timing and Sequence of CP Elements (cont’d.)
Figure 3-5 Disaster recovery and business continuity planning Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 64

65 Timing and Sequence of CP Elements (cont’d.)
Figure 3-6 Contingency planning implementation timeline Management of Information Security, 3rd ed. Source: Course Technology/Cengage Learning 65

66 Crisis Management A set of focused steps that deal primarily with the people involved during and after a disaster Crisis management team actions Supporting personnel and their loved ones during the crisis Determining the event's impact on normal business operations Making a disaster declaration Keeping the public informed about the event Communicating with outside parties Key tasks of the crisis management team Verifying personnel status Activating the alert roster Management of Information Security, 3rd ed. 66

67 Business Resumption Planning
Because the DRP and BCP are closely related, most organizations prepare them concurrently Components of a simple disaster recovery plan Name of agency, Date of completion Agency staff to be called in the event of a disaster Emergency services to be called (if needed) Locations of in-house emergency equipment, supplies Sources of off-site equipment and supplies Salvage priority list Agency disaster recovery procedures Follow-up assessment Management of Information Security, 3rd ed. 67

68 Table 3-3Contingency plan template
Source: ( Management of Information Security, 3rd ed. 68

69 Testing Contingency Plans
Problems are identified during testing Improvements can be made, resulting in a reliable plan Contingency plan testing strategies Desk check Structured walkthrough Simulation Parallel testing Full interruption testing Management of Information Security, 3rd ed. 69

70 Contingency Planning: Final Thoughts
Iteration results in improvement A formal implementation of this methodology is a process known as continuous process improvement (CPI) Each time the plan is rehearsed it should be improved Constant evaluation and improvement lead to an improved outcome Management of Information Security, 3rd ed. 70

71 What Is Contingency Planning? Components of Contingency Planning
Summary Introduction What Is Contingency Planning? Components of Contingency Planning Putting a Contingency Plan Together Testing Contingency Plans A Single Continuity Plan Management of Information Security, 3rd ed. 71

Download ppt "CSE 4482: Computer Security Management: Assessment and Forensics"

Similar presentations

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning
Information Security Policies and Standards

Information Security Policies and Standards
Management of Information Security Chapter 2: Planning for Security

Management of Information Security Chapter 2: Planning for Security
Management of Information Security Chapter 3 Planning for Contingencies Things which you do not hope happen more frequently than things which you do.

Management of Information Security Chapter 3 Planning for Contingencies Things which you do not hope happen more frequently than things which you do.
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Unit 8: Tests, Training, and Exercises Unit Introduction and Overview Unit objectives:  Define and explain the terms tests, training, and exercises. 

Unit 8: Tests, Training, and Exercises Unit Introduction and Overview Unit objectives:  Define and explain the terms tests, training, and exercises. 
Database Administration

Database Administration
MANAGEMENT of INFORMATION SECURITY Second Edition.

MANAGEMENT of INFORMATION SECURITY Second Edition.
Planning for Contingencies

Planning for Contingencies
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT

Lecture 2: Planning for Security INFORMATION SECURITY MANAGEMENT
Planning for Contingencies

Planning for Contingencies
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Risk Management.

Risk Management.
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
Introduction to Network Defense

Introduction to Network Defense
1 Business Continuity. 2 Continuity strategy Business impact Incident response Disaster recovery Business continuity.

1 Business Continuity. 2 Continuity strategy Business impact Incident response Disaster recovery Business continuity.

Similar presentations

Ads by Google