2019 CISSP MENTOR
PROGRAM
May 15, 2019
-----------
Class 10 – May 15, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO
I hope everyone is doing well. Looking for questions,
so give me some!
• Check-in.
• How many have read Chapter 1 - 7?
• Questions?
CISSP® MENTOR PROGRAM – SESSION TEN
1
WELCOME BACK!
I mean, it’s good to be back. ;)
115 slides tonight + what I covered Monday
at the 2019 North America ISACA CACS
Conference.
Pretty laid back class tonight, but still quite a bit of content to
get through.
QUIZ…
Questions, questions, questions…
1. During the course of the penetration test, the testers
discover signs of an active compromise of the new
custom-developed three-tier web application. What is
their best course of action?
A. Attempt to contain and eradicate the malicious activity
B. Continue the test
C. Quietly end the test, immediately call the operational IT
contact, and escalate the issue
D. Shut the server down
2. You would like to have the security firm test the new
web application, but have decided not to share the
underlying source code. What type of test could be
used to help determine the security of the custom web
application?
A. Secure compiler warnings
B. Fuzzing
C. Static testing
D. White box testing
3. What type of penetration test will result in the most
efficient use of time and hourly consultant expenses?
A. Automated knowledge
B. Full knowledge
C. Partial Knowledge
D. Zero Knowledge
4. What term describes a holistic approach for determining
the effectiveness of access control, and has a broad
scope?
A. Security assessment
B. Security audit
C. Penetration test
D. Vulnerability assessment
5. What term describes a black-box testing method that
seeks to identify and test all unique combinations of
software inputs?
A. Combinatorial software testing
B. Dynamic testing
C. Misuse case testing
D. Static Testing
6. What term describes a no-tech or low-tech method that
uses the human mind to bypass security controls?
A. Fuzzing
B. Social engineering
C. War dialing
D. Zero-knowledge test
LET’S DO THIS!
LECTURE
Domain #7: Security Operations
Where we left off, we had just talked about incident
management/response…
Page 363 starts the new stuff.
Incident Response Management – Methodology
2. Detection (aka Identification)
• What are all of the inputs into my incident response process?
• Events → Incidents (triage decides which events become incidents)
3. Response (aka Containment)
• Step-by-step, depending upon classification & severity
• Forensic response? Protection of evidence, while containing
damage
• Start root cause analysis
Incident Response Management – Methodology
4. Mitigation (aka Eradication)
• Root cause analysis completed (mostly/hopefully)
• Get rid of the bad things
5. Reporting
• Actually not really a step (happens throughout)
• More formal here; include incident responders (technical and
non-technical)
Incident Response Management – Methodology
6. Recovery
• Restore systems and operations
• Increase monitoring
7. Remediation – broader in context
8. Lessons Learned (aka Post-incident Activity, Post
Mortem, or Reporting) – there are always lessons
Operational Preventive And Detective Controls
• Intrusion Detection Systems (IDS) and Intrusion
Prevention Systems (IPS)
• True Positive: Conficker worm is spreading on a trusted
network, and NIDS alerts
• True Negative: User surfs the Web to an allowed site, and
NIDS is silent
• False Positive: User surfs the Web to an allowed site, and
NIDS alerts
• False Negative: Conficker worm is spreading on a trusted
network, and NIDS is silent
Operational Preventive And Detective Controls
• NIDS, NIPS, HIDS, and HIPS (detection types)
• Pattern Matching
• Protocol Behavior
• Anomaly Detection
• Security Information and Event Management (SIEM)
• Continuous Monitoring
• Data Loss Prevention (network & host)
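The slides list three detection types and the four outcomes (true/false positive/negative) separately; the following is an added example, not from the slides or FRSecure, that ties them together: a toy NIDS with one signature, one protocol-behaviour rule and one anomaly threshold, run over constructed connection records and scored against analyst labels. The signature bytes, port expectations, size baseline and every record are invented for illustration.

```python
"""Added example (not from the slides): a toy NIDS implementing the three
detection types listed above (pattern matching, protocol behaviour, anomaly
detection), run over constructed connection records and scored as true/false
positives/negatives against analyst-supplied labels.  Signatures, port
expectations, the size baseline and every record are invented for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    payload: bytes
    malicious: bool   # ground truth from the analyst, unknown to the sensor


# Signature: the constructed byte pattern of an imaginary SMB worm's probe.
SIGNATURES = {"smb-worm-probe": b"\xffSMBr\x00\x00\x00\x00" + b"A" * 64}
# Protocol expectation: what each port is supposed to carry.
PORT_PROTOCOLS = {80: "http", 443: "tls", 445: "smb"}
# Anomaly baseline: typical payload size 'learned' from normal traffic (constructed).
BASELINE_BYTES = 1000


def pattern_match(c):
    """Signature detection: alert if any known bad byte sequence appears in the payload."""
    return any(sig in c.payload for sig in SIGNATURES.values())


def protocol_behaviour(c):
    """Protocol detection: a TLS record header (0x16 0x03) on a port expected to carry cleartext HTTP."""
    looks_like_tls = c.payload[:2] == b"\x16\x03"
    return PORT_PROTOCOLS.get(c.dport) == "http" and looks_like_tls


def anomaly(c, factor=4):
    """Anomaly detection: payload far larger than the learned baseline."""
    return len(c.payload) > factor * BASELINE_BYTES


def detect(c):
    return pattern_match(c) or protocol_behaviour(c) or anomaly(c)


TRAFFIC = [  # constructed sample records, not real captures
    Conn("10.0.0.5", "10.0.0.9",      445, b"\xffSMBr\x00\x00\x00\x00" + b"A" * 300, True),   # worm spreading
    Conn("10.0.0.5", "10.0.0.10",     445, b"\xffSMBr\x00\x00\x00\x00" + b"A" * 300, True),
    Conn("10.0.0.7", "93.184.216.34",  80, b"GET /index.html HTTP/1.1\r\n", False),           # allowed browsing
    Conn("10.0.0.7", "93.184.216.34", 443, b"\x16\x03\x01\x00\xa5", False),                    # allowed TLS
    Conn("10.0.0.8", "10.0.0.9",       80, b"\x16\x03\x01\x00\xa5", True),                     # TLS tunnel on port 80
    Conn("10.0.0.7", "10.0.0.9",       80, b"GET /big-report.pdf HTTP/1.1\r\n" + b"X" * 5000, False),  # large but benign
    Conn("10.0.0.8", "198.51.100.23", 443, b"\x16\x03\x01\x00\xa5", True),                     # covert C2 over TLS, missed
]


def score(conns, detector=detect):
    """Count TP/TN/FP/FN: alert and malicious = TP, silent and benign = TN, and so on."""
    labels = {(True, True): "TP", (False, False): "TN", (True, False): "FP", (False, True): "FN"}
    counts = Counter()
    for c in conns:
        counts[labels[(detector(c), c.malicious)]] += 1
    return counts


def rates(counts):
    """Precision, recall (detection rate) and false-positive rate from the four counts."""
    tp, fp, tn, fn = counts["TP"], counts["FP"], counts["TN"], counts["FN"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return precision, recall, fpr


if __name__ == "__main__":
    counts = score(TRAFFIC)
    print(dict(counts), rates(counts))
```

Over this sample the sensor scores 3 TP, 2 TN, 1 FP (the anomaly rule fires on a large but benign download) and 1 FN (encrypted command-and-control on the expected port matches nothing). That is the trade-off the slide's four cases describe: tightening the anomaly threshold removes the false positive at the cost of missing more, and the false negative is only catchable with a different detection type (reputation, flow analysis) or a higher-fidelity signature.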
Operational Preventive And Detective Controls
Continuous Monitoring
• Assessing and reassessing as ongoing processes.
• A modern improvement to legacy Certifications and Accreditations.
Data Loss Prevention (DLP)
• Class of solutions used to detect and/or prevent data from leaving
the organization.
• Host-based, network-based, and application-based DLP solutions.
Operational Preventive And Detective Controls
Endpoint Security
• HIDS/HIPS
• Antivirus
• Application Whitelisting
• Removable Media Controls
• Disk Encryption
• Privileged Access
Most effective on the list
Operational Preventive And Detective Controls
Honeypots
• System designed to attract attackers. CAREFUL:
enticement vs. entrapment.
• Learn (or research) attack methods.
• Low-interaction (simulate systems) and high-interaction
(actual systems) honeypots.
Honeynets – real or simulated network of honeypots.
Asset Management (Configuration Management)
The goal is to move beyond the default system configuration to one
that is both hardened and meets the operational requirements of the
organization.
• Hardened baseline configurations
• Center for Internet Security (see: http://www.cisecurity.org/)
• Disabling unnecessary services, removing extraneous programs,
enabling security capabilities such as firewalls, antivirus, and
intrusion detection or prevention systems, and the configuration
of security and audit logs
Basic Principles of Security
1. You can’t secure things if you don’t know you have
them (Asset Management).
2. You can’t secure the things you can’t control
(Configuration Management, Change Control, Access
Control, etc.)
Asset Management (Configuration Management)
Baselining
• The process of capturing a point in time
understanding of the current system security
configuration
• Helpful in responding to a potential security incident
• Continual baselining is important
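To make "capturing a point in time understanding" concrete, here is an added example (not from the slides or FRSecure) that snapshots a host's security-relevant state, stores hashes rather than content, and diffs a later snapshot against the golden baseline, which is exactly the check an incident responder wants. The "host" is an in-memory dict standing in for what a real collector would read from the file system, service manager and local group database; both snapshots are constructed.

```python
"""Added example (not from the slides): capture a point-in-time baseline of a
host's security-relevant configuration and diff a later snapshot against it.
The 'host' is an in-memory dict standing in for what a real collector would
read from the file system, service manager and local group database; both
snapshots are constructed for illustration.
"""
import hashlib
import json


def fingerprint(files):
    """Map each path to the SHA-256 of its content, so the baseline stores hashes, not files."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def capture_baseline(files, listening_ports, local_admins):
    """Point-in-time snapshot: file hashes, listening ports, privileged accounts."""
    return {
        "files": fingerprint(files),
        "ports": sorted(listening_ports),
        "admins": sorted(local_admins),
    }


def baseline_digest(baseline):
    """Hash of the canonical JSON form; store it off-host so the baseline itself is tamper-evident."""
    return hashlib.sha256(json.dumps(baseline, sort_keys=True).encode()).hexdigest()


def diff_baseline(baseline, current):
    """Return human-readable drift findings; an empty list means no drift."""
    findings = []
    b_files, c_files = baseline["files"], current["files"]
    for path in sorted(set(b_files) | set(c_files)):
        if path not in c_files:
            findings.append(f"file removed: {path}")
        elif path not in b_files:
            findings.append(f"file added: {path}")
        elif b_files[path] != c_files[path]:
            findings.append(f"file modified: {path}")
    for port in sorted(set(current["ports"]) - set(baseline["ports"])):
        findings.append(f"new listening port: {port}")
    for port in sorted(set(baseline["ports"]) - set(current["ports"])):
        findings.append(f"port no longer listening: {port}")
    for user in sorted(set(current["admins"]) - set(baseline["admins"])):
        findings.append(f"new local admin: {user}")
    return findings


# Constructed snapshots: the hardened state right after build, and the same host later.
GOLDEN = capture_baseline(
    files={"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
           "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n"},
    listening_ports=[22, 443],
    local_admins=["root", "ops"],
)
LATER = capture_baseline(
    files={"/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
           "/etc/passwd": b"root:x:0:0::/root:/bin/bash\n",
           "/tmp/.cache/run.sh": b"#!/bin/sh\n"},
    listening_ports=[22, 443, 4444],
    local_admins=["root", "ops", "svc_backup"],
)

if __name__ == "__main__":
    for line in diff_baseline(GOLDEN, LATER):
        print(line)
```

Run on the constructed snapshots the diff reports a modified sshd_config, a new script under /tmp, a new listener on 4444 and a new local administrator: four findings that would each be a question during an incident and none of which a single vulnerability scan would surface. The digest is what you compare against the copy you kept off the box, which is why "continual baselining" also means re-verifying the baseline, not just re-capturing it.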
Asset Management (Configuration Management)
Vulnerability Management
• Vulnerability scanning is a way to discover poor
configurations and missing patches in an environment
• Vulnerability management is used rather than just
vulnerability scanning to emphasize the need for
management of the vulnerability information
• Prioritization and remediation of the vulnerabilities
Section 12.6 of ISO/IEC 27002:2013 provides guidance on technical vulnerability
management. A vulnerability management process should be implemented in an effective,
systematic, and repeatable way, with measurements taken to confirm its effectiveness.
Vulnerability management starts with asset management: the information required to support
systems technically includes the operating system, software version numbers, the list of
installed software, and the person or persons responsible for maintaining each system.
Additionally, the organization should define and establish the roles and responsibilities
associated with technical vulnerability management, including vulnerability monitoring,
vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities
required.
Asset Management (Configuration Management)
Vulnerability Management
Once a potential technical vulnerability has been identified, the
organization should identify the associated risks and the actions to be
taken - such action could involve the patching of vulnerable systems
and/or applying other controls. Depending on how urgently a technical
vulnerability needs to be addressed, the action taken should be carried
out according to the controls related to change management or by
following information security incident response procedures. Critical-
risk and high-risk systems should be addressed first. Patches should
be tested and evaluated before they are installed to ensure they are
effective and do not result in side effects that cannot be tolerated; if no
patch is available, other controls should be considered. The technical
vulnerability management process should be regularly monitored and
evaluated in order to ensure its effectiveness and efficiency.
Asset Management (Configuration Management)
Zero-Day Vulnerabilities and Zero-Day Exploits
• The average window of time between a patch being released and
an associated exploit being made public is decreasing
• Recent research even suggests that for some vulnerabilities, an
exploit can be created within minutes based simply on the
availability of the unpatched and patched program
• The term for a vulnerability that is known before a patch (or
workaround) exists is zero-day vulnerability
• A zero-day exploit, rather than vulnerability, refers to the
existence of exploit code for a vulnerability which has yet to be
patched
Change Management
• A system that does not change will become less secure over time
• Not an exact science, every organization will be a little different
• The general flow of the change management process includes:
• Identifying a change
• Proposing a change
• Assessing the risk associated with the change
• Testing the change (backout plan)
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation
• Changes must be closely tracked and auditable
Continuity of Operations
Service Level Agreements (SLA)
• Critical where organizations have external entities perform critical
services or host significant assets and applications
• Goal is to stipulate all expectations regarding the behavior of the
department or organization that is responsible for providing
services and the quality of the services provided
• Availability is usually the most critical security consideration of a
service level agreement
• Organizations must negotiate all security terms of a service level
agreement before engaging the provider
• Especially important for cloud computing, where the provider hosts
the assets and applications
Fault Tolerance
Backup
• Recoverability in the event of a failure
• Magnetic tape media is old technology, but is still the
most common repository of backup data
• Three basic types of backups exist: full backup; the
incremental backup; and the differential backup
Fault Tolerance
Backup
• Full backup - a replica of all allocated data on a hard
disk
• The most costly in terms of media and time to backup
• Often coupled with either incremental or differential backups
to balance the time and media considerations
Fault Tolerance
Backup
• Incremental backup - only archive files that have
changed since the last backup of any kind was
performed
• The most recent full backup and each and every incremental
backup since the full backup is required to initiate a recovery
• Time to perform each incremental backup is extremely short;
however, the downside is that a full restore can require many
tapes, especially if full backups are performed less frequently
• The odds of a failed restoration due to a tape integrity issue
(such as broken tape) rise with each additional tape required
Fault Tolerance
Backup
• Differential - will back up any files that have been
changed since the last full backup
• Only the most recent full backup and most recent differential
backup are required to initiate a full recovery
• As more time passes since the last full backup the length of
time to perform a differential backup will also increase
Fault Tolerance
Redundant Array of Inexpensive Disks (RAID)
• Mitigates the risk associated with hard disk failures
Three terms that are important to understand with respect
to RAID are: mirroring; striping; and parity
• Mirroring - used to achieve full data redundancy by
writing the same data to multiple hard disks
• Write times are slower
• Read times are faster
• Most costly in terms of disk usage - at least half of the drives
are used for redundancy
• Striping - increases read and write performance by spreading
data across multiple hard disks
• Reads and writes can be performed in parallel across multiple disks
rather than serially on one disk
• Parallelization provides a performance increase but does not aid in
data redundancy
• Parity - achieve data redundancy without incurring the same
degree of cost as that of mirroring in terms of disk usage and
write performance
RAID 0: Striped Set
• Striping to increase the
performance of read and writes
• No data redundancy - poor choice
if recovery of data is the reason for
leveraging RAID
RAID 1: Mirrored Set
• Creates/writes an exact duplicate
of all data to an additional disk
• Write performance is decreased
• Read performance can increase
• Highest disk cost
RAID 2: Hamming Code
• Not considered commercially viable for hard disks and is not
used
• Requires either 14 or 39 hard disks and a specially designed
hardware controller
• Cost prohibitive
• RAID 2 is not likely to be tested
RAID 3: Striped Set with Dedicated Parity (byte level)
• Data, at the byte level, is striped across multiple disks
• An additional disk is leveraged for storage of parity information,
which is used for recovery in the event of a failure
RAID 4: Striped Set with Dedicated Parity (block level)
• Exact same configuration and functionality as that of RAID 3, but
stripes data at the block, rather than byte, level
• Employs a dedicated parity drive rather than having parity data
distributed amongst all disks, as in RAID 5
RAID 5: Striped Set with Distributed Parity
• One of the most popular RAID configurations
• Striped Set with Distributed Parity
• Leverages a block level striping
• Writes parity information that is used for recovery purposes
• Distributes the parity information across multiple disks
• Disk cost for redundancy is lower than that of a Mirrored set
• Support for both hardware and software based implementations
• Allows for data recovery in the event that any one disk fails
RAID 6: Striped Set with Dual Distributed Parity
• Can allow for the failure of two drives and still function
• Redundancy is achieved with two independent parity blocks per stripe
(commonly called P and Q), distributed across the disks; a second copy
of the same parity would not survive two failures
RAID 1+0 or RAID 10
• Example of what is known as nested RAID or multi-RAID (one standard
RAID level is encapsulated within another)
• Configuration is a striped set of mirrors
NOTE: There are many and varied RAID configurations which are simply combinations
of the standard RAID levels. Nested RAID solutions are becoming increasingly
common with larger arrays of disks that require a high degree of both reliability and
speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and
(1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100,
respectively.
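The RAID 3 through RAID 6 slides all rest on one piece of arithmetic: parity is the XOR of the data blocks in a stripe, and XOR of everything except one block recovers that block. The following added example (not from the slides or FRSecure) implements RAID 5 in memory, block-level striping with the parity block rotating across the disks, rebuilds any single failed disk, and shows the read-modify-write small-write path behind the write penalty mentioned under mirroring and parity. Disks are lists of byte blocks; the block size, payload and failed disk are chosen for illustration.

```python
"""Added example (not from the slides): the parity arithmetic behind RAID 5,
block-level striping with parity rotated across the disks so any single disk
can fail, plus the read-modify-write small-write path that causes the write
penalty.  Disks are lists of byte blocks in memory; block size, the data
written and the disk that fails are chosen for illustration.
"""
BLOCK = 4  # bytes per block; real arrays stripe in units of tens of KiB


def xor_blocks(blocks):
    """Parity = XOR of all blocks in the stripe; XOR of all-but-one recovers the missing one."""
    out = bytearray(BLOCK)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def parity_disk_for(stripe, n_disks):
    """Left-asymmetric layout: parity moves one disk to the left each stripe (RAID 4 would return a constant)."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data, n_disks):
    """Split data into stripes of (n_disks - 1) data blocks plus one parity block."""
    per_stripe = n_disks - 1
    padded = data + b"\x00" * (-len(data) % (BLOCK * per_stripe))
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    disks = [[] for _ in range(n_disks)]
    for stripe, start in enumerate(range(0, len(blocks), per_stripe)):
        chunk = blocks[start:start + per_stripe]
        pd = parity_disk_for(stripe, n_disks)
        data_blocks = iter(chunk)
        for d in range(n_disks):
            disks[d].append(xor_blocks(chunk) if d == pd else next(data_blocks))
    return disks


def raid5_read(disks):
    """Reassemble user data in stripe order, skipping the parity block of each stripe."""
    n_disks = len(disks)
    out = b""
    for stripe in range(len(disks[0])):
        pd = parity_disk_for(stripe, n_disks)
        out += b"".join(disks[d][stripe] for d in range(n_disks) if d != pd)
    return out


def raid5_rebuild(disks, failed):
    """Recompute every block of the failed disk (given as None) from the survivors."""
    n_disks = len(disks)
    n_stripes = len(disks[(failed + 1) % n_disks])
    rebuilt = [xor_blocks([disks[d][s] for d in range(n_disks) if d != failed]) for s in range(n_stripes)]
    return [rebuilt if d == failed else disk for d, disk in enumerate(disks)]


def raid5_update(disks, stripe, disk, new_block):
    """Small write: read old data and old parity, write new data and new parity (four I/Os)."""
    pd = parity_disk_for(stripe, len(disks))
    if disk == pd:
        raise ValueError("that disk holds parity for this stripe")
    old = disks[disk][stripe]
    disks[disk][stripe] = new_block
    disks[pd][stripe] = xor_blocks([disks[pd][stripe], old, new_block])


DATA = b"CISSP Domain 7: Security Operations"   # constructed payload

if __name__ == "__main__":
    disks = raid5_write(DATA, 4)
    damaged = [None if d == 1 else list(disk) for d, disk in enumerate(disks)]
    recovered = raid5_rebuild(damaged, failed=1)
    print(raid5_read(recovered)[:len(DATA)] == DATA)
```

Losing any one of the four disks is recoverable because each stripe has exactly one unknown; losing two leaves two unknowns per stripe and a single XOR parity cannot separate them, which is why RAID 6 adds a second, independently computed parity rather than a second copy of the same one. `raid5_update` shows the cost side: a small write touches two disks twice, whereas a mirror writes the block to two disks once each.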
Fault Tolerance - System Redundancy
Redundant Hardware
• Built-in redundancy (power supplies, disk controllers, and NICs
are most common)
• An inventory of spare modules to service the entire datacenter's
servers would be less expensive than having all servers
configured with an installed redundant power supply
Redundant Systems
• Entire systems available in inventory to serve as a means to
recover
• Have an SLA with hardware manufacturers to be able to quickly
procure replacement equipment in a timely fashion
BCP and DRP Overview and Process (used to be
Domain by itself)
Unique terms and definitions
• Business Continuity Plan (BCP)—a long-term plan to ensure
the continuity of business operations
• Continuity of Operations Plan (COOP)—a plan to maintain
operations during a disaster.
• Disaster—any disruptive event that interrupts normal system
operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover
from a disruptive event
• Mean Time Between Failures (MTBF)—quantifies how long a
new or repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to
recover a failed system.
BCP and DRP Overview and Process
Business Continuity Planning and Disaster Recovery Planning are
two very distinct disciplines
Business Continuity Planning (BCP)
• Goal of a BCP is for ensuring that the business will continue to
operate before, throughout, and after a disaster event is
experienced
• Focus of a BCP is on the business as a whole
• Business Continuity Planning provides a long-term strategy
• Takes into account items such as people, vital records, and
processes in addition to critical systems
Disaster Recovery Planning (DRP)
• Disaster Recovery Plan is more tactical in its approach
• Short-term plan for dealing with specific IT-oriented disruptions
• Provides a means for immediate response to disasters
• Does not focus on long-term business impact
Relationship between BCP and DRP
• Business Continuity Plan is an umbrella plan that includes
multiple specific plans, most importantly the Disaster Recovery
Plan
• Two plans, which have different scopes, are intertwined
• Disaster Recovery Plan serves as a subset of the overall
Business Continuity Plan
• NIST Special Publication 800-34, provides a visual means for
understanding the interrelatedness of a BCP and a DRP, as well
as Continuity of Operations Plan (COOP), Occupant Emergency
Plan (OEP), and others.
Disasters or Disruptive Events
Classifications of disasters
• Three common ways of categorizing the causes of disasters are by whether
the threat agent is natural, human, or environmental in nature
• Natural—the most obvious type of threat that can result in a disaster is naturally
occurring. This category includes such threats as earthquakes, hurricanes, tornadoes,
floods, and some types of fires (closely tied to geographical location)
• Human—the human category of threats represents the most common source of
disasters. Human threats can be further classified as to whether they constitute an
intentional or unintentional threat
• Examples of human-intentional threats include terrorists, malware, rogue insider,
Denial of Service, hacktivism, phishing, social engineering, etc.
• Examples of human-unintentional threats are primarily those that involve
inadvertent errors and omissions, in which the person through lack of knowledge,
laziness, or carelessness served as a source of disruption
• Environmental—focused on environment as it pertains to the information systems or
datacenter. This class of threat includes items such as power issues (blackout,
brownout, surge, spike), system component or other equipment failures, application or
software flaws
• Analysis of threats and associated likelihoods is an important part of the BCP and
DRP process
Disasters or Disruptive Events
Errors and omissions
• Typically considered the single most common source of disruptive events
• Threat is inadvertently caused by humans, most often in the employ of the
organization, who unintentionally serve as a source of harm
• Data entry mistakes are an example of errors and omissions
Natural Disasters
• Include earthquakes, hurricanes, floods, tsunamis, etc.
• Likelihood of natural threats occurring is largely based upon the geographical
location of the organization's information systems or datacenters
• Generally have a rather low likelihood of occurring
• Impact can be severe
Disasters or Disruptive Events
Electrical or power Problems
• Much more common than natural disasters
• Considered an environmental disaster
• Uninterruptible power supplies (UPS) and/or backup generators
Temperature and Humidity Failures
• Critical controls that must be managed during a disaster
• Increased server density can provide for significant heat issues
• Mean Time Between Failures (MTBF) for electrical equipment will decrease if
temperature and humidity levels are not kept within a tolerable range.
Warfare, terrorism, and sabotage
• Human-intentional threats
• Threat can vary dramatically based on geographic location, industry,
brand value, as well as the interrelatedness with other high-value target
organizations
• Cyber-warfare
• “Aurora” attacks (named after the word “Aurora,” which was found in a
sample of malware used in the attacks). As the New York Times reported
on 2/18/2010: “A series of online attacks on Google and dozens of other
American corporations have been traced to computers at two
educational institutions in China, including one with close ties to the
Chinese military, say people involved in the investigation.”
Financially-motivated Attackers
• Exfiltration of cardholder data, identity theft, pump-and-dump stock
schemes, bogus anti-malware tools, or corporate espionage, etc.
• Organized crime syndicates
Personnel Shortages
• Another significant source of disruption can come by means of having
staff unavailable
• Most organizations will have some critical processes that are people-
dependent
Personnel Shortages
• Pandemics and Disease
• Major biological problems such as pandemic flu or highly
communicable infectious disease outbreaks
• A pandemic occurs when an infection spreads through an extremely
large geographical area, while an epidemic is more localized
• Strikes
• Strikes usually are carried out in such a manner that the
organization can plan for the occurrence
• Most strikes are announced and planned in advance, which
provides the organization with some lead time
• Personnel Availability
• Sudden separation from employment of a critical member of the
workforce
Communications Failure
• Increasing dependence of organizations on call centers, IP
telephony, general Internet access, and providing services via the
Internet
• One of the most common disaster-causing events is
telecommunications lines being inadvertently cut by someone
digging where they are not supposed to
NOTE: One of the eye-opening impacts of Hurricane Katrina was a rather significant
outage of Internet2, which provides high-speed connectivity for education and research
networks. Qwest, which provides the infrastructure for Internet2, suffered an outage in
one of the major long-haul links that ran from Atlanta to Houston. Reportedly, the
outage was due to lack of availability of fuel in the area. In addition to this outage,
which impacted more than just those areas directly affected by the hurricane, there
were substantial outages throughout Mississippi, which at its peak had more than a
third of its public address space rendered unreachable.
The Disaster Recovery Process
The general process of disaster recovery involves responding to the
disruption; activation of the recovery team; ongoing tactical
communication of the status of disaster and its associated recovery;
further assessment of the damage caused by the disruptive event;
and recovery of critical assets and processes in a manner consistent
with the extent of the disaster.
• Different organizations and experts alike might disagree about
the number or names of phases in the process
• Personnel safety remains the top priority
Respond
• Initial response begins the process of assessing the damage
• Speed is essential (initial assessment)
• The initial assessment will determine if the event in question
constitutes a disaster
• The initial response team should be mindful of assessing the
facility's safety for continued personnel usage
Activate Team
If during the initial response to a disruptive event a disaster is
declared, then the team that will be responsible for recovery needs to
be activated.
Communicate
• Ensure that consistent timely status updates are communicated
back to the central team managing the response and recovery
process
• Communication often must occur out-of-band
• The organization must also be prepared to provide external
communications
Assess
• More detailed and thorough assessment
• Assess the extent of the damage and determine the proper steps
to ensure the organization's ability to meet its mission and
Maximum Tolerable Downtime (MTD)
• Team could recommend that the ultimate restoration or
reconstitution occurs at the alternate site
Reconstitution
• Successfully recover critical business operations either at primary
or secondary site
• If an alternate site is leveraged, adequate safety and security
controls must be in place in order to maintain the expected
degree of security the organization typically employs
• A salvage team will be employed to begin the recovery process
at the primary facility that experienced the disaster
Developing a BCP/DRP
• High-level steps, according to NIST 800-34:
• Project Initiation
• Scope the Project
• Business Impact Analysis
• Identify Preventive Controls
• Recovery Strategy
• Plan Design and Development
• Implementation, Training, and Testing
• BCP/DRP Maintenance
• NIST 800-34 is the National Institute of Standards and
Technology Information Technology Contingency Planning
Guide, which can be found at
http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.
Project Initiation
In order to develop the BCP/DRP, the scope of the project must be
determined and agreed upon. This involves seven distinct milestones:
1. Develop the contingency planning policy statement: A formal
department or agency policy provides the authority and guidance
necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA): The BIA helps to
identify and prioritize critical IT systems and components. A
template for developing the BIA is also provided to assist the user.
3. Identify preventive controls: Measures taken to reduce the
effects of system disruptions can increase system availability and
reduce contingency life cycle costs.
4. Develop recovery strategies: Thorough recovery strategies
ensure that the system may be recovered quickly and effectively
following a disruption.
5. Develop an IT contingency plan: The contingency plan should
contain detailed guidance and procedures for restoring a damaged
system.
6. Plan testing, training, and exercises: Testing the plan identifies
planning gaps, whereas training prepares recovery personnel for
plan activation; both activities improve plan effectiveness and
overall agency preparedness.
7. Plan maintenance: The plan should be a living document that is
updated regularly to remain current with system enhancements.
Management Support
“C”-level managers:
• Must agree to any plan set forth
• Must agree to support the action items listed in the plan if an
emergency event occurs
• Refers to people within an organization like the chief executive
officer (CEO), the chief operating officer (COO), the chief
information officer (CIO), and the chief financial officer (CFO)
• Have enough power and authority to speak for the entire
organization when dealing with outside media
• High enough within the organization to commit resources
Other Roles
BCP/DRP Project Manager
• Key Point of Contact for ensuring that a BCP/DRP is completed
and routinely tested
• Must be a good manager and leader in case there is an event
that causes the BCP or DRP to be implemented
• Point of Contact (POC) for every person within the organization
during a crisis
• Must be very organized
• Credibility and enough authority within the organization to make
important, critical decisions with regard to implementing the
BCP/DRP
• Does not need to have in-depth technical skills
Continuity Planning Project Team (CPPT)
• Comprises those personnel that will have responsibilities if/when
an emergency occurs
• Comprised of stakeholders within an organization
• Focuses on identifying who needs to play a role if a specific
emergency event were to occur
• Includes people from the human resources section, public
relations (PR), IT staff, physical security, line managers, essential
personnel for full business effectiveness, and anyone else
responsible for essential functions
Scoping the Project
• Define exactly what assets are protected by the plan,
which emergency events the plan will be able to
address, and the resources necessary to
completely create and implement the plan
• “What is in and out of scope for this plan?”
• After receiving C-level approval and input from the
rest of the organization, objectives and deliverables
can be determined
• Objectives are usually created as “if/then” statements
• For example, “If there is a hurricane, then the organization
will enact plan H—the Physical Relocation and Employee
Safety Plan.” Plan H is unique to the organization but it does
encompass all the BCP/DRP subplans required
• An objective would be to create this plan and have it
reviewed by all members of the organization by a specific
date.
• The objective will have a number of deliverables required to
create and fully vet this plan: for example, draft documents,
exercise planning meetings, table top preliminary exercises,
etc.
• Executive management must at least ensure that support is given
for three BCP/DRP items:
1. Executive management support is needed for initiating the plan.
2. Executive management support is needed for final approval of the plan.
3. Executive management must demonstrate due care and due diligence
and be held liable under applicable laws/regulations.
Assessing the Critical State
• Assessing the critical state can be difficult because
determining which pieces of the IT infrastructure are
critical depends solely on how each piece supports the
users within the organization.
• When compiling the critical state and asset list
associated with it, the BCP/DRP project manager
should note how the assets impact the organization in
a section called the “Business Impact” section.
Conduct Business Impact Analysis (BIA)
• Formal method for determining how a disruption to the
IT system(s) of an organization will impact the
organization
• An analysis to identify and prioritize critical IT systems
and components
• Enables the BCP/DRP project manager to fully
characterize the IT contingency requirements and
priorities
• Objective is to correlate the IT system components
with the critical service it supports
• Also aims to quantify the consequence of a disruption
to the system component and how that will affect the
organization
• Determine the Maximum Tolerable Downtime (MTD)
for a specific IT asset
• Also provides information to improve business
processes and efficiencies because it details all of the
organization's policies and implementation efforts
The BIA is comprised of two processes: identification of
critical assets and a comprehensive risk assessment.
Identify Critical Assets
• BIA and Critical State Asset List is conducted for every
IT system within the organization, no matter how trivial
or unimportant, leading to…
• A list of those IT assets that are deemed business-
essential by the organization
Conduct BCP/DRP-focused Risk Assessment
• Determines what risks are inherent to which IT assets
• A vulnerability analysis is also conducted for each IT
system and major application
Determine Maximum Tolerable Downtime
• Describes the total time a system can be inoperable before an
organization is severely impacted
• It is also the maximum time it takes to execute the reconstitution
phase
• Comprised of two metrics: Recovery Time Objective (RTO) and
Work Recovery Time (WRT)
Alternate terms for MTD
• Depending on the business continuity framework that is used,
other terms may be substituted for Maximum Tolerable
Downtime. These include Maximum Allowable Downtime
(MAD), Maximum Tolerable Outage (MTO), and Maximum
Acceptable Outage (MAO).
Failure and Recovery Metrics
• Used to quantify how frequently systems fail, how long a system
may exist in a failed state, and the maximum time to recover from
failure.
• These metrics include the Recovery Point Objective (RPO),
Recovery Time Objective (RTO), Work Recovery Time (WRT),
Mean Time Between Failures (MTBF), Mean Time to Repair
(MTTR), and Minimum Operating Requirements (MOR).
Recovery Point Objective
• The amount of data loss or system inaccessibility (measured in
time) that an organization can withstand.
• “If you perform weekly backups, someone made a decision that
your company could tolerate the loss of a week's worth of data. If
backups are performed on Saturday evenings and a system fails
on Saturday afternoon, you have lost the entire week's worth of
data. This is the recovery point objective. In this case, the RPO is
1 week.”
• RPO represents the maximum acceptable amount of
data/work loss for a given process because of a disaster or
disruptive event
Recovery Time Objective (RTO) and Work Recovery
Time (WRT)
• Recovery Time Objective (RTO) describes the maximum time
allowed to recover business or IT systems
• RTO is also called the systems recovery time and is one part of
Maximum Tolerable Downtime: once the system is physically
running, it must still be configured.
• Work Recovery Time (WRT) describes the time required to
configure a recovered system.
• “Downtime consists of two elements, the systems recovery time
and the work recovery time. Therefore, MTD = RTO + WRT.”
Mean Time Between Failures
• Quantifies how long a new or repaired system will run before
failing
• Typically generated by a component vendor and is largely
applicable to hardware as opposed to applications and software.
• A vendor selling LCD computer monitors may run 100 monitors
24 hours a day for 2 weeks and observe just one monitor failure.
The vendor then extrapolates the following:
100 LCD Monitors x 14 days x 24 hours/day = 1 failure/33,600 hours
• The BCP/DRP team determines the correct amount of expected
failures within the IT system during a course of time.
• Calculating the MTBF becomes less reliable when an organization
uses fewer and fewer hardware assets.
Mean Time to Repair (MTTR)
• Describes how long it will take to recover a specific failed system
• Best estimate for reconstituting the IT system so that business
continuity may occur
Minimum Operating Requirements
• Describes the minimum environmental and connectivity
requirements in order to operate computer equipment
• Important to determine and document for each IT-critical asset
because, in the event of a disruptive event or disaster, proper
analysis can be conducted quickly to determine if the IT assets
will be able to function in the emergency environment
Identify Preventive Controls
• Preventive controls prevent disruptive events from having an
impact
• The BIA will identify some risks which may be mitigated
immediately
Recovery Strategy
• Once the BIA is complete, the BCP team knows the Maximum
Tolerable Downtime. This metric, as well as others including the
Recovery Point Objective and Recovery Time Objective, are
used to determine the recovery strategy.
• Always maintain technical, physical, and administrative controls
when using any recovery option
Supply Chain Management
• In an age of “just in time” shipment of goods,
organizations may fail to acquire adequate
replacement computers.
• Some computer manufacturers offer guaranteed
replacement insurance for a specific range of
disasters. The insurance is priced per server, and
includes a service level agreement that specifies the
replacement time. All forms of relevant insurance
should be analyzed by the BCP team.
Telecommunication Management
• Ensures the availability of electronic communications
during a disaster
• Often one of the first processes to fail during a
disaster
• Wired circuits such as T1s, T3s, frame relay, etc.,
need to be specifically addressed
• Power can be provided by generator if necessary.
Utility Management
• Utility management addresses the availability of utilities such as
power, water, gas, etc. during a disaster
• The utility management plan should address all utilities required
by business operations, including power, heating, cooling, and
water.
• Specific sections should address the unavailability of any
required utility.
Recovery options
• Once an organization has determined its maximum tolerable
downtime, the choice of recovery options can be determined. For
example, a 10-day MTD indicates that a cold site may be a
reasonable option. An MTD of a few hours indicates that a
redundant site or hot site is a potential option.
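An added worked example (not from the slides or the course material) that puts the failure and recovery metrics above into code: the vendor-style MTBF extrapolation, MTD = RTO + WRT, RPO taken from the backup interval, and a recovery-site recommendation driven by MTD. The site thresholds are my assumption drawn from the slide examples (hours to hot/redundant, 1-3 days to warm, weeks to cold), and every figure is constructed.

```python
"""Worked example of the BCP/DRP failure and recovery metrics on the slides.
All numbers are constructed; the site-selection thresholds are an assumption
derived from the slide examples, not a standard."""
from dataclasses import dataclass

HOURS_PER_DAY = 24
HOURS_PER_WEEK = 7 * HOURS_PER_DAY


def mtbf_hours(units: int, days: int, failures: int) -> float:
    """Vendor-style MTBF extrapolation: unit-hours observed per failure.
    Slide example: 100 monitors x 14 days x 24 h/day, 1 failure -> 33,600 h."""
    if failures <= 0:
        raise ValueError("MTBF is undefined without at least one observed failure")
    return units * days * HOURS_PER_DAY / failures


def expected_failures(asset_count: int, period_hours: float, mtbf: float) -> float:
    """Expected failures across a fleet over a period; the figure the BCP/DRP
    team uses to size spares. With very few assets this estimate is unreliable."""
    return asset_count * period_hours / mtbf


def rpo_hours_from_backup_interval(backup_interval_hours: float) -> float:
    """RPO follows from the backup schedule: weekly backups mean up to a week
    of data can be lost (slide example: RPO = 1 week)."""
    return backup_interval_hours


@dataclass(frozen=True)
class RecoveryTargets:
    rto_hours: float  # systems recovery time: hardware/OS physically running
    wrt_hours: float  # work recovery time: configure, restore, validate
    rpo_hours: float  # maximum tolerable data loss, in hours of work

    @property
    def mtd_hours(self) -> float:
        """Slide formula: MTD = RTO + WRT."""
        return self.rto_hours + self.wrt_hours


def recovery_option(mtd_hours: float) -> str:
    """Map an MTD to the recovery-site options on the slides.
    Thresholds are an assumption built from the slide examples:
    under a day -> hot/redundant, up to a week -> warm, longer -> cold."""
    if mtd_hours < HOURS_PER_DAY:
        return "hot site or redundant site"
    if mtd_hours < HOURS_PER_WEEK:
        return "warm site"
    return "cold site"


def fits_mtd(targets: RecoveryTargets, business_mtd_hours: float) -> bool:
    """Check that the planned RTO + WRT does not exceed the MTD the BIA set."""
    return targets.mtd_hours <= business_mtd_hours


if __name__ == "__main__":
    print(f"vendor MTBF: {mtbf_hours(100, 14, 1):,.0f} hours per failure")
    # Constructed payroll system: 4 h to stand hardware up, 8 h to configure.
    payroll = RecoveryTargets(rto_hours=4, wrt_hours=8, rpo_hours=24)
    print(f"payroll MTD = {payroll.mtd_hours} h -> {recovery_option(payroll.mtd_hours)}")
    print(f"10-day MTD -> {recovery_option(10 * HOURS_PER_DAY)}")
    print(f"weekly backups -> RPO {rpo_hours_from_backup_interval(HOURS_PER_WEEK)} h")
```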
Redundant Site
• A redundant site is an exact production duplicate of a
system that has the capability to seamlessly operate
all necessary IT operations without loss of services to
the end user of the system.
• A redundant site receives data backups in real time so
that in the event of a disaster, the users of the system
have no loss of data.
• The most expensive recovery option
Hot Site
• A hot site is a location that an organization may relocate to
following a major disruption or disaster.
• It is a datacenter with a raised floor, power, utilities, computer
peripherals, and fully configured computers.
• Will have all necessary hardware and critical applications data
mirrored in real time.
• A hot site will have the capability to allow the organization to
resume critical operations within a very short period of time—
sometimes in less than an hour.
• Has all the same physical, technical, and administrative controls
implemented of the production site.
Warm Site
• Has some aspects of a hot site, for example, readily-
accessible hardware and connectivity, but it will have
to rely upon backup data in order to reconstitute a
system after a disruption.
• It is a datacenter with a raised floor, power, utilities,
computer peripherals, and fully configured computers.
• MTD of at least 1-3 days
• The longer the MTD is, the less expensive the
recovery solution will be.
Cold Site
• The least expensive recovery solution to implement.
• Does not include backup copies of data, nor does it contain any
immediately available hardware.
• Longest amount of time of all recovery solutions to implement
and restore critical IT services for the organization
• MTD—usually measured in weeks, not days.
• Typically a datacenter with a raised floor, power, utilities, and
physical security, but not much beyond that.
Reciprocal Agreement
• A bi-directional agreement between two organizations in which
one organization promises another organization that it can move
in and share space if it experiences a disaster.
• Documented in the form of a contract
• Also referred to as Mutual Aid Agreements (MAAs)
Mobile Site
• “datacenters on wheels”: towable trailers that contain racks of
computer equipment, as well as HVAC, fire suppression and
physical security.
• A good fit for disasters such as a datacenter flood
• Typically placed within the physical property lines, and are
protected by defenses such as fences, gates, and security
cameras
Subscription Services
• Some organizations outsource their BCP/DRP planning and/or
implementation by paying another company to perform those
services.
• Effectively transfers the risk to the insurer company.
• Based upon a simple insurance model, and companies such as
IBM have built profit models and offer services for customers
offering BCP/DRP insurance.
Related Plans
The Business Continuity Plan is an umbrella plan that contains other
plans:
• Disaster recovery plan
• Continuity of Operations Plan (COOP)
• Business Resumption/Recovery Plan (BRP)
• Continuity of Support Plan
• Cyber Incident Response Plan
• Occupant Emergency Plan (OEP)
• Crisis Management Plan (CMP)
Continuity of Operations Plan (COOP)
• Describes the procedures required to maintain operations during
a disaster
• Includes transfer of personnel to an alternate disaster recovery
site, and operations of that site.
Business Recovery Plan (BRP)
• Also known as the Business Resumption Plan
• Details the steps required to restore normal business operations
after recovering from a disruptive event
• May include switching operations from an alternate site back to a
(repaired) primary site.
• Picks up when the COOP is complete
• Narrow and focused: the BRP is sometimes included as an
appendix to the Business Continuity Plan
Continuity of Support Plan
• Focuses narrowly on support of specific IT systems and
applications
• Also called the IT Contingency Plan, emphasizing IT over general
business support
Cyber Incident Response Plan
• Designed to respond to disruptive cyber events, including
network-based attacks, worms, computer viruses, Trojan horses,
etc.
Occupant Emergency Plan (OEP)
• Provides the “response procedures for occupants of a facility in
the event of a situation posing a potential threat to the health and
safety of personnel, the environment, or property. Such events
would include a fire, hurricane, criminal attack, or a medical
emergency.”
• Facilities-focused, as opposed to business or IT-focused.
• Focused on safety and evacuation, and should describe specific
safety drills, including evacuation drills (also known as fire drills)
• Specific safety roles should be described, including safety
warden and meeting point leader
Crisis Management Plan (CMP)
• Designed to provide coordination among the managers of the
organization in the event of an emergency or disruptive event
• Details the actions management must take to ensure that life and
safety of personnel and property are immediately protected in
case of a disaster
• Crisis Communications Plan
• Component of the Crisis Management Plan
• Sometimes called the communications plan
• A plan for communicating to staff and the public in the event of a
disruptive event
Call Trees
• Used to quickly communicate news throughout an
organization without overburdening any specific person
• Works by assigning each employee a small number of
other employees they are responsible for calling in an
emergency event
• Most effective when there is two-way reporting of
successful communication
• Should contain alternate contact methods, in case the
primary methods are unavailable
Automated Call Trees
• Automatically contact all BCP/DRP team members after a
disruptive event
• Tree can be activated by an authorized member, triggered by a
phone call, email, or Web transaction
• Once triggered, all BCP/DRP members are automatically
contacted
• Can require positive verification of receipt of a message, such as
“press 1 to acknowledge receipt.”
• Automated call trees are hosted offsite, and typically supported by
a third-party BCP/DRP provider
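An added example (not from the slides or the course material) that models the call tree behaviour described above: a small number of callees per person, alternate contact methods, two-way reporting of who confirmed receipt, and escalation when a branch of the tree cannot be reached. The tree, the contact methods and the outage scenario are all constructed.

```python
"""Activating a call tree with acknowledgement tracking.
The tree, contact methods and outage scenario below are constructed."""
from collections import deque
from typing import Dict, List, Set, Tuple

MAX_FANOUT = 3  # assumption: keep each person's calling load small

# Constructed call tree: caller -> the few people they are responsible for.
CALL_TREE: Dict[str, List[str]] = {
    "bcp_manager": ["ops_lead", "hr_lead", "pr_lead"],
    "ops_lead": ["dba", "netadmin"],
    "hr_lead": ["payroll"],
    "pr_lead": [],
    "dba": [],
    "netadmin": [],
    "payroll": [],
}

# Constructed contact records: primary method first, alternate after it.
CONTACTS: Dict[str, List[str]] = {name: ["desk", "mobile"] for name in CALL_TREE}

# Constructed outage: only these (person, method) pairs get through;
# ops_lead and netadmin answer nothing at all.
OUTAGE_ANSWERING: Set[Tuple[str, str]] = {
    ("hr_lead", "mobile"), ("pr_lead", "desk"), ("dba", "mobile"), ("payroll", "desk"),
}


def validate_tree(tree: Dict[str, List[str]], root: str) -> List[str]:
    """Structural checks before an emergency: fan-out too large, a person
    listed under more than one caller, or a person not reachable from the root."""
    problems: List[str] = []
    seen: Set[str] = set()
    for caller, callees in tree.items():
        if len(callees) > MAX_FANOUT:
            problems.append(f"{caller} must call {len(callees)} people (max {MAX_FANOUT})")
        for callee in callees:
            if callee in seen:
                problems.append(f"{callee} appears under more than one caller")
            seen.add(callee)
    reachable = {root}
    queue = deque([root])
    while queue:
        for callee in tree.get(queue.popleft(), []):
            if callee not in reachable:
                reachable.add(callee)
                queue.append(callee)
    problems.extend(f"{p} is not reachable from {root}" for p in tree if p not in reachable)
    return problems


def activate(tree: Dict[str, List[str]], contacts: Dict[str, List[str]],
             answering: Set[Tuple[str, str]], root: str,
             ) -> Tuple[Dict[str, str], List[str], List[Tuple[str, str]]]:
    """Walk the tree from the root. Each caller tries a callee's contact methods
    in order (primary, then alternates). `reached` is the two-way report back to
    the central team: who confirmed and on which method. A callee nobody can
    reach has their own callees reassigned to the caller, so the branch below
    an unreachable person is not silently dropped."""
    reached: Dict[str, str] = {root: "initiated"}
    unreached: List[str] = []
    reassigned: List[Tuple[str, str]] = []
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        to_call = list(tree.get(caller, []))
        while to_call:
            callee = to_call.pop(0)
            method = next((m for m in contacts.get(callee, []) if (callee, m) in answering), None)
            if method is None:
                unreached.append(callee)
                for orphan in tree.get(callee, []):  # escalation: caller takes over
                    reassigned.append((orphan, caller))
                    to_call.append(orphan)
            else:
                reached[callee] = method
                queue.append(callee)
    return reached, unreached, reassigned


if __name__ == "__main__":
    print("tree problems:", validate_tree(CALL_TREE, "bcp_manager") or "none")
    reached, unreached, reassigned = activate(CALL_TREE, CONTACTS, OUTAGE_ANSWERING, "bcp_manager")
    print("confirmed:", reached)
    print("needs another contact method:", unreached)
    print("branches reassigned:", reassigned)
```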
Emergency Operations Center (EOC)
• The command post established during or just after an emergency
event
• Placement of the EOC will depend on resources that are available
Vital Records
• Should be stored offsite, at a location and in a format that will
allow access during a disaster
• Have both electronic and hardcopy versions of all vital records
• Include contact information for all critical staff. Additional vital
records include licensing information, support contracts, service
level agreements, reciprocal agreements, telecom circuit IDs, etc.
Please try to catch up in your reading.
• We left off on page 411 in the book.
• Monday (5/20) we’ll start again with “Executive Succession
Planning”
• Come with questions!
• CATCH UP ON READING!
Have a great evening, talk to you Monday!
WE MADE IT THROUGH CLASS 10!
Not the most exciting, but important nonetheless.

2019 FRSecure CISSP Mentor Program: Class Ten

QUIZ…
Questions, questions, questions…
3. What type of penetration test will result in the most efficient use of
time and hourly consultant expenses?
A. Automated knowledge
B. Full knowledge
C. Partial Knowledge
D. Zero Knowledge
4. What term describes a holistic approach for determining the
effectiveness of access control, and has a broad scope?
A. Security assessment
B. Security audit
C. Penetration test
D. Vulnerability assessment
5. What term describes a black-box testing method that seeks to identify
and test all unique combinations of software inputs?
A. Combinatorial software testing
B. Dynamic testing
C. Misuse case testing
D. Static Testing
6. What term describes a no-tech or low-tech method that uses the human
mind to bypass security controls?
A. Fuzzing
B. Social engineering
C. War dialing
D. Zero-knowledge test
  • 15. CISSP® MENTOR PROGRAM – SESSION TEN 14 LET’S DO THIS! Where we left off, we had just talked about incident management/response… Page 363 starts the new stuff.
  • 16. Incident Response Management – Methodology 2. Detection (aka Identification) • What are all of the inputs into my incident response process? • Events  Incidents 3. Response (aka Containment) • Step-by-step, depending upon classification & severity • Forensic response? Protection of evidence, while containing damage • Start root cause analysis CISSP® MENTOR PROGRAM – SESSION TEN 15 LECTURE Domain #7: Security Operations
  • 17. Incident Response Management – Methodology 4. Mitigation (aka Eradication) • Root cause analysis completed (mostly/hopefully) • Get rid of the bad things 5. Reporting • Actually not really a step (happens throughout) • More formal here; include incident responders (technical and non-technical) CISSP® MENTOR PROGRAM – SESSION TEN 16 LECTURE Domain #7: Security Operations
  • 18. Incident Response Management – Methodology 6. Recovery • Restore systems and operations • Increase monitoring 7. Remediation – broader in context 8. Lessons Learned (aka Post-incident Activity, Post Mortem, or Reporting) – there’s always lessons CISSP® MENTOR PROGRAM – SESSION TEN 17 LECTURE Domain #7: Security Operations
  • 19. Operational Preventive And Detective Controls • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) • True Positive: Conficker worm is spreading on a trusted network, and NIDS alerts • True Negative: User surfs the Web to an allowed site, and NIDS is silent • False Positive: User surfs the Web to an allowed site, and NIDS alerts • False Negative: Conficker worm is spreading on a trusted network, and NIDS is silent CISSP® MENTOR PROGRAM – SESSION TEN 18 LECTURE Domain #7: Security Operations
  • 20. Operational Preventive And Detective Controls • NIDS, NIPS, HIDS, and HIPS (detection types) • Pattern Matching • Protocol Behavior • Anomaly Detection • Security Information and Event Management (SIEM) • Continuous Monitoring • Data Loss Prevention (network & host) CISSP® MENTOR PROGRAM – SESSION TEN 19 LECTURE Domain #7: Security Operations
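As an added example (not from the slides or the instructors), the Python below runs two of the detection types just listed, a pattern-matching rule set and an anomaly rule, over a constructed batch of network events and scores each event as a true positive, false positive, true negative or false negative against analyst ground truth. The events, the signatures and the "three distinct hosts on port 445" threshold are all assumptions made for the demo. What it shows is that the worm-style sweep is caught by the anomaly rule even though no signature knows it, that an over-broad signature is where the false positive comes from, and that an attacker using stolen credentials is the false negative neither detector can see.

```python
import re
from collections import Counter, defaultdict

# Constructed sample traffic (not from the slides). Each event is
# (source_ip, destination, dest_port, payload_summary, is_malicious);
# the last field is analyst ground truth that the detectors never see.
SAMPLE_EVENTS = [
    ("10.0.0.5", "intranet.example", 80,  "GET /index.html",            False),
    ("10.0.0.5", "intranet.example", 80,  "GET /select-language.html",  False),  # benign, trips a crude rule
    ("10.0.0.9", "10.0.0.12",        445, "SMB session setup",          True),   # worm sweeping the subnet
    ("10.0.0.9", "10.0.0.13",        445, "SMB session setup",          True),
    ("10.0.0.9", "10.0.0.14",        445, "SMB session setup",          True),
    ("10.0.0.9", "10.0.0.15",        445, "SMB session setup",          True),
    ("10.0.0.7", "intranet.example", 80,  "GET /search?q=' OR 1=1 --",  True),   # SQL injection probe
    ("10.0.0.3", "10.0.0.20",        22,  "SSH login",                  True),   # stolen credentials, looks normal
    ("10.0.0.4", "10.0.0.21",        445, "SMB session setup",          False),  # an admin copying one file
]

# Pattern matching: a NIDS-style signature list. The second rule is deliberately
# too broad so that the example produces a false positive.
SIGNATURES = [
    re.compile(r"'\s*OR\s+1=1", re.IGNORECASE),
    re.compile(r"select", re.IGNORECASE),
]


def signature_alerts(events):
    """Indices of events whose payload matches any signature."""
    return {i for i, (_, _, _, payload, _) in enumerate(events)
            if any(sig.search(payload) for sig in SIGNATURES)}


def anomaly_alerts(events, port=445, threshold=3):
    """Indices of events from a source that contacted >= threshold distinct hosts
    on `port`; one host talking to many peers on 445 looks like worm propagation."""
    targets = defaultdict(set)
    for src, dst, dport, _, _ in events:
        if dport == port:
            targets[src].add(dst)
    noisy = {src for src, dsts in targets.items() if len(dsts) >= threshold}
    return {i for i, (src, _, dport, _, _) in enumerate(events)
            if dport == port and src in noisy}


def classify(events):
    """Score every event as TP/FP/TN/FN by comparing the alert set with ground truth."""
    alerts = signature_alerts(events) | anomaly_alerts(events)
    outcomes = Counter()
    for i, event in enumerate(events):
        alerted, malicious = i in alerts, event[-1]
        if alerted and malicious:
            outcomes["true_positive"] += 1
        elif alerted:
            outcomes["false_positive"] += 1
        elif malicious:
            outcomes["false_negative"] += 1
        else:
            outcomes["true_negative"] += 1
    return outcomes


if __name__ == "__main__":
    for name, count in sorted(classify(SAMPLE_EVENTS).items()):
        print(f"{name:15s} {count}")
```

Tuning is the whole job here: lowering the anomaly threshold to 1 would also flag the admin's single SMB session (a new false positive), and removing the broad `select` rule removes the false positive but gains nothing against the SSH login, which only an identity-aware control would catch.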
Operational Preventive and Detective Controls
Continuous Monitoring
• Assessing and reassessing as ongoing processes
• A modern improvement to legacy Certification and Accreditation
Data Loss Prevention (DLP)
• Class of solutions used to detect and/or prevent data from leaving the organization
• Host-based, network-based, and application-based DLP solutions
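As an added example, not part of the deck: a minimal network-DLP style content check in Python. It looks for 13 to 19 digit runs in outbound text and blocks only when the digits pass the Luhn check, which is why the constructed order reference is allowed through even though it is 16 digits long. The sample messages and the masking format are constructed for this example; a real DLP product does far more (file types, encodings, policy tiers, endpoint agents), but the Luhn step is the part that keeps false positives down.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the BIN and last four so an analyst can triage without re-exposing the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def inspect_outbound(message: str):
    """Return ("block", [masked PANs]) if the message carries a Luhn-valid card number,
    otherwise ("allow", [])."""
    found = []
    for m in PAN_CANDIDATE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(mask(digits))
    return ("block", found) if found else ("allow", [])


# Constructed outbound messages for the demo (the first uses a well-known test PAN).
SAMPLE_MESSAGES = [
    "Invoice paid with card 4111 1111 1111 1111, thanks",  # valid PAN -> block
    "Order ref 1234567812345678 confirmed",                # 16 digits but fails Luhn -> allow
    "Call me at 555-0100 about the contract",              # too short to be a PAN -> allow
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(inspect_outbound(msg), "<-", msg)
```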
Operational Preventive and Detective Controls
Endpoint Security
• HIDS/HIPS
• Antivirus
• Application Whitelisting
• Removable Media Controls
• Disk Encryption
• Privileged Access
Most effective on the list

Honeypots
• System designed to attract attackers. CAREFUL: enticement vs. entrapment.
• Learn (or research) attack methods.
• Low-interaction (simulate systems) and high-interaction (actual systems) honeypots.
Honeynets – a real or simulated network of honeypots.

Asset Management (Configuration Management)
The goal is to move beyond the default system configuration to one that is both hardened and meets the operational requirements of the organization.
• Hardened baseline configurations
• Center for Internet Security (see: http://www.cisecurity.org/)
• Disabling unnecessary services, removing extraneous programs, enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems, and the configuration of security and audit logs
Basic Principles of Security
1. You can't secure things if you don't know you have them (Asset Management).
2. You can't secure the things you can't control (Configuration Management, Change Control, Access Control, etc.)

Baselining
• The process of capturing a point-in-time understanding of the current system security configuration
• Helpful in responding to a potential security incident
• Continual baselining is important
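An added example of why a captured baseline matters during an incident (this code is mine, not the instructors' or any product's): the Python below fingerprints a host snapshot (SHA-256 per file, plus the set of running services and listening ports) and diffs a later snapshot against the golden baseline. Both snapshots are constructed dictionaries rather than a live host; on a real system the `files` dictionary would be filled from disk and the services and ports from the OS, but the comparison logic is the same. The drift report reads like the start of an incident timeline: root login re-enabled, a UID 0 account added, a script dropped in /tmp, telnet turned on.

```python
import hashlib


def fingerprint(snapshot):
    """Reduce a host snapshot to comparable values: SHA-256 per file, sets for services and ports."""
    return {
        "files": {path: hashlib.sha256(content).hexdigest()
                  for path, content in snapshot["files"].items()},
        "services": set(snapshot["services"]),
        "ports": set(snapshot["ports"]),
    }


def drift(baseline, current):
    """List (finding, item) pairs describing how `current` departs from `baseline`."""
    b, c = fingerprint(baseline), fingerprint(current)
    findings = []
    for path in sorted(set(b["files"]) | set(c["files"])):
        if path not in c["files"]:
            findings.append(("file_removed", path))
        elif path not in b["files"]:
            findings.append(("file_added", path))
        elif b["files"][path] != c["files"][path]:
            findings.append(("file_modified", path))
    findings += [("service_added", s) for s in sorted(c["services"] - b["services"])]
    findings += [("service_removed", s) for s in sorted(b["services"] - c["services"])]
    findings += [("port_opened", p) for p in sorted(c["ports"] - b["ports"])]
    findings += [("port_closed", p) for p in sorted(b["ports"] - c["ports"])]
    return findings


# Constructed snapshots: the golden baseline captured after hardening, and the
# same host as seen while responding to a suspected compromise.
BASELINE = {
    "files": {
        "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    },
    "services": ["sshd", "cron"],
    "ports": [22],
}
DURING_INCIDENT = {
    "files": {
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication yes\n",
        "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nsupport:x:0:0::/root:/bin/bash\n",
        "/tmp/.x/run.sh": b"#!/bin/sh\n",
    },
    "services": ["sshd", "cron", "telnetd"],
    "ports": [22, 23],
}

if __name__ == "__main__":
    for finding, item in drift(BASELINE, DURING_INCIDENT):
        print(f"{finding:17s} {item}")
```

Store the baseline fingerprint (the hashes, not the file contents) somewhere the host cannot overwrite; a baseline that lives on the compromised box is only as trustworthy as the box.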
Asset Management (Configuration Management)
Vulnerability Management
• Vulnerability scanning is a way to discover poor configurations and missing patches in an environment
• The term vulnerability management, rather than just vulnerability scanning, emphasizes the need to manage the vulnerability information
• Prioritization and remediation of the vulnerabilities

Section 12.6 of ISO/IEC 27002:2013 provides guidance on technical vulnerability management. A vulnerability management process should be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness. Vulnerability management starts with asset management: the information required to support systems technically includes tracking operating system software, version numbers, lists of installed software, and the person or persons responsible for maintaining the systems. Additionally, the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required.

Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching vulnerable systems and/or applying other controls. Depending on how urgently a technical vulnerability needs to be addressed, the action should be carried out according to the controls related to change management or by following information security incident response procedures. Critical-risk and high-risk systems should be addressed first. Patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered. The technical vulnerability management process should be regularly monitored and evaluated to ensure its effectiveness and efficiency.
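An added example (my code, not the course's or ISO's) of the "management" half of vulnerability management: scanner findings joined to the asset inventory, scored by CVSS weighted with business context, sorted into a remediation queue with a deadline, and routed to either "patch" or "compensating control" depending on whether a patch exists. The assets, findings, vulnerability identifiers (EXAMPLE-000n, not real CVEs), multipliers and SLA bands are all assumptions for the demo. Note what happens to the finding on a host the inventory does not know about: it cannot be scored at all, which is the first principle from the previous slide showing up in practice.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    owner: str
    criticality: int        # 1 (low) .. 3 (high), from the asset inventory
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str            # hypothetical identifiers for the demo, not real CVEs
    cvss: float
    exploit_public: bool
    patch_available: bool


def risk_score(f: Finding, a: Asset) -> float:
    """CVSS weighted by business context. The multipliers are an assumption for this example."""
    score = f.cvss * a.criticality
    if a.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    return round(score, 1)


def sla_days(score: float) -> int:
    """Remediation deadline by score band (hypothetical policy)."""
    if score >= 20:
        return 7
    if score >= 10:
        return 30
    return 90


def prioritize(findings, assets):
    """Return (queue, untracked). The queue is sorted most urgent first; `untracked` lists hosts
    that appear in scan output but not in inventory, which is itself a finding."""
    queue, untracked = [], []
    for f in findings:
        a = assets.get(f.hostname)
        if a is None:
            untracked.append(f.hostname)
            continue
        score = risk_score(f, a)
        queue.append({
            "host": f.hostname, "vuln": f.vuln_id, "owner": a.owner, "score": score,
            "sla_days": sla_days(score),
            "action": "patch" if f.patch_available else "compensating control",
        })
    queue.sort(key=lambda r: r["score"], reverse=True)
    return queue, sorted(set(untracked))


# Constructed inventory and scan results.
ASSETS = {a.hostname: a for a in [
    Asset("web01", "web-team", 3, True),
    Asset("db01", "dba-team", 3, False),
    Asset("kiosk07", "facilities", 1, False),
]}
FINDINGS = [
    Finding("web01", "EXAMPLE-0001", 7.5, True, True),
    Finding("db01", "EXAMPLE-0002", 9.8, False, True),
    Finding("kiosk07", "EXAMPLE-0003", 9.8, True, True),
    Finding("db01", "EXAMPLE-0004", 5.3, False, False),
    Finding("lab-vm-3", "EXAMPLE-0005", 6.1, False, True),   # not in inventory
]

if __name__ == "__main__":
    queue, untracked = prioritize(FINDINGS, ASSETS)
    for row in queue:
        print(row)
    print("not in inventory:", untracked)
```

The ordering is the point: a CVSS 7.5 on an exposed, critical web server with a public exploit outranks a CVSS 9.8 on an internal kiosk, and the unpatchable database finding still gets a dated action rather than falling off the list.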
Asset Management (Configuration Management)
Zero-Day Vulnerabilities and Zero-Day Exploits
• The average window of time between a patch being released and an associated exploit being made public is decreasing
• Recent research even suggests that for some vulnerabilities, an exploit can be created within minutes based simply on the availability of the unpatched and patched program (patch diffing)
• The term for a vulnerability being known before a patch (or workaround) exists is zero-day vulnerability
• A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability which has yet to be patched

Change Management
• A system that does not change will become less secure over time
• Not an exact science; every organization will be a little different
• The general flow of the change management process includes:
• Identifying a change
• Proposing a change
• Assessing the risk associated with the change
• Testing the change (including a backout plan)
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation
• Changes must be closely tracked and auditable

Continuity of Operations
Service Level Agreements (SLA)
• Critical where organizations have external entities perform critical services or host significant assets and applications
• Goal is to stipulate all expectations regarding the behavior of the department or organization that is responsible for providing services, and the quality of the services provided
• Availability is usually the most critical security consideration of a service level agreement
• Organizations must negotiate all security terms of a service level agreement prior to engaging with the company
• Cloud computing

Fault Tolerance
Backup
• Recoverability in the event of a failure
• Magnetic tape media is old technology, but is still the most common repository of backup data
• Three basic types of backups exist: full, incremental, and differential
Full backup – a replica of all allocated data on a hard disk
• The most costly in terms of media and time to back up
• Often coupled with either incremental or differential backups to balance the time and media considerations
Incremental backup – archives only files that have changed since the last backup of any kind
• The most recent full backup and each and every incremental backup since that full backup are required to initiate a recovery
• Time to perform each incremental backup is short; the downside is that a full restore can require many tapes, especially if full backups are performed infrequently
• The odds of a failed restoration due to a tape integrity issue (such as a broken tape) rise with each additional tape required
Differential backup – backs up any files that have changed since the last full backup
• Only the most recent full backup and the most recent differential backup are required to initiate a full recovery
• As more time passes since the last full backup, the time to perform each differential backup also increases
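The trade-off between incremental and differential backups is easiest to see by simulating both against the same week of changes, so here is an added example (not from the slides) in Python. It runs a full backup on day 0 and then a daily incremental or differential, records what each backup set contains, computes which sets a restore needs, and replays the chain to prove the restore is correct. The file set and the edit schedule are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupSet:
    day: int
    kind: str        # "full", "incremental" or "differential"
    contents: dict   # file -> version, where version is the day the file was last modified


def run_schedule(files, changes, days, kind):
    """Day 0 is a full backup; every later day runs a backup of `kind`.
    `changes` maps day -> files modified that day (applied before that day's backup runs)."""
    state = {f: 0 for f in files}
    backups, last_full, last_any = [], 0, 0
    for day in range(days + 1):
        for f in changes.get(day, ()):
            state[f] = day
        if day == 0 or kind == "full":
            this_kind, contents = "full", dict(state)
        else:
            # incremental: changed since the last backup of any kind
            # differential: changed since the last full backup
            cutoff = last_any if kind == "incremental" else last_full
            this_kind, contents = kind, {f: v for f, v in state.items() if v > cutoff}
        backups.append(BackupSet(day, this_kind, contents))
        last_any = day
        if this_kind == "full":
            last_full = day
    return backups


def restore_chain(backups, day):
    """The backup sets that must all be readable to restore the state as of `day`."""
    eligible = [b for b in backups if b.day <= day]
    newest = eligible[-1]
    if newest.kind == "full":
        return [newest]
    full_idx = max(i for i, b in enumerate(eligible) if b.kind == "full")
    if newest.kind == "differential":
        return [eligible[full_idx], newest]    # always two sets, however long since the full
    return eligible[full_idx:]                  # the full plus every incremental after it


def restore(backups, day):
    """Replay the chain oldest first; later sets overwrite earlier file versions."""
    state = {}
    for b in restore_chain(backups, day):
        state.update(b.contents)
    return state


def media_units(backups):
    """Total file copies written across the schedule (a proxy for tape consumed)."""
    return sum(len(b.contents) for b in backups)


# Constructed workload: four files and a week of edits.
FILES = ["a", "b", "c", "d"]
CHANGES = {1: ["a"], 2: ["b"], 3: ["a", "c"], 5: ["d"], 6: ["b"]}

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets = run_schedule(FILES, CHANGES, 6, kind)
        print(f"{kind}: {media_units(sets)} file copies written, "
              f"{len(restore_chain(sets, 6))} sets needed to restore day 6")
```

After six days the incremental schedule has written 10 file copies but needs all seven sets (one bad tape anywhere in the chain breaks the restore), while the differential schedule has written 21 copies and needs only two.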
Fault Tolerance – Redundant Array of Inexpensive Disks (RAID)
• Mitigates the risk associated with hard disk failures
Three terms that are important to understand with respect to RAID are mirroring, striping, and parity
• Mirroring – used to achieve full data redundancy by writing the same data to multiple hard disks
• Write times are slower (every write goes to each disk)
• Read times are faster
• Most costly in terms of disk usage: at least half of the drives are used for redundancy
• Striping – increases read and write performance by spreading data across multiple hard disks
• Reads and writes can be performed in parallel across multiple disks rather than serially on one disk
• Parallelization provides a performance increase, but does not by itself aid in data redundancy
• Parity – achieves data redundancy without incurring the same degree of cost as mirroring in terms of disk usage and write performance

RAID 0: Striped Set
• Striping to increase the performance of reads and writes
• No data redundancy: a poor choice if recovery of data is the reason for leveraging RAID
RAID 1: Mirrored Set
• Creates/writes an exact duplicate of all data to an additional disk
• Write performance is decreased
• Read performance can increase
• Highest disk cost
RAID 2: Hamming Code
• Not considered commercially viable for hard disks and is not used
• Requires either 14 or 39 hard disks and a specially designed hardware controller
• Cost prohibitive
• RAID 2 is not likely to be tested
RAID 3: Striped Set with Dedicated Parity (byte level)
• Data, at the byte level, is striped across multiple disks
• An additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure
RAID 4: Striped Set with Dedicated Parity (block level)
• Exact same configuration and functionality as RAID 3, but stripes data at the block, rather than byte, level
• Employs a dedicated parity drive rather than having parity data distributed amongst all disks, as in RAID 5
RAID 5: Striped Set with Distributed Parity
• One of the most popular RAID configurations
• Leverages block-level striping
• Writes parity information that is used for recovery purposes
• Distributes the parity information across all disks
• Disk cost for redundancy is lower than that of a mirrored set
• Support for both hardware- and software-based implementations
• Allows for data recovery in the event that any one disk fails
RAID 6: Striped Set with Dual Distributed Parity
• Can tolerate the failure of two drives and still function
• Redundancy comes from two independent parity blocks per stripe (commonly called P and Q), distributed across the disks; writing the same single parity block to two disks would not survive two data-disk failures
RAID 1+0 or RAID 10
• Example of what is known as nested RAID or multi-RAID (one standard RAID level is encapsulated within another)
• Configuration is a striped set of mirrors
NOTE: There are many and varied RAID configurations which are simply combinations of the standard RAID levels. Nested RAID solutions are becoming increasingly common with larger arrays of disks that require a high degree of both reliability and speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and (1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100, respectively.
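An added example (mine, not the instructors') showing what "parity" actually is: RAID 5 on a handful of byte strings in Python. The data is striped one chunk per disk, each stripe's parity chunk is the XOR of its data chunks, and the parity position rotates so that no single disk is the parity disk. The interesting property is that XOR is its own inverse: whichever disk is lost, XOR-ing the surviving chunks in each stripe reproduces the missing one, data or parity alike. Disk count, chunk size and the sample bytes are assumptions for the demo; RAID 6's second parity needs a different (Reed-Solomon style) computation and is not reproduced here.

```python
def xor_all(chunks):
    """Bytewise XOR of equal-length chunks; this is the whole of RAID 5 parity."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, ndisks: int = 3, chunk_size: int = 4):
    """Stripe `data` across `ndisks`, one chunk per disk per stripe, with the parity chunk
    placed on a different disk each stripe (left-symmetric rotation)."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = ndisks - 1                      # data chunks per stripe; the other one is parity
    stripe_bytes = per_stripe * chunk_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        stripe = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        pieces = [stripe[i:i + chunk_size] for i in range(0, stripe_bytes, chunk_size)]
        parity_disk = (ndisks - 1 - s) % ndisks
        parity = xor_all(pieces)
        remaining = iter(pieces)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def raid5_rebuild(disks, failed: int):
    """Recreate the failed disk: the XOR of the surviving chunks in each stripe is the missing
    chunk, whether it held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_all([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def raid5_read(disks, length: int) -> bytes:
    """Reassemble the data, skipping each stripe's parity chunk and the padding."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (ndisks - 1 - s) % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def degrade_and_recover(data: bytes, ndisks: int, chunk_size: int, failed: int) -> bytes:
    """Write, lose one disk entirely, rebuild it from the survivors, and read everything back."""
    disks = raid5_write(data, ndisks, chunk_size)
    disks[failed] = None                          # the drive is gone
    disks[failed] = raid5_rebuild(disks, failed)
    return raid5_read(disks, len(data))


if __name__ == "__main__":
    sample = b"striped set with distributed parity"   # constructed sample data
    for failed in range(4):
        ok = degrade_and_recover(sample, 4, 4, failed) == sample
        print(f"4 disks, disk {failed} lost: recovered={ok}")
```

Two caveats the slide's "any one disk" hides: a second failure during the rebuild (or an unreadable sector on a survivor) loses the stripe, which is the motivation for RAID 6, and parity only protects against disk failure, not against a bad write or ransomware, which it faithfully replicates into the parity.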
  • 53. Fault Tolerance - System Redundancy Redundant Hardware • Built-in redundancy (power supplies, disk controllers, and NICs are most common) • An inventory of spare modules to service the entire datacenter's servers would be less expensive than having all servers configured with an installed redundant power supply Redundant Systems • Entire systems available in inventory to serve as a means to recover • Have an SLA with hardware manufacturers to be able to quickly procure replacement equipment in a timely fashion CISSP® MENTOR PROGRAM – SESSION TEN 52 LECTURE Domain #7: Security Operations
  • 54. BCP and DRP Overview and Process (used to be Domain by itself) Unique terms and definitions • Business Continuity Plan (BCP)—a long-term plan to ensure the continuity of business operations • Continuity of Operations Plan (COOP)—a plan to maintain operations during a disaster. • Disaster—any disruptive event that interrupts normal system operations • Disaster Recovery Plan (DRP)—a short-term plan to recover from a disruptive event • Mean Time Between Failures (MTBF)—quantifies how long a new or repaired system will run on average before failing • Mean Time to Repair (MTTR)—describes how long it will take to recover a failed system. CISSP® MENTOR PROGRAM – SESSION TEN 53 LECTURE Domain #7: Security Operations
  • 55. BCP and DRP Overview and Process Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines Business Continuity Planning (BCP) • Goal of a BCP is for ensuring that the business will continue to operate before, throughout, and after a disaster event is experienced • Focus of a BCP is on the business as a whole • Business Continuity Planning provides a long-term strategy • Takes into account items such as people, vital records, and processes in addition to critical systems CISSP® MENTOR PROGRAM – SESSION TEN 54 LECTURE Domain #7: Security Operations
  • 56. BCP and DRP Overview and Process Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines Disaster Recovery Planning (DRP) • Disaster Recovery Plan is more tactical in its approach • Short-term plan for dealing with specific IT-oriented disruptions • Provides a means for immediate response to disasters • Does not focus on long-term business impact CISSP® MENTOR PROGRAM – SESSION TEN 55 LECTURE Domain #7: Security Operations
  • 57. BCP and DRP Overview and Process Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines Relationship between BCP and DRP • Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan • Two plans, which have different scopes, are intertwined • Disaster Recovery Plan serves as a subset of the overall Business Continuity Plan • NIST Special Publication 800-34, provides a visual means for understanding the interrelatedness of a BCP and a DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others. CISSP® MENTOR PROGRAM – SESSION TEN 56 LECTURE Domain #7: Security Operations
  • 58. BCP and DRP Overview and Process Business Continuity Planning and Disaster Recovery Planning are two very distinct disciplines Relationship between BCP and DRP • Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan • Two plans, which have different scopes, are intertwined • Disaster Recovery Plan serves as a subset of the overall Business Continuity Plan • NIST Special Publication 800-34, provides a visual means for understanding the interrelatedness of a BCP and a DRP, as well as Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others. CISSP® MENTOR PROGRAM – SESSION TEN 57 LECTURE Domain #7: Security Operations
  • 59. Disasters or Disruptive Events Classifications of disasters • Three common ways of categorizing the causes for disasters are as to whether the threat agent is natural, human, or environmental in nature • Natural—the most obvious type of threat that can result in a disaster are naturally occurring. This category includes such threats as earthquakes, hurricanes, tornadoes, floods, and some types of fires (closely related to geographical location) • Human—the human category of threats represents the most common source of disasters. Human threats can be further classified as to whether they constitute an intentional or unintentional threat • Examples of human-intentional threats include terrorists, malware, rogue insider, Denial of Service, hacktivism, phishing, social engineering, etc. • Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person through lack of knowledge, laziness, or carelessness served as a source of disruption • Environmental—focused on environment as it pertains to the information systems or datacenter. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, application or software flaws • Analysis of threats and associated likelihoods is an important part of the BCP and DRP process CISSP® MENTOR PROGRAM – SESSION TEN 58 LECTURE Domain #7: Security Operations
  • 60. Disasters or Disruptive Events Classifications of disasters • Three common ways of categorizing the causes for disasters are as to whether the threat agent is natural, human, or environmental in nature • Natural—the most obvious type of threat that can result in a disaster are naturally occurring. This category includes such threats as earthquakes, hurricanes, tornadoes, floods, and some types of fires (closely related to geographical location) • Human—the human category of threats represents the most common source of disasters. Human threats can be further classified as to whether they constitute an intentional or unintentional threat • Examples of human-intentional threats include terrorists, malware, rogue insider, Denial of Service, hacktivism, phishing, social engineering, etc. • Examples of human-unintentional threats are primarily those that involve inadvertent errors and omissions, in which the person through lack of knowledge, laziness, or carelessness served as a source of disruption • Environmental—focused on environment as it pertains to the information systems or datacenter. This class of threat includes items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, application or software flaws • Analysis of threats and associated likelihoods is an important part of the BCP and DRP process CISSP® MENTOR PROGRAM – SESSION TEN 59 LECTURE Domain #7: Security Operations
  • 61. Disasters or Disruptive Events Errors and omissions • Typically considered the single most common source of disruptive events • Threat is inadvertently caused by humans, most often in the employ of the organization, who unintentionally serve as a source of harm • Data entry mistakes are an example of errors and omissions Natural Disasters • Include earthquakes, hurricanes, floods, tsunamis, etc. • Likelihood of natural threats occurring is largely based upon the geographical location of the organization's information systems or datacenters • Generally have a rather low likelihood of occurring • Impact can be severe CISSP® MENTOR PROGRAM – SESSION TEN 60 LECTURE Domain #7: Security Operations
  • 62. Disasters or Disruptive Events Errors and omissions • Typically considered the single most common source of disruptive events • Threat is inadvertently caused by humans, most often in the employ of the organization, who unintentionally serve as a source of harm • Data entry mistakes are an example of errors and omissions Natural Disasters • Include earthquakes, hurricanes, floods, tsunamis, etc. • Likelihood of natural threats occurring is largely based upon the geographical location of the organization's information systems or datacenters • Generally have a rather low likelihood of occurring • Impact can be severe CISSP® MENTOR PROGRAM – SESSION TEN 61 LECTURE Domain #7: Security Operations
  • 63. Disasters or Disruptive Events Electrical or power Problems • Much more common than natural disasters • Considered an environmental disaster • Uninterruptible power supplies (UPS) and/or backup generators Temperature and Humidity Failures • Critical controls that must be managed during a disaster • Increased server density can provide for significant heat issues • Mean Time Between Failures (MTBF) for electrical equipment will decrease if temperature and humidity levels are not within an tolerable range. CISSP® MENTOR PROGRAM – SESSION TEN 62 LECTURE Domain #7: Security Operations
  • 64. Disasters or Disruptive Events Warfare, terrorism, and sabotage • Human-intentional threats • Threat can vary dramatically based on geographic location, industry, brand value, as well as the interrelatedness with other high-value target organizations • Cyber-warfare • “Aurora” attacks (named after the word “Aurora,” which was found in a sample of malware used in the attacks). As the New York Times reported on 2/18/2010: “A series of online attacks on Google and dozens of other American corporations have been traced to computers at two educational institutions in China, including one with close ties to the Chinese military, say people involved in the investigation.” CISSP® MENTOR PROGRAM – SESSION TEN 63 LECTURE Domain #7: Security Operations
  • 65. Disasters or Disruptive Events Financially-motivated Attackers • Exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus anti-malware tools, or corporate espionage, etc. • Organized crime syndicates Personnel Shortages • Another significant source of disruption can come by means of having staff unavailable • Most organizations will have some critical processes that are people- dependent CISSP® MENTOR PROGRAM – SESSION TEN 64 LECTURE Domain #7: Security Operations
  • 66. Disasters or Disruptive Events Financially-motivated Attackers • Exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus anti-malware tools, or corporate espionage, etc. • Organized crime syndicates Personnel Shortages • Another significant source of disruption can come by means of having staff unavailable • Most organizations will have some critical processes that are people- dependent CISSP® MENTOR PROGRAM – SESSION TEN 65 LECTURE Domain #7: Security Operations
  • 67. Disasters or Disruptive Events Personnel Shortages • Pandemics and Disease • Major biological problems such as pandemic flu or highly communicable infectious disease outbreaks • A pandemic occurs when an infection spreads through an extremely large geographical area, while an epidemic is more localized • Strikes • Strikes usually are carried out in such a manner that the organization can plan for the occurrence • Most strikes are announced and planned in advance, which provides the organization with some lead time • Personnel Availability • Sudden separation from employment of a critical member of the workforce CISSP® MENTOR PROGRAM – SESSION TEN 66 LECTURE Domain #7: Security Operations
  • 68. Disasters or Disruptive Events Communications Failure • Increasing dependence of organizations on call centers, IP telephony, general Internet access, and providing services via the Internet • One of the most common disaster-causing events is telecommunications lines being inadvertently cut by someone digging where they are not supposed to NOTE: One of the eye-opening impacts of Hurricane Katrina was a rather significant outage of Internet2, which provides high-speed connectivity for education and research networks. Qwest, which provides the infrastructure for Internet2, suffered an outage in one of the major long-haul links that ran from Atlanta to Houston. Reportedly, the outage was due to lack of availability of fuel in the area. In addition to this outage, which impacted more than just those areas directly affected by the hurricane, there were substantial outages throughout Mississippi, which at its peak had more than a third of its public address space rendered unreachable. CISSP® MENTOR PROGRAM – SESSION TEN 67 LECTURE Domain #7: Security Operations
  • 69. The Disaster Recovery Process The general process of disaster recovery involves responding to the disruption; activation of the recovery team; ongoing tactical communication of the status of disaster and its associated recovery; further assessment of the damage caused by the disruptive event; and recovery of critical assets and processes in a manner consistent with the extent of the disaster. • Different organizations and experts alike might disagree about the number or names of phases in the process • Personnel safety remains the top priority CISSP® MENTOR PROGRAM – SESSION TEN 68 LECTURE Domain #7: Security Operations
• 70. The Disaster Recovery Process: Respond
  • Initial response begins the process of assessing the damage
  • Speed is essential (initial assessment)
  • The initial assessment will determine if the event in question constitutes a disaster
  • The initial response team should be mindful of assessing the facility's safety for continued personnel usage
  Activate Team
  • If during the initial response to a disruptive event a disaster is declared, then the team that will be responsible for recovery needs to be activated.
• 71. The Disaster Recovery Process: Communicate
  • Ensure that consistent, timely status updates are communicated back to the central team managing the response and recovery process
  • Communication often must occur out-of-band
  • The organization must also be prepared to provide external communications
  Assess
  • More detailed and thorough assessment
  • Assess the extent of the damage and determine the proper steps to ensure the organization's ability to meet its mission and Maximum Tolerable Downtime (MTD)
  • Team could recommend that the ultimate restoration or reconstitution occurs at the alternate site
• 72. The Disaster Recovery Process: Reconstitution
  • Successfully recover critical business operations either at the primary or secondary site
  • If an alternate site is leveraged, adequate safety and security controls must be in place in order to maintain the expected degree of security the organization typically employs
  • A salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster
• 73. Developing a BCP/DRP
  • High-level steps, according to NIST 800-34:
    • Project Initiation
    • Scope the Project
    • Business Impact Analysis
    • Identify Preventive Controls
    • Recovery Strategy
    • Plan Design and Development
    • Implementation, Training, and Testing
    • BCP/DRP Maintenance
  • NIST 800-34 is the National Institute of Standards and Technology Information Technology Contingency Planning Guide, which can be found at http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.
• 74. Project Initiation
  In order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones:
  1. Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
  2. Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
  3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
• 75. Project Initiation (continued)
  In order to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones:
  4. Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
  5. Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
  6. Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
  7. Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements.
• 76. Management Support
  “C”-level managers:
  • Must agree to any plan set forth
  • Must agree to support the action items listed in the plan if an emergency event occurs
  • Refers to people within an organization like the chief executive officer (CEO), the chief operating officer (COO), the chief information officer (CIO), and the chief financial officer (CFO)
  • Have enough power and authority to speak for the entire organization when dealing with outside media
  • High enough within the organization to commit resources
• 77. Other Roles: BCP/DRP Project Manager
  • Key Point of Contact for ensuring that a BCP/DRP is completed and routinely tested
  • Must be a good manager and leader in case there is an event that causes the BCP or DRP to be implemented
  • Point of Contact (POC) for every person within the organization during a crisis
  • Must be very organized
  • Credibility and enough authority within the organization to make important, critical decisions with regard to implementing the BCP/DRP
  • Does not need to have in-depth technical skills
• 78. Other Roles: Continuity Planning Project Team (CPPT)
  • Comprises those personnel that will have responsibilities if/when an emergency occurs
  • Made up of stakeholders within an organization
  • Focuses on identifying who needs to play a role if a specific emergency event were to occur
  • Includes people from the human resources section, public relations (PR), IT staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions
• 79. Scoping the Project
  • Define exactly what assets are protected by the plan, which emergency events the plan will be able to address, and determine the resources necessary to completely create and implement the plan
  • “What is in and out of scope for this plan?”
  • After receiving C-level approval and input from the rest of the organization, objectives and deliverables can be determined
• 80. Scoping the Project (continued)
  • Objectives are usually created as “if/then” statements
  • For example, “If there is a hurricane, then the organization will enact plan H—the Physical Relocation and Employee Safety Plan.” Plan H is unique to the organization but it does encompass all the BCP/DRP subplans required
  • An objective would be to create this plan and have it reviewed by all members of the organization by a specific date.
  • The objective will have a number of deliverables required to create and fully vet this plan: for example, draft documents, exercise planning meetings, table top preliminary exercises, etc.
• 81. Scoping the Project (continued)
  • Executive management must at least ensure that support is given for three BCP/DRP items:
    1. Executive management support is needed for initiating the plan.
    2. Executive management support is needed for final approval of the plan.
    3. Executive management must demonstrate due care and due diligence and be held liable under applicable laws/regulations.
• 82. Assessing the Critical State
  • Assessing the critical state can be difficult because determining which pieces of the IT infrastructure are critical depends solely on how each piece supports the users within the organization.
  • When compiling the critical state and asset list associated with it, the BCP/DRP project manager should note how the assets impact the organization in a section called the “Business Impact” section.
• 84. Conduct Business Impact Analysis (BIA)
  • Formal method for determining how a disruption to the IT system(s) of an organization will impact the organization
  • An analysis to identify and prioritize critical IT systems and components
  • Enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities
• 85. Conduct Business Impact Analysis (BIA) (continued)
  • Objective is to correlate the IT system components with the critical service each supports
  • Also aims to quantify the consequence of a disruption to the system component and how that will affect the organization
  • Determine the Maximum Tolerable Downtime (MTD) for a specific IT asset
  • Also provides information to improve business processes and efficiencies because it details all of the organization's policies and implementation efforts
  The BIA comprises two processes: identification of critical assets and a comprehensive risk assessment.
• 86. Conduct Business Impact Analysis (BIA) (continued)
  Identify Critical Assets
  • BIA and Critical State Asset List is conducted for every IT system within the organization, no matter how trivial or unimportant, leading to…
  • A list of those IT assets that are deemed business-essential by the organization
  Conduct BCP/DRP-focused Risk Assessment
  • Determines what risks are inherent to which IT assets
  • A vulnerability analysis is also conducted for each IT system and major application
• 88. Determine Maximum Tolerable Downtime
  • Describes the total time a system can be inoperable before an organization is severely impacted
  • It is also the maximum time it takes to execute the reconstitution phase
  • Comprises two metrics: Recovery Time Objective (RTO) and Work Recovery Time (WRT)
  Alternate terms for MTD
  • Depending on the business continuity framework that is used, other terms may be substituted for Maximum Tolerable Downtime. These include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO).
• 89. Failure and Recovery Metrics
  • Used to quantify how frequently systems fail, how long a system may exist in a failed state, and the maximum time to recover from failure.
  • These metrics include the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR).
• 90. Recovery Point Objective
  • The amount of data loss or system inaccessibility (measured in time) that an organization can withstand.
  • “If you perform weekly backups, someone made a decision that your company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, you have lost the entire week's worth of data. This is the recovery point objective. In this case, the RPO is 1 week.”
  • RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event
• 91. Recovery Time Objective (RTO) and Work Recovery Time (WRT)
  • Recovery Time Objective (RTO) describes the maximum time allowed to recover business or IT systems
  • RTO is also called the systems recovery time. It is one part of Maximum Tolerable Downtime: once the system is physically running, it must be configured.
  • Work Recovery Time (WRT) describes the time required to configure a recovered system.
  • “Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore, MTD = RTO + WRT.”
• 92. Mean Time Between Failures
  • Quantifies how long a new or repaired system will run before failing
  • Typically generated by a component vendor and is largely applicable to hardware as opposed to applications and software.
  • A vendor selling LCD computer monitors may run 100 monitors 24 hours a day for 2 weeks and observe just one monitor failure. The vendor then extrapolates the following: 100 LCD Monitors x 14 days x 24 hours/day = 1 failure/33,600 hours
  • The BCP/DRP team determines the correct number of expected failures within the IT system over a period of time.
  • Calculating the MTBF becomes less reliable when an organization uses fewer and fewer hardware assets.
• 93. Mean Time to Repair (MTTR)
  • Describes how long it will take to recover a specific failed system
  • Best estimate for reconstituting the IT system so that business continuity may occur
  Minimum Operating Requirements
  • Describes the minimum environmental and connectivity requirements in order to operate computer equipment
  • Important to determine and document for each IT-critical asset because, in the event of a disruptive event or disaster, proper analysis can be conducted quickly to determine if the IT assets will be able to function in the emergency environment
• 94. Identify Preventive Controls
  • Preventive controls prevent disruptive events from having an impact
  • The BIA will identify some risks which may be mitigated immediately
  Recovery Strategy
  • Once the BIA is complete, the BCP team knows the Maximum Tolerable Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, is used to determine the recovery strategy.
  • Always maintain technical, physical, and administrative controls when using any recovery option
• 96. Recovery Strategy: Supply Chain Management
  • In an age of “just in time” shipment of goods, organizations may fail to acquire adequate replacement computers.
  • Some computer manufacturers offer guaranteed replacement insurance for a specific range of disasters. The insurance is priced per server, and includes a service level agreement that specifies the replacement time. All forms of relevant insurance should be analyzed by the BCP team.
• 97. Recovery Strategy: Telecommunication Management
  • Ensures the availability of electronic communications during a disaster
  • Often one of the first processes to fail during a disaster
  • Wired circuits such as T1s, T3s, frame relay, etc., need to be specifically addressed
  • Power can be provided by generator if necessary.
• 98. Recovery Strategy: Utility Management
  • Utility management addresses the availability of utilities such as power, water, gas, etc. during a disaster
  • The utility management plan should address all utilities required by business operations, including power, heating, cooling, and water.
  • Specific sections should address the unavailability of any required utility.
  Recovery options
  • Once an organization has determined its maximum tolerable downtime, the choice of recovery options can be determined. For example, a 10-day MTD indicates that a cold site may be a reasonable option. An MTD of a few hours indicates that a redundant site or hot site is a potential option.
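The failure and recovery metrics from slides 88 through 93 (RPO against the backup schedule, MTD = RTO + WRT, the vendor-style MTBF calculation) and the MTD-to-recovery-option rule of thumb from slide 98, worked through in code. This is an added example and is not material from the mentor program slides or the study guide. The three asset records, their backup intervals, the dates in the RPO check and the exact hour thresholds used to tier recovery options are constructed assumptions, chosen to match the slides' own examples (hours for a redundant or hot site, 1 to 3 days for a warm site, weeks for a cold site).

```python
"""BIA metrics worked through: RPO, MTD = RTO + WRT, MTBF and recovery-option tiering.

Added example, not from the CISSP Mentor Program slides or any study guide.
Asset records, backup schedules and hour thresholds below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class AssetMetrics:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective (systems recovery time)
    wrt_hours: float              # Work Recovery Time (configure/verify the recovered system)
    rpo_hours: float              # Recovery Point Objective (tolerable data loss, in time)
    backup_interval_hours: float  # how often this asset is backed up


def mtd_satisfied(a: AssetMetrics) -> bool:
    """MTD = RTO + WRT, so a recovery strategy is only viable if RTO + WRT fits inside the MTD."""
    return a.rto_hours + a.wrt_hours <= a.mtd_hours


def worst_case_data_loss_hours(backup_interval_hours: float) -> float:
    """Worst case for a periodic backup: the failure happens just before the next run,
    so the whole interval since the last backup is lost."""
    return backup_interval_hours


def rpo_satisfied(a: AssetMetrics) -> bool:
    """The backup schedule meets the RPO only if the worst-case loss is within it."""
    return worst_case_data_loss_hours(a.backup_interval_hours) <= a.rpo_hours


def data_loss_hours(last_backup: datetime, failure: datetime) -> float:
    """Actual data loss for a concrete failure: time elapsed since the last good backup."""
    return (failure - last_backup).total_seconds() / 3600


def mtbf_hours(units: int, observed_days: float, failures: int) -> float:
    """Vendor-style MTBF: (units x days x 24 h) / failures.
    The slide's monitor example: 100 x 14 x 24 / 1 = 33,600 hours per failure."""
    if failures <= 0:
        raise ValueError("MTBF needs at least one observed failure")
    return units * observed_days * 24 / failures


def expected_failures(units: int, window_days: float, mtbf: float) -> float:
    """Expected failures across `units` devices over a planning window, given their MTBF."""
    return units * window_days * 24 / mtbf


def recovery_option(mtd_hours: float) -> str:
    """Tier the recovery option by MTD. Thresholds are assumptions for this example,
    chosen to match the slides: hours -> redundant/hot, 1-3 days -> warm, longer -> cold."""
    if mtd_hours < 24:
        return "redundant site or hot site"
    if mtd_hours <= 72:
        return "warm site"
    return "cold site"


# Constructed BIA entries for three hypothetical assets.
SAMPLE_ASSETS: List[AssetMetrics] = [
    AssetMetrics("order-db", mtd_hours=8, rto_hours=4, wrt_hours=2,
                 rpo_hours=1, backup_interval_hours=0.25),
    AssetMetrics("hr-portal", mtd_hours=240, rto_hours=72, wrt_hours=48,
                 rpo_hours=168, backup_interval_hours=168),
    AssetMetrics("reporting", mtd_hours=48, rto_hours=36, wrt_hours=24,
                 rpo_hours=24, backup_interval_hours=168),
]


def bia_report(assets: List[AssetMetrics]) -> List[Dict[str, object]]:
    """One finding per asset: does the planned recovery fit inside the MTD, does the
    backup schedule meet the RPO, and which recovery option the MTD points to."""
    return [
        {
            "asset": a.name,
            "mtd_ok": mtd_satisfied(a),
            "rpo_ok": rpo_satisfied(a),
            "option": recovery_option(a.mtd_hours),
        }
        for a in assets
    ]


if __name__ == "__main__":
    for row in bia_report(SAMPLE_ASSETS):
        print(row)
    # The slide's weekly-backup RPO example: backup Saturday evening, failure the
    # following Saturday afternoon (constructed dates).
    print(data_loss_hours(datetime(2019, 5, 11, 20), datetime(2019, 5, 18, 15)), "hours lost")
    print(mtbf_hours(100, 14, 1), "hours per failure")
```

The "reporting" asset is the instructive row: its MTD is 48 hours but RTO + WRT comes to 60, and its weekly backup cannot meet a 24-hour RPO, so the report flags both gaps before the recovery strategy is chosen rather than after the first disruption.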
• 99. Recovery Strategy: Redundant Site
  • A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system.
  • A redundant site receives data backups in real time so that in the event of a disaster, the users of the system have no loss of data.
  • The most expensive recovery option
• 100. Recovery Strategy: Hot Site
  • A hot site is a location that an organization may relocate to following a major disruption or disaster.
  • It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.
  • Will have all necessary hardware and critical applications data mirrored in real time.
  • A hot site will have the capability to allow the organization to resume critical operations within a very short period of time—sometimes in less than an hour.
  • Has all the same physical, technical, and administrative controls implemented as the production site.
• 101. Recovery Strategy: Warm Site
  • Has some aspects of a hot site, for example, readily-accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption.
  • It is a datacenter with a raised floor, power, utilities, computer peripherals, and fully configured computers.
  • MTD of at least 1-3 days
  • The longer the MTD is, the less expensive the recovery solution will be.
• 102. Recovery Strategy: Cold Site
  • The least expensive recovery solution to implement.
  • Does not include backup copies of data, nor does it contain any immediately available hardware.
  • Longest amount of time of all recovery solutions to implement and restore critical IT services for the organization
  • MTD—usually measured in weeks, not days.
  • Typically a datacenter with a raised floor, power, utilities, and physical security, but not much beyond that.
• 103. Recovery Strategy: Reciprocal Agreement
  • A bi-directional agreement between two organizations in which one organization promises another organization that it can move in and share space if it experiences a disaster.
  • Documented in the form of a contract
  • Also referred to as Mutual Aid Agreements (MAAs)
• 104. Recovery Strategy: Mobile Site
  • “Datacenters on wheels”: towable trailers that contain racks of computer equipment, as well as HVAC, fire suppression and physical security.
  • A good fit for disasters such as a datacenter flood
  • Typically placed within the physical property lines, and protected by defenses such as fences, gates, and security cameras
• 105. Recovery Strategy: Subscription Services
  • Some organizations outsource their BCP/DRP planning and/or implementation by paying another company to perform those services.
  • Effectively transfers the risk to the insuring company.
  • Based upon a simple insurance model; companies such as IBM have built profit models around it and offer BCP/DRP insurance services to customers.
• 106. Related Plans
  The Business Continuity Plan is an umbrella plan that contains other plans:
  • Disaster Recovery Plan
  • Continuity of Operations Plan (COOP)
  • Business Resumption/Recovery Plan (BRP)
  • Continuity of Support Plan
  • Cyber Incident Response Plan
  • Occupant Emergency Plan (OEP)
  • Crisis Management Plan (CMP)
• 108. Related Plans: Continuity of Operations Plan (COOP)
  • Describes the procedures required to maintain operations during a disaster
  • Includes transfer of personnel to an alternate disaster recovery site, and operations of that site.
• 109. Related Plans: Business Recovery Plan (BRP)
  • Also known as the Business Resumption Plan
  • Details the steps required to restore normal business operations after recovering from a disruptive event
  • May include switching operations from an alternate site back to a (repaired) primary site.
  • Picks up when the COOP is complete
  • Narrow and focused: the BRP is sometimes included as an appendix to the Business Continuity Plan
• 110. Related Plans: Continuity of Support Plan
  • Focuses narrowly on support of specific IT systems and applications
  • Also called the IT Contingency Plan, emphasizing IT over general business support
  Cyber Incident Response Plan
  • Designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.
• 111. Related Plans: Occupant Emergency Plan (OEP)
  • Provides the “response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency.”
  • Facilities-focused, as opposed to business or IT-focused.
  • Focused on safety and evacuation, and should describe specific safety drills, including evacuation drills (also known as fire drills)
  • Specific safety roles should be described, including safety warden and meeting point leader
• 112. Related Plans: Crisis Management Plan (CMP)
  • Designed to provide coordination among the managers of the organization in the event of an emergency or disruptive event
  • Details the actions management must take to ensure that the life and safety of personnel and property are immediately protected in case of a disaster
  • Crisis Communications Plan
    • Component of the Crisis Management Plan
    • Sometimes called the communications plan
    • A plan for communicating to staff and the public in the event of a disruptive event
• 113. Related Plans: Crisis Management Plan (CMP), Call Trees
  • Used to quickly communicate news throughout an organization without overburdening any specific person
  • Works by assigning each employee a small number of other employees they are responsible for calling in an emergency event
  • Most effective when there is two-way reporting of successful communication
  • Should contain alternate contact methods, in case the primary methods are unavailable
• 115. Related Plans: Crisis Management Plan (CMP), Automated Call Trees
  • Automatically contact all BCP/DRP team members after a disruptive event
  • Tree can be activated by an authorized member, triggered by a phone call, email, or Web transaction
  • Once triggered, all BCP/DRP members are automatically contacted
  • Can require positive verification of receipt of a message, such as “press 1 to acknowledge receipt.”
  • Automated call trees are hosted offsite, and typically supported by a third-party BCP/DRP provider
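The call-tree mechanics on the two slides above (a small fixed number of callees per person, two-way reporting of who acknowledged, and an alternate contact method when the primary fails) simulated in code. This is an added example, not code from the mentor program or from any BCP/DRP provider's product. The roster names, the contact-method labels and which contacts answer are constructed for the simulation; the rule that a caller takes over the callees of anyone they cannot reach is a design choice of this example, added so that an unreachable person does not silently cut off the branch below them.

```python
"""Call tree with fan-out limits, two-way acknowledgement and alternate contact methods.

Added example, not from the CISSP Mentor Program slides or any vendor product.
Names, contact methods and which contacts answer are constructed for the simulation.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Contact:
    name: str
    primary: str                 # primary contact method (constructed label)
    alternate: str               # alternate method, used only if the primary fails
    callees: List[str] = field(default_factory=list)  # people this person must call


def build_call_tree(names: List[str], fan_out: int) -> Dict[str, Contact]:
    """Assign each person at most `fan_out` callees, breadth-first, so that nobody is
    overburdened. names[0] is the root: the person who activates the tree."""
    tree = {n: Contact(n, f"phone:{n}", f"sms:{n}") for n in names}
    pending = deque([names[0]])
    nxt = 1
    while pending and nxt < len(names):
        caller = pending.popleft()
        for _ in range(fan_out):
            if nxt >= len(names):
                break
            tree[caller].callees.append(names[nxt])
            pending.append(names[nxt])
            nxt += 1
    return tree


def activate(tree: Dict[str, Contact], root: str, answering: Set[str]) -> Dict[str, object]:
    """Run the tree from `root`. Each call tries the primary method, then the alternate.
    A reached person acknowledges (two-way reporting) and then calls their own callees.
    Design choice for this example: if someone cannot be reached, their caller takes over
    that person's callees so the branch below them is not dropped.
    `answering` is the set of contact-method labels that pick up (constructed)."""
    acknowledged: Dict[str, str] = {}   # name -> method that got through
    unreached: List[str] = []
    escalated: Dict[str, str] = {}      # callee -> who took over calling them
    attempts: List[tuple] = []          # (caller, callee, method, success)
    queue = deque((root, c) for c in tree[root].callees)
    while queue:
        caller, callee = queue.popleft()
        contact = tree[callee]
        reached_by = None
        for method in (contact.primary, contact.alternate):
            ok = method in answering
            attempts.append((caller, callee, method, ok))
            if ok:
                reached_by = method
                break
        if reached_by is None:
            unreached.append(callee)
            for orphan in contact.callees:       # caller picks up the broken branch
                escalated[orphan] = caller
                queue.append((caller, orphan))
        else:
            acknowledged[callee] = reached_by
            queue.extend((callee, c) for c in contact.callees)
    return {"acknowledged": acknowledged, "unreached": unreached,
            "escalated": escalated, "attempts": attempts}


# Constructed roster: the coordinator activates the tree; each person calls two others.
SAMPLE_NAMES = ["coordinator", "alice", "bob", "carol", "dave", "erin", "frank", "grace"]
# Everyone's phone answers except alice (nothing answers) and dave (only SMS works).
SAMPLE_ANSWERING = ({f"phone:{n}" for n in SAMPLE_NAMES} - {"phone:alice", "phone:dave"}) | {"sms:dave"}


if __name__ == "__main__":
    t = build_call_tree(SAMPLE_NAMES, fan_out=2)
    report = activate(t, "coordinator", SAMPLE_ANSWERING)
    print("acknowledged:", sorted(report["acknowledged"]))
    print("unreached:", report["unreached"])
    print("escalated:", report["escalated"])
```

The `unreached` list is the output worth exercising in a tabletop: it is the gap the two-way reporting on slide 113 exists to expose, and the `escalated` map shows which calls had to be absorbed by someone higher in the tree when a primary and alternate method both failed.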
• 116. Related Plans: Crisis Management Plan (CMP), Emergency Operations Center (EOC)
  • The command post established during or just after an emergency event
  • Placement of the EOC will depend on resources that are available
• 117. Related Plans: Crisis Management Plan (CMP), Vital Records
  • Should be stored offsite, at a location and in a format that will allow access during a disaster
  • Have both electronic and hardcopy versions of all vital records
  • Include contact information for all critical staff. Additional vital records include licensing information, support contracts, service level agreements, reciprocal agreements, telecom circuit IDs, etc.
• 118. WE MADE IT THROUGH CLASS 10!
  Not the most exciting, but important nonetheless.
  • Please try to catch up in your reading.
  • We left off on page 411 in the book.
  • Monday (5/20) we’ll start again with “Executive Succession Planning”
  • Come with questions!
  • CATCH UP ON READING!
  Have a great evening, talk to you Monday!