CISM WB04


Certified Information Security Manager (CISM)

Domain 04 – Information Security Incident Management
Slide 1

Lesson 1: Incident Management Overview

Incident management and response can be considered the emergency operations part of risk management. Incidents could result from:
- Unanticipated attacks
- Losses
- Theft or accidents
- Other unexpected adverse actions

Slide 2

Incident Management Overview

The purpose of incident management:
- To identify and respond to unexpected and disruptive events
- With the objective of controlling impacts within acceptable levels

Slide 3

Types of Events

Types of events:
- Technical:
  - Malware
  - DoS
  - System intrusion
- Accidental:
  - System or process failure

Slide 4

Types of Events Continued

- Physical:
  - Theft
  - Social engineering
  - Natural disasters

Basically, anything that can cause a loss would be an event that should be responded to.

Slide 5

Goals of Incident Management

These are activities taken that serve to:
- Minimize the possibility of occurrences
- Lessen the impact
- Or both

As with all planning:
- Risk and business impact assessments should be done for prioritization.

Slide 6

Goals of Incident Management Continued

BCP & DRP
- First responders
- Planned response
- Detect incidents quickly
- Diagnose accurately
- Manage properly
- Contain and minimize
- Restore services
- Determine root causes
- Prevent recurrence
- Document and report

Slide 7

Goals of Incident Management Continued

The goal should be thought of as:
- Making the difference between an inconvenience and a disaster
- Potentially lowering overall security costs
- Creating baselines

This takes planning and management support.

Slide 8

Lesson 2: Incident Response Procedures

- Importance of incident management
- Outcomes of incident management
- Incident management
- Concepts
- Incident management systems

Slide 9

Incident Response Procedures

Remember:
- Even with the best planning there are no guarantees against:
  - Security breaches
  - Power outages
  - Natural disasters

Slide 10

Importance of Incident Management

More and more organizations are reliant on information services.
- Any impact can be significant.
- Trends show an increased occurrence and loss:
  - Increases in attack vectors
  - Failure of security controls
  - Growing sophistication and capabilities of tools

Slide 11

Outcomes of Incident Management

Incident management is a term that includes:
- Incident response
- Proactive efforts to limit or prevent an incident
- Within incident management, the incident response part of the plan is the reactive part.

The outcome of good incident management:
- An organization that has sufficient detection and monitoring ability
- The ability to respond effectively, reduce loss, and perhaps lessen costs

Slide 12

Incident Management

The information security manager:
- At minimum is a first responder
- May have a part in creating the BCP/DRP
- Must have at least adequate knowledge of the BCP/DRP process

Slide 13

Concepts

Incident handling: one service that involves all the processes or tasks associated with handling events and incidents:
- Detection and reporting
- Triage
- Analysis
- Incident response

Slide 14

Concepts Continued

Effective incident management will ensure that incidents are:
- Detected
- Recorded
  - Makes sure no aspect is overlooked
  - Needed for proper documentation
- Managed to limit impacts
- Classified, so that they can be properly:
  - Prioritized
  - Checked against known errors and problems

Slide 15

Concepts Continued

Incident response: this is the last step in an incident handling process and covers:
- Planning
- Coordination
- Execution of any mitigation
- Recovery actions

Slide 16

Incident Management Systems

- Systems must be used to deal with the sheer amount of information that must be gathered.
- These systems automate the gathering of information from:
  - Network devices – routers/switches
  - Security systems – firewalls, HIPS, HIDS
  - Operating systems – Windows servers
- These systems can analyze this data:
  - Analyze across all platforms to provide information on potentially malicious activity
  - Correlate this information
  - Prioritize incidents
  - Provide tracking management

Slide 17

Incident Management Systems Continued

Potential efficiencies and cost savings can be realized:
- Operating costs:
  - Cheaper to have automation and correlation than manual reviewing of logs
  - Correlation over multiple platforms
- Recovery costs:
  - Can detect and escalate incidents much quicker
  - Controls the amount of damage with faster response
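As an added example that is not part of the workbook, the Python below models what the two Incident Management Systems slides describe: records from a firewall, a Windows server, a HIDS and a router are gathered into one common schema, correlated per host inside a time window, checked against a known-issues register (the "known errors and problems" check from the Concepts slide), and prioritized into a tracked queue. All log lines, their formats, the severities and the scoring rule are constructed for illustration; the only real identifier is Windows Security event ID 4625 (failed logon).

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample log lines (invented formats) from the platform types the slide lists.
# Every record names the affected asset by IP so records can be joined across platforms.
FIREWALL_LOG = [
    "2024-05-01T10:00:05Z fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-05-01T10:00:09Z fw1 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389 proto=tcp",
    "2024-05-01T10:30:00Z fw1 DENY src=192.0.2.10 dst=10.0.0.9 dport=445 proto=tcp",
]
WINDOWS_LOG = [  # EventID 4625 is the real Windows Security "account failed to log on" event
    "2024-05-01T10:00:20Z dc1 host=10.0.0.5 EventID=4625 user=administrator",
    "2024-05-01T10:00:22Z dc1 host=10.0.0.5 EventID=4625 user=administrator",
    "2024-05-01T10:00:25Z dc1 host=10.0.0.5 EventID=4625 user=administrator",
]
HIDS_LOG = ['2024-05-01T10:02:10Z hids1 host=10.0.0.5 severity=high msg="new service installed"']
ROUTER_LOG = ["2024-05-01T11:00:00Z rtr1 host=10.0.0.7 LINK-DOWN interface=Gi0/1"]

# Register of "known errors and problems": the authorized scanner's traffic is expected noise.
KNOWN_SOURCES = {"192.0.2.10": "authorized vulnerability scanner (change ticket CHG-PLACEHOLDER)"}
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Event:
    ts: datetime
    source: str      # platform type the record came from
    host: str        # asset the record concerns
    category: str
    severity: int    # 1 = informational, 2 = suspicious, 3 = high (constructed scale)
    known: str = ""  # reason text when the record matches the known-issues register

def parse_line(line: str, source: str) -> Event:
    """Normalize one raw line from a given platform into the common Event schema."""
    ts_str, _device, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    f = {k: v.strip('"') for k, v in KV.findall(rest)}
    if source == "firewall":
        return Event(ts, source, f["dst"], "blocked_connection", 1, KNOWN_SOURCES.get(f["src"], ""))
    if source == "windows":
        failed = f["EventID"] == "4625"
        return Event(ts, source, f["host"], "auth_failure" if failed else "windows_event", 2 if failed else 1)
    if source == "hids":
        return Event(ts, source, f["host"], "host_alert", 3 if f["severity"] == "high" else 2)
    if source == "router":
        return Event(ts, source, f["host"], "availability", 2)
    raise ValueError(f"unknown source type: {source}")

@dataclass
class Incident:
    incident_id: str
    host: str
    events: list = field(default_factory=list)

    @property
    def sources(self) -> list:
        return sorted({e.source for e in self.events})

    @property
    def priority(self) -> str:
        # Worst severity seen, plus one for each additional platform that independently
        # reported the same host: corroboration across platforms raises the priority.
        score = max(e.severity for e in self.events) + len(self.sources) - 1
        return "P1" if score >= 4 else "P2" if score == 3 else "P3"

    @property
    def status(self) -> str:
        return "suppressed-known-issue" if all(e.known for e in self.events) else "open"

def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Group events about the same host that arrive within `window` of the previous one."""
    incidents, current = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        inc = current.get(ev.host)
        if inc is None or ev.ts - inc.events[-1].ts > window:
            inc = Incident(f"INC-{len(incidents) + 1:04d}", ev.host)
            incidents.append(inc)
            current[ev.host] = inc
        inc.events.append(ev)
    return incidents

def run_pipeline() -> list:
    """Gather from every platform, normalize, correlate: the automated part of the slide."""
    feeds = [(FIREWALL_LOG, "firewall"), (WINDOWS_LOG, "windows"), (HIDS_LOG, "hids"), (ROUTER_LOG, "router")]
    return correlate([parse_line(line, src) for lines, src in feeds for line in lines])

def tracking_queue(incidents: list) -> list:
    """Open incidents in the order a responder should pick them up (P1 first, then oldest)."""
    open_incs = [i for i in incidents if i.status == "open"]
    return [i.incident_id for i in sorted(open_incs, key=lambda i: (i.priority, i.events[0].ts))]
```

Running `run_pipeline()` on the constructed feeds yields three incidents: the host reported by three platforms becomes a P1, the scanner traffic is suppressed as a known issue, and the single router outage is a P3 in the open queue behind the P1.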

Slide 18

Lesson 3: Incident Management Organization

- Incident management organization
- Responsibilities
- Senior management commitment

Slide 19

Incident Management Organization

This is analogous to being the fire department and ambulance service for the organization's IS.
- Like those organizations, the team must respond to a variety of different incidents.
- Poorly managed, these incidents can become more disastrous.

Following the analogy, this means that:
- We need properly equipped and trained personnel.
- The security manager should plan for the range of incidents.

Incident management is usually a component of risk management.

Slide 20

Incident Management Organization Continued

This organization should also be working with outside groups:
- Civil services
- Law enforcement

The goal is to know what can be expected from inter-agency responses.

Slide 21

Responsibilities

Typically there are a number of incident management responsibilities that the security manager should undertake:
- Developing IS incident management and response plans
- Handling and coordinating IS incident response activities effectively and efficiently
- Validating, verifying, and reporting on protective or other countermeasures
- Planning, budgeting, and program development

Slide 22

Responsibilities Continued

The approach to incident response may vary:
- Containing the effects to lower or contain costs
- Notifying the appropriate people for response
- Quick recovery
- Responding systematically to help prevent recurrence
- Dealing with legal matters and law enforcement

Slide 23

Responsibilities Continued

The IS security manager also needs to define what is a security-related incident:
- Malicious code
- Unauthorized access to resources
- Unauthorized changes
- Misuse
- Hoaxes

Slide 24

Senior Management Commitment

Commitment is crucial to the success of incident management and response.
- The hope is that this will lower costs.

Slide 25

Lesson 4: Incident Management Resources

- Policies and standards
- Incident response technology concepts
- Personnel
- Roles and responsibilities
- Skills
- Awareness and training
- Audits
- Outsourced providers

Slide 26

Policies and Standards

An incident response plan should be backed by:
- Policies
- Standards
- Procedures

Slide 27

Incident Response Technology Concepts

The following concepts and technologies should be included in the IRT:
- Basic security principles
  - CIA
  - Non-repudiation
  - Compliance
- Vulnerabilities/weaknesses
  - Physical
  - Technical
  - Configuration
- Internet protocols
- Operating systems
- Malicious code
- Programming skills

Slide 28

Personnel

The incident management team:
- Team members should be permanent and dedicated
- Should have a dedicated chain of command

The IRT organization:
- Central IRT
- Distributed IRT
- Coordinating IRT
- Outsourced IRT

Slide 29

Roles and Responsibilities (eNotes)

Slide 30

Skills

• The IRT should have members with skills from a variety of technologies.
• Personal skills
  • Such as communication skills (interpersonal, email)
  • Leadership
  • Presentation
  • Team
• Technical skills
  • Depending on the type of technology in use
  • Making decision points
  • Use of supporting skills

Slide 31

Awareness and Education

Organizations may have to:
• Hire or train experts within the organization
• Outsource to technical experts.

Slide 32

Audits

Internal:
• Done by experts within the organization
• Try to test the assumptions of security
• Determine the state of compliance

External:
• Usually done by an outsourced third party.
• Same goals, but from a trusted, unbiased point of view.

Both types are important for an organization

Slide 33

Lesson 5: Incident Management Objectives

Defining Objectives
The Desired State
Strategic Alignment
Risk Management
Assurance Process Integration
Value Delivery
Resource Management

Slide 34

Defining Objectives

The typical objectives of incident management are:
• Handle incidents when they occur:
  • Limiting and containing exposure
• Preventing previous incidents from recurring
  • Through documenting and learning from the past
• Deploy proactive countermeasures to prevent incidents

Slide 35

The Desired State

This is typically more difficult to address:
• Must address the desired states, whether they are:
  • Technical
  • Physical
  • Administrative

Slide 36

Strategic Alignment

Incident Management must be aligned with the business needs:
• Constituency: Who does the IMT provide services for?
• Mission: Defines the purpose of the team.
• Services: IMT services should be clearly defined.
• Organizational Structure: the IMT should support the organizational structure
• Resources: Sufficient staffing
• Funding: There may be needs for specialized tools
• Management buy-in: Senior management must be involved.

Slide 37

Other Concerns

Risk Management

Assurance Process Integration
• Physical security, legal, and HR

Value Delivery
• Integration with business processes and structures as seamlessly as possible
• Integrate with BCP
• Become part of the overall strategy

Resource Management

Slide 38

Lesson 6: Incident Management Metrics and Indicators

• Implementation of the Security Program Management
• Management Metrics and Monitoring
• Other Security Monitoring Efforts

Slide 39

Implementation of the Security Program Management

• Whether the security department is new or already established, there are many considerations that the information security manager should be aware of, such as:
  • No defined responsibilities
  • Technical responsibilities such as firewalls or virus detection
  • The organizational structure – the chain of command
  • Existing ways of doing business
• The security program should have effective documentation, such as:
  • Policies, standards, procedures
  • Version control

Slide 40

Management Metrics and Monitoring


• Metrics can be categorized in a variety of ways, such as:
  • Strategic – “Navigational”
  • Management – “Compliance, Risk”
  • Operational – “Technical”
• Quantitative metrics might be useful for activities such as:
  • CMM
  • KGI
  • KPI
  • BSC
  • Six Sigma quality indicators
  • ISO 9001 quality indicators

Slide 41

Management Metrics and Monitoring Continued

• The information security manager should develop a consistent and reliable method of monitoring the effectiveness of the security program
  • This may mean ongoing risk assessments
  • Scanning and penetration testing
  • Vulnerability assessments
  • SMART (Specific, Measurable, Attainable, Repeatable, and Time-dependent)
• Business applications should also be monitored within the infrastructure
  • Often this is a 24/7 operation
  • Continuous monitoring of intrusion detection systems and other security devices can give real-time information
• How successful are the investments in information security?
  • The security manager should be able to evaluate the effectiveness of the investment in security
  • Often this can be done through KPIs
• The use of metrics or monitoring can also help verify how effective a security control may be
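An added example, not part of the course material, of the consistent KPI reporting this slide calls for: it derives time-to-detect and time-to-contain from incident records and checks them against targets phrased in SMART terms (a specific metric, a measurable threshold, a time-bound monthly window). The incident records, the target thresholds and the 4-hour containment cut-off are all constructed assumptions.

```python
"""Incident-handling KPIs for the monitoring approach on Slide 41. Added example,
not course material: it derives time-to-detect and time-to-contain from incident
records and checks them against SMART-style targets (a Specific metric, a
Measurable threshold, evaluated over a Time-dependent reporting window).
The incident records and the targets below are constructed sample data."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Tuple


@dataclass
class Incident:
    incident_id: str
    occurred: datetime    # when the incident actually began (from the post-incident review)
    detected: datetime    # when monitoring (e.g. IDS) or the help desk identified it
    contained: datetime   # when exposure was limited


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def compute_kpis(incidents: List[Incident], window_start: datetime,
                 window_end: datetime) -> Dict[str, float]:
    """KPIs for incidents detected within [window_start, window_end)."""
    in_window = [i for i in incidents if window_start <= i.detected < window_end]
    if not in_window:
        return {"count": 0}
    ttd = [_hours(i.detected - i.occurred) for i in in_window]
    ttc = [_hours(i.contained - i.detected) for i in in_window]
    return {
        "count": len(in_window),
        "mean_time_to_detect_h": round(mean(ttd), 2),
        "mean_time_to_contain_h": round(mean(ttc), 2),
        "pct_contained_within_4h": round(100.0 * sum(1 for h in ttc if h <= 4.0) / len(ttc), 1),
    }


# A target is (comparison, threshold); the comparison makes the goal measurable.
Target = Tuple[str, float]


def evaluate_targets(kpis: Dict[str, float], targets: Dict[str, Target]) -> Dict[str, bool]:
    """Return metric -> True when the KPI meets its target."""
    results: Dict[str, bool] = {}
    for metric, (op, threshold) in targets.items():
        value = kpis.get(metric)
        if value is None:
            results[metric] = False       # nothing measured: the target is not met
        elif op == "<=":
            results[metric] = value <= threshold
        elif op == ">=":
            results[metric] = value >= threshold
        else:
            raise ValueError(f"unsupported comparison {op!r}")
    return results


# Constructed sample: three incidents detected in January 2024 and one in February.
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 1, 3, 8), datetime(2024, 1, 3, 10), datetime(2024, 1, 3, 13)),
    Incident("INC-2", datetime(2024, 1, 10, 0), datetime(2024, 1, 10, 12), datetime(2024, 1, 10, 20)),
    Incident("INC-3", datetime(2024, 1, 20, 9), datetime(2024, 1, 20, 9, 30), datetime(2024, 1, 20, 11, 30)),
    Incident("INC-4", datetime(2024, 2, 2, 7), datetime(2024, 2, 2, 8), datetime(2024, 2, 2, 9)),
]

# Constructed targets (hypothetical thresholds, not ISACA guidance).
SAMPLE_TARGETS: Dict[str, Target] = {
    "mean_time_to_detect_h": ("<=", 4.0),
    "mean_time_to_contain_h": ("<=", 6.0),
    "pct_contained_within_4h": (">=", 75.0),
}


def report_for_month(year: int, month: int) -> Tuple[Dict[str, float], Dict[str, bool]]:
    """KPIs and target verdicts for incidents detected in one calendar month."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    kpis = compute_kpis(SAMPLE_INCIDENTS, start, end)
    return kpis, evaluate_targets(kpis, SAMPLE_TARGETS)


if __name__ == "__main__":
    kpis, verdicts = report_for_month(2024, 1)
    for metric, value in kpis.items():
        status = "" if metric == "count" else ("met" if verdicts[metric] else "NOT met")
        print(f"{metric:26s} {value:>8} {status}")
```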

Slide 42

Other Security Monitoring Efforts


• Controls should go through regular monitoring and testing to determine whether they are adequate as they stand or need modification
  • Regular change control management should be involved in any modifications, to avoid introducing additional risk
  • This means that any change should go through the normal approval process
• Reviews should be conducted of outsourced service providers
  • Outsourcing may be of resources or of services
  • Outsourcing often occurs because of financial constraints, and consideration should be given to these security issues:
    • Loss of skills
    • Lack of management visibility into the outsourced provider
    • Introduction of new risks
    • Increasing complexity of response management
    • Differences of culture or ethics

Slide 43

Lesson 7: Current State of Incident Response Capability

Threats
Vulnerabilities

Slide 44

Threats
• A threat is any event that may cause harm to an organization’s assets, operations, or personnel.
• Environmental:
  • Natural disasters – can develop over time
  • Planning examples for natural disasters
• Technical:
  • Fire
  • HVAC
  • Power
• Man-made:
  • Malware
  • Disgruntled employees

Slide 45

Vulnerabilities

A vulnerability is a weakness in a:
• System
• Technology
• Process
• Control

With Incident Management you should:
• Identify vulnerabilities proactively
• Monitor vulnerabilities
• Patch vulnerabilities.

Slide 46

Lesson 8: Developing an Incident Response Plan

Elements of an Incident Response Plan
Gap Analysis
BIA
Escalation Process
Help Desk Process
Organizing, Training, and Equipping the Staff
Incident Notification Process
Challenges in Incident Management

Slide 47

Elements of an Incident Response Plan


• Preparation: Planning and developing this plan prior to an incident
• Identification: How to determine if an incident has occurred
• Containment: Consider who to contact and how to limit exposure
• Eradication: Determine the root cause and eliminate it
• Recovery: Restoring systems or services back to production
• Lessons Learned: Reporting and discussions

Slide 48

Gap Analysis

A gap analysis compares the current response capabilities with the desired level, gathering information on:
• Processes that need to be improved
  • More efficient or effective
• Resources needed to achieve the objectives

Slide 49

BIA

A way of reporting the impact an incident could have.

The BIA’s three primary goals:
• Criticality or prioritization
• Downtime estimation
  • MTD/MTO
• Resource requirements

Slide 50

BIA Continued

BIA Activities
• Gathering assessment material (prioritization)
• Analyzing the information compiled
• Documenting the results
• Presenting the recommendations.

Slide 51

Escalation Process for Effective IM

• The Security Manager should implement an escalation process to establish the events to be managed
  • One incident could lead to other incidents
  • Each event should have a list of actions and the sequence in which they are to be performed
  • This should also include the responsible parties.
• Each action, if completed successfully, should move to the “end of emergency” section
  • If not complete at the maximum allowed time, then go to the next action
  • Since each action takes time, if the maximum time is reached you move to an alert status.
  • If the alert responses fail, it may move to disaster.
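The escalation sequence this slide describes, modelled as an added example that is not course material: each event carries ordered actions with a responsible party and a maximum allowed time, and the event ends in end of emergency, alert or disaster exactly as the bullets lay out. The event, action names, responsible parties and timings are all constructed.

```python
"""Model of the escalation process on Slide 51. Added example, not course
material: the event, actions, responsible parties and timings are constructed.
Each event carries an ordered list of actions with a responsible party and a
maximum allowed time. An action that completes within its time moves the event
to END_OF_EMERGENCY; one that reaches its maximum time hands over to the next
action. When the action list is exhausted the event is in ALERT status and the
alert responses are worked through the same way; if they also fail, DISASTER."""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple

END_OF_EMERGENCY = "END_OF_EMERGENCY"
ALERT = "ALERT"
DISASTER = "DISASTER"


@dataclass
class Action:
    name: str
    responsible: str        # party accountable for performing the action
    max_minutes: int        # maximum allowed time before escalating
    # Simulated outcome: minutes the action actually took, or None if it never
    # completed. In a real plan the responder reports this; here it is
    # constructed input so the process can be exercised offline.
    minutes_taken: Optional[int] = None

    def completed_in_time(self) -> bool:
        return self.minutes_taken is not None and self.minutes_taken <= self.max_minutes


@dataclass
class EscalationEvent:
    name: str
    actions: List[Action]        # the normal action sequence for this event
    alert_actions: List[Action]  # responses once the event is in ALERT status


@dataclass
class EscalationResult:
    status: str
    elapsed_minutes: int
    log: List[str] = field(default_factory=list)


def _run_sequence(actions: List[Action], clock: int, stage: str,
                  log: List[str]) -> Tuple[bool, int]:
    """Work through actions in order. Returns (resolved, clock after the stage)."""
    for act in actions:
        if act.completed_in_time():
            clock += act.minutes_taken
            log.append(f"[{stage}] {act.name} ({act.responsible}) completed at t+{clock}m")
            return True, clock
        # Maximum time reached without completion: the clock advances by the
        # full allowance and control passes to the next action in the list.
        clock += act.max_minutes
        log.append(f"[{stage}] {act.name} ({act.responsible}) hit max "
                   f"{act.max_minutes}m at t+{clock}m, escalating")
    return False, clock


def escalate(event: EscalationEvent) -> EscalationResult:
    """Run the escalation process for one event and return its final status."""
    log: List[str] = [f"event: {event.name}"]
    resolved, clock = _run_sequence(event.actions, 0, "ACTION", log)
    if resolved:
        return EscalationResult(END_OF_EMERGENCY, clock, log)
    log.append(f"all actions exhausted at t+{clock}m: status {ALERT}")
    resolved, clock = _run_sequence(event.alert_actions, clock, ALERT, log)
    if resolved:
        return EscalationResult(END_OF_EMERGENCY, clock, log)
    log.append(f"alert responses failed at t+{clock}m: status {DISASTER}")
    return EscalationResult(DISASTER, clock, log)


def sample_event(outcomes: Tuple[Optional[int], Optional[int], Optional[int]]) -> EscalationEvent:
    """Constructed event (a file-server outage). outcomes gives minutes_taken for
    the two normal actions and the one alert action, in order (None = never done)."""
    first, second, third = outcomes
    return EscalationEvent(
        name="primary file server unreachable",
        actions=[
            Action("restart file service", "operations on-call", 15, first),
            Action("fail over to standby server", "infrastructure lead", 30, second),
        ],
        alert_actions=[
            Action("invoke BCP team and restore from backup", "BCP coordinator", 60, third),
        ],
    )


if __name__ == "__main__":
    for outcomes in ((None, 20, None), (None, None, None)):
        result = escalate(sample_event(outcomes))
        print("\n".join(result.log))
        print(f"=> {result.status} after {result.elapsed_minutes} minutes\n")
```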

Slide 52

Help Desk Processes for Identifying Security Incidents

The Security Manager should have a process for the help desk:
• Routing help-desk calls
• Is it a security incident?

The goal: prompt recognition
• The help desk should have a process in place to make notification

Slide 53

Incident Management and Response Teams

Examples:
• Emergency action team
• Damage assessment team
• Emergency management team
• Relocation team
• Security team

Slide 54

Organizing, Training, and Equipping the Response Staff

• All response plans should be tested. This includes testing with the members of the different teams.
• Training of the teams should include:
  • Introduction to the IMT
  • Monitoring team members
  • Roles
  • Responsibilities
  • Procedures
• OJT
• Formal training

Slide 55

Incident Notification Process


• Notification is the first and most important step.
  • This is the most critical component
  • Manual or automated
• Who should be notified?
  • Risk Management
  • HR
  • Legal
  • PR
  • Network Operations
  • And of course the IRT

Slide 56

Challenges in Making an Incident Management Plan

• Lack of management “buy-in”
• Lack of organizational consensus
  • May be from a lack of regular meetings
• Mismatch to organizational goals
• IMT member turnover
• Ineffective communications (under/over)
• Complex and wide plan

Slide 57

Lesson 9: BCP/DRP
 Goals of Recovery Operations Continued
 Choosing a Recovery Site
 Implementing the Strategy
 Network Service High-availability
 Risk Transference
 Other Response Recovery Plan Options
 Testing Response and Recovery Plans

Slide 58

Goals of Recovery Operations


 Recovery strategies may depend on the size and complexity of the
organization as well as the severity of the incident, but in general they
should consider the following:
 Elimination or neutralization of the threat
 Minimizing the likelihood of the threat occurring
 Minimizing the effects if the threat does occur

Slide 59

Goals of Recovery Operations Continued


 Some recovery strategies rely on temporary measures until a full recovery
can be accomplished. One such measure is the use of a recovery site, which
may be one of:
 Hot sites
 Warm sites
 Cold sites
 Mobile sites
 Duplicate sites
 Mirrored sites
 Reciprocal agreements
 Vendor or third-party
 Off the shelf

Slide 60

Choosing a Recovery Site


 Whether a temporary site is used, and the type of site needed, depends
largely on the required recovery time. Some of the criteria for selection
might include:
 Maximum interruption allowed
 RTO (recovery time objective)
 RPO (recovery point objective)
 SDO (service delivery objective)
 MTO (maximum tolerable outage)
 Distance to the site as well as its location
 Types of disruption planned for

Slide 61

Implementing the Strategy


 Depending on the type of response and recovery strategy that
management chooses, a detailed recovery plan should be developed based on
that choice. Some of the factors that should be considered are:
 Preparedness
 Evacuation procedures
 How to declare a disaster
 Listing those processes and resources to be recovered
 Roles and responsibilities
 Contacting responsible parties
 Planning logistics for personnel and housing

Slide 62

Incident Management Response Teams


 Many of the assigned responsibilities can be categorized as:
 Emergency action team
 Damage assessment team
 Emergency management team
 Relocation team
 Security team

 The incident management response teams should have the following
information available to them:
 Notification requirements
 Information about supplies
 Communication networks

Slide 63

Network Service High-availability


 There are many plans that can be used to achieve continuity of network
communications, such as:
 Redundancy
 Alternate routes
 Diverse routing
 Long-haul diversity
 Last mile circuit protection
 Voice recovery

Slide 64

Storage High-availability
 There are many mechanisms available to maintain the availability of
storage, such as:
 RAID
 SAN
 Load-balancing
 Clustering
 UPS
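As an added illustration of the RAID item above (example code written for this section, not part of the workbook or of any storage product), the following models single-parity striping in the RAID 5 style: each disk is a list of fixed-size blocks, the parity block of a stripe is the XOR of its data blocks, and parity rotates across disks from stripe to stripe. It shows a read surviving the loss of any one disk, the refusal that follows a second loss, and the parity scrub check that catches silent corruption. The payload is a constructed sample.

```python
"""Single-parity striping (RAID 5 style): survive the loss of one disk.

Added example for this workbook section, not code from the original page.
Each disk is modelled as a list of fixed-size blocks; parity is the XOR of
the data blocks in a stripe and rotates across disks from stripe to stripe,
as RAID 5 does. The sample payload is constructed for illustration.
"""
from functools import reduce


def xor_blocks(*blocks: bytes) -> bytes:
    """Byte-wise XOR of equal-length blocks (the parity operation)."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("blocks in a stripe must have equal length")
    return bytes(reduce(lambda x, y: x ^ y, column) for column in zip(*blocks))


def write_raid5(data: bytes, n_disks: int = 4, block_size: int = 4) -> list:
    """Stripe `data` over `n_disks` disks with one rotating parity block per stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    n_data = n_disks - 1
    stripe_bytes = n_data * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)   # zero-pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // stripe_bytes):
        chunk = padded[s * stripe_bytes:(s + 1) * stripe_bytes]
        data_blocks = [chunk[i * block_size:(i + 1) * block_size] for i in range(n_data)]
        parity = xor_blocks(*data_blocks)
        parity_disk = s % n_disks          # rotate parity so no single disk is a bottleneck
        next_block = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(next_block))
    return disks


def read_raid5(disks: list, length: int) -> bytes:
    """Read back `length` bytes; a disk set to None is rebuilt from the others."""
    n_disks = len(disks)
    survivors = [d for d in disks if d is not None]
    if len(survivors) < n_disks - 1:
        raise ValueError("more than one disk lost: single parity cannot reconstruct")
    out = bytearray()
    for s in range(len(survivors[0])):
        parity_disk = s % n_disks
        blocks = []
        for d in range(n_disks):
            if disks[d] is not None:
                blocks.append(disks[d][s])
            else:
                # Any one missing block is the XOR of all the other blocks in the stripe.
                blocks.append(xor_blocks(*(disks[o][s] for o in range(n_disks) if o != d)))
        out += b"".join(b for d, b in enumerate(blocks) if d != parity_disk)
    return bytes(out[:length])


def parity_consistent(disks: list) -> bool:
    """Scrub check: the XOR of every block in a stripe must be all zeros."""
    for s in range(len(disks[0])):
        if any(xor_blocks(*(d[s] for d in disks))):
            return False
    return True


# Constructed sample payload.
PAYLOAD = b"The quick brown fox jumps over the lazy dog"


def demo() -> dict:
    disks = write_raid5(PAYLOAD)
    intact = read_raid5(disks, len(PAYLOAD)) == PAYLOAD
    disks[1] = None                               # simulate losing disk 1
    rebuilt = read_raid5(disks, len(PAYLOAD)) == PAYLOAD
    return {"intact_read_ok": intact, "rebuilt_read_ok": rebuilt,
            "stripes": len(disks[0]),
            "parity_ok_before_loss": parity_consistent(write_raid5(PAYLOAD))}


if __name__ == "__main__":
    print(demo())
```

The check a manager should take from this: single parity tolerates exactly one failed disk, and a periodic scrub (`parity_consistent`) is what detects a block that went bad silently before a second failure makes it unrecoverable. RAID keeps storage available through a disk failure; it does not replace backups, because deletion, corruption and ransomware are faithfully mirrored into the parity.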

Slide 65

Risk Transference
 One means of dealing with risk is for an organization to transfer the
risk to a third party. This is most often done through insurance.
 Types of insurance coverage:
 Equipment and facilities
 Media reconstruction
 Added expenses
 Business interruption
 Valuable papers and records
 Errors and omissions
 Fidelity coverage
 Media protection

Slide 66

Other Response Recovery Plan Options


 Because organizations and departments change, there should be
corresponding plans for updating the BCP/DRP
 Documenting response and recovery practices
 Including meetings with emergency management officials and government agencies
 The goal of these meetings is to understand what services and facilities they can offer

Slide 67

Lesson 10: Testing Response and Recovery Plans
 As with any plan, a thorough test should be conducted to ensure that all
factors have been considered to achieve the goal of a successful recovery
 Testing should serve to establish:
 Gaps in the plan (gap analysis)
 Whether the planning assumptions hold
 Whether the timeline is achievable (timeline analysis)
 How effective the strategies are
 Whether personnel respond as expected
 The accuracy of the plan

 Care should be taken that testing the response and recovery plans does
not interfere with business operations, or has little to no impact on the
organization

Slide 68

Periodic Testing
 Whatever the structure of the test or the make-up of the response and
recovery plan, the information security manager should make certain that
the plan is tested up to the point of a disaster declaration
 Some of the goals of testing will be:
 Having test objectives
 Executing and evaluating the test
 Making recommendations for improvement
 Following up on recommendations

Slide 69

Periodic Testing Continued


 As the information security manager, you should be certain that your
technology and architecture are a part of the recovery plan that will be
tested
 The IT infrastructure is a large part of most current organizations

 Types of tests that should be conducted


 Checklist
 Structured walk-through
 Simulation
 Parallel test
 Full interruption test

Slide 70

Analyzing Test Results


 At a minimum, the test should accomplish:
 Verifying the completeness and precision of the plan
 Evaluating personnel performance
 Discovering everyone's training and awareness levels
 Determining whether backup operations work adequately
 Whether vital records could be retrieved
 Whether the backups were of sufficient quality to be relocated to the recovery site
 Prior to any test, there should be plans for each of the test phases:
 Pretest
 Test
 Posttest
 The test itself will be one of the following types:
 Paper test
 Preparedness test
 Full operational test

Slide 71

Measuring the Test Results


 As with every element of information security management, there must
be ways to apply measurements and metrics to the results of the test
 The measurements that should be sought after are:
 Elapsed time
 Amount of work done at the backup site
 Percent of completeness for backups and restores
 Accuracy of the data at the recovery site
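The site-selection criteria (RTO, RPO, SDO, MTO) and the test measurements listed above (elapsed time, work done at the backup site, completeness of restores, accuracy of recovered data) only mean something when they are compared with each other. The following is an added worked example for both slides, written for this edition and not ISACA material or code from the original page. It assumes a plan that records those four objectives per business process and a test log that records the five measurements; the process names, objective values and test figures are constructed.

```python
"""Check a recovery-test result against the plan's recovery objectives.

Added example for this workbook section; it is not ISACA material or code
from the original page. It assumes that the plan records, per business
process, an RTO, RPO, MTO and SDO (the fraction of normal service level the
recovery site must deliver) and that a test run records elapsed time, the
age of the newest restored data, restore completeness, data accuracy and
the capacity delivered at the backup site. All sample values below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Objectives:
    process: str
    rto_hours: float   # Recovery Time Objective: max time to restore service
    rpo_hours: float   # Recovery Point Objective: max acceptable data loss (age)
    mto_hours: float   # Maximum Tolerable Outage the business can survive
    sdo: float         # Service Delivery Objective: required fraction of normal capacity


@dataclass(frozen=True)
class TestResult:
    process: str
    elapsed_hours: float          # declaration to service available
    data_age_hours: float         # age of the newest restored data at cutover
    restore_completeness: float   # fraction of backup sets restored
    data_accuracy: float          # fraction of restored records matching the source
    capacity_fraction: float      # work the backup site could actually handle


def plan_issues(obj: Objectives) -> list:
    """Consistency checks on the objectives themselves, before any test is run."""
    issues = []
    if obj.rto_hours > obj.mto_hours:
        # An RTO longer than the MTO means the plan loses the business even when met.
        issues.append(f"{obj.process}: RTO {obj.rto_hours}h exceeds MTO {obj.mto_hours}h")
    if obj.rpo_hours < 0 or obj.rto_hours < 0:
        issues.append(f"{obj.process}: objectives must be non-negative")
    if not 0 < obj.sdo <= 1:
        issues.append(f"{obj.process}: SDO must be in (0, 1], got {obj.sdo}")
    return issues


def evaluate(obj: Objectives, res: TestResult, min_accuracy: float = 0.999) -> dict:
    """Map the measured test results onto pass/fail per objective, plus headroom."""
    if obj.process != res.process:
        raise ValueError("objectives and test result refer to different processes")
    checks = {
        "rto_met": res.elapsed_hours <= obj.rto_hours,
        "rpo_met": res.data_age_hours <= obj.rpo_hours,
        "sdo_met": res.capacity_fraction >= obj.sdo,
        "restore_complete": res.restore_completeness >= 1.0,
        "data_accurate": res.data_accuracy >= min_accuracy,
    }
    checks["passed"] = all(checks.values())
    # Headroom is what gets reported upward: how close the test came to the limit.
    checks["rto_headroom_hours"] = round(obj.rto_hours - res.elapsed_hours, 2)
    checks["rpo_headroom_hours"] = round(obj.rpo_hours - res.data_age_hours, 2)
    return checks


# Constructed sample: two processes from a fictional plan and one test run.
OBJECTIVES = {
    "order-entry": Objectives("order-entry", rto_hours=4, rpo_hours=1, mto_hours=8, sdo=0.6),
    "payroll":     Objectives("payroll", rto_hours=24, rpo_hours=24, mto_hours=72, sdo=1.0),
}
RESULTS = {
    "order-entry": TestResult("order-entry", elapsed_hours=3.5, data_age_hours=1.5,
                              restore_completeness=1.0, data_accuracy=0.9995,
                              capacity_fraction=0.7),
    "payroll":     TestResult("payroll", elapsed_hours=6.0, data_age_hours=12.0,
                              restore_completeness=1.0, data_accuracy=1.0,
                              capacity_fraction=1.0),
}


def evaluate_all(objectives=OBJECTIVES, results=RESULTS) -> dict:
    return {name: evaluate(objectives[name], results[name]) for name in objectives}


if __name__ == "__main__":
    for name, report in evaluate_all().items():
        status = "PASS" if report["passed"] else "FAIL"
        failed = [k for k, v in report.items() if v is False and k != "passed"]
        print(f"{name}: {status} {failed}")
```

In the constructed run, order-entry comes back inside its RTO but the newest restored data is 1.5 hours old against a 1-hour RPO, so the test fails on the recovery point even though the site came up in time; that is the kind of finding the "accuracy of the data at the recovery site" metric exists to surface. `plan_issues` is the check to run before any test: an RTO that exceeds the MTO is a plan that cannot succeed.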

Slide 72

Lesson 11: Executing the Plan


 A recovery plan is best tested under realistic conditions
 In a real situation the amount of chaos can easily cause confusion; therefore, the
more practiced the response, the better the results will be
 During an actual test, we must be certain that everyone understands their roles and
responsibilities and that events are properly coordinated

Slide 73

Updating the Plan


 As with every security strategy, when change is introduced into the
architecture the recovery plan should also be reviewed
 You may need an update based on some of these factors:
 Organizational change
 New applications
 An updated business strategy
 Changes within the IT infrastructure
 Change of physical or environmental circumstances

Slide 74

Intrusion Detection Policies


 Some basic requirements that an intrusion detection policy should set
are:
 Systems running the IDS are fault tolerant
 Adequate training for those managing the IDS
 IDS software and hardware constantly running as well as kept updated
 IDS capable of being changed when needed to adapt to a new environment
 Minimal disruption of services by the IDS
 A well-tuned IDS
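What "well tuned" and "fault tolerant" mean in practice is easier to see on data. The following is an added example for this slide, written for this edition and not code from the original page or from any IDS product: a brute-force rule run over constructed syslog-style sshd lines, once with loose settings and once tuned with a tighter window, a higher threshold and an allowlist for an assumed authorized vulnerability scanner at 198.51.100.5. The hostname, addresses (documentation ranges) and timestamps are all constructed; a truncated line is included to show that the sensor keeps running on malformed input.

```python
"""Threshold detection over SSH auth log lines, untuned versus tuned.

Added example for this workbook section, not code from the original page.
It models the "well tuned IDS" and "minimal disruption" requirements with a
brute-force rule over constructed syslog-style sshd lines. The allowlisted
address 198.51.100.5 is an assumed authorized vulnerability scanner.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (documentation address ranges, fictional host).
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 50211 ssh2
Mar 10 09:00:05 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 50212 ssh2
Mar 10 09:00:09 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Mar 10 09:00:14 bastion sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 50214 ssh2
Mar 10 09:00:20 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50215 ssh2
Mar 10 09:00:26 bastion sshd[2106]: Failed password for root from 203.0.113.7 port 50216 ssh2
Mar 10 09:01:00 bastion sshd[2110]: Failed password for invalid user test from 198.51.100.5 port 40001 ssh2
Mar 10 09:01:03 bastion sshd[2111]: Failed password for invalid user test from 198.51.100.5 port 40002 ssh2
Mar 10 09:01:06 bastion sshd[2112]: Failed password for invalid user oracle from 198.51.100.5 port 40003 ssh2
Mar 10 09:01:09 bastion sshd[2113]: Failed password for invalid user oracle from 198.51.100.5 port 40004 ssh2
Mar 10 09:01:12 bastion sshd[2114]: Failed password for invalid user guest from 198.51.100.5 port 40005 ssh2
Mar 10 09:01:15 bastion sshd[2115]: Failed password for invalid user guest from 198.51.100.5 port 40006 ssh2
Mar 10 09:02:00 bastion sshd[2120]: Failed password for alice from 203.0.113.9 port 51000 ssh2
Mar 10 09:05:30 bastion sshd[2121]: Failed password for alice from 203.0.113.9 port 51001 ssh2
Mar 10 09:09:10 bastion sshd[2122]: Failed password for alice from 203.0.113.9 port 51002 ssh2
Mar 10 09:09:40 bastion sshd[2123]: Accepted password for alice from 203.0.113.9 port 51003 ssh2
Mar 10 09:10:02 bastion sshd[2124]: Failed pass
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text: str, year: int = 2024):
    """Return ([(timestamp, user, ip), ...], ignored_line_count) for failed logins."""
    events, ignored = [], 0
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            ignored += 1          # never crash on a malformed line: the sensor must stay up
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])   # tolerate out-of-order delivery
    return events, ignored


def detect_bruteforce(log_text: str, threshold: int, window_s: int,
                      allowlist: frozenset = frozenset()) -> dict:
    """Alert once per source when `threshold` failures land inside `window_s` seconds."""
    events, ignored = parse_failures(log_text)
    recent = defaultdict(deque)   # sliding window of timestamps per source
    alerts, alerted = [], set()
    for ts, user, ip in events:
        if ip in allowlist:
            continue              # tuning: known authorized scanner, suppress
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)       # tuning: one alert per source, not one per failure
            alerts.append({"ip": ip, "failures_in_window": len(q), "at": ts.isoformat()})
    return {"alerts": alerts, "events": len(events), "ignored_lines": ignored}


UNTUNED = dict(threshold=3, window_s=600)
TUNED = dict(threshold=5, window_s=60, allowlist=frozenset({"198.51.100.5"}))

if __name__ == "__main__":
    for label, settings in (("untuned", UNTUNED), ("tuned", TUNED)):
        out = detect_bruteforce(SAMPLE_LOG, **settings)
        print(label, [a["ip"] for a in out["alerts"]], "ignored:", out["ignored_lines"])
```

On the same fifteen events the untuned rule raises three alerts, including one on the scanner and one on a user who mistyped a password three times over seven minutes; the tuned rule raises one, on the source that produced five failures in nineteen seconds. Tuning is what keeps the IDS from becoming the disruption the policy warns against, and the allowlist must itself be reviewed, since it is the easiest place for a real attacker to hide.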

Slide 75

Who to Notify about an Incident


 The following functions should be alerted by the security incident team
when an incident occurs:
 Risk management
 HR – if involving employees
 Legal
 Public relations
 Network operations

Slide 76

Recovery Operations
 Part of the business continuity plan should address some of the
following scenarios:
 How to return to the primary site
 How to replace the primary site
 Relocation strategies

Slide 77

Other Recovery Operations


 Documenting events
 This is good for later review of the entire process
 May also be needed by legal teams

 Creating other procedures such as:
 Data preservation procedure
 Chain of custody
 Adhering to the rules of evidence

Slide 78

Forensic Investigation
 Remember that forensic means making evidence usable in court. Good
practices should be followed for this purpose, such as:
 Chain of custody
 Technicians trained in forensics
 Proper date and case logs
 Investigative reports
 Proper lab facilities
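The data preservation and chain-of-custody items on the previous slide and the forensic practices above reduce to one record that must be kept from acquisition onward. The following is an added example for both slides, written for this edition and not code from the original page or from any forensic tool: a record is created when evidence is acquired, every hand-over logs who gave it, who received it, when, and the hash observed at that moment, and the chain can be checked for integrity and continuity before the evidence is relied on. The people, timestamps and evidence bytes are constructed.

```python
"""Evidence intake, hand-over and chain-of-custody verification with hashes.

Added example for this workbook section, not code from the original page or
from any forensic tool. People, timestamps and the evidence bytes below are
constructed for illustration.
"""
import hashlib
from datetime import datetime, timezone


class CustodyError(Exception):
    """Raised when a hand-over would break the chain."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, evidence: bytes, source: str, collector: str, at: datetime) -> dict:
    """Create the evidence record and its first custody entry."""
    digest = sha256_hex(evidence)
    return {
        "item_id": item_id,
        "source": source,
        "size": len(evidence),
        "sha256": digest,                      # reference hash, fixed at acquisition
        "custody": [{"action": "acquired", "from": source, "to": collector,
                     "at": at.isoformat(), "sha256": digest}],
    }


def hand_over(record: dict, evidence: bytes, giver: str, receiver: str, at: datetime) -> dict:
    """Log a transfer; refuse if the giver is not the current holder, the bytes no
    longer match the acquisition hash, or time runs backwards."""
    last = record["custody"][-1]
    if giver != last["to"]:
        raise CustodyError(f"{giver} is not the current custodian ({last['to']})")
    observed = sha256_hex(evidence)
    if observed != record["sha256"]:
        raise CustodyError("hash mismatch at hand-over: evidence altered or wrong item")
    if at.isoformat() < last["at"]:
        raise CustodyError("hand-over timestamp precedes the previous entry")
    record["custody"].append({"action": "transferred", "from": giver, "to": receiver,
                              "at": at.isoformat(), "sha256": observed})
    return record


def verify_chain(record: dict) -> list:
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    entries = record["custody"]
    if not entries or entries[0]["action"] != "acquired":
        problems.append("chain does not start with an acquisition entry")
    prev = None
    for i, e in enumerate(entries):
        if e["sha256"] != record["sha256"]:
            problems.append(f"entry {i}: hash differs from the acquisition hash")
        if prev is not None:
            if e["from"] != prev["to"]:
                problems.append(f"entry {i}: custodian gap, {prev['to']} -> {e['from']}")
            if e["at"] < prev["at"]:
                problems.append(f"entry {i}: timestamp goes backwards")
        prev = e
    return problems


# Constructed stand-in for an acquired image; not a real acquisition.
EVIDENCE = b"constructed disk image bytes: not a real acquisition"


def demo() -> dict:
    t0 = datetime(2024, 3, 10, 9, 30, tzinfo=timezone.utc)
    rec = acquire("EV-001", EVIDENCE, "laptop HDD (constructed)", "analyst.a", t0)
    hand_over(rec, EVIDENCE, "analyst.a", "evidence.locker", t0.replace(hour=11))
    hand_over(rec, EVIDENCE, "evidence.locker", "analyst.b", t0.replace(day=11))
    clean_problems = verify_chain(rec)
    # A tampered copy must be refused at the next hand-over.
    try:
        hand_over(rec, EVIDENCE + b"x", "analyst.b", "counsel", t0.replace(day=12))
        tamper_refused = False
    except CustodyError:
        tamper_refused = True
    # An entry that skips a custodian shows up in verification.
    rec["custody"].append({"action": "transferred", "from": "someone.else", "to": "counsel",
                           "at": t0.replace(day=12).isoformat(), "sha256": rec["sha256"]})
    return {"clean_chain_problems": clean_problems, "tamper_refused": tamper_refused,
            "gap_detected": any("custodian gap" in p for p in verify_chain(rec))}


if __name__ == "__main__":
    print(demo())
```

The hash proves integrity only from the moment it was first recorded, so the acquisition entry has to be made at collection time, on a write-blocked copy, by the trained technician the slide calls for; a record started later cannot show what happened before it.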

Slide 79

Hacker / Penetration Methodology

 Reconnaissance
 Enumeration
 Attack
 Denial of service
 Escalation of privilege
 Create backdoor
 Pivot point

Review Questions:

1. Which of the following are types of events that should be planned for with
Incident Management? (Choose all that apply)
A. Technical
B. Physical
C. Social
D. Political

2. What type of plan should be put in place to recover from a server failure?
A. DRP
B. BCP
C. MTO
D. MTR

3. The Information Security Manager should be involved with Incident
Management to what degree?
A. Have a part of making the BCP/DRP
B. Must have at least adequate knowledge of the BCP/DRP
C. Should at minimum be a first responder
D. Should make the BCP plans

4. When responding to an incident, the IRT should categorize which event is the
most important, and then treat those events in proper priority. This is known as
what?
A. Detection
B. Reporting
C. Analysis
D. Triage

5. Typically Incident Management should be working with some outside groups.
Examples of those may be? (Choose all that apply)
A. Civil Services
B. Law Enforcement
C. Competitors
D. Known Hacking Groups

6. The change management procedure most likely to cause concern to the
information security manager is when:
A. Fallback processes are tested the weekend immediately prior to when the
changes are made
B. Users are notified of major scheduled system changes via electronic mail
C. A manual process is used by operations for comparing program versions
D. Development managers have final authority for releasing new programs
into production

7. Which of the following would indicate that an automated production scheduling
system has inadequate security controls?
A. Control statements are frequently changed to point to test libraries
B. Failure of a process automatically initiates resetting of parameters
C. Developers have read access to both production and test schedules
D. Scheduling personnel have the ability to initiate an emergency override

8. When a trading partner who has access to the corporate internal network refuses
to follow corporate security policies, the information security manager should
initiate which of the following?
A. Revoke their access
B. Provide minimal access
C. Send a breach of contract letter
D. Contact the partner’s external auditors

9. The most important aspect in writing good information security policies is to
ensure that they:
A. Are easy to read and understand
B. Allow for flexible interpretation
C. Capture the intent of management
D. Change whenever operating systems are upgraded

10. Which of the following would be the best approach when conducting a security
awareness campaign?
A. Provide technical details on exploits
B. Target system administrators and the help desk
C. Provide customized messages for different groups
D. Target senior managers and business process owners

11. The most appropriate metric to measure how well information security is
managing the administration of user access is the percent of user IDs with
corresponding:
A. Active records in the identity management system
B. Active records in the payroll system
C. Records in the customer account system
D. Records in the process owner’s entitlement system

12. Of these uses for security metrics, which allows an information security manager
to demonstrate that control objectives are met?
A. Demonstrating policy compliance
B. Charting frequency of failed hacking attempts
C. Satisfying requests from IT audit
D. Posting quarterly security activity
Answer Key:

1. A, B.
Both Technical events, such as malware and hacks, and Physical events, such
as theft or natural disasters, should be a part of Incident Management.

2. B
Business continuity plans should be in place to restore needed services as
quickly as possible.

3. C
They should be at least one of the first responders.

4. D
Sorting the events in a priority order is known as Triage.

5. A, B.
Both of these organizations can be important to have a liaison with, depending
on the type of incident.

6. D
Development managers should not have final authority for releasing new
programs into production.

7. A
Frequently having production control statements point to test libraries is a
problem since test libraries are not subject to the same level of security controls.

8. B
To preserve the business relationship, it would be inappropriate to revoke access
or contact the partner’s external auditors.

9. C
The most important aspect in writing good information security policies is that
they capture the intent, direction and expectations of management.

10. C
Different groups have differing levels of expertise, and accordingly, each should
receive a customized message based on their role and level of understanding.

11. A
The percent of user IDs with corresponding records in the identity management
system is the best measure of how well administration is being managed,
because this shows that the information security manager created an
infrastructure designed for identifying valid accounts.

12. A
Metrics that demonstrate compliance with a stated policy may also be used to
demonstrate that the control objective for which the policy was written is being
met.
