Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

CHAPTER 1
An Overview of Information Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Opening Case Scenario: Pernicious Proxy Probing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Key Information Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Overview of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Know Yourself. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Know the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Contingency Planning and Its Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Business Impact Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Business Continuity Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Contingency Planning Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Role of Information Security Policy in Developing Contingency Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Key Policy Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Systems-Specific Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Ethical Considerations in the Use of Information Security Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Closing Case Scenario: Pondering People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

CHAPTER 2
Planning for Organizational Readiness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Opening Case Scenario: Proper Planning Prevents Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Beginning the Contingency Planning Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Commitment and Support of Senior Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Elements Required to Begin Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Contingency Planning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
A Sample Generic Policy and High-Level Procedures for Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Determine Mission/Business Processes and Recovery Criticality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Identify Resource Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Identify System Resource Recovery Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
BIA Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Online Questionnaires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Facilitated Data-Gathering Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Process Flows and Interdependency Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Risk Assessment Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
IT Application or System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Financial Reports and Departmental Budgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Audit Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Production Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Budgeting for Contingency Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Incident Response Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Disaster Recovery Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Business Continuity Budgeting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Crisis Management Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Closing Case Scenario: Outrageously Odd Outages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

CHAPTER 3
Contingency Strategies for IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Opening Scenario: Panicking over Powder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Data and Application Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Online Backups and the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Disk to Disk to Other: Delayed Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Redundancy-Based Backup and Recovery Using RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Database Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Application Backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Backup and Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Real-Time Protection, Server Recovery, and Application Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Exclusive Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Shared-Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Service Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Hands-On Project 3-1: Command-line Backup Using rdiff-backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Hands-On Project 3-2: Copying Virtual Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Closing Case Scenario: Disaster Denied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

CHAPTER 4
Incident Response: Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Opening Case Scenario: DDoS Dilemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
The IR Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Forming the IR Planning Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Developing the Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Building the Computer Security Incident Response Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Information for attack success end case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Planning for the Response During the Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Planning for “After the Incident”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Reaction!. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Planning for “Before the Incident”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
The CCDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Assembling and Maintaining the Final IR Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Closing Case Scenario: The Never-Ending Story . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

CHAPTER 5
Incident Response: Detection and Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Opening Case Scenario: Oodles of Open Source Opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Possible Indicators of an Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Probable Indicators of an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Technical Details: Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Definite Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Identifying Real Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Technical Details: Processes and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
IDPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Why Use an IDPS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
IDPS Network Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Technical Details: Ports and Port Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
IDPS Detection Approaches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Automated Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Incident Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Collection of Data to Aid in Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Challenges in Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Closing Case Scenario: Jokes with JJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

CHAPTER 6
Incident Response: Organizing and Preparing the CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Opening Case Scenario: Trouble in Tuscaloosa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Building the CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Step 1: Obtaining Management Support and Buy-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Step 2: Determining the CSIRT Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Step 3: Gathering Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Step 4: Designing the CSIRT Vision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
A Sample Generic Policy and High-Level Procedures for Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . 243
Step 5: Communicating the CSIRT’s Vision and Operational Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Step 6: Beginning CSIRT Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Step 7: Announcing the Operational CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Step 8: Evaluating CSIRT Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Final Thoughts on CSIRT Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Outsourcing Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Current and Future Quality of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Division of Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Sensitive Information Revealed to the Contractor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Lack of Organization-Specific Knowledge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Lack of Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Handling Incidents at Multiple Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Maintaining IR Skills In-House . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Closing Case Scenario: Proud to Participate in Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

CHAPTER 7
Incident Response: Response Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Opening Case Scenario: Viral Vandal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
IR Response Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Response Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Incident Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
The Cuckoo’s Egg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Incident Eradication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Incident Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Incident Containment and Eradication Strategies for Specific Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Egghead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Handling Denial of Service (DoS) Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Unauthorized Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Inappropriate Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Hybrid or Multicomponent Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Automated IR Response Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Closing Case Scenario: Worrisome Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

CHAPTER 8
Incident Response: Recovery and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Opening Case Scenario: Wily Worms Wake Workers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Identify and Resolve Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Restore Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Restore Services and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Restore Confidence across the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Plan Review and Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Rehearsal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Reporting to Upper Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Loss Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Sample Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Incident Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Legal Issues in Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Technical Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
eDiscovery and Anti-Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Closing Case Scenario: Bureaucratic Blamestorms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

CHAPTER 9
Disaster Recovery: Preparation and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Opening Case Scenario: Flames Force Fan Fury . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Disaster Classifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
xii Table of Contents

Forming the Disaster Recovery Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373


Organization of the DR Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Special Documentation and Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Disaster Recovery Planning Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Develop the DR Planning Policy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Review the Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Identify Preventive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Develop Recovery Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Develop the DR Plan Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Plan Testing, Training, and Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Plan Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Information Technology Contingency Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Client/Server Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Data Communications Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Mainframe Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Sample Disaster Recovery Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
The Business Resumption Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
The DR Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Closing Case Scenario: Proactively Pondering Potential Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

CHAPTER 10
Disaster Recovery: Operation and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Opening Case Scenario: Dastardly Disaster Drives Dialing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Facing Key Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Preparation: Training the DR Team and the Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Plan Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Plan Triggers and Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Disaster Recovery Planning as Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
DR Training and Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
DR Plan Testing and Rehearsal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Rehearsal and Testing of the Alert Roster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Disaster Response Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Recovery Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Resumption Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Restoration Phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Repair or Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Restoration of the Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Relocation from Temporary Offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Resumption at the Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Standing Down and the After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429


Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
Closing Case Scenario: Smart Susan Starts Studying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436

CHAPTER 11
Business Continuity Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Opening Case Scenario: Lovely Local Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Business Continuity Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
BC Team Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Special Documentation and Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy and Plan Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Develop the BC Planning Policy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Review the BIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Identify Preventive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Create BC Contingency (Relocation) Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Develop the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Ensure BC Plan Testing, Training, and Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Ensure BC Plan Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Sample Business Continuity Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Implementing the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Preparation for BC Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Returning to a Primary Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
BC After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Continuous Improvement of the BC Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Improving the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Improving the BC Staff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Maintaining the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Periodic BC Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
BC Plan Archivist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
Closing Case Scenario: Exciting Emergency Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

CHAPTER 12
Crisis Management and International Standards in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Opening Case Scenario: Terrible Tragedy Today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Crisis Management in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Crisis Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Crisis Misconceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Preparing for Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
General Preparation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Organizing the Crisis Management Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483


Crisis Management Critical Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
Developing the Crisis Management Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Crisis Management Training and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Ongoing Case: Alert Roster Test at HAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Post-crisis Trauma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Posttraumatic Stress Disorder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Employee Assistance Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Immediately after the Crisis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Getting People Back to Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Dealing with Loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Federal Agencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Local Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Managing Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
The 11 Steps Of Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Avoiding Unnecessary Blame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Succession Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Elements of Succession Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Succession Planning Approaches for Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
International Standards in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
NIST Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
ISO Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Other Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Closing Case Scenario: Boorish Board Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

APPENDIX A
Sample Business Continuity Plan for ABC Co. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

APPENDIX B
Contingency Plan Template from the Computer Security Resource Center at
the National Institute of Standards and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

APPENDIX C
Sample Crisis Management Plan for Hierarchical Access, Ltd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565

GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583

Preface

As global networks expand the interconnection of the world’s technically complex infra-
structure, communication and computing systems gain added importance. Information secu-
rity has gained in importance as a professional practice, and information security has
emerged as an academic discipline. Recent events, such as malware attacks and successful
hacking efforts, have pointed out the weaknesses inherent in unprotected systems and
exposed the need for heightened security of these systems. In order to secure technologically
advanced systems and networks, both education and the infrastructure to deliver that educa-
tion are needed to prepare the next generation of information technology and information
security professionals to develop a more secure and ethical computing environment. There-
fore, improved tools and more sophisticated techniques are needed to prepare students to
recognize the threats and vulnerabilities present in existing systems and to design and
develop the secure systems needed in the near future. Many years have passed since the
need for improved information security education has been recognized, and as Dr. Ernest
McDuffie of NIST points out:
While there is no doubt that technology has changed the way we live, work, and
play, there are very real threats associated with the increased use of technology
and our growing dependence on cyberspace….
Education can prepare the general public to identify and avoid risks in cyber-
space; education will ready the cybersecurity workforce of tomorrow; and

education can keep today’s cybersecurity professionals at the leading edge of the latest
technology and mitigation strategies.
Source: NIST
The need for improvements in information security education is so great that the U.S. National Secu-
rity Agency (NSA) has established Centers of Academic Excellence in Information Assurance, as
described in Presidential Decision Directive 63, “The Policy on Critical Infrastructure Protection,”
May 1998:
The program goal is to reduce vulnerabilities in our National Information Infrastructure
by promoting higher education in information assurance, and producing a growing num-
ber of professionals with IA expertise in various disciplines.
Source: National Security Agency
The technical nature of the dominant texts on the market does not meet the needs of students who
have a major other than computer science, computer engineering, or electronic engineering. This is
a key concern for academics who wish to focus on delivering skilled undergraduates to the commer-
cial information technology (IT) sector. Specifically, there is a clear need for information security,
information systems, criminal justice, political science, and accounting information systems students
to gain a clear understanding of the foundations of information security.

Approach
This book provides an overview of contingency operations and its components as well as a thorough
treatment of the administration of the planning process for incident response, disaster recovery, and
business continuity. It can be used to support course delivery for information-security-driven programs
targeted at information technology students, as well as IT management and technology management
curricula aimed at business or technical management students.
Learning Support—Each chapter includes a Chapter Summary and a set of open-ended Review
Questions. These are used to reinforce learning of the subject matter presented in the chapter.
Chapter Scenarios—Each chapter opens and closes with a case scenario that follows the same fic-
tional company as it encounters various contingency planning or operational issues. The closing sce-
nario also includes a few discussion questions. These questions give the student and the instructor
an opportunity to discuss the issues that underlie the content.
Hands-On Learning—At the end of each chapter, Real-World Exercises and Hands-On Projects are
provided. These give students the opportunity to examine the contingency planning arena outside
the classroom. Using these exercises, students can pursue the learning objectives listed at the begin-
ning of each chapter and deepen their understanding of the text material.
Boxed Examples—These supplemental sections, which feature examples not associated with the
ongoing case study, are included to illustrate key learning objectives or extend the coverage of
plans and policies.

New to This Edition


This edition provides a greater level of detail than the previous edition, specifically in the examination of
incident response activities. It incorporates new approaches and methods that have been developed at
NIST. Although the material on disaster recovery, business continuity, and crisis management has not
been reduced, the text’s focus now follows that of the IT industry in shifting to the prevention, detection,
reaction to, and recovery from computer-based incidents and avoidance of threats to the security of infor-
mation. We are fortunate to have had the assistance of a reviewer who worked as a contributing author
for NIST, ensuring alignment between this text and the methods recommended by NIST.

Author Team
Long-time college professors and information security professionals Michael Whitman and Herbert
Mattord have jointly developed this text to merge knowledge from the world of academic study
with practical experience from the business world. Professor Andrew Green has been added to this
proven team to add a new dimension of practical experience.
Michael Whitman, Ph.D., CISM, CISSP Michael Whitman is a professor of information security
and assurance in the Information Systems Department, Michael J. Coles College of Business at Ken-
nesaw State University, Kennesaw, Georgia, where he is the director of the KSU Center for Informa-
tion Security Education (infosec.kennesaw.edu). Dr. Whitman has over 20 years of experience in
higher education, with over 12 years of experience in designing and teaching information security
courses. He is an active researcher in information security, fair and responsible use policies, and
computer-use ethics. He currently teaches graduate and undergraduate courses in information secu-
rity. He has published articles in the top journals in his field, including Information Systems
Research, Communications of the ACM, Information and Management, Journal of International
Business Studies, and Journal of Computer Information Systems. He is a member of the Association
for Computing Machinery and the Association for Information Systems. Under Dr. Whitman’s lead-
ership, Kennesaw State University has been recognized by the National Security Agency and the
Department of Homeland Security as a National Center of Academic Excellence in Information
Assurance Education three times; the university’s coursework has been reviewed by national-level
information assurance subject matter experts and determined to meet the national training standard
for information systems security professionals. Dr. Whitman is also the coauthor of Principles of
Information Security, 4th edition; Management of Information Security, 4th edition; Readings and
Cases in the Management of Information Security; Readings and Cases in Information Security:
Law and Ethics; The Hands-On Information Security Lab Manual, 3rd edition; Roadmap to the
Management of Information Security for IT and Information Security Professionals; Guide to Fire-
walls and VPNs, 3rd edition; Guide to Firewalls and Network Security, 2nd edition; and Guide to
Network Security, all published by Course Technology. In 2012, Dr. Whitman was selected by the
Colloquium for Information Systems Security Education as the recipient of the 2012 Information
Assurance Educator of the Year award.
Herbert Mattord, Ph.D., CISM, CISSP Herbert Mattord completed 24 years of IT industry experi-
ence as an application developer, database administrator, project manager, and information security
practitioner before joining the faculty of Kennesaw State University in 2002. Dr. Mattord is an
assistant professor of information security and assurance and the coordinator for the Bachelor of
Business Administration in Information Security and Assurance program. He is the operations man-
ager of the KSU Center for Information Security Education and Awareness (infosec.kennesaw.edu)
as well as the coordinator for the KSU certificate in Information Security and Assurance. During
his career as an IT practitioner, Dr. Mattord has been an adjunct professor at Kennesaw State University;
Southern Polytechnic State University in Marietta, Georgia; Austin Community College in
Austin, Texas; and Texas State University-San Marcos. He currently teaches undergraduate courses
in information security, data communications, local area networks, database technology, project
management, systems analysis and design, and information resources management and policy. He
was formerly the manager of corporate information technology security at Georgia-Pacific Corpora-
tion, where much of the practical knowledge found in this textbook was acquired. Professor Mat-
tord is also the coauthor of Principles of Information Security, 4th edition; Management of Informa-
tion Security, 4th edition; Readings and Cases in the Management of Information Security; Readings
and Cases in Information Security: Law and Ethics; The Hands-On Information Security Lab Man-
ual, 3rd edition; Roadmap to the Management of Information Security for IT and Information
Security Professionals; Guide to Firewalls and VPNs, 3rd edition; Guide to Firewalls and Network
Security, 2nd edition; and Guide to Network Security, all published by Course Technology.
Andrew Green, MSIS Andrew Green is a lecturer of information security and assurance in the Information Systems Department, Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia. Mr. Green has over a decade of experience in information security. Prior to entering academia full time, he worked as an information security consultant, focusing primarily on the needs of small and medium-sized businesses. Prior to that, he worked in the healthcare IT field, where he developed and supported transcription interfaces for medical facilities throughout the United States. Mr. Green is also a full-time Ph.D. student at Nova Southeastern University, where he is studying information systems with a concentration in information security. He is the coauthor of Guide to Firewalls and VPNs, 3rd edition and Guide to Network Security, both published by Course Technology.

Structure
The textbook is organized into 12 chapters and 3 appendices. Here are summaries of each chapter’s contents:
Chapter 1. An Overview of Information Security and Risk Management This chapter defines the concepts of information security and risk management and explains how they are integral to the management processes used for incident response and contingency planning.
Chapter 2. Planning for Organizational Readiness The focus of this chapter is on how an organization can plan for and develop the organizational processes and staffing appointments needed for successful incident response and contingency plans.
Chapter 3. Contingency Strategies for IR/DR/BC This chapter explores the relationships between contingency planning and the subordinate elements of incident response, business resumption, disaster recovery, and business continuity planning. It also explains the techniques used for data and application backup and recovery.
Chapter 4. Incident Response: Planning This chapter expands on the incident response planning process to include the processes and activities that are needed as well as the skills and techniques used to develop such plans.
Chapter 5. Incident Response: Detection and Decision Making This chapter describes how incidents are detected and how decision making regarding incident escalation and plan activation occurs.
Chapter 6. Incident Response: Organizing and Preparing the CSIRT This chapter presents the details of the actions that the CSIRT performs and how they are designed and developed.
Chapter 7. Incident Response: Response Strategies This chapter describes IR reaction strategies and how they are applied to incidents.
Chapter 8. Incident Response: Recovery and Maintenance This chapter describes how an organization plans for and executes the recovery process when an incident occurs; it also expands on the steps involved in the ongoing maintenance of the IR plan.
Chapter 9. Disaster Recovery: Preparation and Implementation This chapter explores how organizations prepare for disasters and recover from them.
Chapter 10. Disaster Recovery: Operation and Maintenance This chapter presents the challenges an organization faces when engaged in DR operations and how such challenges are met.
Chapter 11. Business Continuity Planning This chapter covers how organizations ensure continuous operations even when the primary facilities used by the organization are not available.
Chapter 12. Crisis Management and International Standards in IR/DR/BC This chapter covers the role of crisis management and recommends the elements of a plan to prepare for crisis response. The chapter also covers the key international standards that affect IR, DR, and BC.
Appendices. The three appendices present sample BC and crisis management plans and templates.

Text and Graphic Conventions

Wherever appropriate, additional information and exercises have been added to this book to help you better understand what is being discussed in the chapter. Icons throughout the text alert you to additional materials. The icons used in this textbook are described here:

Notes present additional helpful material related to the subject being described.

Offline boxes offer material that expands on the chapter’s contents but that may not be central to the learning objectives of the chapter.

Technical Details boxes provide additional technical information on information security topics.

Real World Exercises are structured activities to allow students to enrich their understanding of selected topics presented in the chapter by exploring Web-based or other widely available resources.

Hands-On Projects offer students the chance to explore the technical aspects of the theories presented in the chapter.

Instructor’s Materials
The following supplemental materials are available for use in a classroom setting. All the supplements available with this book are provided to the instructor on a single CD-ROM (ISBN: 9781111138066) and online at the textbook’s Web site.
Please visit login.cengage.com and log in to access instructor-specific resources.
To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com home page, search for the ISBN of your title (from the back cover of your book) using the search box at the top of the page. This will take you to the product page, where these resources can be found.
Additional materials designed especially for you might be available for your course online. Go to www.cengage.com/coursetechnology and search for this book title periodically for more details.
Electronic Instructor’s Manual—The Instructor’s Manual that accompanies this textbook includes additional instructional material to assist in class preparation, including suggestions for classroom activities, discussion topics, and additional projects.
Solution Files—The Solution Files include answers to selected end-of-chapter materials, including the Review Questions and some of the Hands-On Projects.
ExamView—This textbook is accompanied by ExamView, a powerful testing software package that allows instructors to create and administer printed, computer (LAN-based), and Internet exams. ExamView includes hundreds of questions that correspond to the topics covered in this text, enabling students to generate detailed study guides that include page references for further review. The computer-based and Internet testing components allow students to take exams at their computers, and also save the instructor time by grading each exam automatically.
PowerPoint Presentations—This book comes with Microsoft PowerPoint slides for each chapter. These are included as a teaching aid for classroom presentation. They can also be made available to students on the network for chapter review, or they can be printed for classroom distribution. Instructors, feel free to add your own slides for additional topics you introduce to the class.
Information Security Community Site—Stay Secure with the Information Security Community Site! Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field.
● Visit www.cengage.com/community/infosec.
● Download resources such as instructional videos and labs.
● Ask authors, professors, and students the questions that are on your mind in our Discussion Forums.
● See up-to-date news, videos, and articles.
● Read author blogs.
● Listen to podcasts on the latest Information Security topics.

Acknowledgments
The authors would like to thank their families for their support and understanding for the many hours dedicated to this project, hours taken in many cases from family activities. Special thanks to Karen Scarfone, coauthor of several NIST SPs. Her reviews and suggestions resulted in a more readable manuscript. Additionally, the authors would like to thank Doug Burks, primary developer of the Security Onion project used in this textbook. Doug’s insight and suggestions for the Hands-On Projects helped make them more robust and practical for students to use.

Reviewers
We are indebted to the following individuals for their respective contributions of perceptive feedback on the initial proposal, the project outline, and the individual chapters of the text:
Karen Scarfone, Scarfone Cybersecurity
Gary Kessler, Embry-Riddle Aeronautical University

Special Thanks
The authors wish to thank the editorial and production teams at Course Technology. Their diligent
and professional efforts greatly enhanced the final product:
Michelle Ruelos Cannistraci, Senior Product Manager
Kent Williams, Developmental Editor
Nick Lombardi, Acquisitions Editor
Andrea Majot, Senior Content Project Manager
Nicole Ashton Spoto, Technical Editor
In addition, several professional and commercial organizations and individuals have aided the
development of the textbook by providing information and inspiration, and the authors wish to
acknowledge their contribution:
Bernstein Crisis Management
Continuity Central
Information Systems Security Associations
Institute for Crisis Management
National Institute of Standards and Technology
Oracle, Inc.
Purdue University
Rothstein Associates, Inc.
SunGard
Our colleagues in the Department of Information Systems and the Michael J. Coles College of
Business, Kennesaw State University
Dr. Amy Woszczynski, Interim Chair of the Department of Information Systems, Michael J. Coles
College of Business, Kennesaw State University
Dr. Kathy Schwaig, Dean of the Michael J. Coles College of Business, Kennesaw State University

Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be pleased
and honored to receive feedback on the textbook and its supporting materials. You can contact us
through Course Technology.

chapter 1

An Overview of Information
Security and Risk Management

An ounce of prevention is worth a pound of cure. —Benjamin Franklin

Upon completion of this material, you should be able to:

● Define and explain information security
● Identify and explain the basic concepts of risk management
● List and discuss the components of contingency planning
● Describe the role of information security policy in the development of contingency plans


Opening Case Scenario: Pernicious Proxy Probing

Paul Alexander and his boss Amanda Wilson were sitting in Amanda’s office
discussing the coming year’s budget when they heard a commotion in the hall.
Hearing his name mentioned, Paul stuck his head out the door and saw Jonathon
Jasper (“JJ” to his friends) walking quickly toward him.
“Paul!” JJ called again, relieved to see Paul waiting in Amanda’s office.
“Hi, Amanda,” JJ said, then, looking at Paul, he added, “We have a problem.” JJ was
one of the systems administrators at Hierarchical Access LTD (HAL), a Georgia-based
Internet service provider that serves the northwest region of metropolitan Atlanta.
Paul stepped out into the hall, closing Amanda’s door behind him.
“What’s up, JJ?”
“I think we’ve got someone sniffing around the e-mail server,” JJ replied. “I just
looked at the log files, and there is an unusual number of failed login attempts on
accounts that normally just don’t have that many, like yours!”
Paul paused a moment.
“But the e-mail server’s proxied,” he finally said to JJ, “which means it must be an
internal probe.”
“Yeah, that’s why it’s a problem,” JJ replied. “We haven’t gotten this kind of thing
since we installed the proxy and moved the Web and e-mail servers inside the DMZ.
It’s got to be someone in-house.”
JJ looked exasperated. “And after all that time I spent conducting awareness training!”
“Don’t worry just yet,” Paul told him. “Let’s make a few calls, and then we’ll go
from there. Grab your incident response book and meet me in the conference room
in 10 minutes. Grab Tina in network operations on the way.”
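The check JJ describes, an unusual number of failed logins concentrated on a few accounts, is easy to script, and the inference Paul draws (the server is proxied, so the source must be internal) can be made part of the same check. The following is an added example, not code from the book or from HAL: it parses a constructed, simplified Dovecot-style mail log, compares each account’s failed-login count against a constructed per-account baseline, and classifies each source address as internal or external against assumed internal address ranges. The log format, the account names, the baseline figures, and the address ranges are all assumptions for illustration.

```python
"""Flag accounts with an abnormal burst of failed mail logins and say whether
the attempts came from inside or outside the network (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log excerpt in a simplified, Dovecot-like format.  Assumption:
# a real server's lines carry more fields; only LINE_RE would need to change.
SAMPLE_LOG = """\
Jan 14 09:01:11 mail dovecot: imap-login: Login: user=<tina>, rip=10.0.5.40
Jan 14 09:01:15 mail dovecot: imap-login: Login failed: user=<paul>, rip=10.0.5.23
Jan 14 09:01:16 mail dovecot: imap-login: Login failed: user=<paul>, rip=10.0.5.23
Jan 14 09:01:18 mail dovecot: imap-login: Login failed: user=<paul>, rip=10.0.5.23
Jan 14 09:01:19 mail dovecot: imap-login: Login failed: user=<amanda>, rip=10.0.5.23
Jan 14 09:01:21 mail dovecot: imap-login: Login failed: user=<paul>, rip=10.0.5.23
Jan 14 09:01:22 mail dovecot: imap-login: Login failed: user=<paul>, rip=10.0.5.23
Jan 14 09:01:25 mail dovecot: imap-login: Login failed: user=<paul>, rip=10.0.5.23
Jan 14 09:02:02 mail dovecot: imap-login: Login failed: user=<jj>, rip=203.0.113.9
Jan 14 09:02:30 mail dovecot: imap-login: Login: user=<paul>, rip=10.0.5.12
"""

# "Login: ..." is a success, "Login failed: ..." a failure; rip is the remote IP.
LINE_RE = re.compile(
    r"Login(?P<failed> failed)?: user=<(?P<user>[^>]+)>, rip=(?P<ip>[0-9.]+)"
)

# Assumption: the organization's internal address space (HAL's real ranges
# are not given in the book; the RFC 1918 blocks stand in for them).
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed baseline: failed logins each account normally accumulates per day.
BASELINE = {"paul": 1, "amanda": 2, "jj": 1, "tina": 1}


def parse_log(text):
    """Return one record per login line: {'user', 'ip', 'failed'}."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(
                {"user": m["user"], "ip": m["ip"], "failed": m["failed"] is not None}
            )
    return records


def classify_source(ip):
    """'internal' if the address falls in an assumed internal range, else 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def find_anomalies(records, baseline, factor=3, minimum=5):
    """Flag accounts whose failed-login count is at least `minimum` and at least
    `factor` times the account's baseline; record where the attempts came from."""
    failures = Counter(r["user"] for r in records if r["failed"])
    sources = defaultdict(set)
    for r in records:
        if r["failed"]:
            sources[r["user"]].add(r["ip"])
    findings = []
    for user, count in sorted(failures.items()):
        expected = baseline.get(user, 0)
        if count >= minimum and count >= factor * expected:
            findings.append({
                "user": user,
                "failures": count,
                "baseline": expected,
                "sources": {ip: classify_source(ip) for ip in sorted(sources[user])},
            })
    return findings


if __name__ == "__main__":
    for f in find_anomalies(parse_log(SAMPLE_LOG), BASELINE):
        where = ", ".join(f"{ip} ({kind})" for ip, kind in f["sources"].items())
        print(f"{f['user']}: {f['failures']} failed logins "
              f"(baseline {f['baseline']}) from {where}")
```

The per-account baseline matters more than the raw count: a service account that fails a dozen logins a day is normal, while six failures on an account that usually has one is the signal JJ noticed. The source classification is what turns the alert into the escalation decision in the scenario, since an internal address on a proxied server points to an in-house probe rather than Internet noise.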

Introduction
This book is about being prepared for the unexpected, being ready for such events as incidents and disasters. We call this contingency planning, and the sad fact is that most organizations don’t incorporate it into their day-to-day business activities. Such organizations are often not well prepared to offer the proper response to a disaster or security incident. By July 2012, Internet World Stats estimated that there were over 2.4 billion people online,1 representing one third of the world’s 6.9 billion population. Each one of those online users is a potential threat to any online system. The vast majority of Internet users will not intentionally probe, monitor, attack, or attempt to access an organization’s information without authorization; however, that potential does exist. If even less than 1/10 of 1 percent of online users make the effort, the result would be almost two and a half million potential attackers.

In the weeks that followed the September 11, 2001 attacks in New York, Pennsylvania, and Washington D.C., the media reported on the disastrous losses that various organizations were suffering. Still, many organizations were able to continue conducting business. Why? The reason is that those organizations were prepared for unexpected events. The cataclysm in 2001 was not the first attack on the World Trade Center (WTC). On February 26, 1993, a car bomb exploded beneath one of the WTC towers, killing 6 and injuring over 1000. The attack was limited in its devastation only because the attackers weren’t able to acquire all the components for a coordinated bomb and cyanide gas attack.2
Still, this attack was a wake-up call for the hundreds of organizations that conducted business in the WTC. Many began asking the question, “What would we have done if the attack had been more successful?” As a direct result, many of the organizations occupying the WTC on September 11, 2001 had developed contingency plans. Although thousands of people lost their lives in the attack, many were able to evacuate, and many organizations were prepared to resume their businesses in the aftermath of the devastation.
A 2008 Gartner report found that two out of three organizations surveyed had to invoke their disaster recovery or business continuity plans in the two years preceding the study.3 Considering that nearly 80 percent of businesses affected by a disaster either never reopen or close within 18 months of the event, having a disaster recovery and business continuity plan is vital to sustaining operations when disasters strike.4 Considering the risks, it is imperative that management teams create, implement, and test effective plans to deal with incidents and disasters. For this reason, the field of information security has been steadily growing and is taken seriously by more and more organizations, not only in the United States but throughout the world.
Before we can discuss contingency planning in detail, we must introduce some critical concepts of which contingency planning is an integral part. The first of these, which serves as the overall disciplinary umbrella, is information security. This refers to many interlinked programs and activities that work together to ensure the confidentiality, integrity, and availability of the information used by organizations. This includes steps to ensure the protection of organizational information systems, specifically during incidents and disasters. Because information security is a complex subject, which includes risk management as well as information security policy, it is important to have an overview of that broad field and an understanding of these major components. Contingency planning is an important element of information security, but before management can plan for contingencies, it should have an overall strategic plan for information security in place, including risk management processes to guide the appropriate managerial and technical controls. This chapter serves as an overview of information security, with special consideration given to risk management and the role that contingency planning plays in (1) information security in general and (2) risk management in particular.

Information Security
The Committee on National Security Systems (CNSS) has defined information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. This definition is part of the CNSS model (see Figure 1-1), which serves as the conceptual framework for understanding information security. The model evolved from a similar model developed within the computer security industry, known as the C.I.A. triangle. An industry standard for computer security since the development of the mainframe, the C.I.A. triangle illustrates the three most critical characteristics of information used within information systems: confidentiality, integrity, and availability.
Information assets have the characteristic of confidentiality when only those persons or computer systems with the rights and privileges to access them are able to do so. Information assets have integrity when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states; in other words, the information is whole, complete, and uncorrupted. Finally, information assets have availability when authorized users—persons or computer systems—are able to access them in the specified format without interference or obstruction. In other words, the information is there when it is needed, from where it is supposed to be, and in the format expected.

Figure 1-1 The CNSS security model (© Cengage Learning 2014). The model is a cube whose three axes are labeled Confidentiality, Integrity, Availability; Storage, Processing, Transmission; and Policy, Education, Technology.

In summary, information security (InfoSec) is the protection of the confidentiality, integrity, and availability of information, whether in storage, during processing, or in transmission. Such protection is achieved through the application of policy, education and training, and technology.

Key Information Security Concepts

In general, a threat is an object, person, or other entity that is a potential risk of loss to an asset, which is the organizational resource being protected. An asset can be logical, such as a Web site, information, or data, or it can be physical, such as a person, computer system, or other tangible object. A threat can become the basis for an attack—an intentional or unintentional attempt to cause damage to or otherwise compromise the information or the systems that support it. A threat-agent is a specific and identifiable instance of a general threat that exploits vulnerabilities in the controls set up to protect the asset. NIST defines a vulnerability as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy.”5 Vulnerabilities that have been examined, documented, and published are referred to as well-known vulnerabilities. Some vulnerabilities are latent and thus not revealed until they are discovered and made known.
There are two common uses of the term exploit in information security. First, threat-agents are said to exploit a system or information asset by using it illegally for their personal gains. Second, threat-agents can create an exploit, or means to target a specific vulnerability, usually found in software, to formulate an attack. A defender tries to prevent attacks by applying a control, a safeguard, or a countermeasure; these terms, all synonymous with control, represent security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an organization.
The results of a 2012 study that collected, categorized, and ranked the identifiable threats to information security are shown in Table 1-1. The study compared its findings with a prior study conducted by one of its researchers.

Threat Category                                          2010 Ranking   Prior Ranking
Espionage or trespass                                    1              4
Software attacks                                         2              1
Human error or failure                                   3              3
Theft                                                    4              7
Compromises to intellectual property                     5              9
Sabotage or vandalism                                    6              5
Technical software failures or errors                    7              2
Technical hardware failures or errors                    8              6
Forces of nature                                         9              8
Deviations in quality of service from service providers  10             10
Technological obsolescence                               11             11
Information extortion                                    12             12
Source: 2003 Study © Communications of the ACM used with permission
Table 1-1 Threats to information security6

The threat categories shown in Table 1-1 are explained in detail in the following sections.

Trespass Trespass is a broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of trespass. In the opening scenario of this chapter, the IT staff members at HAL were more disappointed than surprised to find someone poking around their mail server, looking for a way in. Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter.
The classic perpetrator of deliberate acts of espionage or trespass is the hacker. In this text, hackers are people who bypass legitimate controls placed on information systems in order to gain access to data or information against the intent of the owner. More specifically, a hacker is someone who uses skill, guile, or fraud to attempt to bypass the controls placed around information that belongs to someone else.

Software Attacks Deliberate software attacks occur when an individual or group designs software to attack a system. This software is referred to as malicious code, malicious software, or malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, bots, rootkits, and back doors. Equally prominent among the recent incidences of malicious code are the denial-of-service attacks conducted by attackers on popular e-commerce sites. A denial-of-service (DoS) attack seeks to deny legitimate users access to services by either tying up a server’s available resources or causing it to shut down. A variation on the DoS attack is the distributed DoS (DDoS) attack, in which an attacker compromises a number of systems, then uses these systems (called zombies or bots) to attack an unsuspecting target.
A potential source of confusion when it comes to threats posed by malicious code is the difference between the method of propagation (worm versus virus), the payload (what the malware does once it is in place, such as deny service or install a back door), and the vector of infection (how the code is transmitted from system to system, whether through social engineering or by technical means, such as an open network share). Various concepts related to the topic of malicious code are discussed in the following sections.

Viruses Computer viruses are segments of code that perform malicious actions. The code attaches itself to an existing program and takes control of that program’s access to the targeted computer. The virus-controlled target program then carries out the virus’s plan by replicating itself and inserting itself into additional targeted systems.
Opening an infected e-mail or some other seemingly trivial action can cause anything from random messages popping up on a user’s screen to the destruction of entire hard drives of data. Viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission. When these viruses infect a machine, they may immediately scan the local machine for e-mail applications; they may even send themselves to every user in the e-mail address book.
There are several types of viruses. One type is the macro virus, which is embedded in automatically executing macrocode, common in word-processed documents, spreadsheets, and database applications. Another type, the boot virus, infects the key operating system files located in a computer’s boot sector.
Worms Named for the tapeworm in John Brunner’s novel The Shockwave Rider, worms are malicious programs that replicate themselves constantly without requiring another program to provide a safe environment for replication. Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth. These complex behaviors can be invoked with or without the user downloading or executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. Further, a worm can deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected themselves. Worms also take advantage of open shares found on the network in which an infected system is located, placing working copies of the worm code onto the server so that users of those shares are likely to become infected.
Back Doors and Trap Doors A virus or worm can have a payload that installs a back door or trap door component in a system, which allows the attacker to access a system, at will, with special privileges. Examples of these kinds of payloads are SubSeven, Back Orifice, and Flashfake.
Polymorphism One of the biggest ongoing problems in fighting viruses and worms is polymorphic threats. A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures. These viruses and worms actually evolve, changing their size and appearance to elude detection by antivirus software programs. This means that an e-mail generated by the virus may not match previous examples, making detection more of a challenge.
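The reason a preconfigured signature fails against a variant, and what a similarity measure adds, can be shown on constructed data. The following is an added example, not code from the book: it stores a whole-file SHA-256 hash as the "signature" of a known artifact, shows that a variant differing in a few bytes no longer matches, and then scores the two with a byte 4-gram Jaccard similarity that still links them. The byte strings are constructed stand-ins (not malware), and the 4-gram score is an assumed simple substitute for the fuzzy hashing that real tools use.

```python
"""Exact-hash signature versus similarity scoring on a constructed
artifact and its variant (added example, not from the book)."""
import hashlib

# Constructed "known" artifact and a variant that differs only in a small
# mutable field (DECOY), imitating a sample whose appearance changes.
KNOWN = b"BEGIN " + b"block-routine-A-" * 8 + b"DECOY:0000" + b" END"
VARIANT = b"BEGIN " + b"block-routine-A-" * 8 + b"DECOY:a9f3" + b" END"
UNRELATED = b"the quick brown fox jumps over the lazy dog"


def sha256_hex(data: bytes) -> str:
    """Exact signature: the whole-file hash a signature database might hold."""
    return hashlib.sha256(data).hexdigest()


def signature_match(sample: bytes, signature_db: set) -> bool:
    """True only when the sample's hash is already in the database."""
    return sha256_hex(sample) in signature_db


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows; the basis of the similarity score."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two n-gram sets (1.0 = identical content).
    Assumption: a simple stand-in for fuzzy hashing such as ssdeep."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def similarity_match(sample: bytes, known: bytes, threshold: float = 0.5) -> bool:
    """Match when the sample shares at least `threshold` of its n-grams with a known artifact."""
    return jaccard(sample, known) >= threshold


if __name__ == "__main__":
    db = {sha256_hex(KNOWN)}
    print("exact signature hits variant:   ", signature_match(VARIANT, db))
    print("similarity hits variant:        ", similarity_match(VARIANT, KNOWN))
    print("similarity hits unrelated input:", similarity_match(UNRELATED, KNOWN))
```

Changing four bytes changes every bit of the hash, so the signature database is blind to the variant, while only the 4-grams that overlap the changed field drop out of the similarity set and the rest of the artifact still scores well above the threshold. The threshold is the tuning knob: too low and unrelated files match, too high and the check degrades back into an exact signature.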
Propagation Vectors The way that malicious code is spread from one system to another can vary widely. One common way is through a social engineering attack—that is, getting the computer user to perform an action that enables the infection. An example of this is the Trojan horse, often simply called a Trojan. A Trojan is something that looks like a desirable program or tool but is in fact a malicious entity. Other propagation vectors do not require human interaction, leveraging open network connections, file shares, or software vulnerabilities to spread themselves.
Malware Hoaxes As frustrating as viruses and worms are, perhaps more time and money
is spent on resolving malware hoaxes. Well-meaning people can disrupt the harmony and
flow of an organization when they send random e-mails warning of dangerous malware that
is fictitious. While these individuals feel they are helping out by warning their coworkers of a
threat, much time and energy is wasted as everyone forwards the message to everyone they
know, posts the message on social media sites, and begins updating antivirus protection
software. By teaching its employees how to verify whether a malware threat is real, the
organization can reduce the impact of this type of threat.

Human Error or Failure This threat category includes acts performed by an authorized user, usually without malicious intent or purpose. When people use information systems, mistakes sometimes happen as a result of inexperience, improper training, incorrect assumptions, and so forth. Unfortunately, small mistakes can produce extensive damage with catastrophic results. This is what is meant by human error. Human failure, on the other hand, is the intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information. An organization may be doing its part to protect information, but if an individual employee fails to follow established protocols, information can still be put at risk.

Theft The threat of theft—the illegal taking of another’s property—is a constant problem. Within an organization, property can be physical, electronic, or intellectual. The value of information assets suffers when they are copied and taken away without the owner’s knowledge. This threat category also includes acts of espionage, given that an attacker is often looking for information to steal. Any breach of confidentiality can be construed as an act of theft.
Attackers can use many different methods to access the information stored in an information system. Some information gathering is quite legal—for example, when doing research. Such techniques are collectively referred to as competitive intelligence. When information gathering employs techniques that cross the threshold of what is considered legal or ethical, it becomes known as industrial espionage.
Also of concern in this category is the theft or loss of mobile devices, including phones, tablets, and computers. Although the devices themselves are of value, perhaps even more valuable is the information stored within. Users who have been issued company equipment may establish (and save) VPN-connection information, passwords, access credentials, company records, customer information, and the like. This valuable information becomes a target for information thieves. In fact, it has become commonplace to find lost or stolen devices in the trash, with the hard drives or data cards (like phone SIMs) removed or the data having been copied and erased. The information is more valuable and easier to conceal than the actual device itself.
Users who travel or use their devices away from home should be extremely careful when leaving the device unattended at a restaurant table, conference room, or hotel room. Actually, most globally engaged organizations now have explicit policy directives that prohibit taking these portable devices to certain countries and direct employees required to travel to take sanitized, almost disposable, devices that are not allowed contact with internal company networks or technology.

Compromises to Intellectual Property Many organizations create or support the development of intellectual property as part of their business operations. FOLDOC, an online dictionary of computing, defines intellectual property (IP) this way:
The ownership of ideas and control over the tangible or virtual representation of those ideas. Use of another person’s intellectual property may or may not involve royalty payments or permission but should always include proper credit to the source.7
Source: FOLDOC
IP includes trade secrets, copyrights, trademarks, and patents, all of which employees use to conduct day-to-day business. Once an organization has properly identified its IP, breaches of the controls placed on access to it constitute a threat to the security of this information.
Often, an organization purchases or leases the IP of other organizations and must therefore abide by the purchase or licensing agreement for its fair and responsible use.

Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Information Security 9

Of equal concern is the exfiltration, or unauthorized removal of information, from an organization. Most commonly associated with disgruntled employees, the problem is made more severe by the need to protect intellectual property from unauthorized disclosure to third parties. Theft of organizational IP, such as trade secrets or trusted information like customer personal and financial records, is a commonplace issue. Data exfiltration is also being made tougher to combat because of the increasing popularity of “bring your own device” (or BYOD) systems, which allow employees to attach their own personal devices to the corporate network. These devices are frequently not as secure as the systems owned and maintained by the organization. If compromised by attackers prior to attaching to the corporate network, BYOD systems can easily be used as conduits to allow data to be exfiltrated. Additionally, unhappy employees can use these devices to copy data, then leave the organization with that valuable asset in their hands and no one the wiser.
Among the most common IP breaches is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy. Because most software is licensed to a particular purchaser, its use is restricted to a single user or to a designated user in an organization. If the user copies the program to another computer without securing another license or transferring the license, he or she has violated the copyright. Software licenses are strictly enforced by a number of regulatory and private organizations, and software publishers use several control mechanisms to prevent copyright infringement. In addition to the laws surrounding software piracy, two watchdog organizations investigate allegations of software abuse: the Software & Information Industry Association (SIIA), the Web site for which can be found at www.siia.net, and the Business Software Alliance (BSA), which can be found at www.bsa.org.

Sabotage or Vandalism This threat category involves the deliberate sabotage of a computer system or business or acts of vandalism to either destroy an asset or damage an organization’s image. The acts can range from petty vandalism by employees to organized sabotage by outsiders. A frequently encountered threat is the assault on an organization’s electronic profile—its Web site.
A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist activities through network or Internet pathways. The United States and other governments are developing security measures intended to protect the critical computing and communications networks as well as the physical and power utility infrastructures.

Technical Software Failures or Errors This threat category stems from purchasing software with unknown hidden faults. Large quantities of computer code are written, published, and sold before all the significant security-related bugs are detected and resolved. Also, combinations of particular software and hardware may reveal new bugs. While most bugs are not a security threat, some may be exploitable and may result in potential loss or damage to information used by those programs. In addition to bugs, there may be untested failure conditions or purposeful subversions of the security controls built into systems. These may be oversights or intentional shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors; they can cause serious security breaches.

10 Chapter 1 An Overview of Information Security and Risk Management

Software bugs are so commonplace that entire Web sites are dedicated to documenting them—for example, Bugtraq (www.securityfocus.com) and the National Vulnerability Database (http://nvd.nist.gov). These resources provide up-to-the-minute information on the latest security vulnerabilities and a very thorough archive of past bugs.

Technical Hardware Failures or Errors Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal, in that they result in the unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily identified. For example, equipment can sometimes stop working or can work in unexpected ways. Murphy’s Law says that if something can possibly go wrong, it will. In other words, it’s not whether something will fail but when.

Forces of Nature Forces of nature, also known as force majeure, or acts of God, pose some of the most dangerous threats imaginable because they often occur with very little warning. Fire, flood, earthquake, lightning, volcanic eruptions, even animal or insect infestation—these threats disrupt not only the lives of individuals but also the storage, transmission, and use of information.

Deviations in Quality of Service by Service Providers This threat category covers situations in which a product or service is not delivered to the organization as expected. Utility companies, service providers, and other value-added organizations form a vast web of interconnected services. An organization’s information system depends on the successful operation of such interdependent support systems, including power grids, telecom networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers. Any one of these support systems can be interrupted by storms, employee illnesses, or other unforeseen events.
An example of this threat category occurs when a construction crew damages a fiber-optic link for an ISP. The backup provider may be online and in service but may only be able to supply a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption. Internet service, communications, and power irregularities can dramatically affect the availability of information and systems.

Technological Obsolescence This threat category involves antiquated or outdated infrastructure that leads to unreliable and untrustworthy systems. Management must recognize that when technology becomes outdated, there is a risk of a loss of data integrity from attacks. Strategic planning should always include an analysis of the technology that is currently in use. Ideally, proper planning will prevent the risks stemming from technology obsolescence, but when obsolescence is identified, management must take immediate action. IT professionals play a large role in the identification of obsolescence.

Information Extortion The threat of information extortion is the possibility that an attacker or trusted insider will steal information from a computer system and demand compensation for its return or for an agreement to not disclose the information. Extortion is common in credit card number theft. Unfortunately, organized crime is increasingly involved in this area.
Other Threats Listings The Computer Security Institute conducts an annual study of computer crime, the results of which are shown in Table 1-2. Malware attacks continue to cause the most financial loss, and malware continues to be the most frequently cited attack (with a reported loss of over $42 million in 2009 alone). Nearly 70 percent of respondents noted that they had experienced one or more malware attacks in the 12-month reporting period—and that doesn’t include companies that are unwilling to report attacks. The fact is, almost every company has been attacked. Whether or not that attack was successful depends on the company’s security efforts.

Type of Attack or Misuse                                      2010/11  2008  2006  2004  2002  2000
Malware infection (revised after 2008)                            67%   50%   65%   78%   85%   85%
Being fraudulently represented as sender of phishing message      39%   31%   (new category)
Laptop/mobile hardware theft/loss                                 34%   42%   47%   49%   55%   60%
Bots/zombies in organization                                      29%   20%   (new category)
Insider abuse of Internet access or e-mail                        25%   44%   42%   59%   78%   79%
Denial of service                                                 17%   21%   25%   39%   40%   27%
Unauthorized access or privilege escalation by insider            13%   15%   (revised category)
Password sniffing                                                 11%    9%   (new category)
System penetration by outsider                                    11%   (revised category)
Exploit of client Web browser                                     10%   (new category)

Other Attacks/Misuse categories with less than 10% responses not listed above include (listed in decreasing order of occurrence/reporting):
Financial fraud
Web site defacement
Exploit of wireless network
Other exploit of public-facing Web site
Theft of or unauthorized access to PII or PHI due to all other causes
Instant Messaging misuse
Theft of or unauthorized access to IP due to all other causes
Exploit of user’s social network profile
Theft of or unauthorized access to IP due to mobile device theft/loss
Theft of or unauthorized access to PII or PHI due to mobile device theft/loss
Exploit of DNS Server
Extortion or blackmail associated with threat of attack or release of stolen data
Source: CSI/FBI surveys 2000 to 2010/11 (www.gocsi.com)
Table 1-2 Top Ten CSI/FBI survey results for types of attack or misuse (2000-2011)8

warning Tarzan launched himself full upon the back of the nearer,
hurling him to the ground. Before the other could gather his wits the
ape-man had dragged his victim into the concealment of the bush
from which he had sprung, while the fellow's companion turned and
fled in the direction of the tunnel.
The man in Tarzan's grasp fought and struggled to be free but the
ape-man held him as easily as he might have held a child.
"Lie still," he advised, "I shall not harm you."
"Ods blud!" cried the black. "What manner of creature be thou?"
"One who will not harm you if you will tell him the truth," replied
Tarzan.
"What wouldst thou know?" demanded the black.
"A white man came this way many weeks ago. Where is he?"
"Thou speakest of Sir James?" asked the soldier.
"Sir James!" mused Tarzan and then he recollected that Blake's first
name was James. "His name was James," he replied, "James
Blake."
"Verily, 'tis the same," said the soldier.
"You have seen him? Where is he now?"
"He be defending the honor of Our Lord Jesus and the Knights of
Nimmr in the Great Tourney in the lists upon the plain below the city,
and have ye come to wreak dispite upon our good Sir James thou
wilt find many doughty knights and men-at-arms who wilt take up the
gage in his behalf."
"I am his friend," said Tarzan.
"Then why didst thou leap upon me thus, if thou beest a friend to Sir
James?" demanded the man.
"I did not know how you had received him or how you would receive
me."
"A friend of Sir James will be received well in Nimmr," said the man.
Tarzan took the man's sword from him and permitted him to rise—his
pike he had dropped before being dragged among the bushes.
"Go before me and lead me to your master," commanded the ape-
man, "and remember that your life will be the forfeit that you must
pay for treachery."
"Do not make me leave the road unguarded against the Saracens,"
begged the man. "Soon my companion will return with others and
then I shall beg them to take thee where thou wilt."
"Very well," agreed the ape-man. They had not waited long before he
heard the sound of hastening footsteps and a strange jingling and
clanking that might have been caused by the shaking of many chains
and the striking against them of objects of metal.
Shortly afterward he was surprised to see a white man clothed in
chain mail and carrying a sword and buckler descending the trail at a
trot, a dozen pike-men at his back.
"Tell them to halt!" commanded Tarzan, placing the point of the
man's sword in the small of his back. "Tell them I would talk with
them before they approach too closely."
"Stop, I pray thee!" cried the fellow. "This be a friend of Sir James,
but he wilt run me through with my own sword an' ye press him too
close. Parley with him, most noble sir knight, for I wouldst live at
least to know the result of the Great Tourney."
The knight halted a few paces from Tarzan and looked him up and
down from feet to head. "Thou art truly a friend to Sir James?" he
demanded.
Tarzan nodded. "I have been seeking him for days."
"And some mishap befell thee and thou lost thy apparel."
The ape-man smiled. "I go thus, in the jungle," he said.
"Art thou a sir knight and from the same country as Sir James?"
"I am an Englishman," replied Tarzan of the Apes.
"An Englishman! Thrice welcome then to Nimmr! I be Sir Bertram
and a good friend to Sir James."
"And I am called Tarzan," said the ape-man.
"And thy rank?" inquired Sir Bertram.
Tarzan was mystified by the strange manners and garb of his
seemingly friendly inquisitor, but he sensed that whatever the man
might be he took himself quite seriously and would be more
impressed if he knew that Tarzan was a man of position, and so he
answered him truthfully, in his quiet way.
"A Viscount," he said.
"A peer of the realm!" exclaimed Sir Bertram. "Prince Gobred wilt be
o'er pleased to greet thee, Lord Tarzan. Come thou with me and I
wilt furnish thee with apparel that befits thee."
At the outer barbican Bertram took Tarzan into the quarters reserved
for the knight commanding the warders and kept him there while he
sent his squire to the castle to fetch raiment and a horse, and while
they waited Bertram told Tarzan all that had befallen Blake since his
arrival in Nimmr and, too, much of the strange history of this
unknown British colony.
When the squire returned with the clothing it was found that it fitted
the ape-man well, for Bertram was a large man, and presently
Tarzan of the Apes was garbed as a Knight of Nimmr and was riding
down toward the castle with Sir Bertram. Here the knight announced
him at the gate as the Lord Viscount Tarzan. Once within he
introduced him to another knight whom he persuaded to relieve him
at the gate while he conducted Tarzan to the lists that he might be
presented to Gobred and witness the final scenes of the tourney,
were it not concluded before they arrived.
And so it was that Tarzan of the Apes, clad in chain mail, and armed
with lance and sword, rode down into the Valley of the Sepulcher just
as Bohun put his foul scheme into execution and carried off the
Princess Guinalda.
Long before they reached the lists Bertram was aware that
something was amiss, for they could see the dust clouds racing
rapidly north away from the lists as though one body of knights
pursued another. He put spur to his mount and Tarzan followed suit,
and so they came at a stiff run to the lists and there they found all
pandemonium.
The women were mounting preparatory to riding back to Nimmr
under escort of a few knights that Gobred had sent back to guard
them. The men-at-arms were forming themselves into companies,
but all was being done in a confused manner since every now and
then a great part of the company would rush to the highest part of
the stands and peer off toward the north after the clouds of dust that
revealed nothing to them.
Sir Bertram accosted one of his fellows. "What hath befallen?" he
demanded.
"Bohun hath seized the Princess Guinalda and carried her away,"
came the astounding reply.
"Zounds!" cried Bertram, reining about. "Wilt ride with me in the
service of our princess, Lord Tarzan?"
For answer Tarzan spurred his horse alongside of Bertram's and
stirrup to stirrup the two set out across the plain, while far ahead of
them Blake drew gradually closer and closer to the fleeing Knights of
the Sepulcher. So thick the cloud of dust they threw up that they
were hid from their pursuer even as he was hid from them and so
were unaware that Blake was near them.
The American carried no lance nor shield, but his sword clattered
and clashed at his side and at his right hip swung his forty-five.
Whenever he had been armed, since he entered Nimmr, he had
carried this weapon of another world and another age. To their
queries he had answered that it was but a lucky talisman that he
carried, but in his heart was the thought that some day it might stand
him in better stead than these simple knights and ladies could
dream.
He knew that he would never use it except in battle, or as a last
resort against overwhelming odds or unfair tactics, but he was glad
that he carried it today as it might mean the difference between
liberty and captivity for the woman he loved.
Slowly he drew closer to the rearmost Knights of the Sepulcher.
Their mounts bred and trained to the utmost endurance and to carry
the great weight of man and mail kept to a brisk canter even after the
first long spurt of speed that had carried them away from the lists of
Nimmr.
The dust rolled up in clouds from iron-shod feet. Through it Blake
groped, catching vague glimpses of mounted men just ahead. The
black, powerful, fleet, courageous, showed no sign of fatigue. The
rider carried his sword in his hand, ready. He was no longer a black
knight, but a gray. Bassinet, hauberk, all the rich caparisons of his
horse, the horse itself, were gray with dust.
Blake glimpsed a knight toward whom he was slowly drawing closer.
This knight was gray! Like a flash Blake realized the value of the
camouflage that chance had laid upon him. He might ride among
them and they would not suspect that he was not of them!
Instantly he sheathed his sword and pressed forward, but he edged
off a little from the knight before he passed him. Urging the black
ever a little faster Blake crept up through the ranks of Bohun's
knights. Somewhere a knight was carrying double and this knight he
sought.
The nearer the head of the column he forged the greater became the
danger of discovery, for now the dust was less thick and men could
see farther, but yet his own armor, his face, the leopard skin of his
bassinet were coated thick with gray and though knights peered
intently at him as he passed none recognized him.
Once one hailed him. "Is't thou, Percival?" he demanded.
"Nay," replied Blake and spurred on a trifle faster.
Now, dimly, just ahead, he saw several knights bunched close and
once he thought he glimpsed the fluttering garments of a woman in
their midst. Pressing on, he drew close behind these and there,
surrounded by knights, he saw a woman held before one of the
riders.
Drawing his sword he spurred straight between two knights who rode
close behind he who carried Guinalda, and as Blake passed he cut
to the right and left and the two knights rolled from their saddles.
At a touch of the spurs the black leaped abreast the young knight
that was bearing off the princess. So quickly was the thing
accomplished that the knights who rode scarce an arm's length from
him had not the time to realize what was occurring and prevent it.
Blake slipped his left arm about the girl and at the same time thrust
to the left above his left fore-arm, driving his blade far into the body
of the youthful knight. Then he spurred forward carrying Guinalda
from the dead arms as the knight pitched headlong from his saddle.
Blake's sword was wrenched from his grasp, so far had he driven it
into the body of the man who dared commit this wrong against the
woman Blake loved.
Cries of rage arose about him as knights spurred in pursuit and the
black ran free with no guiding hand upon the reins. A huge fellow
loomed just at Blake's rear and another was closing in from the other
side. The first man swung his sword as he stood in his stirrups and
the second was already reaching for Blake with his point.
Strange oaths were on their lips and their countenances were
contorted by rage as they strove to have the life of the rash man who
had almost thwarted them in their design, but that he could succeed
they had not the remotest belief, for he was one against a thousand.
Then something happened the like of which had never been known
to them or their progenitors. A blue barreled forty-five flashed from
the holster at Blake's hip, there was a loud report and the knight
upon Blake's right rear lunged head foremost to the ground. Blake
turned in his saddle and shot the knight upon his other side between
the eyes.
Terrified, the horses of other knights close by, who might have
menaced him, bolted, as did the great black that Blake bestrode; but
while the American was trying to replace his weapon in its holster
and gather the reins in his right hand he leaned to the left and thus
forced the horse slowly around toward the direction he wished him to
go, Blake's plan being to cut across the front of the Knights of the
Sepulcher and then turn southward toward Nimmr.
He was sure that Gobred and his followers must be close in pursuit,
and that it would be but a matter of minutes before he would have
Guinalda safe behind a thousand or more knights, any one of whom
would lay down his life for her.
But the Knights of the Sepulcher had spread out over a greater front
than Blake had anticipated, and now he saw them coming rapidly
upon his left and was forced to swerve in a more northerly direction.
Closer and closer they came and once more the American found it
necessary to drop his reins and draw his forty-five. One shot sent the
horses of the menacing knights rearing and plunging away from the
terrifying sound, and it sent the black into a new paroxysm of terror
that almost resulted in Blake and the girl being unhorsed.
When the man finally brought the animal again under control the
dust cloud that marked the position of the Knights of the Sepulcher
was far behind, and close upon Blake's left was a great forest,
whose dark depths offered concealment for the moment at least.
Reining quickly within Sir James drew up and gently lowered
Guinalda to the ground. Then he dismounted and tied the black to a
tree, for Blake was spent after what he had been through this day
since his first entry upon the lists, and the black was spent as well.
He slipped the housing and the heavy saddle from the horse's back
and took the great bit from his mouth, replacing a portion of the
housing to serve as a cooler until the horse should be less heated,
nor once did he glance at the princess until he had finished caring for
his horse.
Then he turned and faced her. She was standing leaning against a
tree, looking at him.
"Thou art a brave, sir knight," she said softly, and then added,
arrogantly, "but still a boor."
Blake smiled, wanly. He was very tired and had no wish to argue.
"I'm sorry to ask you to do it," he said, ignoring what she had said to
him, "but Sir Galahad here will have to be kept moving about a bit
until he cools off and I'm too fagged to do it."
The Princess Guinalda looked at him in wide-eyed amazement. "Ye
—ye," she stammered, "ye mean that I should lead the beast? I, a
princess!"
"I can't do it Guinalda," replied Blake. "I tell you I'm just about all in,
lugging all these skid chains about since sun rise. I guess you'll have
to do it."
"Have to! Durst thou command, knave?"
"Snap out of it girl!" advised Blake curtly. "I'm responsible for your
safety and it may all depend on this horse. Get busy, and do as I tell
you! Lead him back and forth slowly."
There were tears of rage in the eyes of the Princess Guinalda as she
prepared to make an angry retort, but there was something in
Blake's eyes that silenced her. She looked at him for a long moment
and then turned and walked to the black. Untying the rope that
tethered him to the tree she led him slowly to and fro, while Blake sat
with his back against a great tree and watched out across the plain
for the first sign of pursuit.
But there was no pursuit, for the knights of Nimmr had overtaken the
Knights of the Sepulcher and the two forces were engaging in a
running fight that was leading them farther and farther away toward
the City of the Sepulcher upon the north side of the valley.
Guinalda led the black for half an hour. She led him in silence and in
silence Blake sat gazing out across the valley. Presently he turned
toward the girl and rose to his feet.
"That'll be good," he said, approaching her. "Thank you. I'll rub him a
bit now. I was too exhausted to do it before."
Without a word she turned the black over to him and with dry leaves
he rubbed the animal from muzzle to dock. When he had finished he
threw the housing over him again and came and sat down beside the
girl.
He let his eyes wander to her profile—to her straight nose, her short
upper lip, her haughty chin. "She is beautiful," thought Blake, "but
selfish, arrogant and cruel." But when she turned her eyes toward
him, even though they passed over him as though he had not been
there, they seemed to belie all the other evidence against her.
He noticed that her eyes were never quiet. Her glances roved from
place to place, but most often into the depths of the wood and
upward among the branches of the trees. Once she started and
turned suddenly to gaze intently into the forest.
"What is it?" asked Blake.