Principles of Incident Response and Disaster Recovery, Item Preview
Principles of Incident Response and Disaster Recovery presents methods to identify vulnerabilities and take appropriate countermeasures to prevent and mitigate failure risks for an organization. Not only does the book present a foundation in disaster recovery principles and planning, but it also emphasizes the importance of incident response.
For valuable information on pricing, previous editions, changes to current editions, and alternate formats, please visit www. Copyright Cengage Learning. Whitman, Herbert J. No part of this work covered by the copyright herein may be reproduced, transmitted, stored or used in any form or by any means graphic, electronic, or mechanical, including but not limited to photocopying, recording, scanning, digitizing, taping, Web distribution, information networks, or information storage and retrieval systems, except as permitted under Section or of the United States Copyright Act, without the prior written permission of the publisher.
com Library of Congress Control Number: ISBN ISBN Course Technology 20 Channel Center Street Boston, MA USA Cengage Learning is a leading provider of customized learning solutions with office locations around the globe, including Singapore, the United Kingdom, Australia, Mexico, Brazil, and Japan. Locate your local office at: international. For your lifelong learning solutions, visit www. com Visit our corporate website at cengage. Some of the product names and company names used in this book have been used for identification purposes only and may be trademarks or registered trademarks of their respective manufacturers and sellers.
Any fictional data related to persons or companies or URLs used throughout this book is intended for instructional purposes only. At the time this book was printed, any such data was fictional and not belonging to any real persons or companies. Course Technology and the Course Technology logo are registered trademarks used under license. Course Technology, a part of Cengage Learning, reserves the right to revise this publication and make changes from time to time in its content without notice. The programs in this book are for instructional purposes only. They have been tested with care, but are not guaranteed for any particular intent beyond educational purposes. The author and the publisher do not offer any warranties or representations, nor do they accept any liabilities with respect to the programs. Printed in the United States of America 1 2 3 4 5 6 7 16 15 14 13
To Rhonda, Rachel, Alex, and Meghan, thank you for your loving support. Always stay strong.

Brief Contents
PREFACE
CHAPTER 1 An Overview of Information Security and Risk Management

Table of Contents
PREFACE
Know Yourself
Know the Enemy
Risk Identification
Risk Assessment
Risk Control Strategies
Business Impact Analysis
Incident Response Plan
Disaster Recovery Plan
Business Continuity Plan
Contingency Planning Timeline
Key Policy Definitions
Enterprise Information Security Policy
Issue-Specific Security Policy
Systems-Specific Policy
Policy Management
Business Impact Analysis
Identify Resource Requirements
Identify System Resource Recovery Priorities
Online Questionnaires
Facilitated Data-Gathering Sessions
Process Flows and Interdependency Studies
Risk Assessment Research
IT Application or System Logs
Financial Reports and Departmental Budgets
Audit Documentation
Production Schedules
Incident Response Budgeting
Disaster Recovery Budgeting
Business Continuity Budgeting
Crisis Management Budgeting
Exclusive Site Resumption Strategies
Shared-Site Resumption Strategies
Service Agreements
CHAPTER 4 Incident Response: Planning
IDPS Terminology
Why Use an IDPS?
IDPS Network Placement
Real-World Exercises
Step 1: Obtaining Management Support and Buy-In
Step 2: Determining the CSIRT Strategic Plan
Step 3: Gathering Relevant Information
Step 4: Designing the CSIRT Vision
Step 6: Beginning CSIRT Implementation
Step 7: Announce the operational CSIRT
Step 8: Evaluating CSIRT Effectiveness
Final Thoughts on CSIRT Development
Current and Future Quality of Work
Division of Responsibilities
Sensitive Information Revealed to the Contractor
Lack of Organization-Specific Knowledge
Lack of Correlation
Handling Incidents at Multiple Locations
Maintaining IR Skills In-House
Malware
Unauthorized Access
Inappropriate Use
Hybrid or Multicomponent Incidents
Identify and Resolve Vulnerabilities
Restore Data
Restore Services and Processes
Restore Confidence across the Organization
After-Action Review
Plan Review and Maintenance
Law Enforcement Involvement
Reporting to Upper Management
Loss Analysis
Forming the Disaster Recovery Team
Develop the DR Planning Policy Statement
Review the Business Impact Analysis
Identify Preventive Controls
Develop Recovery Strategies
Develop the DR Plan Document
Plan Testing, Training, and Exercises
Plan Maintenance
Data Communications Systems
Mainframe Systems
Plan Distribution
Plan Triggers and Notification
Disaster Recovery Planning as Preparation
DR Training and Awareness
DR Plan Testing and Rehearsal
Rehearsal and Testing of the Alert Roster
Repair or Replacement
Restoration of the Primary Site
Relocation from Temporary Offices
Resumption at the Primary Site
Standing Down and the After-Action Review
Real-World Exercises
Develop the BC Planning Policy Statement
Review the BIA
Create BC Contingency Relocation Strategies
Develop the BC Plan
Ensure BC Plan Testing, Training, and Exercises
Ensure BC Plan Maintenance
Sample Business Continuity Plans
Preparation for BC Actions
Returning to a Primary Site
BC After-Action Review
Crisis Management Critical Success Factors
Posttraumatic Stress Disorder
Employee Assistance Programs
Immediately after the Crisis
Information security has gained in importance as a professional practice, and information security has emerged as an academic discipline. Recent events, such as malware attacks and successful hacking efforts, have pointed out the weaknesses inherent in unprotected systems and exposed the need for heightened security of these systems. In order to secure technologically advanced systems and networks, both education and the infrastructure to deliver that education are needed to prepare the next generation of information technology and information security professionals to develop a more secure and ethical computing environment. Therefore, improved tools and more sophisticated techniques are needed to prepare students to recognize the threats and vulnerabilities present in existing systems and to design and develop the secure systems needed in the near future. Many years have passed since the need for improved information security education has been recognized, and as Dr.
Ernest McDuffie of NIST points out: While there is no doubt that technology has changed the way we live, work, and play, there are very real threats associated with the increased use of technology and our growing dependence on cyberspace…. Education can prepare the general public to identify and avoid risks in cyberspace; education will ready the cybersecurity workforce of tomorrow; and Source: NIST The need for improvements in information security education is so great that the U. Source: National Security Agency The technical nature of the dominant texts on the market does not meet the needs of students who have a major other than computer science, computer engineering, or electronic engineering. This is a key concern for academics who wish to focus on delivering skilled undergraduates to the commercial information technology (IT) sector.
Specifically, there is a clear need for information security, information systems, criminal justice, political science, and accounting information systems students to gain a clear understanding of the foundations of information security. Approach This book provides an overview of contingency operations and its components as well as a thorough treatment of the administration of the planning process for incident response, disaster recovery, and business continuity. It can be used to support course delivery for information-security-driven programs targeted at information technology students, as well as IT management and technology management curricula aimed at business or technical management students. Learning Support—Each chapter includes a Chapter Summary and a set of open-ended Review Questions. These are used to reinforce learning of the subject matter presented in the chapter. Chapter Scenarios—Each chapter opens and closes with a case scenario that follows the same fictional company as it encounters various contingency planning or operational issues.
The closing scenario also includes a few discussion questions. These questions give the student and the instructor an opportunity to discuss the issues that underlie the content. Hands-On Learning—At the end of each chapter, Real-World Exercises and Hands-On Projects are provided. These give students the opportunity to examine the contingency planning arena outside the classroom. Using these exercises, students can pursue the learning objectives listed at the beginning of each chapter and deepen their understanding of the text material. Boxed Examples—These supplemental sections, which feature examples not associated with the ongoing case study, are included to illustrate key learning objectives or extend the coverage of plans and policies.
New to This Edition This edition provides a greater level of detail than the previous edition, specifically in the examination of incident response activities. It incorporates new approaches and methods that have been developed at NIST. Although the material on disaster recovery, business continuity, and crisis management has not We are fortunate to have had the assistance of a reviewer who worked as a contributing author for NIST, ensuring alignment between this text and the methods recommended by NIST. Author Team Long-time college professors and information security professionals Michael Whitman and Herbert Mattord have jointly developed this text to merge knowledge from the world of academic study with practical experience from the business world. Professor Andrew Green has been added to this proven team to add a new dimension of practical experience. Michael Whitman, Ph.
Coles College of Business at Kennesaw State University, Kennesaw, Georgia, where he is the director of the KSU Center for Information Security Education infosec. Whitman has over 20 years of experience in higher education, with over 12 years of experience in designing and teaching information security courses. He is an active researcher in information security, fair and responsible use policies, and computer-use ethics. He currently teaches graduate and undergraduate courses in information security. He has published articles in the top journals in his field, including Information Systems Research, Communications of the ACM, Information and Management, Journal of International Business Studies, and Journal of Computer Information Systems.
He is a member of the Association for Computing Machinery and the Association for Information Systems. Under Dr. Whitman is also the coauthor of Principles of Information Security, 4th edition; Management of Information Security, 4th edition; Readings and Cases in the Management of Information Security; Readings and Cases in Information Security: Law and Ethics; The Hands-On Information Security Lab Manual, 3rd edition; Roadmap to the Management of Information Security for IT and Information Security Professionals; Guide to Firewalls and VPNs, 3rd edition; Guide to Firewalls and Network Security, 2nd edition; and Guide to Network Security, all published by Course Technology.
In , Dr. Whitman was selected by the Colloquium for Information Systems Security Education as the recipient of the Information Assurance Educator of the Year award. Herbert Mattord, Ph.D., CISM, CISSP Herbert Mattord completed 24 years of IT industry experience as an application developer, database administrator, project manager, and information security practitioner before joining the faculty of Kennesaw State University in Mattord is an assistant professor of information security and assurance and the coordinator for the Bachelor of Business Administration in Information Security and Assurance program. He is the operations manager of the KSU Center for Information Security Education and Awareness infosec. edu as well as the coordinator for the KSU certificate in Information Security and Assurance.
During his career as an IT practitioner, Dr. Mattord has been an adjunct professor at: Kennesaw State University; Southern Polytechnic State University in Marietta, Georgia; Austin Community College in Austin, Texas; and Texas State University: San Marcos. He currently teaches undergraduate courses in information security, data communications, local area networks, database technology, project management, systems analysis and design, and information resources management and policy. He was formerly the manager of corporate information technology security at Georgia-Pacific Corporation, where much of the practical knowledge found in this textbook was acquired.
Professor Mattord is also the coauthor of Principles of Information Security, 4th edition; Management of Information Security, 4th edition; Readings and Cases in the Management of Information Security; Readings and Cases in Information Security: Law and Ethics; The Hands-On Information Security Lab Manual, 3rd edition; Roadmap to the Management of Information Security for IT and Information Security Professionals; Guide to Firewalls and VPNs, 3rd edition; Guide to Firewalls and Network Security, 2nd edition; and Guide to Network Security, all published by Course Technology. Andrew Green, MSIS Andrew Green is a lecturer of information security and assurance in the Information Systems Department, Michael J. Coles College of Business at Kennesaw State University, Kennesaw, Georgia. Green has over a decade of experience in information security. Prior to entering academia full time, he worked as an information security consultant, focusing primarily on the needs of small and medium-sized businesses.
Prior to that, he worked in the healthcare IT field, where he developed and supported transcription interfaces for medical facilities throughout the United States. Green is also a full-time Ph.D. student at Nova Southeastern University, where he is studying information systems with a concentration in information security. He is the coauthor of Guide to Firewalls and VPNs, 3rd edition and Guide to Network Security, both published by Course Technology.
Structure
The textbook is organized into 12 chapters and 3 appendices. Chapter 1. An Overview of Information Security and Risk Management This chapter defines the concepts of information security and risk management and explains how they are integral to the management processes used for incident response and contingency planning.
Chapter 2. Planning for Organizational Readiness The focus of this chapter is on how an organization can plan for and develop organizational processes and staffing appointments needed for successful incident response and contingency plans. Chapter 3. It also explains the techniques used for data and application backup and recovery. Chapter 4. Incident Response: Planning This chapter expands on the incident response planning process to include processes and activities that are needed as well as the skills and techniques used to develop such plans. Chapter 5. Incident Response: Detection and Decision Making This chapter describes how incidents are detected and how decision making regarding incident escalation and plan activation occur.
Chapter 6. Incident Response: Organizing and Preparing the CSIRT This chapter presents the details of the actions that the CSIRT performs and how they are designed and developed. Chapter 7. Incident Response: Response Strategies This chapter describes IR reaction strategies and how they are applied to incidents. Chapter 8. Incident Response: Recovery and Maintenance This chapter describes how an organization plans for and executes the recovery process when an incident occurs; it also expands on the steps involved in the ongoing maintenance of the IR plan. Chapter 9. Disaster Recovery: Preparation and Implementation This chapter explores how organizations prepare for disasters and recover from them. Chapter 10. Disaster Recovery: Operation and Maintenance This chapter presents the challenges an organization faces when engaged in DR operations and how such challenges are met.
Business Continuity Planning This chapter covers how organizations ensure continuous operations even when the primary facilities used by the organization are not available. The chapter also covers the key international standards that affect IR, DR, and BC. The three appendices present sample BC and crisis management plans and templates. Text and Graphic Conventions Wherever appropriate, additional information and exercises have been added to this book to help you better understand what is being discussed in the chapter. Icons throughout the text alert you to additional materials. The icons used in this textbook are described here: Notes present additional helpful material related to the subject being described. Technical Details boxes provide additional technical information on information security topics.
Real World Exercises are structured activities to allow students to enrich their understanding of selected topics presented in the chapter by exploring Web-based or other widely available resources. Hands-On Projects offer students the chance to explore the technical aspects of the theories presented in the chapter. Please visit login. com and log in to access instructor-specific resources. To access additional course materials, please visit www. At the CengageBrain. com home page, search for the ISBN of your title from the back cover of your book using the search box at the top of the page. This will take you to the product page, where these resources can be found. Additional materials designed especially for you might be available for your course online.
Go to www. Solution Files—The Solution Files include answers to selected end-of-chapter materials, including the Review Questions and some of the Hands-On Projects. ExamView—This textbook is accompanied by ExamView, a powerful testing software package that allows instructors to create and administer printed, computer (LAN-based), and Internet exams. ExamView includes hundreds of questions that correspond to the topics covered in this text, enabling students to generate detailed study guides that include page references for further review. The computer-based and Internet testing components allow students to take exams at their computers, and also save the instructor time by grading each exam automatically. PowerPoint Presentations—This book comes with Microsoft PowerPoint slides for each chapter.
These are included as a teaching aid for classroom presentation. They can also be made available to students on the network for chapter review, or they can be printed for classroom distribution. Instructors, feel free to add your own slides for additional topics you introduce to the class. Information Security Community Site—Stay Secure with the Information Security Community Site! Connect with students, professors, and professionals from around the world, and stay on top of this ever-changing field. Acknowledgments The authors would like to thank their families for their support and understanding for the many hours dedicated to this project, hours taken in many cases from family activities.
Special thanks to Karen Scarfone, coauthor of several NIST SPs. Her reviews and suggestions resulted in a more readable manuscript. Additionally, the authors would like to thank Doug Burks, primary developer of the Security Onion project used in this textbook.
Reviewers
We are indebted to the following individuals for their respective contributions of perceptive feedback on the initial proposal, the project outline, and the individual chapters of the text:
Karen Scarfone, Scarfone Cybersecurity
Gary Kessler, Embry-Riddle Aeronautical University
Special Thanks
The authors wish to thank the editorial and production teams at Course Technology. Their diligent and professional efforts greatly enhanced the final product:
Michelle Ruelos Cannistraci, Senior Product Manager
Kent Williams, Developmental Editor
Nick Lombardi, Acquisitions Editor
Andrea Majot, Senior Content Project Manager
Nicole Ashton Spoto, Technical Editor
In addition, several professional and commercial organizations and individuals have aided the development of the textbook by providing information and inspiration, and the authors wish to acknowledge their contribution:
Bernstein Crisis Management
Continuity Central
Information Systems Security Associations
Institute for Crisis Management
National Institute of Standards and Technology
Oracle, Inc.
Purdue University
Rothstein Associates, Inc.
SunGard
Our colleagues in the Department of Information Systems and the Michael J. Coles College of Business, Kennesaw State University
Dr. Amy Woszczynski, Interim Chair of the Department of Information Systems, Michael J.
Kathy Schwaig, Dean of the Michael J. Coles College of Business, Kennesaw State University
Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be pleased and honored to receive feedback on the textbook and its supporting materials. You can contact us through Course Technology.

Chapter 1 An Overview of Information Security and Risk Management
An ounce of prevention is worth a pound of cure.
Grab your incident response book and meet me in the conference room in 10 minutes. Grab Tina in network operations on the way.
Such organizations are often not well prepared to offer the proper response to a disaster or security incident. By July , Internet World Stats estimated that there were over 2. Each one of those online users is a potential threat to any online system.
In the weeks that followed the September 11 attacks in New York, Pennsylvania, and Washington D.C. Still, many organizations were able to continue conducting business. The reason is that those organizations were prepared for unexpected events.
The cataclysm in was not the first attack on the World Trade Center (WTC). On February 26, , a car bomb exploded beneath one of the WTC towers, killing 6 and injuring over
Although thousands of people lost their lives in the attack, many were able to evacuate, and many organizations were prepared to resume their businesses in the aftermath of the devastation. A Gartner report found that two out of three organizations surveyed had to invoke their disaster recovery or business continuity plans in the two years preceding the study. For this reason, the field of information security has been steadily growing and is taken seriously by more and more organizations, not only in the United States but throughout the world. Before we can discuss contingency planning in detail, we must introduce some critical concepts of which contingency planning is an integral part. The first of these, which serves as the overall disciplinary umbrella, is information security.
This refers to many interlinked programs and activities that work together to ensure the confidentiality, integrity, and availability of the information used by organizations. This includes steps to ensure the protection of organizational information systems, specifically during incidents and disasters. Because information security is a complex subject, which includes risk management as well as information security policy, it is important to have an overview of that broad field and an understanding of these major components.
Contingency planning is an important element of information security, but before management can plan for contingencies, it should have an overall strategic plan for information security in place, including risk management processes to guide the appropriate managerial and technical controls. This chapter serves as an overview of information security, with special consideration given to risk management and the role that contingency planning plays in (1) information security in general and (2) risk management in particular.
Information Security
The Committee on National Security Systems (CNSS) has defined information security as the protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information. This definition is part of the CNSS model (see the figure below), which serves as the conceptual framework for understanding information security. The model evolved from a similar model developed within the
An industry standard for computer security since the development of the mainframe, the C.I.A. triangle illustrates the three most critical characteristics of information used within information systems: confidentiality, integrity, and availability. Information assets have the characteristic of confidentiality when only those persons or computer systems with the rights and privileges to access them are able to do so. Information assets have integrity when they are not exposed, while being stored, processed, or transmitted, to corruption, damage, destruction, or other disruption of their authentic states; in other words, the information is whole, complete, and uncorrupted. Finally, information assets have availability when authorized users—persons or computer systems—are able to access them in the specified format without interference or obstruction. In other words, the information is there when it is needed, from where it is supposed to be, and in the format expected.
[Figure: The CNSS security model. A three-dimensional model whose axes are Confidentiality / Integrity / Availability; Storage / Processing / Transmission; and Policy / Education / Technology. © Cengage Learning]
In summary, information security (InfoSec) is the protection of the confidentiality, integrity, and availability of information, whether in storage, during processing, or in transmission. Such protection is achieved through the application of policy, education and training, and technology.
Key Information Security Concepts
In general, a threat is an object, person, or other entity that is a potential risk of loss to an asset, which is the organizational resource being protected.
An asset can be logical, such as a Web site, information, or data, or it can be physical, such as a person, computer system, or other tangible object. A threat can become the basis for an attack—an intentional or unintentional attempt to cause damage to or otherwise compromise the information or the systems that support it. A threat-agent is a specific and identifiable instance of a general threat that exploits vulnerabilities in the controls set up to protect the asset. Some vulnerabilities are latent and thus not revealed until they are discovered and made known.
There are two common uses of the term exploit in information security. First, threat-agents are said to exploit a system or information asset by using it illegally for their personal gain. Second, threat-agents can create an exploit, or means to target a specific vulnerability, usually found in software, to formulate an attack.
A defender tries to prevent attacks by applying a control, a safeguard, or a countermeasure; these terms, all synonymous with control, represent security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an organization. The results of a study that collected, categorized, and ranked the identifiable threats to information security are shown in the table below. The study compared its findings with a prior study conducted by one of its researchers.

Threat Category                                            Ranking   Prior Ranking
Espionage or trespass                                          1           4
Software attacks                                               2           1
Human error or failure                                         3           3
Theft                                                          4           7
Compromises to intellectual property                           5           9
Sabotage or vandalism                                          6           5
Technical software failures or errors                          7           2
Technical hardware failures or errors                          8           6
Forces of nature                                               9           8
Deviations in quality of service from service providers       10          10
Technological obsolescence                                    11          11
Information extortion                                         12          12

Table: Threats to information security. Source: Study © Communications of the ACM, used with permission.

The threat categories shown in the table are explained in detail in the following sections.
Trespass
Trespass is a broad category of electronic and human activities that can breach the confidentiality of information. When an unauthorized individual gains access to the information an organization is trying to protect, that act is categorized as a deliberate act of trespass. In the opening scenario of this chapter, the IT staff members at HAL were more disappointed than surprised to find someone poking around their mail server, looking for a way in. Acts of trespass can lead to unauthorized real or virtual actions that enable information gatherers to enter premises or systems they have not been authorized to enter. In this text, hackers are people who bypass legitimate controls placed on information systems in order to gain access to data or information against the intent of the owner. More specifically, a hacker is someone who uses skill, guile, or fraud to attempt to bypass the controls placed around information that belongs to someone else.
Software Attacks
Deliberate software attacks occur when an individual or group designs software to attack a system. This software is referred to as malicious code, malicious software, or malware. These software components or programs are designed to damage, destroy, or deny service to the target systems. Some of the more common instances of malicious code are viruses and worms, Trojan horses, logic bombs, bots, rootkits, and back doors. Equally prominent among the recent incidences of malicious code are the denial-of-service (DoS) attacks conducted by attackers on popular e-commerce sites. A variation on the DoS attack is the distributed DoS (DDoS) attack, in which an attacker compromises a number of systems, then uses these systems (called zombies or bots) to attack an unsuspecting target. A potential source of confusion when it comes to threats posed by malicious code is the difference between the method of propagation (worm versus virus), the payload (what the malware does once it is in place, such as deny service or install a back door), and the vector of infection (how the code is transmitted from system to system, whether through social engineering or by technical means, such as an open network share). Various concepts related to the topic of malicious code are discussed in the following sections.
Viruses Computer viruses are segments of code that perform malicious actions. Viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission. When these viruses infect a machine, they may immediately scan the local machine for e-mail applications; they may even send themselves to every user in the e-mail address book. There are several types of viruses. One type is the macro virus, which is embedded in automatically executing macro code, common in word-processed documents, spreadsheets, and database applications.
Worms can continue replicating themselves until they completely fill available resources, such as memory, hard drive space, and network bandwidth. These complex behaviors can be invoked with or without the user downloading or executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. Further, a worm can deposit copies of itself onto all Web servers that the infected system can reach, so that users who subsequently visit those sites become infected themselves. Worms also take advantage of open shares found on the network in which an infected system is located, placing working copies of the worm code onto the server so that users of those shares are likely to become infected. Back Doors and Trap Doors A virus or worm can have a payload that installs a back door or trap door component in a system, which allows the attacker to access a system, at will, with special privileges. Examples of these kinds of payloads are SubSeven, Back Orifice, and Flashfake. Polymorphism One of the biggest ongoing problems in fighting viruses and worms is polymorphic threats.
A polymorphic threat is one that changes its apparent shape over time, making it undetectable by techniques that look for preconfigured signatures. These viruses and worms actually evolve, changing their size and appearance to elude detection by antivirus software programs. This means that an e-mail generated by the virus may not match previous examples, making detection more of a challenge. Propagation Vectors The way that malicious code is spread from one system to another can vary widely. One common way is through a social engineering attack—that is, getting the computer user to perform an action that enables the infection.
An example of this is the Trojan horse, often simply called a Trojan. A Trojan is something that looks like a desirable program or tool but is in fact a malicious entity. Other propagation vectors do not require human interaction, leveraging open network connections, file shares, or software vulnerabilities to spread themselves. Malware Hoaxes As frustrating as viruses and worms are, perhaps more time and money is spent on resolving malware hoaxes. Well-meaning people can disrupt the harmony and flow of an organization when they send random e-mails warning of dangerous malware that is fictitious. While these individuals feel they are helping out by warning their coworkers of a threat, much time and energy is wasted as everyone forwards the message to everyone they know, posts the message on social media sites, and begins updating antivirus protection software.
By teaching its employees how to verify whether a malware threat is real, the organization can reduce the impact of this type of threat. Human Error or Failure This threat category includes acts performed by an authorized user, usually without malicious intent or purpose. When people use information systems, mistakes sometimes happen as a result of inexperience, improper training, incorrect assumptions, and so forth. Unfortunately, small mistakes can produce extensive damage with catastrophic results. This is what is meant by human error. Human failure, on the other hand, is the intentional refusal or unintentional inability to comply with policies, guidelines, and procedures, with a potential loss of information. An organization may be
Within an organization, property can be physical, electronic, or intellectual.
This threat category also includes acts of espionage, given that an attacker is often looking for information to steal. Any breach of confidentiality can be construed as an act of theft. Attackers can use many different methods to access the information stored in an information system. Some information gathering is quite legal—for example, when doing research. Such techniques are collectively referred to as competitive intelligence. When information gathering employs techniques that cross the threshold of what is considered legal or ethical, it becomes known as industrial espionage.
Also of concern in this category is the theft or loss of mobile devices, including phones, tablets, and computers. Although the devices themselves are of value, perhaps even more valuable is the information stored within. Users who have been issued company equipment may establish and save VPN-connection information, passwords, access credentials, company records, customer information, and the like. This valuable information becomes a target for information thieves. In fact, it has become commonplace to find lost or stolen devices in the trash, with the hard drives or data cards (like phone SIMs) removed or the data having been copied and erased. The information is more valuable and easier to conceal than the actual device itself.
Users who travel or use their devices away from home should be extremely careful when leaving the device unattended at a restaurant table, conference room, or hotel room. Actually, most globally engaged organizations now have explicit policy directives that prohibit taking these portable devices to certain countries and direct employees required to travel to take sanitized, almost disposable, devices that are not allowed contact with internal company networks or technology. Compromises to Intellectual Property Many organizations create or support the development of intellectual property as part of their business operations. FOLDOC, an online dictionary of computing, defines intellectual property (IP) this way: "The ownership of ideas and control over the tangible or virtual representation of those ideas."
Once an organization has properly identified its IP, breaches in the controls placed to control access to it constitute a threat to the security of this information. Often, an organization purchases or leases the IP of other organizations and must therefore abide by the purchase or licensing agreement for its fair and responsible use. Of equal concern is the exfiltration, or unauthorized removal of information, from an organization. Most commonly associated with disgruntled employees, the protection of intellectual property from unauthorized disclosure to third parties further illustrates the severity of this issue.
Theft of organizational IP, such as trade secrets or trusted information like customer personal and financial records, is a commonplace issue. These devices are frequently not as secure as the systems owned and maintained by the organization. If compromised by attackers prior to attaching to the corporate network, BYOD systems can easily be used as conduits to allow data to be exfiltrated. Additionally, unhappy employees can use these devices to copy data, then leave the organization with that valuable asset in their hands and no one the wiser. Among the most common IP breaches is the unlawful use or duplication of software-based intellectual property, more commonly known as software piracy.
Because most software is licensed to a particular purchaser, its use is restricted to a single user or to a designated user in an organization. If the user copies the program to another computer without securing another license or transferring the license, he or she has violated the copyright. Software licenses are strictly enforced by a number of regulatory and private organizations, such as the Business Software Alliance (BSA), and software publishers use several control mechanisms to prevent copyright infringement.
The acts can range from petty vandalism by employees to organized sabotage by outsiders. A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems to conduct terrorist activities through network or Internet pathways. The United States and other governments are developing security measures intended to protect the critical computing and communications networks as well as the physical and power utility infrastructures.
Technical Software Failures or Errors This threat category stems from purchasing software with unknown hidden faults. Large quantities of computer code are written, published, and sold before all the significant security-related bugs are detected and resolved. Also, combinations of particular software and hardware may reveal new bugs. While most bugs are not a security threat, some may be exploitable and may result in potential loss or damage to information used by those programs. In addition to bugs, there may be untested failure conditions or purposeful subversions of the security controls built into systems. These may be oversights or intentional shortcuts left by programmers for benign or malign reasons. Collectively, shortcut access routes into programs that bypass security checks are called trap doors; they can cause serious security breaches.
These resources provide up-to-the-minute information on the latest security vulnerabilities and a very thorough archive of past bugs. Technical Hardware Failures or Errors Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal, in that they result in the unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodically manifest themselves, resulting in faults that are not easily identified. For example, equipment can sometimes stop working or can work in unexpected ways. Forces of Nature Forces of nature, also known as force majeure, or acts of God, pose some of the most dangerous threats imaginable because they often occur with very little warning. Fire, flood, earthquake, lightning, volcanic eruptions, even animal or insect infestation—these threats disrupt not only the lives of individuals but also the storage, transmission, and use of information.
Deviations in Quality of Service by Service Providers This threat category covers situations in which a product or service is not delivered to the organization as expected. Utility companies, service providers, and other value-added organizations form a vast web of interconnected services. Any one of these support systems can be interrupted by storms, employee illnesses, or other unforeseen events. An example of this threat category occurs when a construction crew damages a fiber-optic link for an ISP. The backup provider may be online and in service but may only be able to supply a fraction of the bandwidth the organization needs for full service. This degradation of service is a form of availability disruption. Internet service, communications, and power irregularities can dramatically affect the availability of information and systems. Technological Obsolescence This threat category involves antiquated or outdated infrastructure that leads to unreliable and untrustworthy systems.
Management must recognize that when technology becomes outdated, there is a risk of a loss of data integrity from attacks. Strategic planning should always include an analysis of the technology that is currently in use. Ideally, proper planning will prevent the risks stemming from technology obsolescence, but when obsolescence is identified, management must take immediate action. IT professionals play a large role in the identification of obsolescence. Information Extortion The threat of information extortion is the possibility that an attacker or trusted insider will steal information from a computer system and demand compensation for its return or for an agreement to not disclose the information. Extortion
Unfortunately, organized crime is increasingly involved in this area.
Other Threats Listings The Computer Security Institute conducts an annual study of computer crime, the results for which are shown in Table. The fact is, almost every company has been attacked. All managers are expected to play a role in the risk management process, but information security managers are expected to play the largest roles. Very often, the chief information officer (CIO) will delegate much of the responsibility for risk management to the chief information security officer (CISO). Given that contingency planning is considered part of the risk management process, it is important to fully understand how risk management works and how contingency planning fits within that process. Risk management consists of two major undertakings: risk identification and risk control.
The various components of risk management and their relationships to one another are shown in Figure.
Figure labels: Risk management; Risk identification; Risk control.
Risk assessment is the documented result of the risk identification process. The IT community must serve the information technology needs of the broader organization and, at the same time, leverage the special skills and insights of the information security community. The information security team must lead the way with skill, professionalism, and flexibility as it works with the other communities of interest to appropriately balance the usefulness and security of the information system.
Each of the three elements in the C. When the organization depends on IT-based systems to remain viable, information security and the discipline of risk management move beyond theoretical discussions and become an integral part of the economic basis for making business decisions. These decisions are based on trade-offs between the costs of applying information systems controls and the benefits realized from the operation of secured, available systems. An observation made many centuries ago by Chinese General Sun Tzu is relevant to information security today: "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." Information security managers and technicians are the defenders of information. The many threats mentioned earlier are constantly attacking the defenses surrounding information assets.
Defenses are built in layers, by placing safeguard upon safeguard. You attempt to detect, prevent, and recover from attack after attack after attack. Moreover, organizations are legally prevented from switching to offense, and the attackers themselves have no need to expend their resources on defense. To be victorious, you must therefore know yourself and know the enemy. Know Yourself First, you must identify, examine, and understand the information and systems currently in place within your organization. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must understand what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because you have a control in place to protect an asset does not necessarily mean that the asset is protected.
Frequently, organizations implement control mechanisms but then neglect to periodically perform the necessary review, revision, and maintenance of their own systems. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they are still effective. This means identifying, examining, and understanding the threats facing the organization. You can then use your understanding of these aspects to create a list of threats prioritized by how important each asset is to the organization. It is essential that all stakeholders conduct periodic management reviews. The first focus of management review is asset inventory. On a regular basis, management must verify the completeness and accuracy of the asset inventory.
In addition, organizations must review and verify the threats and vulnerabilities that have been identified as dangerous to the asset inventory, as well as the current controls and mitigation strategies. The cost effectiveness of each control should be reviewed as well and the decisions on deployment of controls revisited. For example, a sales manager might assess control procedures by going through the office before the workday starts and picking up all the papers from every desk in the sales department. When the workers show up, the manager could inform them that a fire drill is underway—that all their papers have been destroyed and that each worker must now follow the disaster recovery procedures.
The effectiveness of the procedures can then be assessed and corrections made. Once that has been done, the threat identification process begins. Each information asset is examined to identify vulnerabilities, and when vulnerabilities are found, controls are identified and assessed regarding their capability to limit possible losses should an attack occur. The components of this process are shown in Figure. The assets are then classified and categorized, with details added as the analysis goes deeper. Information Asset Classification In addition to identifying the assets, it is advisable to classify them with respect to their security needs.
For example, data could be classified as confidential data, internal data, and public data. Likewise, the individuals authorized to view the data could be classified using a personnel security clearance structure. No matter how an organization chooses to classify the components of its system, the components must be specific enough to allow the creation of various priority levels. The components then can be ranked according to criteria established by the categorization. The categories themselves should be comprehensive and mutually exclusive. Comprehensive means that all the information assets should fit in the list somewhere; mutually exclusive means that each information asset should fit in only one category. For example, when
Figure: components of risk identification. Plan and organize the process. Categorize system components. Risk identification: inventory and categorize assets; identify threats; specify vulnerable assets; assign value to attack on assets; assess likelihood of attack on vulnerabilities. Risk assessment: calculate relative risk factor for assets; review possible controls; document findings.
It is a matter of professional judgment. To add consistency and simplify the categorization of elements when there is ambiguity, it is essential to establish a clear and comprehensive set of categories.
Does the law or other regulation require us to protect this asset? Before beginning the inventory process, the organization should decide which criteria are best suited to establish the value of the information assets. In addition to the criteria just listed, company-specific criteria should be identified, documented, and added to the process. To finalize this step of the information asset identification process, the organization should assign a weight to each asset based on the answers to the various questions. Once the process of inventorying and assessing value is complete, you can calculate the relative importance of each asset using a straightforward process known as weighted factor analysis, which is shown in Table. In this process, each information asset is assigned a score for each critical factor. In the example shown, these scores may range from 0.
Table: weighted factor analysis worksheet. Columns: Information Asset; Criterion 1: Impact on Revenue (weight 30); Criterion 2: Impact on Profitability (weight 40); Criterion 3: Impact on Image (weight 30); Weighted Score. Criterion weights (1 to 100) must total 100. First row: EDI Document Set 1—Logistics BOL to outsourcer (outbound) 0.
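The weighted factor analysis just described, together with the comprehensive and mutually exclusive classification rule from the preceding paragraph, as an added example in Python (this is not code from the textbook). The criterion names and the 30/40/30 weights follow the worksheet in the text; the asset names, their scores, and the category assignments are constructed sample data. It assumes per-criterion scores are fractions between 0.0 and 1.0 and that the weights are percentages totalling 100.

```python
"""Weighted factor analysis and classification-scheme checks.

Added example, not code from the textbook. It ranks information assets
by the weighted score described in the text and checks that a
classification scheme is comprehensive (every asset fits somewhere) and
mutually exclusive (every asset fits in exactly one category).
Assumption: scores are fractions in 0.0-1.0; weights total 100.
"""
from typing import Dict, List, Tuple

# Criterion weights from the worksheet; they must total 100.
WEIGHTS: Dict[str, int] = {
    "Impact on Revenue": 30,
    "Impact on Profitability": 40,
    "Impact on Image": 30,
}

# Constructed sample inventory: asset name -> score per criterion.
ASSETS: Dict[str, Dict[str, float]] = {
    "EDI Document Set 1 (outbound BOL)": {
        "Impact on Revenue": 0.7, "Impact on Profitability": 0.8, "Impact on Image": 0.6},
    "Customer order database": {
        "Impact on Revenue": 0.9, "Impact on Profitability": 0.9, "Impact on Image": 0.8},
    "Public marketing website": {
        "Impact on Revenue": 0.3, "Impact on Profitability": 0.4, "Impact on Image": 0.9},
}

# Constructed classification scheme and deliberately flawed assignments.
CATEGORIES = ("confidential", "internal", "public")
ASSIGNMENTS: Dict[str, List[str]] = {
    "EDI Document Set 1 (outbound BOL)": ["confidential"],
    "Customer order database": ["confidential", "internal"],  # not mutually exclusive
    "Public marketing website": ["public"],
    "Visitor sign-in sheet": [],                               # not comprehensive
}


def validate_weights(weights: Dict[str, int]) -> None:
    """Reject a weight table that does not total 100 or has a weight outside 1-100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights total {total}, expected 100")
    for name, w in weights.items():
        if not 1 <= w <= 100:
            raise ValueError(f"weight for {name!r} out of range: {w}")


def weighted_score(scores: Dict[str, float], weights: Dict[str, int]) -> float:
    """Sum of score * weight over all criteria, rounded to one decimal place."""
    validate_weights(weights)
    missing = set(weights) - set(scores)
    if missing:
        raise ValueError(f"asset is missing scores for: {sorted(missing)}")
    for name, s in scores.items():
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score for {name!r} out of range: {s}")
    return round(sum(scores[name] * w for name, w in weights.items()), 1)


def rank_assets(assets: Dict[str, Dict[str, float]],
                weights: Dict[str, int]) -> List[Tuple[str, float]]:
    """Return (asset, weighted score) pairs, most important asset first."""
    ranked = [(name, weighted_score(scores, weights)) for name, scores in assets.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def check_classification(assignments: Dict[str, List[str]],
                         categories: Tuple[str, ...]) -> Dict[str, List[str]]:
    """Report assets that break the comprehensive / mutually exclusive rules."""
    problems: Dict[str, List[str]] = {
        "uncategorized": [], "multiply_categorized": [], "unknown_category": []}
    for asset, cats in assignments.items():
        if not cats:
            problems["uncategorized"].append(asset)
        elif len(cats) > 1:
            problems["multiply_categorized"].append(asset)
        for c in cats:
            if c not in categories:
                problems["unknown_category"].append(asset)
    return problems


if __name__ == "__main__":
    for asset, score in rank_assets(ASSETS, WEIGHTS):
        print(f"{score:5.1f}  {asset}")
    for kind, names in check_classification(ASSIGNMENTS, CATEGORIES).items():
        if names:
            print(f"{kind}: {', '.join(names)}")
```

The ranking is only as good as the scores fed into it, which is why the function refuses weights that do not total 100 and scores outside the agreed range: a worksheet that silently accepts a weight of 300 or a score of 7 produces a confident-looking but meaningless priority list.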
For example, at one time Georgia-Pacific, an American pulp and paper company, used a data classification scheme in which information owners throughout the company were expected to classify the information assets for which they were responsible. At least once a year, they would review these classifications to ensure that the information was still classified correctly and the appropriate access controls were in place. A simple classification scheme would allow an organization to protect such sensitive information as its marketing or research data, its personnel data, its customer data, and its general internal communications. In organizations that require security clearances, each user of data is assigned an authorization level that indicates the data he or she is authorized to view. This is usually accomplished by assigning each employee a named role— such as data entry clerk, development programmer, information security analyst, or even CIO—and a security clearance associated with that role.
Employees are not simply allowed to view any and all data that falls within their level of clearance. Before someone can access a specific set of data, the need-to-know requirement must be met. This extra level of protection ensures that the confidentiality of information is properly maintained. An organization faces a wide variety of threats; the realistic ones need to be investigated further, while the unimportant threats are set aside. Each of the threat categories identified in Table must be assessed regarding its potential to endanger the organization. This is known as a threat assessment. By answering these questions, you can establish a framework for discussing threat assessment. The list may not cover everything, however. If an organization has specific guidelines or policies, these may require the posing of additional questions. The list is easily expanded to include additional requirements.
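The two-gate access rule described above (clearance level first, then need-to-know), as an added Python example that is not code from the textbook. The classification level names and the role names are those used in the text; the clearance granted to each role, the users, and the data sets are constructed. It assumes that public data is open to any authenticated user without a need-to-know entry.

```python
"""Clearance plus need-to-know access decision.

Added example, not code from the textbook. A user's role clearance must
meet the classification of the data set, and the user must also have an
explicit need to know that data set. Clearance mapping, users and data
sets are constructed. Assumption: public data needs no need-to-know entry.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Classification levels ordered from least to most sensitive.
LEVELS = ("public", "internal", "confidential")
RANK: Dict[str, int] = {name: i for i, name in enumerate(LEVELS)}

# Constructed: clearance level granted to each named role.
ROLE_CLEARANCE: Dict[str, str] = {
    "data entry clerk": "internal",
    "development programmer": "internal",
    "information security analyst": "confidential",
    "CIO": "confidential",
}


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str


@dataclass(frozen=True)
class User:
    name: str
    role: str
    need_to_know: FrozenSet[str]  # data set names this user is authorized to see


def clearance_of(user: User) -> str:
    """Look up the clearance attached to the user's role; unknown roles are an error."""
    try:
        return ROLE_CLEARANCE[user.role]
    except KeyError:
        raise ValueError(f"unknown role {user.role!r}") from None


def access_decision(user: User, dataset: DataSet) -> str:
    """Return 'allow' or a 'deny: ...' reason suitable for an audit log.

    Clearance is checked before need-to-know, so a denial for data the user
    is not cleared for never reveals whether a need-to-know entry exists.
    """
    if dataset.classification not in RANK:
        raise ValueError(f"unknown classification {dataset.classification!r}")
    if RANK[clearance_of(user)] < RANK[dataset.classification]:
        return "deny: insufficient clearance"
    if dataset.classification == "public":
        return "allow"
    if dataset.name not in user.need_to_know:
        return "deny: no need to know"
    return "allow"


# Constructed sample data sets and users.
CUSTOMER_DATA = DataSet("customer data", "confidential")
PERSONNEL_DATA = DataSet("personnel data", "confidential")
INTERNAL_MEMOS = DataSet("internal communications", "internal")
PRESS_RELEASES = DataSet("press releases", "public")

ANALYST = User("alice", "information security analyst", frozenset({"customer data"}))
CLERK = User("bob", "data entry clerk",
             frozenset({"customer data", "internal communications"}))


if __name__ == "__main__":
    for user in (ANALYST, CLERK):
        for ds in (CUSTOMER_DATA, PERSONNEL_DATA, INTERNAL_MEMOS, PRESS_RELEASES):
            print(f"{user.name:6} {ds.name:24} {access_decision(user, ds)}")
```

Note that the clerk holds a need-to-know entry for customer data but is still refused: the clearance check is a precondition, not an alternative, to need-to-know, and the analyst with confidential clearance is refused personnel data for the opposite reason. Returning the reason as a string rather than a bare boolean gives the security team something to record and review.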
You should then examine how each of the threats could be perpetrated.