Fluent Essays

Discussion -  Project -  PFA Discussion – Info Security and Risk Management Chapter : 9-15 from textbook Managing Risk in Information Systems In week 7, analyze the impact that business continuity planning has on risk management.  You must use at least one scholarly resource. Every discussion posting must be properly APA formatted. PPT attached Text Book: Title: Managing Risk in Information Systems ISBN: 9781284193602 Authors: Darril Gibson, Andy Igonor Publisher: Jones & Bartlett Learning Publication Date: 2021 Edition: 3rd edition Info Security and Risk Management Project Part 5: Final Risk Management Plan This project is divided into several parts, each with a deliverable. The first four parts are drafts. These documents should resemble business reports in that they are organized by headings, include source citations (if any), be readable, and be free from typos and grammatical errors. However, they are not final, polished reports. Project Part 5: Final Risk Management Plan Compile all project parts into a single risk management plan document. Reduce redundant text, if any. Incorporate instructor feedback on the previous submissions in the final risk management plan. Submission Requirements · Format: Microsoft Word (or compatible) · Font: Arial, size 12, double-space · Citation style: Your school’s preferred style guide · Estimated length: 6–10 pages CHAPTER 15 Mitigating Risk with a Computer Incident Response Team Plan Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com. Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Learning Objective(s) and Key Concepts Perform business continuity, disaster, and incident response planning. Definition of a computer incident response team (CIRT) plan Purpose of a CIRT plan Elements of a CIRT plan How a CIRT plan can mitigate an organization’s risk Best practices for implementing a CIRT plan Learning Objective(s) Key Concepts Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Computer Security Incident Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com A violation or imminent threat of a violation of a security policy or security practice Examples Denial of service (DoS) attack Malicious code Unauthorized access Inappropriate usage Multiple component What Is a Computer Incident Response Team Plan? Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Computer incident response team (CIRT) A group of people who respond to incidents A CIRT plan Formal document that outlines an organization’s response to computer incidents Formally defines a security incident May designate the CIRT team Purpose of a CIRT Plan Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Helps organizations identify and prepare for computer incidents Applies critical thinking to solve potential problems Helps develop best responses to reduce damage Outlines the purpose of the response effort The five Ws: what, where, who, when, and why Growth of Incidents 1988 – one incident was news 2003 – 137,529 incidents Today – off the charts Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Elements of a CIRT Plan CIRT members IT staff and security professionals who understand risks and threats posed to networks and systems Roles, responsibilities, and accountabilities CIRT policies Incident handling process Communication escalation procedures Incident handling procedures Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com CIRT Members Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Team leader Information security members Network administrators Physical security personnel Legal Human resources (HR) Communications Responsibilities Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Developing incident response procedures Investigating incidents Determining the cause of incidents Recommending controls to prevent future incidents Protecting collected evidence Using a chain of custody Accountabilities Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Accountable to the organization to provide a proactive response to any incident Expected to minimize the impact of any incident Expected to keep up to date on security threats and possible responses Dedication on the part of each team member CIRT Policies May be simple statements or contained in appendixes at the end of the plan Provide the team with guidance in the midst of an incident Primary policy to consider: whether or not CIRT members can attack back Best practice is not to escalate an attack into a two-sided conflict Leave retribution to law enforcement. Other policies may be related to: Evidence Communications Safety Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Incident Handling Process Four phases defined by NIST SP 800-61 Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Handling DoS Attack Incidents DoS attacks attempt to prevent a system or network from providing a service by overwhelming it to consume its resources. Indications that a DoS attack is occurring: User reports of system unavailability Intrusion detection system (IDS) alerts on the attack Increased resource usage on the attacked system Increased traffic through the firewall to the attacked system Unexplained connection losses Unexplained system crashes Suspected attack can be confirmed by reviewing available logs Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Handling DoS Attack Incidents (Cont.) Distributed denial of service (DDoS) attack from a botnet What are the implications on the attacked server? Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Handling Malware Incidents Primary protection is antivirus software Secondary protection is to train and educate users Create checklists that identify what users should do if their systems are infected If malware infects an email server, isolate the server Configure web browsers and email readers to prevent the execution of malicious mobile code Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Viruses Worms Mobile code Trojan horses Handling Unauthorized Access Incidents Examples: Viewing or copying sensitive data without authorization Using social engineering Guessing or cracking passwords and logging on with these credentials Running a packet sniffer, such as Wireshark, to capture data transmitted on the network Hardening steps: Reducing the attack surface Keeping systems up to date Enabling firewalls Enabling IDSs Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Handling Inappropriate Usage Incidents Examples: Spamming coworkers Accessing websites that are prohibited Circumventing security policies Using file sharing or P2P programs Sending files with sensitive data outside the organization Launching attacks from within the organization against other computers Means of prevention: Security policies and acceptable use policies (AUPs) Alerts Log reviews Reports by other users Data loss prevention (DLP) software Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Handling Multiple Component Incidents Multiple component incident is a single incident that includes two or more other incidents, which are related to each other but not always immediately apparent Steps to take: Identify the root cause of an incident. Remote the root cause, if possible. Example: Incident 1: A user opens a malicious email attachment infects the system. Incident 2: The malware releases a worm that infects other computers on the network. Incident 3: The malware contacts a server, which forms a botnet. Infected systems on the network find other systems to infect. Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Communication Escalation Procedures Escalation When someone determines an event is an incident and declares it One of the first steps is to recall one or more CIRT members If the incident is worse than expected: CIRT member can escalate the response Organization can activate the full CIRT If ordinary communications are hampered: CIRT members can be issued push-to-talk phones or walkie-talkies A war room can be set up for face-to-face communications Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Incident Handling Procedures Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Calculating the impact and priority Using a generic checklist Handling DoS attack incidents Handling malware incidents Handling unauthorized access incidents Handling inappropriate usage incidents Calculating the Impact and Priority (Example) Current effect rating Minimal because the attack is currently affecting only one web server in the web farm. Score of 10. This rating will be used for 25 percent, or one-quarter, of the overall impact score (10 × .25 = 2.5). Projected effect rating Medium because the attack has the potential to spread to more web servers in the web farm. Score of 50. This rating will be used for 25 percent, or one-quarter, of the overall impact score (50 × .25 = 12.5). Criticality rating Medium because the web server does affect a mission-critical system in a single location. Score of 50. This rating will be used for 50 percent, or one-half, of the overall impact score (50 × .50 = 25). Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Calculating the Impact and Priority (Example) (Cont.) The following formula can then be used to determine the impact: (Current effect rating × .25) + (Projected effect rating × .25) + (Criticality rating × .50) (10 × .25) + (50 × .25) + (50 × .50) 2.5 + 12.5 + 25 Incident impact score = 40 Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Using a Generic Checklist Verify that an incident has occurred Determine the type of incident Determine the impact or potential impact of the incident Report the incident Acquire any available evidence on the incident Contain the incident Eradicate the incident Recover from the incident Document the incident Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Handling DoS Attack Incidents Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Containment Add filters at routers or firewalls to block the traffic based on the IP address, port, or protocol used in the attack Recovery Repair and test the affected system Contact the Internet service provider (ISP) Eradication Identify vulnerabilities and take steps to mitigate them Handling Malware Incidents Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Containment Identify infected systems Eradication Run full scans on systems Recovery Replace deleted or quarantined files needed for system operation Disconnect them from the network Determine why antivirus software didn’t detect the malware Remove all elements of the malware from the system Disinfect, quarantine, or delete infected files Verify the system is no longer infected Run another full scan before returning the system to operation Handling Unauthorized Access Incidents Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Containment Eradication Recovery Identify and isolate attacked system from the network Block all traffic at firewall; log attempts to connect Disable internal account (if source) and verify least privilege Identify weaknesses that allowed attack to succeed Verify system hardening Disable/delete addl accounts created during attack Resolve vulnerabilities Reconnect, verify, and test systems Consider adding monitoring, such as an IDS Handling Inappropriate Usage Incidents Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Containment Eradication Recovery Disable user’s account until management takes action Require specific user training before access is returned Document activity in employee’s record Enable account after appropriate action has been completed How Does a CIRT Plan Mitigate an Organization’s Risk? Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Quick and focused response to incidents Clearly defined roles and responsibilities Enhanced understanding of needed skills Enhanced ability to respond to threats and attacks Best Practices for Implementing a CIRT Plan Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com Define a computer security incident Include policies in CIRT plan to guide members Provide training Develop CIRT checklists Subscribe to security notifications Summary Definition of a computer incident response team (CIRT) plan Purpose of a CIRT plan Elements of a CIRT plan How a CIRT plan can mitigate an organization’s risk Best practices for implementing a CIRT plan Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com 10/11/2020 30