2019 FRSecure CISSP Mentor Program: Class Ten

2019 CISSP MENTOR
PROGRAM
May 15, 2019
-----------
Class 10 – May 15, 2019
Instructors:
• Brad Nigh, FRSecure Director of Professional Services & Innovation
• Evan Francen, FRSecure & SecurityStudio CEO

I hope everyone is doing well. Looking for questions,
so give me some!
• Check-in.
• How many have read Chapter 1 - 7?
• Questions?
CISSP® MENTOR PROGRAM – SESSION TEN
1
WELCOME BACK!
I mean, it’s good to be back. ;)
115 slides tonight + what I covered Monday
at the 2019 North America ISACA CACS
Conference.
Pretty laid back class tonight, but still quite a bit of content to
get through.

1. During the course of the penetration test: the testers
discover signs of an active compromise of the new
custom-developed three-tier web application. What is
their best source of action?
A. Attempt to contain and eradicate the malicious activity
B. Continue the test
C. Quietly end the test, immediately call the operational IT
contact, and escalate the issue
D. Shut the server down
2
QUIZ…
Questions, questions, questions…

1. During the course of the penetration test: the testers
discover signs of an active compromise of the new
custom-developed three-tier web application. What is
their best source of action?
A. Attempt to contain and eradicate the malicious activity
B. Continue the test
C. Quietly end the test, immediately call the
operational IT contact, and escalate the issue
D. Shut the server down
3
QUIZ…

2. You would like to have the security firm test the new
web application, but have decided not to share the
underlying source code. What type of test could be
used to help determine the security of the custom web
application?
A. Secure compiler warnings
B. Fuzzing
C. Static testing
D. White box testing
4
QUIZ…

2. You would like to have the security firm test the new
web application, but have decided not to share the
underlying source code. What type of test could be
used to help determine the security of the custom web
application?
A. Secure compiler warnings
B. Fuzzing
C. Static testing
D. White box testing
5
QUIZ…

3. What type of penetration test will result in the most
efficient use of time and hourly consultant expenses?
A. Automated knowledge
B. Full knowledge
C. Partial Knowledge
D. Zero Knowledge
6
QUIZ…

3. What type of penetration test will result in the most
efficient use of time and hourly consultant expenses?
A. Automated knowledge
B. Full knowledge
C. Partial Knowledge
D. Zero Knowledge
7
QUIZ…

4. What term describes a holistic approach for determining
the effectiveness of access control, and has a broad
scope?
A. Security assessment
B. Security audit
C. Penetration test
D. Vulnerability assessment
8
QUIZ…

4. What term describes a holistic approach for determining
the effectiveness of access control, and has a broad
scope?
A. Security assessment
B. Security audit
C. Penetration test
D. Vulnerability assessment
9
QUIZ…

5. What term describes a black-box testing method that
seeks to identify and test all unique combinations of
software inputs?
A. Combinatorial software testing
B. Dynamic testing
C. Misuse case testing
D. Static Testing
10
QUIZ…

5. What term describes a black-box testing method that
seeks to identify and test all unique combinations of
software inputs?
A. Combinatorial software testing
B. Dynamic testing
C. Misuse case testing
D. Static Testing
11
QUIZ…

6. What term describes a no-tech or low-tech method that
uses the human mind to bypass security controls?
A. Fuzzing
B. Social engineering
C. War dialing
D. Zero-knowledge test
12
QUIZ…

6. What term describes a no-tech or low-tech method that
uses the human mind to bypass security controls?
A. Fuzzing
B. Social engineering
C. War dialing
D. Zero-knowledge test
13
QUIZ…

14
LET’S DO THIS!
Where we left off, we had just talked about incident
management/response…
Page 363 starts the new stuff.

Incident Response Management – Methodology
2. Detection (aka Identification)
• What are all of the inputs into my incident response process?
• Events  Incidents
3. Response (aka Containment)
• Step-by-step, depending upon classification & severity
• Forensic response? Protection of evidence, while containing
damage
• Start root cause analysis
15
LECTURE
Domain #7: Security Operations

4. Mitigation (aka Eradication)
• Root cause analysis completed (mostly/hopefully)
• Get rid of the bad things
5. Reporting
• Actually not really a step (happens throughout)
• More formal here; include incident responders (technical and
non-technical)
16
LECTURE

6. Recovery
• Restore systems and operations
• Increase monitoring
7. Remediation – broader in context
8. Lessons Learned (aka Post-incident Activity, Post
Mortem, or Reporting) – there’s always lessons
17
LECTURE

Operational Preventive And Detective Controls
• Intrusion Detection Systems (IDS) and Intrusion
Prevention Systems (IPS)
• True Positive: Conficker worm is spreading on a trusted
network, and NIDS alerts
• True Negative: User surfs the Web to an allowed site, and
NIDS is silent
• False Positive: User surfs the Web to an allowed site, and
NIDS alerts
• False Negative: Conficker worm is spreading on a trusted
network, and NIDS is silent
18
LECTURE

• NIDS, NIPS, HIDS, and HIPS (detection types)
• Pattern Matching
• Protocol Behavior
• Anomaly Detection
• Security Information and Event Management (SIEM)
• Continuous Monitoring
• Data Loss Prevention (network & host)
19
LECTURE

• NIDS, NIPS, HIDS, and HIPS
20
LECTURE

Continuous Monitoring
• Assessing and reassessing as ongoing processes.
• A modern improvement to legacy Certifications and Accreditations.
Data Loss Prevention (DLP)
• Class of solutions used to detect and/or prevent data from leaving
the organization.
• Host-based, network-based, and application-based DLP solutions.
21
LECTURE

Endpoint Security
• HIDS/HIPS
• Antivirus
• Application Whitelisting
• Removable Media Controls
• Disk Encryption
• Privileged Access
22
LECTURE

Endpoint Security
• HIDS/HIPS
• Antivirus
• Application Whitelisting
• Removable Media Controls
• Disk Encryption
• Privileged Access
23
LECTURE
Most effective on the list

Honeypots
• System designed to attract attackers. CAREFUL:
enticement vs. entrapment.
• Learn (or research) attack methods.
• Low-interaction (simulate systems) and high-interaction
(actual systems) honeypots.
Honeynets – real or simulated network of honeypots.
24
LECTURE

Asset Management (Configuration Management)
The goal is to move beyond the default system configuration to one
that is both hardened and meets the operational requirements of the
organization.
• Hardened baseline configurations
• Center for Internet Security (see: http://www.cisecurity.org/)
• Disabling unnecessary services, removing extraneous programs,
enabling security capabilities such as firewalls, antivirus, and
intrusion detection or prevention systems, and the configuration
of security and audit logs
25
LECTURE

organization.
26
LECTURE

organization.
27
LECTURE

organization.
28
LECTURE
Basic Principles of Security
1.You can’t secure things if you don’t know you have
them (Asset Management).
2.You can’t secure the things you can’t control
(Configuration Management, Change Control, Access
Control, etc.)

Baselining
• The process of capturing a point in time
understanding of the current system security
configuration
• Helpful in responding to a potential security incident
• Continual baselining is important
29
LECTURE

Vulnerability Management
• Vulnerability scanning is a way to discover poor
configurations and missing patches in an environment
• Vulnerability management is used rather than just
vulnerability scanning to emphasize the need for
management of the vulnerability information
• Prioritization and remediation of the vulnerabilities
30
LECTURE

31
LECTURE

Asset Management (Configuration
Management)
32
LECTURE

Asset Management (Configuration
Management)
33
LECTURE
Section 12.6 of the ISO/IEC 27002:2013 provides guidance on technical vulnerability
management. A vulnerability management process should be implemented in an effective,
systematic, and repeatable way with measurements taken to confirm its effectiveness.
Vulnerability management starts with asset management, the information required to support
systems technically includes tracking operating system software, version numbers, lists of
software installed, and the person or persons responsible for maintaining the systems.
Additionally, the organization should define and establish the roles and responsibilities
associated with technical vulnerability management, including vulnerability monitoring,
vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities
required thereof.

Once a potential technical vulnerability has been identified, the
organization should identify the associated risks and the actions to be
taken - such action could involve the patching of vulnerable systems
and/or applying other controls. Depending on how urgently a technical
vulnerability needs to be addressed, the action taken should be carried
out according to the controls related to change management or by
following information security incident response procedures. Critical-
risk and high-risk systems should be addressed first. Patches should
be tested and evaluated before they are installed to ensure they are
effective and do not result in side effects that cannot be tolerated; if no
patch is available, other controls should be considered. The technical
vulnerability management process should be regularly monitored and
evaluated in order to ensure its effectiveness and efficiency.
34
LECTURE

Zero-Day Vulnerabilities and Zero-Day Exploits
• The average window of time between a patch being released and
an associated exploit being made public is decreasing
• Recent research even suggests that for some vulnerabilities, an
exploit can be created within minutes based simply on the
availability of the unpatched and patched program
• The term for a vulnerability being known before the existence of a
patch (or workaround) is zero day vulnerability.
• A zero-day exploit, rather than vulnerability, refers to the
existence of exploit code for a vulnerability which has yet to be
patched
35
LECTURE

Change Management
• A system that does not change will become less secure over time
• Not an exact science, every organization will be a little different
• The general flow of the change management process includes:
• Identifying a change
• Proposing a change
• Assessing the risk associated with the change
• Testing the change (backout plan)
• Scheduling the change
• Notifying impacted parties of the change
• Implementing the change
• Reporting results of the change implementation
• Changes must be closely tracked and auditable
36
LECTURE

Continuity of Operations
Service Level Agreements (SLA)
• Critical where organizations have external entities perform critical
services or host significant assets and applications
• Goal is to stipulate all expectations regarding the behavior of the
department or organization that is responsible for providing
services and the quality of the services provided
• Availability is usually the most critical security consideration of a
service level agreement
• Organizations must negotiate all security terms of a service level
agreement prior to engaging with the company
• Cloud computing
37
LECTURE

Fault Tolerance
Backup
• Recoverability in the event of a failure
• Magnetic tape media is old technology, but still is the
most common repository of backup data
• Three basic types of backups exist: full backup; the
incremental backup; and the differential backup
38
LECTURE

Fault Tolerance
Backup
• Full backup - a replica of all allocated data on a hard
disk
• The most costly in terms of media and time to backup
• Often coupled with either incremental or differential backups
to balance the time and media considerations
39
LECTURE

Fault Tolerance
Backup
• Incremental backup - only archive files that have
changed since the last backup of any kind was
performed
• The most recent full backup and each and every incremental
backup since the full backup is required to initiate a recovery
• Time to perform each incremental backup is extremely short;
however, the downside is that a full restore can require many
tapes, especially if full backups are performed less frequently
• The odds of a failed restoration due to a tape integrity issue
(such as broken tape) rise with each additional tape required
40
LECTURE

Fault Tolerance
Backup
• Differential - will back up any files that have been
changed since the last full backup
• Only the most recent full backup and most recent differential
backup are required to initiate a full recovery
• As more time passes since the last full backup the length of
time to perform a differential backup will also increase
41
LECTURE

Fault Tolerance
Redundant Array of Inexpensive Disks (RAID)
• Mitigates the risk associated with hard disk failures
42
LECTURE

Fault Tolerance - Redundant Array of Inexpensive Disks
(RAID)
Three terms that are important to understand with respect
to RAID are: mirroring; striping; and parity
• Mirroring - used to achieve full data redundancy by
writing the same data to multiple hard disks
• Write times are slower
• Read times are faster
• Most costly in terms of disk usage - at least half of the drives
are used for redundancy
43
LECTURE

(RAID)
Three terms that are important to understand with respect to RAID
are: mirroring; striping; and parity
• Striping - increased the read and write performance by spreading
data across multiple hard disks
• Reads and writes can be performed in parallel across multiple disks
rather than serially on one disk
• Parallelization provides a performance increase, and does not aid in
data redundancy
• Parity - achieve data redundancy without incurring the same
degree of cost as that of mirroring in terms of disk usage and
write performance
44
LECTURE

Fault Tolerance - Redundant
Array of Inexpensive Disks (RAID)
RAID 0: Striped Set
• Striping to increase the
performance of read and writes
• No data redundancy - poor choice
if recovery of data is the reason for
leveraging RAID
45
LECTURE

Fault Tolerance - Redundant
Array of Inexpensive Disks (RAID)
RAID 1: Mirrored Set
• Creates/writes an exact duplicate
of all data to an additional disk
• Write performance is decreased
• Read performance can increase
• Highest disk cost
46
LECTURE

(RAID)
RAID 2: Hamming Code
• Not considered commercially viable for hard disks and is not
used
• Requires either 14 or 39 hard disks and a specially designed
hardware controller
• Cost prohibitive
• RAID 2 is not likely to be tested
47
LECTURE

(RAID)
RAID 3: Striped Set with Dedicated Parity (byte level)
• Data, at the byte level, is striped across multiple disks
• An additional disk is leveraged for storage of parity information,
which is used for recovery in the event of a failure
RAID 4: Striped Set with Dedicated Parity (block level)
• Exact same configuration and functionality as that of RAID 3, but
stripes data at the block, rather than byte, level
• Employs a dedicated parity drive rather than having parity data
distributed amongst all disks, as in RAID 5
48
LECTURE

(RAID)
RAID 5: Striped Set with Distributed Parity
• One of the most popular RAID configurations
• Striped Set with Distributed Parity
• Leverages a block level striping
• Writes parity information that is used for recovery purposes
• Distributes the parity information across multiple disks
• Disk cost for redundancy is lower than that of a Mirrored set
• Support for both hardware and software based implementations
• Allows for data recovery in the event that any one disk fails
49
LECTURE

(RAID)
RAID 5: Striped Set with Distributed Parity
• One of the most popular RAID configurations
• Striped Set with Distributed Parity
• Leverages a block level striping
• Writes parity information that is used for recovery purposes
• Distributes the parity information across multiple disks
• Disk cost for redundancy is lower than that of a Mirrored set
• Support for both hardware and software based implementations
• Allows for data recovery in the event that any one disk fails
50
LECTURE

(RAID)
RAID 6: Striped Set with Dual Distributed Parity
• Can allow for the failure of two drives and still function
• Redundancy is achieved by writing the same parity information to two
different disks
RAID 1+0 or RAID 10
• Example of what is known as nested RAID or multi-RAID (one standard
RAID level is encapsulated within another)
• Configuration is a striped set of mirrors
NOTE: There are many and varied RAID configurations which are simply combinations
of the standard RAID levels. Nested RAID solutions are becoming increasingly
common with larger arrays of disks that require a high degree of both reliability and
speed. Some common nested RAID levels include RAID 0+1, 1+0, 5+0, 6+0, and
(1+0)+0, which are also commonly written as RAID 01, 10, 50, 60, and 100,
respectively.
51
LECTURE

Fault Tolerance - System Redundancy
Redundant Hardware
• Built-in redundancy (power supplies, disk controllers, and NICs
are most common)
• An inventory of spare modules to service the entire datacenter's
servers would be less expensive than having all servers
configured with an installed redundant power supply
Redundant Systems
• Entire systems available in inventory to serve as a means to
recover
• Have an SLA with hardware manufacturers to be able to quickly
procure replacement equipment in a timely fashion
52
LECTURE

BCP and DRP Overview and Process (used to be
Domain by itself)
Unique terms and definitions
• Business Continuity Plan (BCP)—a long-term plan to ensure
the continuity of business operations
• Continuity of Operations Plan (COOP)—a plan to maintain
operations during a disaster.
• Disaster—any disruptive event that interrupts normal system
operations
• Disaster Recovery Plan (DRP)—a short-term plan to recover
from a disruptive event
• Mean Time Between Failures (MTBF)—quantifies how long a
new or repaired system will run on average before failing
• Mean Time to Repair (MTTR)—describes how long it will take to
recover a failed system.
53
LECTURE

BCP and DRP Overview and Process
Business Continuity Planning and Disaster Recovery Planning are
two very distinct disciplines
Business Continuity Planning (BCP)
• Goal of a BCP is for ensuring that the business will continue to
operate before, throughout, and after a disaster event is
experienced
• Focus of a BCP is on the business as a whole
• Business Continuity Planning provides a long-term strategy
• Takes into account items such as people, vital records, and
processes in addition to critical systems
54
LECTURE

Disaster Recovery Planning (DRP)
• Disaster Recovery Plan is more tactical in its approach
• Short-term plan for dealing with specific IT-oriented disruptions
• Provides a means for immediate response to disasters
• Does not focus on long-term business impact
55
LECTURE

Relationship between BCP and DRP
• Business Continuity Plan is an umbrella plan that includes
multiple specific plans, most importantly the Disaster Recovery
Plan
• Two plans, which have different scopes, are intertwined
• Disaster Recovery Plan serves as a subset of the overall
Business Continuity Plan
• NIST Special Publication 800-34, provides a visual means for
understanding the interrelatedness of a BCP and a DRP, as well
as Continuity of Operations Plan (COOP), Occupant Emergency
Plan (OEP), and others.
56
LECTURE

Relationship between BCP and DRP
• Business Continuity Plan is an umbrella plan that includes
multiple specific plans, most importantly the Disaster Recovery
Plan
• Two plans, which have different scopes, are intertwined
• Disaster Recovery Plan serves as a subset of the overall
Business Continuity Plan
• NIST Special Publication 800-34, provides a visual means for
understanding the interrelatedness of a BCP and a DRP, as well
as Continuity of Operations Plan (COOP), Occupant Emergency
Plan (OEP), and others.
57
LECTURE

Disasters or Disruptive Events
Classifications of disasters
• Three common ways of categorizing the causes for disasters are as to whether
the threat agent is natural, human, or environmental in nature
• Natural—the most obvious type of threat that can result in a disaster are naturally
occurring. This category includes such threats as earthquakes, hurricanes, tornadoes,
floods, and some types of fires (closely related to geographical location)
• Human—the human category of threats represents the most common source of
disasters. Human threats can be further classified as to whether they constitute an
intentional or unintentional threat
• Examples of human-intentional threats include terrorists, malware, rogue insider,
Denial of Service, hacktivism, phishing, social engineering, etc.
• Examples of human-unintentional threats are primarily those that involve
inadvertent errors and omissions, in which the person through lack of knowledge,
laziness, or carelessness served as a source of disruption
• Environmental—focused on environment as it pertains to the information systems or
datacenter. This class of threat includes items such as power issues (blackout,
brownout, surge, spike), system component or other equipment failures, application or
software flaws
• Analysis of threats and associated likelihoods is an important part of the BCP and
DRP process
58
LECTURE

Classifications of disasters
• Three common ways of categorizing the causes for disasters are as to whether
the threat agent is natural, human, or environmental in nature
• Natural—the most obvious type of threat that can result in a disaster are naturally
occurring. This category includes such threats as earthquakes, hurricanes, tornadoes,
floods, and some types of fires (closely related to geographical location)
• Human—the human category of threats represents the most common source of
disasters. Human threats can be further classified as to whether they constitute an
intentional or unintentional threat
• Examples of human-intentional threats include terrorists, malware, rogue insider,
Denial of Service, hacktivism, phishing, social engineering, etc.
• Examples of human-unintentional threats are primarily those that involve
inadvertent errors and omissions, in which the person through lack of knowledge,
laziness, or carelessness served as a source of disruption
• Environmental—focused on environment as it pertains to the information systems or
datacenter. This class of threat includes items such as power issues (blackout,
brownout, surge, spike), system component or other equipment failures, application or
software flaws
• Analysis of threats and associated likelihoods is an important part of the BCP and
DRP process
59
LECTURE

Errors and omissions
• Typically considered the single most common source of disruptive events
• Threat is inadvertently caused by humans, most often in the employ of the
organization, who unintentionally serve as a source of harm
• Data entry mistakes are an example of errors and omissions
Natural Disasters
• Include earthquakes, hurricanes, floods, tsunamis, etc.
• Likelihood of natural threats occurring is largely based upon the geographical
location of the organization's information systems or datacenters
• Generally have a rather low likelihood of occurring
• Impact can be severe
60
LECTURE

Errors and omissions
• Typically considered the single most common source of disruptive events
• Threat is inadvertently caused by humans, most often in the employ of the
organization, who unintentionally serve as a source of harm
• Data entry mistakes are an example of errors and omissions
Natural Disasters
• Include earthquakes, hurricanes, floods, tsunamis, etc.
• Likelihood of natural threats occurring is largely based upon the geographical
location of the organization's information systems or datacenters
• Generally have a rather low likelihood of occurring
• Impact can be severe
61
LECTURE

Electrical or power Problems
• Much more common than natural disasters
• Considered an environmental disaster
• Uninterruptible power supplies (UPS) and/or backup generators
Temperature and Humidity Failures
• Critical controls that must be managed during a disaster
• Increased server density can provide for significant heat issues
• Mean Time Between Failures (MTBF) for electrical equipment will decrease if
temperature and humidity levels are not within an tolerable range.
62
LECTURE

Warfare, terrorism, and sabotage
• Human-intentional threats
• Threat can vary dramatically based on geographic location, industry,
brand value, as well as the interrelatedness with other high-value target
organizations
• Cyber-warfare
• “Aurora” attacks (named after the word “Aurora,” which was found in a
sample of malware used in the attacks). As the New York Times reported
on 2/18/2010: “A series of online attacks on Google and dozens of other
American corporations have been traced to computers at two
educational institutions in China, including one with close ties to the
Chinese military, say people involved in the investigation.”
63
LECTURE

Financially-motivated Attackers
• Exfiltration of cardholder data, identity theft, pump-and-dump stock
schemes, bogus anti-malware tools, or corporate espionage, etc.
• Organized crime syndicates
Personnel Shortages
• Another significant source of disruption can come by means of having
staff unavailable
• Most organizations will have some critical processes that are people-
dependent
64
LECTURE

Financially-motivated Attackers
• Exfiltration of cardholder data, identity theft, pump-and-dump stock
schemes, bogus anti-malware tools, or corporate espionage, etc.
• Organized crime syndicates
Personnel Shortages
• Another significant source of disruption can come by means of having
staff unavailable
• Most organizations will have some critical processes that are people-
dependent
65
LECTURE

Personnel Shortages
• Pandemics and Disease
• Major biological problems such as pandemic flu or highly
communicable infectious disease outbreaks
• A pandemic occurs when an infection spreads through an extremely
large geographical area, while an epidemic is more localized
• Strikes
• Strikes usually are carried out in such a manner that the
organization can plan for the occurrence
• Most strikes are announced and planned in advance, which
provides the organization with some lead time
• Personnel Availability
• Sudden separation from employment of a critical member of the
workforce
66
LECTURE

Communications Failure
• Increasing dependence of organizations on call centers, IP
telephony, general Internet access, and providing services via the
Internet
• One of the most common disaster-causing events is
telecommunications lines being inadvertently cut by someone
digging where they are not supposed to
NOTE: One of the eye-opening impacts of Hurricane Katrina was a rather significant
outage of Internet2, which provides high-speed connectivity for education and research
networks. Qwest, which provides the infrastructure for Internet2, suffered an outage in
one of the major long-haul links that ran from Atlanta to Houston. Reportedly, the
outage was due to lack of availability of fuel in the area. In addition to this outage,
which impacted more than just those areas directly affected by the hurricane, there
were substantial outages throughout Mississippi, which at its peak had more than a
third of its public address space rendered unreachable.
67
LECTURE

The Disaster Recovery Process
The general process of disaster recovery involves responding to the
disruption; activation of the recovery team; ongoing tactical
communication of the status of disaster and its associated recovery;
further assessment of the damage caused by the disruptive event;
and recovery of critical assets and processes in a manner consistent
with the extent of the disaster.
• Different organizations and experts alike might disagree about
the number or names of phases in the process
• Personnel safety remains the top priority
68
LECTURE

Respond
• Initial response begins the process of assessing the damage
• Speed is essential (initial assessment)
• The initial assessment will determine if the event in question
constitutes a disaster
• The initial response team should be mindful of assessing the
facility's safety for continued personnel usage
Activate Team
If during the initial response to a disruptive event a disaster is
declared, then the team that will be responsible for recovery needs to
be activated.
69
LECTURE

Communicate
• Ensure that consistent timely status updates are communicated
back to the central team managing the response and recovery
process
• Communication often must occur out-of-band
• The organization must also be prepared to provide external
communications
Assess
• More detailed and thorough assessment
• Assess the extent of the damage and determine the proper steps
to ensure the organization's ability to meet its mission and
Maximum Tolerable Downtime (MTD)
• Team could recommend that the ultimate restoration or
reconstitution occurs at the alternate site
70
LECTURE

Reconstitution
• Successfully recover critical business operations either at primary
or secondary site
• If an alternate site is leveraged, adequate safety and security
controls must be in place in order to maintain the expected
degree of security the organization typically employs
• A salvage team will be employed to begin the recovery process
at the primary facility that experienced the disaster
71
LECTURE

Developing a BCP/DRP
• High-level steps, according to NIST 800-34:
• Project Initiation
• Scope the Project
• Business Impact Analysis
• Identify Preventive Controls
• Recovery Strategy
• Plan Design and Development
• Implementation, Training, and Testing
• BCP/DRP Maintenance
• NIST 800-34 is the National Institute of Standards and
Technologies Information Technology Contingency Planning
Guide, which can be found at
http://csrc.nist.gov/publications/nistpubs/800-34/sp800-34.pdf.
72
LECTURE

Project Initiation
In order to develop the BCP/DRP, the scope of the project must be
determined and agreed upon. This involves seven distinct milestones:
1. Develop the contingency planning policy statement: A formal
department or agency policy provides the authority and guidance
necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA): The BIA helps to
identify and prioritize critical IT systems and components. A
template for developing the BIA is also provided to assist the user.
3. Identify preventive controls: Measures taken to reduce the
effects of system disruptions can increase system availability and
reduce contingency life cycle costs.
73
LECTURE

Project Initiation
In order to develop the BCP/DRP, the scope of the project must be
determined and agreed upon. This involves seven distinct milestones:
4. Develop recovery strategies: Thorough recovery strategies
ensure that the system may be recovered quickly and effectively
following a disruption.
5. Develop an IT contingency plan: The contingency plan should
contain detailed guidance and procedures for restoring a damaged
system.
6. Plan testing, training, and exercises: Testing the plan identifies
planning gaps, whereas training prepares recovery personnel for
plan activation; both activities improve plan effectiveness and
overall agency preparedness.
7. Plan maintenance: The plan should be a living document that is
updated regularly to remain current with system enhancements.
74
LECTURE

Management Support
“C”-level managers:
• Must agree to any plan set forth
• Must agree to support the action items listed in the plan if an
emergency event occurs
• Refers to people within an organization like the chief executive
officer (CEO), the chief operating officer (COO), the chief
information officer (CIO), and the chief financial officer (CFO)
• Have enough power and authority to speak for the entire
organization when dealing with outside media
• High enough within the organization to commit resources
75
LECTURE

Other Roles
BCP/DRP Project Manager
• Key Point of Contact for ensuring that a BCP/DRP is completed
and routinely tested
• Must be a good manager and leader in case there is an event
that causes the BCP or DRP to be implemented
• Point of Contact (POC) for every person within the organization
during a crisis
• Must be very organized
• Credibility and enough authority within the organization to make
important, critical decisions with regard to implementing the
BCP/DRP
• Does not need to have in-depth technical skills
76
LECTURE

Other Roles
Continuity Planning Project Team (CPPT)
• Comprises those personnel that will have responsibilities if/when
an emergency occurs
• Comprised of stakeholders within an organization
• Focuses on identifying who needs to play a role if a specific
emergency event were to occur
• Includes people from the human resources section, public
relations (PR), IT staff, physical security, line managers, essential
personnel for full business effectiveness, and anyone else
responsible for essential functions
77
LECTURE

Scoping the Project
• Define exactly what assets are protected by the plan,
which emergency events the plan will be able to
address, and determining the resources necessary to
completely create and implement the plan
• “What is in and out of scope for this plan?”
• After receiving C-level approval and input from the
rest of the organization, objectives and deliverables
can be determined
78
LECTURE

Scoping the Project
• Objectives are usually created as “if/then” statements
• For example, “If there is a hurricane, then the organization
will enact plan H—the Physical Relocation and Employee
Safety Plan.” Plan H is unique to the organization but it does
encompass all the BCP/DRP subplans required
• An objective would be to create this plan and have it
reviewed by all members of the organization by a specific
date.
• The objective will have a number of deliverables required to
create and fully vet this plan: for example, draft documents,
exercise planning meetings, table top preliminary exercises,
etc.
79
LECTURE

Scoping the Project
• Executive management must at least ensure that support is given
for three BCP/DRP items:
• 1. Executive management support is needed for initiating the
plan.
• 2. Executive management support is needed for final
approval of the plan.
• 3. Executive management must demonstrate due care and
due diligence and be held liable under applicable
laws/regulations.
80
LECTURE

Assessing the Critical State
• Assessing the critical state can be difficult because
determining which pieces of the IT infrastructure are
critical depends solely on the how it supports the
users within the organization.
• When compiling the critical state and asset list
associated with it, the BCP/DRP project manager
should note how the assets impact the organization in
a section called the “Business Impact” section.
81
LECTURE

Assessing the Critical State
• Assessing the critical state can be difficult because
determining which pieces of the IT infrastructure are
critical depends solely on the how it supports the
users within the organization.
• When compiling the critical state and asset list
associated with it, the BCP/DRP project manager
should note how the assets impact the organization in
a section called the “Business Impact” section.
82
LECTURE

Conduct Business Impact Analysis (BIA)
• Formal method for determining how a disruption to the
IT system(s) of an organization will impact the
organization
• An analysis to identify and prioritize critical IT systems
and components
• Enables the BCP/DRP project manager to fully
characterize the IT contingency requirements and
priorities
83
LECTURE

• Objective is to correlate the IT system components
with the critical service it supports
• Also aims to quantify the consequence of a disruption
to the system component and how that will affect the
organization
• Determine the Maximum Tolerable Downtime (MTD)
for a specific IT asset
• Also provides information to improve business
processes and efficiencies because it details all of the
organization's policies and implementation efforts
84
LECTURE
The BIA is comprised of two processes;
Identification of critical assets and a
comprehensive risk assessment.

Identify Critical Assets
• BIA and Critical State Asset List is conducted for every
IT system within the organization, no matter how trivial
or unimportant, leading to…
• A list of those IT assets that are deemed business-
essential by the organization
Conduct BCP/DRP-focused Risk Assessment
• Determines what risks are inherent to which IT assets
• A vulnerability analysis is also conducted for each IT
system and major application
85
LECTURE

Identify Critical Assets
• BIA and Critical State Asset List is conducted for every
IT system within the organization, no matter how trivial
or unimportant, leading to…
• A list of those IT assets that are deemed business-
essential by the organization
Conduct BCP/DRP-focused Risk Assessment
• Determines what risks are inherent to which IT assets
• A vulnerability analysis is also conducted for each IT
system and major application
86
LECTURE

Determine Maximum Tolerable Downtime
• Describes the total time a system can be inoperable before an
organization is severely impacted
• It is also the maximum time it takes to execute the reconstitution
phase
• Comprised of two metrics; Recovery Time Objective (RTO) and
the Work Recovery Time (WRT)
Alternate terms for MTD
• Depending on the business continuity framework that is used,
other terms may be substituted for Maximum Tolerable
Downtime. These include Maximum Allowable Downtime
(MAD), Maximum Tolerable Outage (MTO), and Maximum
Acceptable Outage (MAO).
87
LECTURE

Failure and Recovery Metrics
• Used to quantify how frequently systems fail, how long a system
may exist in a failed state, and the maximum time to recover from
failure.
• These metrics include the Recovery Point Objective (RPO),
Recovery Time Objective (RTO), Work Recovery Time (WRT),
Mean Time Between Failures (MTBF), Mean Time to Repair
(MTTR), and Minimum Operating Requirements (MOR).
88
LECTURE

Recovery Point Objective
• The amount of data loss or system inaccessibility (measured in
time) that an organization can withstand.
• “If you perform weekly backups, someone made a decision that
your company could tolerate the loss of a week's worth of data. If
backups are performed on Saturday evenings and a system fails
on Saturday afternoon, you have lost the entire week's worth of
data. This is the recovery point objective. In this case, the RPO is
1 week.”
• RPO represents the maximum acceptable amount of
data/work loss for a given process because of a disaster or
disruptive event
89
LECTURE

Recovery Time Objective (RTO) and Work Recovery
Time (WRT)
• Recovery Time Objective (RTO) describes the maximum time
allowed to recover business or IT systems
• RTO is also called the systems recovery time. One part of
Maximum Tolerable Downtime: once the system is physically
running, it must be configured.
• Work Recovery Time (WRT) describes the time required to
configure a recovered system.
• “Downtime consists of two elements, the systems recovery time
and the work recovery time. Therefore, MTD = RTO + WRT.”
90
LECTURE

Mean Time Between Failures
• Quantifies how long a new or repaired system will run before
failing
• Typically generated by a component vendor and is largely
applicable to hardware as opposed to applications and software.
• A vendor selling LCD computer monitors may run 100 monitors
24 hours a day for 2 weeks and observe just one monitor failure.
The vendor then extrapolates the following:
100 LCD Monitors x 14 days x 24 hours/day = 1 failure/33,600 hours
• The BCP/DRP team determines the correct amount of expected
failures within the IT system during a course of time.
• Calculating the MTBF becomes less reliant when an organization
uses fewer and fewer hardware assets.
91
LECTURE

Mean Time to Repair (MTTR)
• Describes how long it will take to recover a specific failed system
• Best estimate for reconstituting the IT system so that business
continuity may occur
Minimum Operating Requirements
• Describes the minimum environmental and connectivity
requirements in order to operate computer equipment
• Important to determine and document for each IT-critical asset
because, in the event of a disruptive event or disaster, proper
analysis can be conducted quickly to determine if the IT assets
will be able to function in the emergency environment
92
LECTURE

Identify Preventive Controls
• Preventive controls prevent disruptive events from having an
impact
• The BIA will identify some risks which may be mitigated
immediately
Recovery Strategy
• Once the BIA is complete, the BCP team knows the Maximum
Tolerable Downtime. This metric, as well as others including the
Recovery Point Objective and Recovery Time Objective, are
used to determine the recovery strategy.
• Always maintain technical, physical, and administrative controls
when using any recovery option
93
LECTURE

Identify Preventive Controls
• Preventive controls prevent disruptive events from having an
impact
• The BIA will identify some risks which may be mitigated
immediately
Recovery Strategy
• Once the BIA is complete, the BCP team knows the Maximum
Tolerable Downtime. This metric, as well as others including the
Recovery Point Objective and Recovery Time Objective, are
used to determine the recovery strategy.
• Always maintain technical, physical, and administrative controls
when using any recovery option
94
LECTURE

Recovery Strategy
Supply Chain Management
• In an age of “just in time” shipment of goods,
organizations may fail to acquire adequate
replacement computers.
• Some computer manufactures offer guaranteed
replacement insurance for a specific range of
disasters. The insurance is priced per server, and
includes a service level agreement that specifies the
replacement time. All forms of relevant insurance
should be analyzed by the BCP team.
95
LECTURE

Recovery Strategy
Telecommunication Management
• Ensures the availability of electronic communications
during a disaster
• Often one of the first processes to fail during a
disaster
• Wired circuits such as T1s, T3s, frame relay, etc.,
need to be specifically addressed
• Power can be provided by generator if necessary.
96
LECTURE

Recovery Strategy
Utility Management
• Utility management addresses the availability of utilities such as
power, water, gas, etc. during a disaster
• The utility management plan should address all utilities required
by business operations, including power, heating, cooling, and
water.
• Specific sections should address the unavailability of any
required utility.
Recovery options
• Once an organization has determined its maximum tolerable
downtime, the choice of recovery options can be determined. For
example, a 10-day MTD indicates that a cold site may be a
reasonable option. An MTD of a few hours indicates that a
redundant site or hot site is a potential option.
97
LECTURE

Recovery Strategy
Redundant Site
• A redundant site is an exact production duplicate of a
system that has the capability to seamlessly operate
all necessary IT operations without loss of services to
the end user of the system.
• A redundant site receives data backups in real time so
that in the event of a disaster, the users of the system
have no loss of data.
• The most expensive recovery option
98
LECTURE

Recovery Strategy
Hot Site
• A hot site is a location that an organization may relocate to
following a major disruption or disaster.
• It is a datacenter with a raised floor, power, utilities, computer
peripherals, and fully configured computers.
• Will have all necessary hardware and critical applications data
mirrored in real time.
• A hot site will have the capability to allow the organization to
resume critical operations within a very short period of time—
sometimes in less than an hour.
• Has all the same physical, technical, and administrative controls
implemented of the production site.
99
LECTURE

Recovery Strategy
Warm Site
• Has some aspects of a hot site, for example, readily-
accessible hardware and connectivity, but it will have
to rely upon backup data in order to reconstitute a
system after a disruption.
• It is a datacenter with a raised floor, power, utilities,
computer peripherals, and fully configured computers.
• MTD of at least 1-3 days
• The longer the MTD is, the less expensive the
recovery solution will be.
100
LECTURE

Recovery Strategy
Cold Site
• The least expensive recovery solution to implement.
• Does not include backup copies of data, nor does it contain any
immediately available hardware.
• Longest amount of time of all recovery solutions to implement
and restore critical IT services for the organization
• MTD—usually measured in weeks, not days.
• Typically a datacenter with a raised floor, power, utilities, and
physical security, but not much beyond that.
101
LECTURE

Recovery Strategy
Reciprocal Agreement
• A bi-directional agreement between two organizations in which
one organization promises another organization that it can move
in and share space if it experiences a disaster.
• Documented in the form of a contract
• Also referred to as Mutual Aid Agreements (MAAs)
102
LECTURE

Recovery Strategy
Mobile Site
• “datacenters on wheels”: towable trailers that contain racks of
computer equipment, as well as HVAC, fire suppression and
physical security.
• A good fit for disasters such as a datacenter flood
• Typically placed within the physical property lines, and are
protected by defenses such as fences, gates, and security
cameras
103
LECTURE

Recovery Strategy
Subscription Services
• Some organizations outsource their BCP/DRP planning and/or
implementation by paying another company to perform those
services.
• Effectively transfers the risk to the insurer company.
• Based upon a simple insurance model, and companies such as
IBM have built profit models and offer services for customers
offering BCP/DRP insurance.
104
LECTURE

Related Plans
The Business Continuity Plan is an umbrella plan that contains others
plans:
• Disaster recovery plan
• Continuity of Operations Plan (COOP)
• Business Resumption/Recovery Plan (BRP)
• Continuity of Support Plan
• Cyber Incident Response Plan
• Occupant Emergency Plan (OEP)
• Crisis Management Plan (CMP)
105
LECTURE

Related Plans
The Business Continuity Plan is an umbrella plan that contains others
plans:
• Disaster recovery plan
• Continuity of Operations Plan (COOP)
• Business Resumption/Recovery Plan (BRP)
• Continuity of Support Plan
• Cyber Incident Response Plan
• Occupant Emergency Plan (OEP)
• Crisis Management Plan (CMP)
106
LECTURE

Related Plans
Continuity of Operations Plan (COOP)
• Describes the procedures required to maintain operations during
a disaster
• Includes transfer of personnel to an alternate disaster recovery
site, and operations of that site.
107
LECTURE

Related Plans
Business Recovery Plan (BRP)
• Also known as the Business Resumption Plan
• Details the steps required to restore normal business operations
after recovering from a disruptive event
• May include switching operations from an alternate site back to a
(repaired) primary site.
• Picks up when the COOP is complete
• Narrow and focused: the BRP is sometimes included as an
appendix to the Business Continuity Plan
108
LECTURE

Related Plans
Continuity of Support Plan
• Focuses narrowly on support of specific IT systems and
applications
• Also called the IT Contingency Plan, emphasizing IT over general
business support
Cyber Incident Response Plan
• Designed to respond to disruptive cyber events, including
network-based attacks, worms, computer viruses, Trojan horses,
etc.
109
LECTURE

Related Plans
Occupant Emergency Plan (OEP)
• Provides the “response procedures for occupants of a facility in
the event of a situation posing a potential threat to the health and
safety of personnel, the environment, or property. Such events
would include a fire, hurricane, criminal attack, or a medical
emergency.”
• Facilities-focused, as opposed to business or IT-focused.
• Focused on safety and evacuation, and should describe specific
safety drills, including evacuation drills (also known as fire drills)
• Specific safety roles should be described, including safety
warden and meeting point leader
110
LECTURE

Related Plans
Crisis Management Plan (CMP)
• Designed to provide coordination among the managers of the
organization in the event of an emergency or disruptive event
• Details the actions management must take to ensure that life and
safety of personnel and property are immediately protected in
case of a disaster
• Crisis Communications Plan
• Component of the Crisis Management Plan
• Sometimes called the communications plan
• A plan for communicating to staff and the public in the event of a
disruptive event
111
LECTURE

Related Plans
Call Trees
• Used to quickly communicate news throughout an
organization without overburdening any specific person
• Works by assigning each employee a small number of
other employees they are responsible for calling in an
emergency event
• Most effective when there is two-way reporting of
successful communication
• Should contain alternate contact methods, in case the
primary methods are unavailable
112
LECTURE

Related Plans
Call Trees
• Used to quickly communicate news throughout an
organization without overburdening any specific person
• Works by assigning each employee a small number of
other employees they are responsible for calling in an
emergency event
• Most effective when there is two-way reporting of
successful communication
• Should contain alternate contact methods, in case the
primary methods are unavailable
113
LECTURE

Related Plans
Automated Call Trees
• Automatically contact all BCP/DRP team members after a
disruptive event
• Tree can be activated by an authorized member, triggered by a
phone call, email, or Web transaction
• Once triggered, all BCP/DRP members are automatically
contacted
• Can require positive verification of receipt of a message, such as
“press 1 to acknowledge receipt.”
• Automated call trees are hosted offsite, and typically supported by
a third-party BCP/DRP provider
114
LECTURE

Related Plans
Emergency Operations Center (EOC)
• The command post established during or just after an emergency
event
• Placement of the EOC will depend on resources that are available
115
LECTURE

Related Plans
Vital Records
• Should be stored offsite, at a location and in a format that will
allow access during a disaster
• Have both electronic and hardcopy versions of all vital records
• Include contact information for all critical staff. Additional vital
records include licensing information, support contracts, service
level agreements, reciprocal agreements, telecom circuit IDs, etc.
116
LECTURE

Please try to catch up in your reading.
• We left off on page 411 in the book.
• Monday (5/20) we’ll start again with “Executive Succession
Planning”
• Come with questions!
• CATCH UP ON READING!
Have a great evening, talk to you Monday!
117
WE MADE IT THROUGH CLASS 10!
Not the most exciting, but important nonetheless.

2019 FRSecure CISSP Mentor Program: Class Ten

More Related Content

What's hot (20)

Similar to 2019 FRSecure CISSP Mentor Program: Class Ten (19)

Recently uploaded (20)

2019 FRSecure CISSP Mentor Program: Class Ten