ISACA CISM – Domain 04 – Information Security Incident Management Part 2

7. Goals of Incident Management Part2

I hope in many ways. I’ve already talked about the goals then of incident management. And a part of the goal. And this is, by the way, going to be coming from your business impact assessment or analysis, from your risk assessment or analysis studies that you do, is that you’re going to come up with what’s important, right, that’s you have to figure out what is the crucial bit of your network, of your company, of your, whatever it is, physical location, whatever the case may be. What’s the most crucial thing that keeps this company running? And so what we’re going to do is using that information, come up with plans, come up with ideas, as I said, either lower the loss or restore as quick as we can to try to keep from hitting that magical figure we came up with that we haven’t talked about, which is maximum tolerable downtime.

And so what we see is we have a couple of studies that we might do, one’s a business continuity, one’s a disaster recovery plan. In any event, the first thing that we’re going to take a look at as far as how do we respond to this is we have to have first responders responders. That’s going to be the incident response team that we’ll talk about. The incident response team is that group of people, person, whatever it is that we determines a part of our team that was designed to come into play. It’s kind of like saying that this is the ambulance or the fire truck that’s going to respond to our emergency. Now we would hope that they have a planned response. By planned response. All that simply means is that great, all right? If an ambulance shows up to help you out because you had some medical emergency and let’s say it’s me, you’re in trouble.

Because outside of a Band Aid, maybe some antibiotic ointment, I’m not going to do much for you because I haven’t been trained in medical care and I probably don’t even have a planned response. I would know, do I check for vitals? I would just start asking questions while you’re sitting there suffering saying hey, please reduce the loss for me. So we want to also know that part of our goals is that there is a planned response. So as an example, if a server goes down, let’s say you have a server crash of some kind. I’m sure that most of you who are listening to me probably have some sort of planned response. Number one, you probably have who you’re going to notify and they’re going to say, okay, well hey, we’ve got a backup server. Maybe it’s a virtual machine, move it to a new host.

Maybe they have backups that they can restore. So again, they have a plan of how they’re going to take care of those problems. We need to see that as well as part of our goals. A big, big part of this is that we need to be able to find a way to detect these incidences quickly. And I’ve already talked about that. I use the example of the help desk. If the help desk is listening to somebody’s problem saying, hey, I can’t update a customer account and they start asking some questions, they might suddenly make the realization that, hey, sounds like there’s a network problem. All right, network connectivity problem could be an incident that we want to respond to quickly rather than helped us saying, okay, well, did you reboot your computer? Did you log in? Okay.

All of these types of quick template responses that we see, we need to make sure that we can respond quickly because obviously the quicker we respond, the less loss that we have. But at the same time, we also have to be able to know how to diagnose these issues as accurately as possible. We’ll talk a little bit more about it, but basically you want to get to the root of the problem. There should be methods of management. Management could also come into ways of talking about escalation, right. As far as knowing when we need to escalate a situation from maybe being an incident to an alert or maybe to a full fledged disaster, we’re going to talk more about having, as a part of our plan a way to contain and again minimize.

We could ask the question about, let’s say we have a hacker that we’ve discovered that’s inside of our network. And the question is, do I want to allow the hacker to continue and try to catch them? Do I want to stop and block their access? What does it take for the idea of containing and minimizing as well as whether or not, again to do an escalation? I guess I kind of already gave away the root causes that were coming up to it here. But we also have to have an implant how to restore services. Obviously, that could be if it was data through a backup that you could restore. Let’s say you lost an entire facility. That means you might have a hot site, another building that is equipped with what you need to be able to move into and to start doing the work.

If you’re making Widgets, that hot site could be a backup fabrication unit that you want to use. Notice again, as I talk about this, I’m trying to make sure I talk about technology, talk about physical aspects, about all of the different things that make up an event. I don’t want anybody here listening to me to think that I’m only worried about hackers. I mean, that’s what makes the big news, I realize, but that’s not what we’re doing, remember? I’m just going to write it down here again. Business needs right prioritization what it is that we are most worried about to keep this company running. All right, so I already kind of hit the determined root causes as I put that as kind of a part of the diagnostics.

All right, so then did we learn anything from this incident? Meaning if we learn something from it, can we prevent it from happening again? That’s a big issue as well, because we want to learn from the mistakes. We don’t want to do what some people say is repeat history, and that’s a big aspect as well. And finally, how do we learn for people that follow in the future through documentations and reports, being able to present the information and that presentation might be something that we use as data to come back up here to our goals of creating the business continuity plan or the disaster recovery plan.

8. Goals of Incident Management Part3

So the ultimate goal then of incident Management. And let me remind you, we are talking about this as an overview. I’ve been giving you a big 30,000 foot view of all of these different parts of the Incident Management plan. And we’re going to get into more details as we’re going through there. But the goal should be thought of as I, as it says here, trying to make the difference between something that’s inconvenient or a disaster. All right? I don’t want a disaster. I would rather it be an inconvenience. It could be a disaster if we had no plans. I think of as an example of a company I worked with many, many years ago, in fact, in the very late 90s, maybe very close to the year 2000.

And I know some of you are thinking, that doesn’t sound so long ago in the world of technology, that is. And they were using an old sequel, Six Five Server, and the hard drive crashed. So they lost the server. And I tell this story because they had never tested and that’s a big thing here. That’s another part of what we’re going to talk about. At some point in these plans, they had never tested their backups. They lost one year’s worth of data because they had nothing to use other than their paper records and having to recreate all of those entries manually into the repaired SQL Server. All right? So that to me went from what should have been an inconvenience, oh, got to get a new server and restore it to a complete disaster. And so that’s what our goal is, is that we’re trying to make that difference between the two.

Now, if you think about it, if we plan correctly, we could see a gain by lowering our overall security costs. Now, I know that sounds kind of an interesting way of saying it because you might be thinking to yourself, well, you know, if I need to have a Ups or a generator, that sounds like it’s going to be pretty expensive. Okay, but if you think about security costs in the overall function of what would happen if you were down, maybe that’s, I guess some of you might call it that return on investment of what we’ve done. The other goal is to create baselines, right? What do we think is at least best practiced for security? Again, remember, security is not just technical, it’s physical and everything else. And by creating a baseline, we have something we can test against.

And I like that idea that we can come back six months later and start maybe doing a review, maybe doing a test, maybe whatever the case may be. An audit, I guess we would say. And we can take that current audit and compare it against our baselines, and we can determine if we have at least met that minimum level. That’s what I look at as a baseline, a minimum level. And if we are better than the minimum level, maybe that becomes a new baseline. But again, that’s part of our incident management. All right? So in order for this to work, it does take planning. And it’s not just one person. It’s got to be a team of people. It’s got to be, as we’ll talk about later, the whole organization. And by saying the whole organization, that means we also need management support. Because if we don’t have management support, then we’re going to have a tough time being able to implement any of these plans.

9. Lesson 2: Incident Response Procedures Part1

Now, in this lesson, we’re going to start looking at incident response procedures. So we’re going to describe the importance of incidents management, if I haven’t already done that for you. What we are looking for, for some of the outcomes of incident management. And then we’ll talk about the whole concept of incident management as it is. And we’ll also talk about some of the incident management systems that you want to look at.

10. Incident Response Procedures Part2

When we take a look at incident response procedures, one of the things I want you to remember is that even with the best planning, there’s no guarantee that you’re going to survive this incident, depending on what it is. I mean, I shouldn’t say it that way. It sounds like, why even bother? For a high number of the different types of events that occur by having an incident response procedure in place, then we can begin to immediately react, as we’ve said before, to lessen the impact of what’s going to happen. Now, like I said, we might talk about security breaches, but there’s all numbers of different types of security breaches, whether technical or physical, that we have to account for.

You know, on the technical side, we always talk about, you know, and when we talk about hacking specific, we talk about this concept of zero day attacks. Those are types of attacks, usually malware or vulnerabilities, that nobody in the industry knows exist except for the hackers who’ve discovered them, or if they are known to exist. There’s no current patch or fix to be able to get this type of vulnerability taken care of. So often we have to come up with things like workarounds to try to be able to lower the chances of these attacks occurring to us. And that’s where, again, we can’t plan for those things we don’t know exist. Power outages again. Now we can do some things to plan as far as an instant response procedure. Part of that would probably be in your business continuity.

As an example, I’ve worked with some large banking organizations that are around the different states in the United States, and they have three data centers. This one particular one that I’m thinking of, one on the West Coast, one in the middle of the country, and then another one down towards the southeast part of the country. Why? Well, the goal is that they want to be able to survive any type of an incident by being able to continue having business run. If they were to use the one in the southeast and they experience a hurricane, they can shut that down and have their mirrored site. By the way, when I say data centers, they’re all mirrored sites. The mirrored site in the Mid East or in the Midwest can take over, and they can reroute all of the traffic from all of the different branches and customers easily over to that new location, or if there’s an earthquake, or if there’s a power grid.

I remember many years ago, one little power grid incident in Toronto took out not only most of Ontario, Canada’s power, but most of the northeastern US. Almost eight or nine states. Can you survive that? Do you have a plan? And you might say, well, yeah, I’ve got generators. Okay, great. But if your service provider is also down because they don’t have any power, then you’re still not really surviving that type of an incident. So now that’s an extreme, I realize, to have the kind of finances and money to be able to have multiple mirrored data sites. But that’s what I’m trying to say is that there’s no guarantee. And again, natural disaster, same thing.

The other issue on a natural disaster might be you can say to yourself, well, hey, I’ve got some backup facilities. Whether the disaster with an earthquake or a flood or whatever the case may be, you might say, well, we have this. But you got to ask the other question. What about the infrastructure? Can those employees get to the other location? I mean, all of these are little contingencies that are tough to be able to plan for. So again, there’s no guarantee that you’re going to get it all. But if you have a plan in place and you have a team and you know what those teams responsibilities are, we can at least begin to react quicker and maybe have a better chance at surviving.

11. Importance of Incident Management

So let’s take a look at the importance of incident management. And I sometimes feel like I’m repeating myself as we go through here and we talk about this because I think I’ve already relayed that it is important. But if you think about it, more and more organizations are really reliant on information services. I mean, everything that we see going on today is being used on what I guess we sometimes call bring your own device, you know, the smartphones, the tablets, ways of communicating, social media, marketing, advertisement being done through social media, everything being internet based. And that’s not only for just advertisement, but also for users, customers for orders. I mean, how many people have you seen get on their tablet here, get on the Internet and order pizza? I mean, for just a small company like that, that can be a tremendous amount of sales and then you could take it onto the big scale again to the banks and the department stores.

Now here’s the thing. When we think about what is important or the importance of incident management is that if something goes down, if there’s some connection that fails, whether it’s small or large or whatever the case, any impact could be of significance to you. And that is a big deal to us because again, for most of us, except for government agencies, and I’m not saying bad about government agencies, but most of us are in a for profit type of a business and if we start losing sales, it could be significant to us. And there’s all these other intangibles that we have to consider about why we want to have incident management. The intangible, let’s say if you did lose internet connectivity and your customer couldn’t place an order, what’s to keep? That customer who is trying to get to your company but can’t get there might say, well, you have a competitor, let’s go over to that competitor and order whatever it is that we want.

And then suddenly that employee says, hey, I kind of like that. And so they just continue to order and you’ve just lost a customer or if it’s a breach of your information and this user’s credit card has been compromised and they say to themselves, well, I’m certainly not going to use that store anymore. So again, there’s all of these types of intangibles that can make anything that might seem small be really of significance to you. Okay, so in our trends right now, we’re seeing a trend anyway of seeing an increased occurrence or a number of occurrences as well as escalating losses that deal with information security. So I am now talking mostly about hackers. I guess recently a large department store through the holiday season had some, I can’t even remember what the total millions of customer credit cards that were stolen and lost and that really affected their sales, probably going to affect their future sales.

So they had certainly a significant loss. But then the next week we heard another department store getting hit by loss of customers credit cards. So what’s the other issue? The other issue is what I just brought up about the reliance on information systems and that is the increase in attack vectors. Because now we do have people on their tablets and smartphones that are capable of launching attacks. We’re offering more services. More of you are now web oriented in many ways. That’s just another place for you to be attacked. I mean, if you were in a traditional brick and mortar type of a store, bad trying to make a flat roof there, let me try to do that again for all of you watching. All right, so here’s our store. And traditionally we had the front door and whatever display windows that we had for our business.

And our concerns were that you would come to our store. So maybe we were worried about the culprit who was going to throw a brick through the window and start stealing our products. That was a physical type of an attack. But now we have this business wired to the World Wide Web. Again, because not everybody wants to drive up. Maybe it’s bad driving conditions, but that user can say, oh, I can go here now from the comfort of my home. Well, unfortunately, so can the attacker. So that’s why I was saying we’re seeing this increase in the attack vectors, failure of security controls, which we get the security controls to prevent the different types of attacks that come in. And security controls could be something like a firewall. We all talk about firewalls. It could be intrusion prevention systems. It could just be the way in which you manage permissions.

Again, I’ll call them perms. Here the permissions. Because if you think about the permissions and you have that disgruntled employee that’s inside, that employee may have permissions to get into different files, different records, and start altering them, changing them, maybe doing embezzlement and they’re doing it maybe from the inside. But is that a failure of a security control? Well, not necessarily. In that last little example, security control was doing just fine. It was a failure in our trust of internal employees. But at the same time, we know that none of these other hardware software types of security controls are going to be perfect, especially because of the sophistication and capabilities of tools. Just as an example. And we’re going to go down to what’s the weakest link? But you can download a tool. One of them I think was called Phoenix.

And this tool, even if you were what we call a script kiddie, would create a web server for you, right on your own computer. And then it would send out emails to potential suspects and the email would ask that person who received it to go visit your web server with a link, right? So there’d be a little hyperlink in there. And that web server would then automatically try to download malicious software onto your systems. When I last looked at this tool, Phoenix, they were boasting a 15% success rate against Windows Seven users. Now, why was it the 15%? You might say, well, that doesn’t sound so bad, but if I send out 10,000 emails to all of the 10,000 employees in your company, and I got 15% of them that I have now owned their machine, that sounds like a big problem.

And the sad thing is that tool, it was free and anybody could download it. They could do a Google or a Bing search or Yahoo search or search engine of your choice and set this type of attack up. It was very easy, very sophisticated type of a tool, and the capabilities of it were very strong. So that’s another issue that we have to deal with when we think about how we want to manage those incidences when we see them and why it’s important. Because, let’s say I just got through talking about the fact that nothing’s perfect, but if any one of these things were to happen to you, how quickly can you respond? How quickly can you contain it? If you don’t have a plan, then you’re going to start doing a lot of guesswork and you’re nobody’s going to really get to the root cause and help really lessen the impact.

• Category: Uncategorized