Credit: Post based on CISSP course presented by Dennis Lee, November 2018
In this post we will look at three approaches to Disaster Recovery and Business Continuity Planning.
The Umbrella Approach puts Business Continuity Management over all other types of continuity/recovery planning.
The Escalation Approach assumes that as the issue gets worse, you move from one type of plans to the next.
The Compartmental Approach is where both BCP and DR plans work in partnership:
Business Continuity Plans – run by Business Units
Disaster Recovery Plans – run by Infrastructure (e.g. IT, Facilities, etc.)
Planning steps include:
Analyze Business
Assess risks to business
Develop recovery strategy
Develop & document the plan
Implement the plan
Test & rehearse the plan
Maintain & update the plan
Note that you should implement the plan before you test it, so that people have a script to test against.
To summarize, Risk Management and Business Continuity Management compare as follows:
Key Starting Method – Risk Management: Risk Analysis; Business Continuity Management: Business Impact Analysis
Key Elements – Risk Management: Assets, Threats (Impacts & Likelihood); Business Continuity Management: Assets, Threats (Impacts & Likelihood), Time
Types of Incidents – Risk Management: All relevant types; Business Continuity Management: Incidents causing Significant Business Disruption
Common Terminology
Maximum Tolerable/Allowable Downtime – Max amount of time a business can tolerate an outage before it cripples the business.
Recovery Point Objective – minimum staffing, assets, & infrastructure needed to get the critical business running, starting from a certain rollback point.
Recovery Time Objective – time needed to get the critical business running before the maximum tolerable down time is exceeded. For example:
Credit: Post based on CISSP course presented by Dennis Lee, November 2018
After last week’s blog on Risk Analysis, let’s consider some criteria on selecting countermeasures to mitigate risks.
Perform a cost/benefit analysis
Determine accountability of the countermeasure – who’s in charge of the safeguard?
Don’t rely on design secrecy as the only form of protection. Security through obscurity alone is not enough.
Ensure countermeasures are universally applied – especially for tools used in monitoring. You must apply them fairly & consistently to all employees and/or customers.
Provide a defense in depth – multiple layers of protection – don’t rely on just one countermeasure!
Apply the least common mechanism – don’t always place all solutions in one location, i.e. try to eliminate single points of failure & recognize that you don’t always get the best of breed from all solutions.
Get acceptance from your employees and/or customers – users always struggle between security vs. convenience.
Minimize human intervention – for things that can be automated (e.g. anti-virus updates)
So what types of controls are available? Control types include:
Technical / Logical (e.g. a network firewall or a captcha puzzle)
Physical (e.g. a security fence or camera)
Administrative (e.g. Reviewing logs)
Preventative – goal is to stop unwanted activity or behavior (e.g. Intrusion Prevention System (IPS))
Corrective – goal is to mitigate an incident & reduce damage (e.g. a fire extinguisher)
Directive – administrative control focused on management aspects (e.g. requiring managerial approval)
Deterrent – controls focused on consequences
Recovery – controls focused on restoration
Compensating – an alternative when the best controls are not available or feasible (e.g. using an Endpoint Detection & Response (EDR) solution to monitor OS files vs. using a traditional File Integrity Monitoring (FIM) solution)
You can also combine controls, for example:
Preventative + Technical = IDS or Firewall
Detective + Administrative = Reviewing logs, reporting on penetration tests
Credit: Post based on CISSP course presented by Dennis Lee, November 2018
This is the first in a series of blog posts on studying for the Certified Information Systems Security Professional (CISSP) exam. In this post we cover Qualitative vs. Quantitative Risk Analysis vocabulary, calculations, and then application to a real-world example.
First, we need some basic vocabulary definitions so we’re working off the same understanding:
Threat – something that could harm an asset
Asset – something of value to the organization
Exposure – actual or anticipated damage from a threat (this is measurable)
Vulnerability – a weakness or a lack of a countermeasure that could be exploited
Countermeasures / Safeguards – defenses against threats
Risk – Impact and likelihood of a threat
Risk Management – Goal is to reduce or mitigate potential threats. Activities include: Risk Analysis, Cost/Benefit Analysis, Deployment of countermeasures / safeguards, audit of safeguards, insurance, business continuity, training, etc.
Risk Analysis / Assessment – goal is to ID assets and their potential threats
Qualitative Risk
There are three cyclical phases of Risk Management:
Risk Analysis – Identification of assets and their threats
Risk Response – Solving some of the threats
Evaluation and Assurance – Verifying solutions are working / effective
Qualitative Risk Analysis is subjective and requires no numbers; it is quick to do, but takes thought to make meaningful and accurate.
Quantitative Risk Analysis is objective and number-based; it takes time & research, and you may not have the requisite numbers to be able to calculate. The standard formulae for Quantitative Risk Analysis include:
Asset Value x Exposure Factor = Single Loss Expectancy (impact)
E.g. a $10M asset x 60% of it destroyed = $6M in losses (SLE)
Num. of Incidents / # of Years = Annual Rate of Occurrence (likelihood)
E.g. 1 incident every 2 years = 50% ARO
Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
E.g. $6M x 50% = $3M
From a budgeting perspective, you can use ALE to set your spending caps. When working with these calculations, always start by figuring out the asset value and as always – watch your units!
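The three formulae above, carried through in code as an added example (not from the original post or the course), with the cost/benefit step from the countermeasure-selection post bolted on: the annual value of a safeguard is taken as (ALE before) minus (ALE after) minus its annual cost, and a safeguard whose annual cost exceeds the ALE it addresses fails the spending-cap check. Function names, the Safeguard type and its fields are my own; the numbers in the tests are the post's ($10M asset, 60% exposure factor, 1 incident every 2 years) plus a constructed safeguard cost.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (impact of a single incident).

    Exposure factor is a fraction (0.60), not a percentage (60): watch your units.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_rate_of_occurrence(incidents: float, years: float) -> float:
    """ARO = number of incidents / number of years (likelihood per year)."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (expected loss per year; the post's spending cap)."""
    return sle * aro


@dataclass
class Safeguard:
    """A candidate countermeasure (constructed type, not from the post)."""
    name: str
    annual_cost: float          # yearly cost to buy and run the safeguard
    new_exposure_factor: float  # exposure factor once the safeguard is in place
    new_aro: float              # ARO once the safeguard is in place


def within_spending_cap(asset_value: float, exposure_factor: float,
                        aro: float, sg: Safeguard) -> bool:
    """Per the post, ALE caps what you should spend per year on a risk."""
    ale = annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    return sg.annual_cost <= ale


def safeguard_value(asset_value: float, exposure_factor: float,
                    aro: float, sg: Safeguard) -> float:
    """Cost/benefit: (ALE before - ALE after) - annual cost of the safeguard.

    Positive means the safeguard is expected to save more than it costs.
    """
    before = annualized_loss_expectancy(single_loss_expectancy(asset_value, exposure_factor), aro)
    after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, sg.new_exposure_factor), sg.new_aro)
    return (before - after) - sg.annual_cost
```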
Once you’ve identified your risks, you have a couple of possibilities on how to handle them, including:
Risk Transference or Sharing – Sharing your risk with another entity (e.g. insurance or outsourcing)
Risk Avoidance – Removing technology or activity to remove risk
Risk Acceptance – Taking the loss using no countermeasures
So let’s walk through an example!
Suppose you’re the IT Manager at a hotel and the hotel owner comes to you and says they think it would be a great marketing idea to install an Amazon Alexa device in every guest room.
First, let’s consider some risks:
If the hotel logs into the Alexa device with their own credentials, how will you keep the guests from stealing the hotel credentials?
If a guest logs in with their own Amazon credentials, how are you going to ensure that the device wipes them before the next guest arrives?
Someone could hack the device and eavesdrop on a guest, causing a security incident.
Someone could use the Alexa device to harass someone else, potentially traceable back to your hotel.
So how would you handle these risks using the possibilities listed above?
You could attempt to deploy management software that would allow you to centrally manage all of the Alexa devices, segment them from talking to anything except Amazon directly, remotely reset them between each guest, etc.
You could see if anyone offers cyber insurance to cover IoT device breaches where the devices are publicly (hotel guest) facing (good luck!)
You could find an IT company with a pre-built solution and have them manage the devices for you.
You could convince the owner it will be a nightmare for you to try and manage this risk.
You could say nothing and hope that no one misuses the devices.