
Continuity Planning

Continuity planning is essential for managers to ensure the availability of information systems amidst potential attacks. It includes various contingency plans such as incident response, disaster recovery, and business continuity plans, each with specific focuses and processes. Key components involve business impact analysis, incident detection and response, and recovery strategies to restore normal operations after an incident or disaster.

Uploaded by

Trisha Shahi

Continuity Planning

Bal Ram Khadka


Continuity planning
• A key role for all managers is contingency planning. Managers are usually called on to provide strategic planning to assure the continuous availability of information systems.
• Unfortunately for managers, there is a probability that some form of attack will occur: from inside or outside, intentional or accidental, human or nonhuman, annoying or catastrophic.
• Thus, managers must be ready to act when a successful attack occurs.
• There are various types of contingency plans for events of this type: incident response plans, disaster recovery plans, and business continuity plans. These are planning functions that differ in scope, applicability, and design.
• A contingency plan is prepared by the organization to anticipate, react to, and recover from events, and to restore the organization to normal modes of business operations.
Figure: components of contingency planning
• An incident is any clearly identified attack on the
organization’s information assets that would threaten the
assets’ confidentiality, integrity, or availability.
• A business impact analysis (BIA) is an investigation and assessment of the impact that various attacks can have on the organization.
• An incident response (IR) plan focuses on immediate response and addresses the identification, classification, response, and recovery from an incident.
• A disaster recovery (DR) plan focuses on restoring systems,
addresses the preparation for and recovery from a disaster,
whether natural or man-made.
• A business continuity (BC) plan ensures that critical business
functions continue if a catastrophic incident or disaster occurs.
Business Impact Analysis
• The BIA is the first phase of the contingency planning process: an investigation and assessment of the impact that various attacks can have on the organization. Stages of the BIA:
– Threat attack identification and prioritization: Create attack profiles to know what kind of data and conditions are involved.
– Business unit analysis: Determine which functions are most important to the organization.
– Attack success scenario development: Develop scenarios depicting each attack, with details on the method, the indicators, and the broad consequences of the attack.
– Potential damage assessment: Estimate the cost of the best, worst, and most likely cases.
– Subordinate plan classification: Subordinate plans are categorized as disastrous or non-disastrous (some attacks are incidents that call for effective action, and some are disastrous and require a disaster recovery plan).
Incident response planning
• Incident response planning includes the identification, classification, and response to an incident. The IR plan is made up of activities that are to be performed when an incident has been identified.
• An incident is an attack against an information asset. Attacks are classified as incidents if they have the following characteristics:
– They are directed against information assets.
– They have a realistic chance of success.
– They could threaten the confidentiality, integrity, or availability of
information resources.
• Incident response (IR) is a set of activities taken to plan for, detect, and correct
the impact of an incident on information assets.
• IR is more reactive than proactive, with the exception of the planning that must
occur to prepare the IR teams to be ready to react to an incident.
• IR consists of the following four phases: 1. Planning 2. Detection 3. Reaction 4.
Recovery
Incident Planning
• Planning for an incident requires a detailed understanding of the
scenarios developed for the BIA.
• With this information in hand, the planning team can develop a series
of predefined responses that guide the organization’s incident
response (IR) team and information security staff.
• The predefined responses enable the organization to react quickly
and effectively to the detected incident.
• Incident response plan: the planners should develop a set of documents that direct the actions of each involved individual who reacts to and recovers from the incident.
Incident Detection
• Members of an organization sometimes notify systems
administrators, security administrators, or their managers of an
unusual occurrence.
• Incident indicators: a number of occurrences can signal an incident.
• Complaints are often collected by the help desk and can include reports such as “the system is acting unusual,” “programs are slow,” “my computer is acting weird,” or “data is not available.”
• Incident detection relies on either a human or an automated system to identify an unusual occurrence and to classify it properly.
• Only by carefully training users, the help desk, and all security personnel in analysis can the organization identify and classify an incident.
• Once an attack is properly identified, the organization can effectively
execute the corresponding procedures from the IR plan.
Incident Reaction
• Incident reaction consists of actions outlined in the IR plan that guide the organization in attempting to stop the incident, mitigate its impact, and provide information for recovery.
• These actions take place as soon as the incident is over. Several actions are performed in reaction, such as notification of key personnel, documentation of the incident, alert messages, alert rosters, etc.
• The incident containment strategy is what defines the incident reaction. The most direct means of containment is cutting the wire.
• Incident containment strategies focus on two tasks: stopping the incident and recovering control of the system.
Incident Recovery
• Once the incident has been contained and controlled, the next stage of the IR plan, which must be immediately executed, is incident recovery.
• Prioritization of efforts: the first task is to identify the needed human resources and launch them into action.
• Almost simultaneously, the organization must assess the damage in order to determine what must be done to restore the system to a fully functional state.
• Damage assessment: Next, the process of computer forensics determines how the incident occurred and what happened. These facts come from data recorded before and during the incident.
• Recovery: Next, the organization repairs vulnerabilities, addresses any shortcomings in safeguards, and restores the data and services.
Automated Response
• New technologies are emerging in the field of incident response, and some existing technologies are extending their capabilities and functions.
• Although traditional systems were configured to detect incidents and then notify a human administrator, new systems can respond to the incident threat autonomously, based on preconfigured options.
• The downsides of current automated response systems may offset their benefits. Legal issues with tracking individuals via the systems of others have yet to be resolved.
• What if the hacker that is backtracked is actually a compromised system
running an automated attack?
• What are the legal liabilities of a counterattack?
• How can security administrators condemn a hacker when they themselves
may have illegally hacked systems to track the hacker?
• These issues are complex but must be resolved to give the security
professionals better tools to combat incidents.
Disaster Recovery Planning
• An event can be categorized as a disaster when:
  1. the organization is unable to mitigate the impact of an incident, or
  2. the level of destruction is so severe that the organization is unable to recover quickly.
• An event that is initially classified as an incident can later be determined to be a disaster. When this happens, the organization responds and takes action to secure its most valuable assets, to preserve value for the longer term even at the risk of more disruption in the short term.
• DR planning is the process of preparing an organization to handle and recover from a disaster, whether natural or man-made.
• It also provides details on roles and responsibilities in the disaster recovery effort. The DR plan must be reviewed during a walk-through or talk-through for testing.
• Recovery Operation: The key emphasis of a
DR plan is to reestablish operations at the
primary site, the location at which the
organization performs its business. The goal is
to make things whole, or as they were before
the disaster
Business Continuity Planning
• Business continuity planning prepares an organization to reestablish or relocate critical business operations during a disaster that affects operations at the primary site.
– Developing a continuity program: The foundation of business continuity planning is the identification of critical business functions and the resources needed to support them; the selection should be reviewed periodically.
• Not every business needs such a plan or facilities; organizations such as manufacturing or retail may not have this option.
– Continuity strategies: Selecting a strategy usually comes down to cost. In general, organizations have three exclusive options: hot sites, warm sites, and cold sites.
• Options are also available for three functions: time-shares, service bureaus, and mutual agreements.
• Hot Sites : A hot site is a fully configured computer facility, with
all services, communications links, and physical plant operations
including heating and air conditioning.
• A hot site is the top of contingency planning. Hot sites duplicate computing resources, peripherals, phone systems, applications, and workstations. The hot site is the most expensive alternative available.
• Warm Sites: A warm site provides many of the same services and options as the hot site. However, it typically does not include the actual applications, or the applications may not yet be installed and configured.
• A warm site frequently includes computing equipment and
peripherals with servers but not client workstations.
• Cold Sites : A cold site provides only basic services and
facilities. No computer hardware or peripherals are provided.
• All communications services must be installed after the site is
occupied.
• Basically a cold site is an empty room with heating, air
conditioning, and electricity. A cold site is better than nothing.
• The main advantage of cold sites is the cost. It may be easier to lease a new space on short notice; a cold site is a more controllable option, but slower.
• Time-shares: A time-share is leased in conjunction with a
business partner or sister organization. It allows the
organization to maintain a disaster recovery and business
continuity option, at a reduced cost.
• The advantages are identical to those of the type of site selected (hot, warm, or cold). The disadvantages are that the organizations may need the facility simultaneously, and that the arrangement depends on agreement among a group of friends.
• One can only hope the organizations remain on friendly terms,
as they would all have physical access to each other’s data.
• Service Bureaus: A service bureau is an agency that provides a service for a fee. Here, the service is an agreement to provide physical facilities in the event of a disaster. With service bureaus, contracts can be carefully created, specifying exactly what the organization needs.
• The disadvantage is that the service must be renegotiated periodically. Also, using a service bureau can be quite expensive.
• Mutual Agreements: A mutual agreement is a contract
between two or more organizations that specifies how each
will assist the other in the event of a disaster.
• It specifies that each organization is required to provide the necessary facilities, resources, and services until the organization has recovered from the disaster.
• This type of arrangement is much like moving in with relatives or even friends: it doesn’t take long to outstay your welcome.
• Mutual agreements between business partners may be a cost-effective solution.
• Other Options: There are some specialized alternatives available, such as a rolling mobile site and externally stored resources.
