Principles of Incident Response & Disaster Recovery, Third Edition
By Michael E. Whitman and Herbert J. Mattord
Table Of Contents:
MODULE 1
An Overview Of Information Security And Risk Management 1
Introduction 2
An Overview of Information Security 2
Key Information Security Concepts 3
The 12 Categories of Threats 5
The Role of Information Security Policy in Developing Contingency Plans 12
Key Policy Components 13
Types of Info Sec Policies 13
Guidelines for Effective Policy Development and Implementation 15
Overview of Risk Management 19
Knowing Yourself and Knowing Your Enemy 19
Risk Management and the RM Framework 20
The RM Process 23
Risk Treatment/Risk Control 36
Module Summary 39
Review Questions 40
Real-World Exercises 41
Hands-On Projects 42
References 44
MODULE 2
Planning For Organizational Readiness 47
Introduction to Planning for Organizational Readiness 48
Key Laws, Regulations, and Standards Associated with Contingency Planning 49
Ethical Deterrence 49
Laws Germane to Contingency Planning 50
Beginning the Contingency Planning Process 52
Forming the CPMT 53
Contingency Planning Policy 56
Business Impact Analysis 57
Determine Mission/Business Processes and Recovery Criticality 58
Identify Resource Requirements 62
Identify Recovery Priorities for System Resources 62
BIA Data Collection 62
Budgeting for Contingency Operations 67
Incident Response Budgeting 68
Disaster Recovery Budgeting 68
Business Continuity Budgeting 69
Crisis Management Budgeting 69
Module Summary 70
Review Questions 71
Real-World Exercises 71
Hands-On Projects 72
References 72
MODULE 3
Contingency Strategies For Incident Response, Disaster Recovery, And Business Continuity 73
Introduction 74
Safeguarding Information 76
The Impact of Cloud Computing on Contingency Planning and Operations 77
Disk to Disk to Other: Delayed Protection 79
Redundancy-Based Backup and Recovery Using RAID 81
Database Backups 83
Application Backups 84
Backup and Recovery Plans 84
Backup of Other Devices 92
Site Resumption Strategies 92
Exclusive Site Resumption Strategies 92
Shared-Site Resumption Strategies 94
Mobile Sites and Other Options 96
Service Agreements 96
Module Summary 99
Review Questions 100
Real-World Exercises 101
Hands-On Projects 102
References 102
MODULE 4
Incident Response: Planning 103
Introduction 104
The IR Planning Process 104
Forming the IR Planning Team (IRPT) 105
Developing the Incident Response Policy 106
Integrating the BIA 108
Identifying and Reviewing Preventative Controls 111
Organizing the CSIRT 112
Developing the IR Plan 112
Planning for the Response “During the Incident” 113
Planning for “After the Incident” 114
Planning for “Before the Incident” 115
Ensuring Plan Training, Testing, and Exercising 116
Assembling and Maintaining the Final IR Plan 121
Hard-Copy IR Plans 122
Electronic IR Plans 122
Maintaining the Plan 123
Module Summary 124
Review Questions 125
Real-World Exercises 125
Hands-On Projects 126
References 126
MODULE 5
Incident Response: Organizing And Preparing The CSIRT 127
Introduction 128
Building the CSIRT 128
Step 1: Obtaining Management Support and Buy-In 129
Step 2: Determining the CSIRT Strategic Plan 129
Step 3: Gathering Relevant Information 133
Step 4: Designing the CSIRT’s Vision 134
Step 5: Communicating the CSIRT’s Vision and Operational Plan 141
Step 6: Beginning CSIRT Implementation 142
Step 7: Announcing the Operational CSIRT 142
Step 8: Evaluating the CSIRT’s Effectiveness 143
Final Thoughts on CSIRT Development 144
Special Circumstances in CSIRT Development and Operations 144
CSIRT Operations and the Security Operations Center 144
Outsourcing Incident Response and the CSIRT 145
Module Summary 147
Review Questions 149
Real-World Exercises 149
Hands-On Projects 150
References 150
MODULE 6
Incident Response: Incident Detection Strategies 151
Introduction 152
Anatomy of an Attack—the “Kill Chain” 152
Incident Indicators 158
Possible Indicators of an Incident 158
Probable Indicators of an Incident 159
Definite Indicators 160
Identifying Real Incidents 161
Incident Detection Strategies 162
Detecting Incidents through Processes and Services 162
Detection Strategies for Common Incidents 165
General Detection Strategies 171
Manage Logging and Other Data Collection Mechanisms 173
Challenges in Intrusion Detection 173
Collection of Data to Aid in Detecting Incidents 174
Module Summary 177
Review Questions 177
Real-World Exercises 178
Hands-On Projects 178
References 178
MODULE 7
Incident Response: Detection Systems 181
Introduction to Intrusion Detection and Prevention Systems 182
IDPS Terminology 183
Why Use an IDPS? 185
Forces Working Against an IDPS 186
Justifying the Cost 186
IDPS Types 189
Network-Based IDPSs 189
Host-Based IDPSs 194
Application-Based IDPSs 197
Comparison of IDPS Technologies 198
IDPS Detection Approaches 199
Signature-Based IDPSs 199
Anomaly-Based IDPSs 199
IDPS Implementation 200
IDPS-Related Topics 201
Log File Monitors 201
Automated Response 201
Security Information and Event Management 203
What Are SIEM Systems? 203
Selecting a SIEM Solution 206
Module Summary 208
Review Questions 209
Real-World Exercises 209
Hands-On Projects 210
References 210
MODULE 8
Incident Response: Response Strategies 213
Introduction 214
IR Reaction Strategies 214
Response Preparation 215
Incident Containment 215
Incident Eradication 218
Incident Recovery 218
Incident Containment and Eradication Strategies for Specific Attacks 220
Handling Denial-of-Service (DoS) Incidents 221
Malware 224
Unauthorized Access 230
Inappropriate Use 235
Hybrid or Multicomponent Incidents 239
Automated IR Systems 241
Module Summary 242
Review Questions 243
Real-World Exercises 243
Hands-On Projects 244
References 244
MODULE 9
Incident Response: Recovery, Maintenance, And Investigations 247
Introduction 248
Recovery 248
Identify and Resolve Vulnerabilities 249
Restore Data 249
Restore Services and Processes 250
Restore Confidence Across the Organization 250
Maintenance 250
After-Action Review 251
Plan Review and Maintenance 252
Training 252
Rehearsal 253
Law Enforcement Involvement 253
Reporting to Upper Management 254
Loss Analysis 254
Incident Investigations and Forensics 255
Legal Issues in Digital Forensics 256
Digital Forensics Team 256
Digital Forensics Methodology 258
eDiscovery and Anti-Forensics 270
Module Summary 272
Review Questions 273
Real-World Exercises 274
Hands-On Projects 275
References 275
MODULE 10
Disaster Recovery 277
Introduction 278
Disaster Classifications 279
Forming the Disaster Recovery Team 281
Organization of the DR Team 281
Special Documentation and Equipment 283
Disaster Recovery Planning Functions 284
Develop the DR Planning Policy Statement 285
Review the Business Impact Analysis 287
Identify Preventive Controls 288
Develop Recovery Strategies 288
Develop the DR Plan Document 288
Plan Testing, Training, and Exercises 291
Plan Maintenance 291
Implementing the DR Plan 291
Preparation: Training the DR Team and the Users 292
Disaster Response Phase 300
Disaster Recovery Phase 301
Restoration Phase 301
Disaster Resumption Phase 302
Building the DR Plan 304
The Business Resumption Plan 305
Information Technology Contingency Planning Considerations 305
Systems Contingency Strategies 306
Systems Contingency Solutions 307
Module Summary 308
Review Questions 309
Real-World Exercises 310
Hands-On Projects 311
References 311
MODULE 11
Business Continuity 313
Introduction 314
Business Continuity Teams 315
Organization of BC Response Teams 316
Special Documentation and Equipment 317
Business Continuity Policy and Plan 318
Develop the BC Planning Policy Statement 318
Review the BIA 321
Identify Preventive Controls 321
Create BC Contingency (Relocation) Strategies 321
Develop the BC Plan 322
Ensure BC Plan Testing, Training, and Exercises 325
Ensure BC Plan Maintenance 325
Sample Business Continuity Plans 325
Implementing the BC Plan 325
Preparation for BC Actions 325
Relocation to the Alternate Site 326
Returning to a Primary Site 327
BC After-Action Review 328
Continuous Improvement of the BC Process 329
Improving the BC Plan 329
Improving the BC Staff 331
BC Training 331
Maintaining the BC Plan 333
Periodic BC Review 333
BC Plan Archival 333
Final Thoughts on Business Continuity and the COVID-19 Pandemic 334
Module Summary 335
Review Questions 335
Real-World Exercises 336
Hands-On Projects 336
References 337
MODULE 12
Crisis Management In IR, DR, And BC 339
Introduction 340
Crisis Management in the Organization 340
Crisis Terms and Definitions 341
Crisis Misconceptions 342
Preparing for Crisis Management 343
General Crisis Preparation Guidelines 343
Organizing the Crisis Management Teams 345
Crisis Management Critical Success Factors 346
Developing the Crisis Management Plan 348
Crisis Management Training and Testing 350
Other Crisis Management Preparations 352
Post-Crisis Trauma 353
Post-Traumatic Stress Disorder 353
Employee Assistance Programs 353
Immediately after the Crisis 353
Getting People Back to Work 354
Dealing with Loss 354
Law Enforcement Involvement 355
Federal Agencies 356
State Agencies 357
Local Agencies 358
Managing Crisis Communications 358
Crisis Communications 358
Avoiding Unnecessary Blame 361
Succession Planning 363
Elements of Succession Planning 363
Succession Planning Approaches for Crisis Management 364
International Standards in IR, DR, and BC 365
NIST Standards and Publications in IR, DR, and BC 365
ISO Standards and Publications in IR, DR, and BC 366
Other Standards and Publications in IR, DR, and BC 367
Module Summary 370
Review Questions 371
Real-World Exercises 372
Hands-On Projects 372
References 373
Glossary 375
Index 389