Cyber Disaster Recovery

20 years ago, Disaster Recovery (D/R) plans protected brick-and-mortar companies. Today they must also protect the growing virtual side of the business: e-business.

Why Focus on Incident Preparedness?

20 years ago, survival of the business depended on survival of the brick-and-mortar infrastructure:
- Earthquake- and hurricane-"proof" buildings
- Redundant power and communications
- Disaster recovery planning
- Regulatory requirements

Today, survival of the business also depends on survival of the information infrastructure:
- Firewalls, proxies, access controls
- VPNs, encryption, authentication
- Growing regulation: SOX, HIPAA, GLBA, the CA Breach Law
- Planning ahead insures against catastrophe

Overview

- Traditional disaster recovery (D/R) planning is formal and tested regularly
- Cyber-D/R planning is less mature, but more necessary today
- Cyber-D/R requires quick reaction and different skill sets, e.g., computer forensics
- Growing trend toward prosecution
- Critical infrastructure protection requires better Cyber-D/R planning and response capability

"Traditional" disaster recovery

Business impact analysis:
- Determine the functional areas critical to the business
- Identify critical computer systems and applications
- Determine the disaster recovery budget

Formal disaster recovery plan:
- Disaster declaration criteria and procedures
- Hot-site and cold-site arrangements
- Staff response/call-out plans
- Recovery procedures
- Annual testing

"Cyber" disaster recovery

Business impact analysis:
- Focuses on the impact of "electronic" disasters such as computer security breaches, instead of "natural" disasters

Computer Security Incident Response Plan:
- Similar in structure to a disaster recovery plan
- Incident declaration criteria and procedures
- Staff response/call-out plans
- Recovery procedures
- Restore operations "in place," not at a hot site
- Focus on a forensic approach (evidence is preserved while service is restored)
- Quarterly testing

An observation

- ISS responded to as many intrusion incidents in Q4-03 alone as it did in all of 2003.
- 75% of the cases have requested forensic evidence considerations for prosecution.
- These incidents were all different, but they have had recurring themes which make them easier to prepare for.

What happened?

- These incidents were not caused by "natural" disasters like fire, flood, or earthquake
- A "traditional" disaster recovery plan would not have been sufficient
- But the potential effects were the same:
  - Ability to conduct business was impacted
  - Reputation could have been damaged
  - Financial loss could have occurred
  - Loss of customers

The need for good and timely information

- During a natural disaster, information is made available to us by television, radio, and government sources
- During a cyber-disaster, we are almost always limited to the information we can obtain for ourselves
- Planning and response are improved when we know ahead of time how these attacks work and how we can defend against them

Obtaining good and timely information

- Do you have the skills in-house to stay on top of threats and vulnerabilities?
- Does your staff respond to attacks frequently enough to keep their skills sharp?
- Do you have (and follow) escalation, notification and handling procedures?
- What is the value of a second opinion when you think you're under attack?
- Can you conduct a forensic investigation without contaminating evidence?
- What are your regulatory requirements?

Information Security Lifecycle

(Cycle diagram; the four stages shown are:)
- Put all this in place without impacting users
- What can we add or change to improve our security?
- How well are we protected, now and in the future?
- Given what we have, how do we handle security incidents?

Goals of an Incident Response

- Gain control of any upcoming security problems
- Facilitate centralized reporting of incidents
- Coordinate response to incidents
- Raise security awareness of users
- Provide a clearinghouse of relevant computer security information
- Promote security policies
- Provide liaisons to legal and criminal investigative groups both inside and outside the company
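The slides ask whether you can conduct a forensic investigation without contaminating evidence, and note that most cases end up wanting evidence fit for prosecution. The minimum technical discipline behind that question is: never work on the original, copy it while opening the source read-only, prove the copy is byte-identical by hashing both, make the copy immutable, and record who took it and when in a chain-of-custody log that can be re-checked later. The script below is an added example written for this page, not code from the original deck or from ISS; the handler name, the JSON-lines log format and the sample log line are assumptions constructed for illustration, and a real acquisition would additionally use a hardware write blocker or a read-only mount rather than relying on file-open modes alone.

```python
"""Acquire a verified copy of an evidence file and keep a chain-of-custody log.

Added example for the "forensic approach" point on the slides; the log format,
handler name and sample data are assumptions, not part of the original deck.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large images


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for a file, reading it exactly once.
    Two independent digests are recorded so a later dispute cannot rest on
    weaknesses in a single algorithm."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def acquire(source, dest, log_path, handler, note=""):
    """Copy source to dest, verify the copy by hash, make it read-only and
    append a custody entry. The source is only ever opened read-only, and
    "xb" refuses to overwrite an existing file so evidence is never clobbered."""
    with open(source, "rb") as src, open(dest, "xb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    os.chmod(dest, 0o444)  # working copy becomes immutable for the analyst
    original = hash_file(source)
    copy = hash_file(dest)
    if original != copy:
        raise RuntimeError("acquisition failed: copy does not match original")
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "action": "acquire",
        "handler": handler,           # assumed field: who performed the acquisition
        "source": os.path.abspath(source),
        "evidence": os.path.abspath(dest),
        "size": os.path.getsize(dest),
        "hashes": copy,
        "note": note,
    }
    with open(log_path, "a") as log:  # append-only, one JSON object per line
        log.write(json.dumps(entry) + "\n")
    return entry


def verify(evidence, log_path):
    """Recompute the evidence hashes and compare them with the latest custody
    entry for that file. Returns (ok, recorded_hashes, current_hashes) so a
    mismatch can be shown, not just flagged."""
    recorded = None
    with open(log_path) as log:
        for line in log:
            entry = json.loads(line)
            if entry["evidence"] == os.path.abspath(evidence):
                recorded = entry["hashes"]
    if recorded is None:
        raise KeyError(f"no custody entry for {evidence}")
    current = hash_file(evidence)
    return current == recorded, recorded, current


if __name__ == "__main__":
    import tempfile

    work = tempfile.mkdtemp()
    src = os.path.join(work, "auth.log")   # constructed sample evidence, not real data
    with open(src, "w") as f:
        f.write("Jan 12 03:14:07 web1 sshd[2211]: Failed password for root "
                "from 198.51.100.7 port 51822 ssh2\n")
    dst = os.path.join(work, "auth.log.copy")
    log = os.path.join(work, "custody.jsonl")

    entry = acquire(src, dst, log, handler="analyst1", note="web1 during IR-0001")
    print("acquired:", entry["hashes"]["sha256"])
    print("verify after acquisition:", verify(dst, log)[0])

    # Simulate contamination: someone makes the copy writable and edits it.
    os.chmod(dst, 0o644)
    with open(dst, "a") as f:
        f.write("tampered\n")
    ok, recorded, current = verify(dst, log)
    print("verify after tampering:", ok)
```

Run as written it prints a SHA-256, `True` after the clean acquisition, and `False` once the copy has been altered. The same pattern scales from a single log file to a full disk image: hash the source, hash the copy, store both digests with the handler and timestamp, and re-verify before every analysis session and before handing the evidence to legal or law enforcement.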