PART IV


Information Assurance Detection and Recovery Processes


In addition to preventive controls, organizations should establish capabilities to detect security incidents and anomalies as they occur. Part IV discusses the various controls that organizations could consider. Specifically, Chapter 20 discusses the monitoring tools and methods employed in achieving these objectives.

The maxim that information assurance is a continuous process should be emphasized, and its critical importance made known. As such, another important aspect of a successful information assurance program is the ability of the organization to measure the performance and effectiveness of the implemented controls over time. Without measurement and metrics, it would be impossible to evaluate weaknesses and make improvements. Chapter 21 discusses the importance of measuring the program's implementation.

When preventive controls fail, reactive controls must engage to minimize risk. Chapter 22 describes the incident-handling process and reporting. Chapter 23 covers the forensics aspect of information assurance in an incident response. Forensics is deployed to help determine the root causes of information assurance failures with a high degree of certainty. Forensics is often used in legal matters when information technology will be submitted as evidence.

Business continuity helps ensure an organization can remain viable and operational in dire circumstances. Chapter 24 discusses business continuity and related aspects such as disaster recovery, contingency plans, and crisis management. While Chapter 24 primarily focuses on organizational processes, Chapter 25 focuses on the technical aspects of information technology backup and restoration.

Quick Answers

Q:   What is the prime difference between IPS and IDS?

A:   The main difference between an intrusion prevention system (IPS) and an intrusion detection system (IDS) is that an IDS focuses on detection only, while an IPS focuses on detection and prevention. IDS products monitor for potential intrusions and inform users that something is penetrating the system. An IPS, on the other hand, attempts to prevent access, ensuring it identifies and blocks attacking traffic.

Q:   I have an IPS already. Is that all I need?

A:   An IPS is an important control and adds considerable value to a defense-in-depth posture. However, an IPS is not a complete information security solution. It is not an alternative to a soundly managed system of well-established solutions, including firewalls, IDS, and antivirus programs.

Q:   I have a firewall and an IDS, and I think I am totally secured now. Why should I need information assurance professionals?

A:   Having a firewall and an IDS does not guarantee total information assurance. These provide only one aspect of information security. Unless implemented within a framework of appropriate process and personnel, these technologies cannot provide appropriate information assurance in any given situation. Recall that information assurance components should be properly configured and actively managed to maintain a secure environment. A bank vault that is never monitored or maintained will not provide an appropriate level of protection for the valuables inside.

Q:   Why is intrusion detection required in an organization?

A:   With the advancement of technology and evolution of the Internet, it is impossible for an organization to keep up with current and potential threats and vulnerabilities. In addition, these threats and vulnerabilities constantly evolve. Intrusion detection is a mechanism to assist an organization in managing these rising threats and vulnerabilities.

Q:   How does an IDS differ from a firewall?

A:   A firewall normally functions as a barrier between an authorized network and an unauthorized network. It is not able to detect all intrusions, since the firewall cannot always differentiate between “good” and “bad” traffic. This is where an IDS becomes helpful, because it is able to detect suspected intrusions as soon as they take place and send out alarm signals. Firewalls and IDSs should be used in a complementary way by organizations to ensure information assurance.

Q:   What should an organization do after deploying an IDS?

A:   An IDS should be a technology that is part of a total integrated information assurance system. Once an IDS is deployed onto the system, it should be monitored, and any alerts triggered should be resolved. An IDS may have false positives (it sounds an alarm; however, no intrusion has been attempted). The information assurance team must tune the system to minimize false positives while not allowing true intrusion attempts to succeed. If there are too many false positives, no one will believe the system; on the other hand, if the IDS lets too many real attacks through, your system fails. To aid in this tuning, develop a set of documented monitoring guidelines and alert criteria so an organization can respond effectively and efficiently to incidents.
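The tuning trade-off described above can be made concrete by replaying a small labelled sample through a detection rule and counting false positives and missed intrusions for each setting. The following is an added example written for this edition, not code from the book: the log events, the addresses, the analyst's ground truth, and the "known internal scanner" allowlist are all constructed for illustration, and the rule (N authentication failures from one source within a sliding window) is a deliberately simple stand-in for a real IDS signature.

```python
"""Added example: measuring the effect of tuning a simple IDS rule.

The events, addresses and ground truth below are constructed; they are not
from any real system.
"""
from collections import defaultdict, deque

# Constructed sample events: (seconds since start, source address, event type).
SAMPLE_EVENTS = [
    (0,  "10.0.0.5",    "auth_failure"),   # internal vulnerability scanner
    (1,  "10.0.0.5",    "auth_failure"),
    (2,  "10.0.0.5",    "auth_failure"),
    (3,  "10.0.0.5",    "auth_failure"),
    (10, "10.0.0.42",   "auth_failure"),   # legitimate user mistyping a password
    (15, "10.0.0.42",   "auth_failure"),
    (21, "10.0.0.42",   "auth_failure"),
    (30, "10.0.0.42",   "auth_success"),
    (40, "203.0.113.7", "auth_failure"),   # password guessing from outside
    (41, "203.0.113.7", "auth_failure"),
    (42, "203.0.113.7", "auth_failure"),
    (43, "203.0.113.7", "auth_failure"),
    (44, "203.0.113.7", "auth_failure"),
    (45, "203.0.113.7", "auth_failure"),
]

# Analyst ground truth for the constructed sample: sources that were real
# intrusion attempts. This is what the tuning is measured against.
MALICIOUS_SOURCES = frozenset({"203.0.113.7"})

# Sources the team has documented as expected noise (constructed).
KNOWN_SCANNERS = frozenset({"10.0.0.5"})


def detect(events, threshold, window, allowlist=frozenset()):
    """Alert on any source producing `threshold` or more authentication
    failures inside a sliding `window` of seconds. Sources on `allowlist`
    are never alerted. Returns the set of alerted sources."""
    recent = defaultdict(deque)   # per-source timestamps of recent failures
    alerted = set()
    for ts, src, kind in sorted(events):
        if kind != "auth_failure" or src in allowlist:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return alerted


def evaluate(alerted, malicious):
    """Return (true positives, false positives, missed intrusions)."""
    return (len(alerted & malicious),
            len(alerted - malicious),
            len(malicious - alerted))


def compare_tunings(events=SAMPLE_EVENTS, malicious=MALICIOUS_SOURCES):
    """Score three settings of the same rule against the ground truth."""
    return {
        # Default: fires on the scanner and on the clumsy user as well.
        "untuned": evaluate(detect(events, threshold=3, window=60), malicious),
        # Documented allowlist plus a higher threshold: attacker still caught.
        "tuned": evaluate(detect(events, threshold=5, window=60,
                                 allowlist=KNOWN_SCANNERS), malicious),
        # Threshold pushed too far: the real attack slips through.
        "over_tuned": evaluate(detect(events, threshold=10, window=60), malicious),
    }


if __name__ == "__main__":
    for name, (tp, fp, missed) in compare_tunings().items():
        print(f"{name:>10}: true positives={tp} false positives={fp} missed={missed}")
```

The point of keeping a labelled sample like this is that every proposed rule change can be scored before it goes into production: the "tuned" row removes the noise without losing the attacker, while the "over_tuned" row shows the failure the text warns about, where the IDS is quiet because it has stopped seeing the real attack.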

Q:   What is malware?

A:   Malware is short for malicious software. Malware is developed with the intention of causing harm or damage to information, processing equipment, or facilities. Examples of software classified as malware are viruses, worms, and Trojans.

Q:   Why is a penetration test good for an organization?

A:   Well-structured penetration testing helps protect an organization by identifying vulnerabilities in the system, applications, networks, or processes before a real attack occurs. Organizations should consider conducting a penetration test at least twice a year or when there is a major change in the infrastructure or the operational environment. It is important for an organization to consider implementing recommendations given after the test results are presented and evaluated. This will reduce risks to the overall organization’s information assurance posture.

Q:   Can an organization monitor its employees’ e-mail and Internet usage?

A:   Privacy rights vary from economy to economy and compliance is important. At a minimum, the organization should review local laws and regulations to ensure compliance when monitoring employees’ activities in information systems. Although tools are available to monitor employee activities (e-mail reading and Internet browsing), some may violate local laws. Using such tools enables an organization to monitor just about every computer-based activity undertaken by an employee. Establish a policy and supporting rules on the use of communication resources. To prevent issues about a breach of an employee’s privacy rights, make sure you communicate the policy to employees and include it in your AT&E program. Make sure your use of monitoring tools and techniques does not violate any laws or regulations.

Q:   What are the factors to consider when selecting a vulnerability scanner to assess a server?

A:   Many vulnerability scanners are available, ranging from commercial to open source products. Select a vulnerability scanner that meets your specific needs. Here are some points to think about while selecting a scanner:

       • Can the scanner be used for compliance checking such as against Payment Card Industry (PCI) or Sarbanes-Oxley Act (SOX)?

       • Does the scanner have a user-friendly interface?

       • Does the scanner use Common Vulnerabilities and Exposures (CVE) as its standard?

       • How frequently does the scanner update its signature database?

       • What type of report can be produced by the scanner?

Q:   In what situations are typical approaches such as the top-down and bottom-up approach effective in implementing information assurance efforts?

A:   A top-down approach is more suitable when organization-wide support is needed and to gain management buy-in throughout the information assurance life cycle. A bottom-up approach is appropriate when business functions need immediate action to implement controls. It is also a good approach for a decentralized environment.

Q:   Why is a business impact analysis (BIA) important?

A:   A BIA is the preliminary and most critical phase of any business continuity management (BCM) program. The purpose of a BIA is to identify and prioritize critical business functions and their supporting resources for an organization during the BCM program. A BIA helps to identify vulnerabilities and threats and to calculate risks.

Q:   How do you ensure a successful implementation of a business continuity management (BCM) program?

A:   The critical success factors for BCM are

       • Adoption of proven methodology and standards

       • Experience in recovery process

       • Full support from top management

       • Integration of BCM into the organization’s information assurance management program

       • Well-defined roles and responsibilities for BCM committee members

Q:   Should an organization outsource or develop the BCP in-house?

A:   This is not a simple make-versus-buy decision. Most recovery strategies combine both options. An organization cannot completely outsource BCP, because most resources for planning and testing have to come from within the organization itself. Moreover, the decision to outsource BCP requires management to weigh the pros and cons of each option by balancing speed, risks, skills, strategies, and costs.

Q:   What are the considerations to be made when choosing a hot-site vendor?

A:   Before beginning the selection process, the planner should ensure that vendors are thoroughly evaluated. The following are some of the key considerations:

       • Compatibility of the technical environment

       • Complementary services

       • Cost

       • Experience in recovery process

       • Facilities at recovery center

       • Geographical location of the recovery center

       • Personnel support

       • Responsiveness and flexibility

       • Testing capabilities

Q:   What is information security incident handling?

A:   Information security incident handling is the activity of managing actions or plans targeted at resolving information assurance–related events. Information security incident handling is crucial in business continuity management because it shows how an organization can contain and recover from information security incidents.

Q:   What is the relationship between information security incident handling and computer forensics?

A:   Computer forensics should work hand-in-hand with information security incident handling. Computer forensics should act together or be embedded in incident-handling procedures to achieve maximum results.

Q:   What is the meaning of chain of custody?

A:   A chain of custody is the historical record of how evidence is collected, analyzed, transported, and preserved with the goal of ensuring its admissibility in court. The chain of custody states that all evidence should be tagged with information to indicate the individuals who secured and validated the evidence.
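The record the answer describes can be kept as a tamper-evident log in which every custody step carries the evidence's fingerprint, the custodian and validating witness, and a hash linking it to the previous step. The following is an added example, not code from the book: the `CustodyLog` class, its field names and the sample evidence bytes are constructed for illustration, and hashing is used for integrity only (a production system would additionally sign entries and keep the log where custodians cannot rewrite it).

```python
"""Added example: a hash-linked chain-of-custody record.

The evidence bytes, names and timestamps below are constructed; the class
and field names are this example's own, not a standard.
"""
import hashlib
import json
from dataclasses import dataclass, asdict, replace

# Constructed stand-in for an evidence item (in practice a disk image,
# memory capture or exported log file).
SAMPLE_EVIDENCE = {"EV-001": b"constructed disk image bytes"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    evidence_id: str
    action: str           # collected / transported / analyzed / stored
    custodian: str        # person taking responsibility at this step
    witness: str          # person validating the hand-over
    timestamp: str        # ISO 8601, supplied by the caller
    evidence_sha256: str  # fingerprint of the evidence at this step
    prev_entry_hash: str  # links this entry to the one before it
    entry_hash: str       # hash over every field above


def _hash_fields(fields: dict) -> str:
    """Canonical JSON so the same fields always hash the same way."""
    return sha256_hex(json.dumps(fields, sort_keys=True).encode("utf-8"))


class CustodyLog:
    GENESIS = "0" * 64   # prev_entry_hash of the first entry

    def __init__(self):
        self.entries = []   # list of CustodyEntry, append-only

    def record(self, evidence_id, action, custodian, witness, evidence, timestamp):
        """Append one custody step; the evidence is re-hashed at every step so
        a change between hand-overs is detectable."""
        fields = {
            "evidence_id": evidence_id, "action": action,
            "custodian": custodian, "witness": witness, "timestamp": timestamp,
            "evidence_sha256": sha256_hex(evidence),
            "prev_entry_hash": self.entries[-1].entry_hash if self.entries else self.GENESIS,
        }
        entry = CustodyEntry(**fields, entry_hash=_hash_fields(fields))
        self.entries.append(entry)
        return entry

    def verify(self, current_evidence):
        """Return a list of problems; an empty list means the record is
        internally consistent and matches the evidence as it is now."""
        problems = []
        expected_prev = self.GENESIS
        first_seen = {}   # evidence_id -> fingerprint at first custody step
        for i, e in enumerate(self.entries):
            fields = asdict(e)
            fields.pop("entry_hash")
            if _hash_fields(fields) != e.entry_hash:
                problems.append(f"entry {i}: contents altered after recording")
            if e.prev_entry_hash != expected_prev:
                problems.append(f"entry {i}: link to previous entry broken")
            expected_prev = e.entry_hash
            baseline = first_seen.setdefault(e.evidence_id, e.evidence_sha256)
            if e.evidence_sha256 != baseline:
                problems.append(f"entry {i}: {e.evidence_id} changed between custody steps")
        for ev_id, data in current_evidence.items():
            if ev_id in first_seen and sha256_hex(data) != first_seen[ev_id]:
                problems.append(f"{ev_id}: current evidence does not match recorded fingerprint")
        return problems


def build_sample_log(evidence=SAMPLE_EVIDENCE):
    """Three constructed custody steps for EV-001."""
    log = CustodyLog()
    data = evidence["EV-001"]
    log.record("EV-001", "collected", "a.analyst", "b.witness", data, "2024-01-01T09:00:00Z")
    log.record("EV-001", "transported", "c.courier", "a.analyst", data, "2024-01-01T11:30:00Z")
    log.record("EV-001", "analyzed", "d.examiner", "c.courier", data, "2024-01-02T08:00:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify(SAMPLE_EVIDENCE))
    log.entries[1] = replace(log.entries[1], custodian="someone.else")
    print("after edit:", log.verify(SAMPLE_EVIDENCE))
```

Each entry names who secured the evidence and who validated the hand-over, as the answer requires, and because every entry commits to the hash of the previous one, rewriting a middle step either breaks its own hash or breaks the link from the step after it; either way `verify` reports it, and a modified evidence item is caught by comparing its current fingerprint with the one recorded at collection.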

Q:   Why is backup required?

A:   Backup is important for business continuity when there is a need to resume normal operations after an incident or disaster. Without backups of critical data, it may not be possible for organizations to restore business functions, and their survival is at stake. In addition to backing up data, you should make sure your critical software is backed up and that a backup plan exists for hardware.

Q:   What should be taken into consideration when designing and planning backup strategies?

A:   When designing and planning backup strategies, the criticality of data, data size and volume, frequency of backup, application requirements, and storage media requirements should be taken into consideration.
