Zibai Yang says
What is needed for a complete BCP?
Vanessa Marin says
I just did this for a client and there is an actual formula to follow!
1. Scope! You have to know what your limits in the BCP are or else you’ll drive yourself nuts trying to cover everything or not covering enough.
2. Identification of the key business areas impacted is important – which departments are impacted, who needs to be involved in the communication stream, etc.
3. Identify the critical functions – these are the basic functions that would need to happen in order to keep the business going.
4. Find the dependencies – what are the dependencies between the business areas and the critical functions and organize them by priority.
5. Downtime – how long can each critical function be down with the least impact?
6. Create a plan – this is your draft of the plan. There are many templates you can find online that have detailed instructions.
7. Test, test, test! Can’t stress this enough! It is important to have tabletop exercises and mock event exercises to ensure that your BCP plan is actually functional and effective. During these tests you’ll test out the process and the response time of the team at each phase of the BCP.
Ting-Yen Huang says
There are so many planes that seem needed for a company, how does the company prioritize them?
Mei X Wang says
The company should first assess the organization’s assets by performing a BIA and by using FIPS 199 security categorization. Security categorization is based on the three security objectives: confidentiality, integrity, and availability. After the assets are scored, the assets with the overall high rating should be prioritized and have the most resources allocated in case of an attack. The lower scored assets still need to be protected as well, but at a lower priority. Using the FIPS 199 model will help the organization categorize their assets based on industry-approved standards.
Xinyi Zheng says
What is the differences between business continuity plans and IT disaster recovery plans?
Haozhe Lin says
Business continuity (BC): it refers to the maintenance of business functions, or their rapid recovery, in case of a major interruption, whether the interruption is caused by fire, flood, epidemic disease, or a malicious Internet attack. It is necessary to describe the procedures and instructions that enterprises must comply with in the face of these disasters, and it also changes the business processes, assets, human resources, business partners, and other aspects.
Disaster recovery plan: it mainly focuses on the recovery of IT infrastructure and business after a disaster, which is only an integral part of the complete business continuity plan.
Many people think that a disaster recovery plan and a business continuity plan are the same thing, but in fact, a business continuity plan focuses on the continuity of the whole enterprise. After a disaster, do you have a way to keep the human resources, manufacturing, sales, and support teams in normal operation, to ensure that the company can continue to make money? If the building where the enterprise is located is razed by a tornado, how should the customer service representatives deal with customer calls? Can they temporarily work at home, or at a spare site? All of these are problems. Business continuity companies are also taking advantage of this opportunity to rent out cubicles, including desks, telephones, and computers, and disaster recovery services based on services and equipment, to enterprises that have suffered catastrophic accidents. Business impact analysis (BIA) is another component of the business continuity plan. BIA can determine the impact of a sudden loss of business functions, and it usually quantifies this impact. This kind of analysis can also help you evaluate whether you should outsource the non-core business in the business continuity plan. Basically, BIA can help you look at the processes of the whole enterprise and determine which processes are most important.
Priyanka Ranu says
What are the steps involved in a Cyber Incident Response Plan?
Zibai Yang says
1. Form an incident response team
2. Develop an action manual
3. Prevention and preparation
4. Discovery and containment
5. Perform post-mortem analysis
Anthony Messina says
The SANS incident response plan consists of 6 steps:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
The NIST Incident Response Process contains four steps:
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
Prince Patel says
The steps involved in a Cyber Incident Response Plan as per the Security Metrics website are:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
This is similar to the NIST 4-step plan:
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity
Cami Chen says
What are the differences in implementing a business contingency plan between large organizations and small businesses?
Heather Ergler says
Why is it so important that information system contingency plans be consistent across various government agencies?
Vanessa Marin says
So I went on the website whitehouse.gov and found a list of the contingency plans across the federal government and guess what – they aren’t consistent. The structure of the plans is relatively similar, but each department has its own goals, requirements, definitions and needs.
If you mean a consistency in documentation, even that can be challenged. I’ve rarely known, even in the US, any department that functions exactly like another. Even the sections for reporting to the general public are unique.
https://www.whitehouse.gov/omb/information-for-agencies/agency-contingency-plans/
Krish Damany says
Of the different types of plan in the BCP umbrella, which is the most important to consider, or should all plans be considered equally?
Jonathan Castelli says
Which step is the most important in the incident response process and why?
Cami Chen says
The detection and analysis step is the most important in the incident response process. In order to mitigate risks, the detection and analysis step can directly point out the area where the action should begin to respond to the incident. Organizations need to have strong detective capabilities to structure their information systems, so they can have enough time to resolve an incident. For example, they can use alert tools to monitor the systems.
Anthony Wong says
I think the most important step is the post-incident activity because it creates discussion and knowledge sharing on the incident. Additionally, it allows the team to determine where the weak points were that led to the breach and what can be done in the future to prevent similar attacks from occurring.
Anthony Wong says
What is the difference between signature-based and anomaly IDS?
Zibai Yang says
Signature detection includes searching a series of bytes or packet queues in network communications to find known malicious programs. The biggest advantage of this detection method is that if you know the network behavior you want to find out, this signature is easy to develop and understand.
Anomaly detection technology is centered on the concept of network behavior benchmarks. This benchmark is an accepted explanation of online behavior. The anomaly detection engine will detect any behavior patterns that do not conform to people’s pre-defined or accepted behavior patterns.
Anthony Messina says
Signature-based detection is when a file is determined to be malicious, a digital signature is written and uploaded to a database so anti-malware programs are able to detect that file or component in the future. Anomaly-based detection looks at the behavior of the file. It is not necessarily looking for bad strings in the file, but looking for weird strings that cause it to behave in a way that is not common within the network.
Prince Patel says
According to the Center for Internet Security, signature-based and anomaly-based detection are the two main methods of identifying and alerting on threats. While signature-based detection is used for threats we know, anomaly-based detection is used for changes in behavior. Signature-based detection relies on a preprogrammed list of known indicators of compromise (IOCs). An IOC could include malicious network attack behavior, content of email subject lines, file hashes, known byte sequences, or malicious domains. Signatures may also include alerts on network traffic, including known malicious IP addresses that are attempting to access a system. In contrast to signature-based detection, anomaly-based detection is capable of alerting on unknown suspicious behavior. Anomaly-based detection involves first training the system with a normalized baseline and then comparing activity against that baseline.
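Both methods from the replies above, side by side in one small script. This is an added example for the thread, not code from any post or from a product mentioned here; the log format, the IOC values (an RFC 5737 test address and a `.invalid` domain) and the training data are all constructed. The signature half is an exact match against a fixed indicator list; the anomaly half builds a per-user baseline of daily failed logins from five training days and flags a new day that falls outside it, including the edge case of a user with no baseline at all.

```python
"""Signature-based vs anomaly-based detection over constructed log lines (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed "preprogrammed list of known indicators"; placeholders, not real IOCs.
IOC_DESTINATIONS = {"bad-example.invalid", "203.0.113.7"}

# Constructed log format: ISO timestamp, host, user, event, optional destination.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+)(?: dst=(?P<dst>\S+))?$"
)


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def make_failed_logins(day, user, count, host="ws1"):
    """Construct `count` failed-login lines for one user on one January day."""
    return [f"2024-01-{day:02d}T08:{i:02d}:00Z host={host} user={user} event=login_failed"
            for i in range(count)]


def signature_hits(lines):
    """Signature detection: a destination matches the indicator list exactly."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        if ev["dst"] in IOC_DESTINATIONS:
            hits.append((ev["day"], ev["host"], ev["dst"]))
    return hits


def daily_failed_logins(lines):
    """user -> day -> number of login_failed events."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in filter(None, map(parse, lines)):
        if ev["event"] == "login_failed":
            counts[ev["user"]][ev["day"]] += 1
    return counts


def build_baseline(training_lines, days):
    """Anomaly step 1: per-user mean and sample stdev of daily failed logins.
    Days with no events for a user count as 0, so quiet days shape the baseline too."""
    baseline = {}
    for user, per_day in daily_failed_logins(training_lines).items():
        series = [per_day.get(d, 0) for d in days]
        sd = statistics.stdev(series) if len(series) > 1 else 0.0
        baseline[user] = (statistics.mean(series), sd)
    return baseline


def anomalies(new_lines, baseline, k=3.0, min_excess=3):
    """Anomaly step 2: flag a user whose daily count exceeds mean + k*stdev by at least
    `min_excess` events (so 1 failure against a baseline of 0 is not an alert), or who
    has no baseline at all (never seen during training)."""
    flagged = {}
    for user, per_day in daily_failed_logins(new_lines).items():
        for n in per_day.values():
            if user not in baseline:
                flagged[user] = (n, None)
                continue
            mean, sd = baseline[user]
            threshold = mean + k * sd
            if n > threshold and n - mean >= min_excess:
                flagged[user] = (n, round(threshold, 2))
    return flagged


def run_demo():
    """Five constructed training days, then one new day containing both kinds of event."""
    train_days = [f"2024-01-{d:02d}" for d in range(1, 6)]
    training = []
    for d, n in zip(range(1, 6), [2, 3, 2, 3, 2]):   # alice: a couple of typos a day
        training += make_failed_logins(d, "alice", n)
    for d, n in zip(range(1, 6), [1, 0, 1, 1, 1]):   # bob: about one a day
        training += make_failed_logins(d, "bob", n)
    baseline = build_baseline(training, train_days)

    new_day = (make_failed_logins(6, "alice", 2)       # normal day for alice
               + make_failed_logins(6, "bob", 25)      # far above bob's baseline
               + make_failed_logins(6, "carol", 4)     # account never seen in training
               + ["2024-01-06T09:00:00Z host=ws2 user=alice event=dns_query dst=bad-example.invalid"])
    return signature_hits(new_day), anomalies(new_day, baseline)
```

`run_demo()` returns one signature hit (the lookup of the listed domain) and two anomalies: bob, whose 25 failures sit far above a mean of 0.8, and carol, who has no baseline. Alice is not flagged because her day 6 looks like her training days. The `min_excess` floor is there because a mean of 0 with zero variance would otherwise turn a single failed login into an alert.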
Junhan Hao says
How do companies overcome the time synchronization issue?
Anthony Messina says
Companies utilize NTP – the network time protocol. NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC). Generally companies will have an NTP server that the NTP protocol connects to so that all the devices are on the same time within a millisecond of each other.
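The offset NTP measures, and why it matters for incident timelines, as an added example (not code from the post). The four timestamps and the two log events are constructed; the offset and delay formulas are the standard ones from the NTP specification (RFC 5905), with t1 and t4 read from the client's clock and t2 and t3 from the server's. The second half applies a measured offset to log events from two hosts and shows that the naive ordering is wrong until the clocks are reconciled.

```python
"""NTP-style clock offset from one request/response, applied to log correlation (added example)."""


def ntp_offset_and_delay(t1, t2, t3, t4):
    """t1: client sends; t2: server receives; t3: server replies; t4: client receives.
    offset: how far the client clock is behind the server (positive = behind).
    delay:  round trip on the wire, excluding the server's processing time."""
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def within_tolerance(offset, tolerance_s=0.005):
    """True when the client is within a few milliseconds of the reference, as NTP aims for."""
    return abs(offset) <= tolerance_s


def correlate(events, offsets):
    """Order events from several hosts by reference time.
    events: (host, local_timestamp, message); offsets: host -> measured offset in seconds."""
    corrected = [(ts + offsets.get(host, 0.0), host, msg) for host, ts, msg in events]
    return [msg for _, _, msg in sorted(corrected)]


def demo():
    # Constructed exchange: client clock 0.5 s behind, 20 ms each way, 1 ms server processing.
    offset, delay = ntp_offset_and_delay(1000.000, 1000.520, 1000.521, 1000.041)

    # Constructed events. host_a is synchronized; host_b is the client measured above.
    # Read naively, host_b's login appears before the firewall saw the connection arrive.
    events = [
        ("host_a", 2000.15, "firewall: allowed inbound 22/tcp to host_b"),
        ("host_b", 1999.70, "sshd: admin session opened"),
    ]
    naive = [msg for _, _, msg in sorted((ts, h, m) for h, ts, m in events)]
    corrected = correlate(events, {"host_a": 0.0, "host_b": offset})
    return offset, delay, naive, corrected
```

With the 0.5 s offset applied, the firewall event comes first and the login second, which is the only order that makes physical sense; without it an analyst would be chasing a login that predates its own connection. A half-second skew fails `within_tolerance`, which is the kind of check a monitoring job can run against every host's NTP status.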
Austin Mecca says
What in the BCP do you consider the most important?
Cami Chen says
I think that it is necessary to have a backup plan in the BCP. Can you imagine that your documents are destroyed when you try to file your tax return on the last day? If you make a copy and upload it to your cloud or save it on your USB, you will not suffer. For organizations, they need to know what data should be stored, and how to back up the data. Also, the backups need to be testable, so the data can be recovered. The backup plan must mention how frequently to back up the data, and companies are able to mitigate some losses.
Austin Mecca says
Cami,
I totally agree, I could not imagine having the BCP plan and actually needing it. It would be chaos trying to put something together, all the while limited groups are able to work, revenues and profits are disappearing and investors and executives are looking for answers from anyone and everyone. I actually don’t think that more than 1% of companies would be able to survive an attack without having a BCP in place. Unlike other areas and sectors, this is not something that can easily be done on the fly in the event of an emergency.
Vanessa Marin says
In my opinion BCPs are documents for a moment in time. A fantastic BCP plan may have been written that outlined everything you need to in case of an incident, but if it hasn’t ever been tested, reviewed or updated and it’s 5 years old… Well, then you might as well serve your business on a platter for the next guy to take over.
To me plans and policy are only as good as the latest update. Technologies change, get replaced. Business processes improve or are deprecated. Business environments change as you expand or pivot. Changes may be required due to changes in infrastructure, software, people, regulation, etc. All these things affect BCP and other types of contingency plans.
Zhen Li says
There are three ways of containment: disconnection, black-holing the attacker, and continuing to collect data. Which is the most effective?
Heather Ergler says
It depends on the purpose of the containment. If an attacker is executing the same hack that has been seen repeatedly, possibly disconnecting is the best approach. If the hack seems to be original then possibly blackholing or continuing to collect data is the best approach. SIEM monitors need to have standard operating procedures with criteria to determine which approach is to be taken with each attack.
Wenyao Ma says
How often should the organization perform simulations in response to disasters?
Krish Damany says
Simulations shouldn’t take up the time when most employees are accessing the network. They should be done periodically as the organization sees fit, which could be once or twice a month, every 6 months, or every year. It ultimately depends on the size of the organization, and what times of the day the fewest regular users are accessing the network.
Anthony Wong says
I think simulations should be performed at least once a year. This ensures that the plan is updated and accurate. If a key resource in the plan has left the organization, this can be a great exercise to help the new resource come up to speed. Similar to Krish’s response, the simulation should occur when users will be impacted the least. This may differ based on the industry of the organization. For a retail company, they may want to avoid tests on the weekends.
Prince Patel says
How are honeypots critical to security infrastructure?
Xinyi Zheng says
Honeypot technology is meant to entice hackers by being easy to penetrate and appearing to contain desirable information. The honeypot can reveal where attackers are coming from, and the information gathered when hackers are lured in helps understand their motivation and behavior. Honeypotting can also be used to deflect attacks from actual targets.
Kyuande Johnson says
What are the differences between an Intrusion Detection System and an Intrusion Prevention System?
Zibai Yang says
The main difference between IDS and IPS: IDS mainly detects the inside of the system, runs on the monitored host, and monitors the host’s network behavior, system log, process and memory, and other indicators; IPS acts on the firewall and external network of the system and analyzes the flow to the inside.
Xinyi Zheng says
IDS are monitoring systems and IPS are control systems. IDS won’t alter network traffic while IPS prevents packets from delivering based on the contents of the packet, similar to how a firewall prevents traffic by IP address.
Prince Patel says
The main difference between them is that IDS is a monitoring system, while IPS is a control system.
IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.
Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.
Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. IPS proactively denies network traffic based on a security profile if that packet represents a known security threat.
Vanessa Marin says
What key controls do you feel are the most important to implement or ensure that an organization has in place?
Haozhe Lin says
Should a hot site be implemented as a recovery strategy when the Recovery Time Objective (RTO) is high or low?
Junhan Hao says
When the RTO is low. If this time gap is short, a recovery strategy that can be implemented in a short time should be used.
Anthony Messina says
While many IDS solutions will pull log files from the various devices, parse them, present them to the analyst in a readable form, sometimes you may have to go into a machine and dig through log files yourself. Are there any commands or software you have run into that could make combing through endless log files any easier?
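One way to make the manual dig less painful is to script the three things you always end up doing by hand: parse the lines, cut them down to a time window and a pattern, then count by host and by source address. This is an added example for the thread, not code from the post or from any tool named here; the six log lines are constructed (hostnames, users and RFC 5737 addresses are placeholders) in the classic BSD syslog `Mon DD HH:MM:SS host prog[pid]: message` layout, and the year is supplied by the caller because that format does not carry one.

```python
"""Triage of raw syslog lines: parse, window, grep, count (added example)."""
import re
from collections import Counter
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SRC_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample; addresses are documentation ranges, not real sources.
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.9 port 50122 ssh2
Mar  3 10:00:02 web1 sshd[1201]: Failed password for invalid user admin from 198.51.100.9 port 50123 ssh2
Mar  3 10:00:05 web1 sshd[1203]: Accepted publickey for deploy from 192.0.2.15 port 41002 ssh2
Mar  3 10:01:10 db1 sshd[877]: Failed password for root from 198.51.100.9 port 50130 ssh2
Mar  3 10:02:30 db1 cron[902]: (root) CMD (/usr/local/bin/backup.sh)
Mar  3 11:30:00 web1 sshd[1310]: Failed password for invalid user test from 203.0.113.4 port 60001 ssh2
"""


def at(ts, year=2024):
    """Turn a syslog-style timestamp ('Mar 3 10:00:01') into a datetime for the given year."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_syslog(text, year=2024):
    """Yield a dict per line that matches the format; silently skip anything else."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield {"time": at(m["ts"], year), "host": m["host"],
                   "prog": m["prog"], "msg": m["msg"], "raw": line}


def in_window(events, start, end):
    """Half-open window [start, end) on the parsed timestamp."""
    return [e for e in events if start <= e["time"] < end]


def grep(events, pattern):
    """Regex filter on the message part only, so host or program names cannot cause false hits."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e["msg"])]


def count_by(events, key):
    return Counter(e[key] for e in events)


def source_ips(events):
    """Count the 'from <ip> port <n>' source addresses that sshd writes into its messages."""
    found = Counter()
    for e in events:
        m = SRC_IP_RE.search(e["msg"])
        if m:
            found[m.group(1)] += 1
    return found


def triage(text, start, end, pattern):
    """Summary an analyst would want first: how much is in the window, how much matched, and who/where."""
    events = in_window(list(parse_syslog(text)), start, end)
    matched = grep(events, pattern)
    return {
        "in_window": len(events),
        "matched": len(matched),
        "by_host": dict(count_by(matched, "host")),
        "by_source_ip": dict(source_ips(matched)),
    }
```

On the sample, `triage(SAMPLE_LOG, at("Mar 3 10:00:00"), at("Mar 3 10:05:00"), r"Failed password")` reports five events in the window, three matches, two on `web1` and one on `db1`, all from the same source address; the 11:30 line is outside the window and is not counted. Reading the file through `parse_syslog` also means a truncated or foreign-format line is skipped instead of breaking the run.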
Mei X Wang says
What are the benefits of a business impact analysis?
Xinyi Zheng says
BIA can help to identify the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes, and to assess and prioritize all business functions and processes, including their interdependencies, as part of a workflow analysis.
Junhan Hao says
The organization can summarize some form of BIA report. The report may be useful in considering risk management and understanding the potential impact of different business interruption scenarios.
Priyanka Ranu says
Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. BIA is needed as it identifies scenarios that could potentially cause losses to the business and through this the business can come up with a plan for investment for recovering, mitigation and prevention strategies. With the due diligence of a business impact analysis in hand, a business has a well thought out plan to recover from a disaster. Information gathered in the BIA assists in determining the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). RPO is the ability to recover files by specifying a point in time to restore the backup copy. RTO measures the time it takes for a system to be completely up and running in the event of a disaster.
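The replies above (Xinyi Zheng's on dependencies and prioritization, Priyanka Ranu's on RTO and RPO) describe what a BIA produces; the script below is an added example of what you can do with those numbers once you have them. It is not code from any post. The critical functions, their objectives, backup intervals and step durations are constructed figures, and it treats the RPO as the maximum acceptable age of the last restorable copy and the RTO as the maximum acceptable time to restore, which is an assumption about how the organization states them. Recovery time for a function is computed as the recovery time of its slowest dependency plus its own steps, so a dependency chain can blow an RTO that each function would meet on its own.

```python
"""Checking a recovery plan against BIA outputs: RTO, RPO and dependencies (added example)."""
from dataclasses import dataclass, field


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float                 # Recovery Time Objective from the BIA
    rpo_hours: float                 # Recovery Point Objective from the BIA
    backup_interval_hours: float     # how often a restorable copy is taken
    recovery_steps_hours: dict       # step name -> duration, executed in order
    depends_on: list = field(default_factory=list)


def worst_case_data_loss(f):
    """If the failure lands just before the next backup, everything since the last one is lost."""
    return f.backup_interval_hours


def recovery_time(name, functions, _seen=()):
    """Elapsed time to restore `name`: its dependencies must be back first, then its own steps."""
    if name in _seen:
        raise ValueError(f"dependency cycle through {name}")
    f = functions[name]
    deps = max((recovery_time(d, functions, _seen + (name,)) for d in f.depends_on), default=0.0)
    return deps + sum(f.recovery_steps_hours.values())


def assess(functions):
    """One row per function, most urgent (lowest RTO) first, with the gaps the plan must close."""
    rows = []
    for f in sorted(functions.values(), key=lambda x: x.rto_hours):
        rt, loss = recovery_time(f.name, functions), worst_case_data_loss(f)
        rows.append({
            "function": f.name,
            "recovery_time_hours": rt, "rto_met": rt <= f.rto_hours,
            "data_loss_hours": loss, "rpo_met": loss <= f.rpo_hours,
        })
    return rows


def demo_functions():
    """Constructed example: a database, an order system on top of it, a portal on top of that."""
    fs = [
        CriticalFunction("database", rto_hours=4, rpo_hours=1, backup_interval_hours=6,
                         recovery_steps_hours={"restore": 2.0, "verify": 0.5}),
        CriticalFunction("order_entry", rto_hours=6, rpo_hours=1, backup_interval_hours=1,
                         recovery_steps_hours={"redeploy": 1.0}, depends_on=["database"]),
        CriticalFunction("customer_portal", rto_hours=4, rpo_hours=24, backup_interval_hours=24,
                         recovery_steps_hours={"redeploy": 1.0, "smoke_test": 0.5},
                         depends_on=["order_entry"]),
    ]
    return {f.name: f for f in fs}
```

On the constructed figures, `assess(demo_functions())` shows two gaps an analyst would take back to the plan: the database's six-hour backup interval cannot satisfy a one-hour RPO, and the portal's own 1.5 hours of work is fine but it cannot come back until the order system and database are restored, so its total recovery time is 5 hours against a 4-hour RTO. The cycle guard in `recovery_time` is there because dependency maps gathered from interviews do sometimes loop.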