Recently in Business Continuity Category

Like many other professions that have a security dimension, information security professionals are (or at least, should be) trained to deal with crises. Excellent training is available from many sources, one of which is the SANS Institute's Security 504: Hacker Techniques, Exploits and Incident Handling. Since I am a mentor for 504, I feel that I am fairly comfortable with the material. One of the topics that I have found lacking in most training of which I am aware is that, while several (very useful) approaches to incident handling are discussed, not all that much attention is paid to how to actually organize an incident response structure.

In order to provide some more guidance to my students, I have done some research and I ended up on the FEMA site. While the Federal Emergency Management Agency is often scorned or ridiculed, they do have some interesting materials available for free.

Some background information first. FEMA's mission is to support citizens and first responders to ensure that we work together to build, sustain, and improve our capability to prepare for, protect against, respond to, recover from, and mitigate all hazards. This definition has "government" written all over it, but there are some useful components for my purposes.

Specifically, the part where they mention "prepare for and respond to" (incidents) has relevance.

FEMA's emergency management institute provides many types of study in the field of emergency management, but the one that I am most interested in is the independent self study option. Under the Independent Study Program, some very interesting resources are made available for free; more specifically, some modules are offered that address the Incident Command System (ICS).

IS-100.a Introduction to Incident Command System is a module that introduces the concept of an incident command system. "The Incident Command System, or ICS, is a standardized, on-scene, all-hazard incident management concept. ICS allows its users to adopt an integrated organizational structure to match the complexities and demands of single or multiple incidents without being hindered by jurisdictional boundaries." It does not take much imagination to see how this concept can be applied to information security incidents, or to wider incidents that include information security aspects.

The ICS approach is based on a few common concepts. The ones that are most relevant to us are the use of common terminology and clear text, adoption of a modular organization, management by objective, reliance on an incident action plan, and maintaining a manageable span of control.

The training material discusses roles and responsibilities of the incident commander, delegation of authority, unified command, command staff, general staff, and much more. All concepts that are very useful when dealing with security incidents or business continuity events.

I highly recommend taking a look at the online FEMA training offerings. They are free, include a self-assessment and, if you pass the online exam, they will even give you a pretty certificate in a PDF file. No pretty letters after your name though.

Backups for home user or small businesses

I have always been slightly paranoid about making backups of my home systems. While I use a network-based service for off-site backups, running a backup (and restoring one) is constrained by the amount of network bandwidth that you have available and might take a considerable amount of time to complete successfully.

After I ran out of local disk storage on my regular Linux PC (which had two disks in RAID-1 configuration), I started shopping around for a small network attached storage solution that would be able to scale with my needs.

I really only had a few requirements:

  • Must support disks in RAID-1 configuration
  • Must be able to provide a CIFS volume
  • Must be able to support multiple users with their own privileges
  • Must get good reviews on places like cnet, amazon, etc.
  • Must have a relatively small footprint (I do not like clutter in my work areas)
  • Must have low heat production and a low noise level
  • Should be able to support rsync
  • Could be nice to have ssh shell access
  • Could be nice to have ftp support

After doing some research, I decided to purchase a Synology NAS Disk Station which I loaded with two Western Digital 1 TB Caviar Green Hard Drives. I opted for the "green" drives because they only run at 5400 rpm, which makes them a little slower (not a problem for me), but they produce less heat and are less noisy. The solution is not the cheapest one out there, but I liked what I saw when I read the reviews and for backup solutions you usually get what you pay for.

When the shipment came in (well ahead of time; thanks Amazon!), I installed the two drives into the NAS without trouble. I was set to go once the device was hooked up to mains power and my network switch. On pressing the power button, the device came to life and started its boot sequence. Booting isn't all that fast, but that is not something that bothers me.

Installation using the provided disk was straightforward, and it became clear that this little power house has Linux under the hood. Note that as far as I can tell, installation using the provided CD-ROM is necessary; part of the initial install seems to be flashing a new firmware onto the device. Since the NAS will be connected to by several devices, I configured the device with a static IP address, but it also supports DHCP.

Anyone who is familiar with Linux logical volume management and software RAID will be immediately at home. The machine is very feature rich, but comes out of the box with just about all network services turned off: the way it should be.

The footprint on the network is nice: no unnecessary services are running, just what you would hope for. The device offers a wide range of connectivity options: rsync, ssh, smb, ftp, telnet, etc. It can function as a BitTorrent client, a web server, a mysql server, and it even has some basic blog authoring support. I don't need most of these things, but my inner geek cannot help grinning and uttering several "cool!"s. I haven't seen an option yet to have it send syslog data to another device.

The web-based GUI is nicely finished, but may be a little confusing for people without a strong background in managing a Linux-based storage device.

While the disks were initializing in RAID-1 (which takes a while for 1TB drives), activating the rsync server and the SMB share was as easy as checking two boxes, creating a user and assigning the appropriate privileges.

Other features include NTP, setting "power on" and "power off" times, integration with a UPS if you have one (mine is coming; our power grid is notoriously noisy and fairly unreliable), S.M.A.R.T. reporting, email notifications with a configurable SMTP server (including SSL and authentication support) and much more.

All in all, the device seems very nice for the price and it is worth taking a look at!
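The post opens with the point that a backup is only worth as much as the restore you can get out of it, and the NAS copy is what that restore would come from. The following script is an added example, not part of the original post and not Synology's or rsync's own code: rsync or the SMB share does the copying, and this script independently hashes the source tree and the copy on the mounted share, then reports anything a restore would get wrong (files never copied, files that differ, stray files only on the NAS). The directory names and sample files in `demo()` are constructed for the demonstration; in real use you would point `verify_backup()` at your home directory and the mounted share.

```python
"""Verify that a backup copy on a NAS share actually matches its source.

Added example (not from the original post): rsync and the NAS firmware do
the copying; this script only answers the question the post raises, namely
whether the copy you would restore from is complete and intact. Paths and
sample files below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the link target is hashed where it actually lives
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare_manifests(source: dict, backup: dict) -> dict:
    """Classify the differences between a source manifest and a backup manifest."""
    missing = sorted(k for k in source if k not in backup)
    mismatched = sorted(k for k in source if k in backup and source[k] != backup[k])
    extra = sorted(k for k in backup if k not in source)
    # "ok" means a restore would reproduce the source; extras are reported but
    # do not fail the check, since a share may legitimately hold older copies.
    return {"missing": missing, "mismatched": mismatched, "extra": extra,
            "ok": not (missing or mismatched)}


def verify_backup(src: Path, dst: Path) -> dict:
    """Hash both trees and report what a restore from dst would get wrong."""
    return compare_manifests(build_manifest(src), build_manifest(dst))


def demo() -> dict:
    """Constructed scenario: one good copy, one truncated copy, one file never copied."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "home"
        dst = Path(tmp) / "nas_share"  # stands in for the mounted CIFS/rsync target
        (src / "docs").mkdir(parents=True)
        (dst / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("keep this\n")
        (dst / "docs" / "notes.txt").write_text("keep this\n")         # identical copy
        (src / "docs" / "ledger.csv").write_text("a,b\n1,2\n3,4\n")
        (dst / "docs" / "ledger.csv").write_text("a,b\n1,2\n")         # truncated copy
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)  # never copied
        (dst / "old.bak").write_text("stale\n")                          # only on the NAS
        return verify_backup(src, dst)


if __name__ == "__main__":
    print(demo())
```

Hashing the share over the network is slow for large trees, which is the same bandwidth constraint the post mentions for restores; running the check as a scheduled job after each rsync pass, and keeping the resulting manifest alongside the backup, makes the cost incremental and gives you a record to compare against later.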

Two more excellent GIAC Gold Papers

Since I have taken the role of a GIAC Gold adviser, I have seen many good papers pass by. Every now and then, some jump out as being clearly above average. This week has been a particularly good week and two new additions have joined the reading room.

Security Incident Handling in High Availability Environments by Algis Kibirkstis adopts the point of view of a telecommunications provider. Having done some data modeling work in large telephone exchanges myself, I have always been intrigued by the high level of requirements that this industry puts on itself. Kibirkstis provides an excellent overview of the concept of High Availability (carrier-grade reliability) and goes on to describe how the incident handling process takes place in these environments. The paper ends with a set of 8 concrete recommendations. The paper is available here.

Investigative Tree Models by Rodney Caudle ties in to my other fascination: how to use symbolic models to improve real-world situations. No, I am not talking about glossy fashion magazine models, but things like decision trees, graphs, etc. Caudle describes how to use attack trees to aid incident investigations. He takes the reader through the formal definitions of these models and clearly explains them by providing well-documented examples. The second part of the paper describes a full case study on how to use a tree model to obtain proof in an investigation into email abuse. The paper wraps up with a brief conclusion and a look forward at some possible future trends. The paper is available here.

More information about GIAC Gold certification can be found on the GIAC website.

Planning for a new wave of H1N1


I do not watch much TV, but as far as I can tell, the media have been relatively quiet about the Swine Flu recently. Many experts agree that there is a good chance that we will see a second wave of infections, which might be larger than the previous one. Especially for businesses that are facing rough times and that are already running on a skeleton crew, business continuity can be seriously jeopardized if a significant number of employees are going to be out sick for an extended period of time.

Organizations can do a few things to reduce the chance that they are confronted with significant employee absence. The Centers for Disease Control (CDC) recommend the following:

  • Wash your hands often and thoroughly.
  • Cover your nose and mouth with a tissue when you cough or sneeze. Throw the tissue in the trash after you use it.
  • Avoid touching your eyes, nose or mouth. Germs spread this way.
  • Try to avoid close contact with sick people.
  • If you are sick with flu-like illness, stay home for at least 24 hours after your fever is gone except to get medical care or for other necessities. Keep away from others as much as possible to keep from making others sick.

Talk to your employer to see if she or he is willing to put up alcohol-based soap dispensers by the entrances to your work area, and use them every time you enter your workplace. If they do, make sure the dispensers are refilled when empty and fixed if they are broken.

Alternatively, obtain a bottle of alcohol-based hand sanitizer and wash your hands every time you return to your desk. This is a very low-cost solution, but one that is extremely effective. These measures will not provide 100% protection, but they will reduce your chance of getting sick.

Businesses should start to verify that employees who are able to work from home have the ability to do so. Verify that everyone has their authentication credentials lined up, and if you use a secondary form of authentication, double check that your licenses are sufficient and not about to expire. Remind employees of the organization's policy for telecommuting and have workers test their remote access. If revenue streams allow, a great way to test this is by granting employees a 'telecommute day'.

While a lot of these precautions might turn out to be unnecessary, when it comes to human safety, it is better to be over-prepared.