NSF_TaskDescription_T6_V1 1
NSF DEANZA SECURITY COURSE
Task Description: Task 6
Title: Document Procedures for Emergency Response
1. AUTHOR: Param Talwar
2. PERFORMANCE OBJECTIVES/SKILLS
(1). Pre-requisite skills:
The student should:
i. Know network security technology, such as cryptography, firewalls, VPNs, denial of
service, and access controls.
ii. Know the TCP/IP protocol suite and how it maps onto the 7-layer OSI model.
iii. Know how to secure an operating system and the applications running on it.
iv. Be aware of the security layers, such as network, application, operating system,
middleware, database and presentation layers.
v. Have good writing and communication skills.
(2) New skills introduced/learned:
- Be able to recognize common abnormal occurrences in networks.
- Draft recovery steps for each of the most likely emergencies.
- Be aware of and document expected outcomes for each set of emergency procedures.
- For cases where 100% recovery isn’t possible, explain why.
3. KEY TOPICS COVERED
(1). Document Procedures for Emergency Response. Since an emergency may be sudden
and without warning, these procedures are designed to be flexible in order to accommodate
contingencies of various types of magnitudes.
(2). In addition, the document should cover the notification and communication procedures,
including escalation procedures.
4. SCENARIO SET UP (the business problem in the case, and student task)
Business Problem:
While monitoring helps validate that Security Policy is enforced, the documented results from
monitoring may lead to observation of patterns of abnormal activity. This can provide an early
stage diagnosis of threats (can be malicious or accidental threats). It is crucial for an organization
to be prepared with a set of actions to take when there is an emergency.
Student Task:
Identify the possible emergencies and prepare recognition conditions, a set of steps for each
emergency to bring the business operations back to its original state, and expected outcomes for
each set of procedures. All threats and attendant procedures that don’t take the systems back to
their original state must be documented.
Additional Notes on Scenario/Task:
Re Emergency Response document: In some sense you’re creating a cookbook. You have
recognition conditions for threats. Once threats are recognized, you have steps to take. Once
you’ve taken steps, you have expected outcomes.
Re expected outcome section: Business needs to understand the expected outcome section,
esp. for risk procedures that won’t fully restore systems to their original state. To mitigate risk,
someone in upper management should be aware of the implications of these scenarios.
Output Sharing
Because all student groups might not choose to address the same emergencies, we should have
groups give presentations or provide a master list after the fact, to share task outcomes.
Resource: CERT
Network Magazine
Re procedures: Where relevant, should include steps like who to call, e.g., Do we know who to
call at the IFC when a denial of service attack occurs?
Regarding the scenario:
In what context might someone be asked to prepare an emergency response document?
Preparing an emergency response document is not meant to be a response to an actual
emergency; it is a proactive task that should be completed well in advance and actually be
referred to at the time of an emergency. Someone may be asked to prepare an emergency
response document as a preparatory task so that an emergency can be dealt with effectively. At
the same time, the document should be flexible rather than static, so that new types of
challenges can easily be incorporated into it.
Emergencies are not conducive to clear-headed analysis and planning. When seconds count,
it’s hard to weigh options rationally, discuss alternatives coolly, run simulations and make the
best judgment. Far better is to plan for emergencies with plenty of time and practice so that
response during the emergencies themselves can be fast, effective and efficient.
What might the request to create an emergency response document look like?
It should be short and in point form.
The emergency response document could be 2-tier.
a. Detailed document that is reviewed, on a regular basis.
b. Bullet document that contains specific instructions regarding what needs to be
done and in what priority, in a pre-conceived format.
What information would this request need to contain in order for the recipient to be able to
carry out the task?
- Receive and log incident call
- Determine the threat and categorize reported incident
- Inform the proper authorities and response teams
- Follow-up actions during the process of recovery and/or investigation
- Formal feedback to management
5. SCENARIO RESOURCES—These are documents that we provide to students to help them
complete the task.
a. C-Bay Profile/Network Information (This will need to come from earlier tasks, Task 1 lays out
this information, but additional details about C-Bay and its network will be provided in Tasks 2,3
and 4.)
b. C-Bay Security Policy (The last time the policy could have been updated is in Task 4.)
c. Is there additional information the student will need to complete this task? If so, what is
it?
Incident handling includes three functions: incident reporting, incident analysis, and incident
response.
6. STUDENT SOLUTION DELIVERABLES
A. Emergency Response document that, for a set of common security emergencies,
documents (for each emergency):
- Recognition conditions – review the monitoring results; a red flag should be raised when an
established pattern is not being followed.
- Recovery steps – these depend on how the company has been hit, i.e. on the category the
emergency falls under.
- Expected outcomes – the pre-conceived outcomes for each type of emergency the company
has been hit by.
Any case in which recovery is less than 100% reflects a flaw in the monitoring systems. But it
may not make business sense to address the flaw. All risks that don’t take the systems back to
their original state must be documented. (Must explain why 100% recovery isn’t tenable.)
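The "cookbook" structure above (recognition condition, then recovery steps, then expected outcome, with a written reason wherever recovery is less than 100%) can be expressed directly in code so that the document is checked for completeness and the short "bullet" tier is generated from it. The following is an added example written for this page, not material from the course; the five categories are the ones listed later in this task, while the observation field names, the thresholds, the recovery steps and the contacts are assumptions for illustration.

```python
"""Emergency response cookbook: recognition -> recovery steps -> expected outcome.
Field names, thresholds, steps and contacts are assumptions for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# One observation set is what a monitoring review hands over: named measurements.
Observations = Dict[str, object]


@dataclass
class Procedure:
    category: str                                # one of the five incident categories
    recognition: Callable[[Observations], bool]  # red flag: the expected pattern is broken
    recovery_steps: List[str]                    # point form, in priority order
    expected_outcome: str
    full_recovery: bool
    why_not_full: Optional[str] = None           # must be filled in when full_recovery is False
    escalate_to: List[str] = field(default_factory=list)  # who to call, in order


def _ratio(obs: Observations, key: str, baseline_key: str) -> float:
    """Current measurement divided by its baseline; 0.0 if either is missing."""
    current = float(obs.get(key, 0) or 0)
    baseline = float(obs.get(baseline_key, 0) or 0)
    return current / baseline if baseline else 0.0


COOKBOOK: List[Procedure] = [
    Procedure("Loss of confidentiality of information",
              lambda o: bool(o.get("unauthorized_data_access", False)),
              ["Revoke the credentials that were used", "Identify which records were read",
               "Notify the data owner"],
              "Access path closed; exposed records identified and their owners informed.",
              full_recovery=False,
              why_not_full="Information that has already been disclosed cannot be recalled.",
              escalate_to=["security lead", "legal contact"]),
    Procedure("Compromise of integrity of information",
              lambda o: len(o.get("checksum_mismatches", [])) > 0,
              ["Take the affected system offline", "Restore the files from the last verified backup",
               "Re-check the restored files against their known-good checksums"],
              "Files match their known-good checksums again.",
              full_recovery=True, escalate_to=["system administrator", "security lead"]),
    Procedure("Denial of service",
              lambda o: (not o.get("web_service_up", True))
                        or _ratio(o, "requests_per_sec", "baseline_requests_per_sec") > 5.0,
              ["Confirm the service is unreachable from outside", "Call the upstream provider",
               "Apply rate limiting at the firewall"],
              "Service reachable again at normal response times.",
              full_recovery=True, escalate_to=["network administrator", "upstream provider contact"]),
    Procedure("Misuse of service, systems or information",
              lambda o: int(o.get("unauthorized_privilege_attempts", 0)) >= 3,
              ["Suspend the account involved", "Interview the staff member with HR present",
               "Record whether it was negligence or deliberate"],
              "Account contained; training or disciplinary action decided.",
              full_recovery=True, escalate_to=["IT manager", "HR"]),
    Procedure("Damage to systems",
              lambda o: bool(o.get("hardware_failure", False)),
              ["Replace the failed hardware", "Rebuild from the latest off-site backup",
               "List the functions that are still unavailable"],
              "Systems rebuilt up to the last backup point.",
              full_recovery=False,
              why_not_full="Data written after the last backup is lost.",
              escalate_to=["system administrator", "IT manager"]),
]


def validate_cookbook(cookbook: List[Procedure]) -> List[str]:
    """Categories whose entry is incomplete: less-than-full recovery with no reason,
    or nobody to call."""
    return [p.category for p in cookbook
            if (not p.full_recovery and not p.why_not_full) or not p.escalate_to]


def recognize(obs: Observations, cookbook: List[Procedure] = COOKBOOK) -> List[str]:
    """Apply every recognition condition to one observation set; return matching categories."""
    return [p.category for p in cookbook if p.recognition(obs)]


def bullet_document(obs: Observations, cookbook: List[Procedure] = COOKBOOK) -> List[str]:
    """The short 'bullet' tier: what to do, in what order, for the recognized emergencies."""
    lines: List[str] = []
    for p in cookbook:
        if not p.recognition(obs):
            continue
        lines.append(f"EMERGENCY: {p.category}")
        lines.append("  Call, in order: " + ", ".join(p.escalate_to))
        lines.extend(f"  {i}. {step}" for i, step in enumerate(p.recovery_steps, 1))
        lines.append("  Expected outcome: " + p.expected_outcome)
        if not p.full_recovery:
            lines.append("  Not 100% recovery because: " + (p.why_not_full or ""))
    return lines


if __name__ == "__main__":
    # Constructed observation set: a checksum mismatch plus a traffic spike on the web tier.
    sample = {"checksum_mismatches": ["/srv/app/bin/server"],
              "requests_per_sec": 1200, "baseline_requests_per_sec": 200}
    print("\n".join(bullet_document(sample)))
```

`validate_cookbook` is the check the deliverable asks for in code form: every entry that does not promise full recovery must carry its explanation, and every entry must name someone to call. Because the recognition conditions are plain predicates over measurements, the same cookbook can be evaluated against a monitoring summary during a drill as well as during a real event.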
Regarding the Emergency Response Document:
What distinguishes a good emergency response document from a bad one? What are the
characteristics of a good emergency response document?
A good emergency response document has clearly defined steps and can be easily followed,
whereas a bad one is hard to understand or follow, which amounts to wasting valuable time
during an emergency.
The characteristics of a good emergency document are:
- It takes the user through simple logical steps.
- It uses language that is easily understood by the user.
- It covers most of the types of emergencies that could take place.
- It shows the tasks to be conducted in the right sequence and if warranted at the
right time intervals.
- It shows the escalation procedures.
- It gives details of the system/s under attack including diagrams if possible.
What steps should students follow to create the emergency response document?
In order to create the emergency response document, the students should follow these steps:
- Get all the people involved in creating the document in one place and conduct a
brainstorming exercise. Keep an open mind and take down each person's suggestions before
eliminating any choices, which should be done with the consensus of the whole group.
- Bring in Subject Matter Experts in the meeting and take their views that should
be incorporated in the document. If possible, conduct individual interviews with
each of the Subject Matter Experts and bring their consolidated
views/suggestions to the group.
- An objective forum of the students, assigned the task, should review each of the
suggestions and start incorporating the same into the document.
What categories of information should a good emergency response document contain? What
should be outlined within each section?
The categories of information required for a good emergency document would depend on the
category of the emergency since the response for each category would be different. Each
category should have point-wise instructions to deal with the situation and ways to recover
losses, if any.
An emergency incident could fall into any of the following categories:
- Loss of confidentiality of information.
- Compromise of integrity of information.
- Denial of service.
- Misuse of service, systems or information.
- Damage to systems.
Are there examples of good emergency response documents we can show students to help
them with this task? If so, where? Why are they good examples?
Yes, there are examples of good emergency response documents. (I will be giving a good
example in a few days that could be incorporated here. In case anyone else has any
suggestions please let me know.)
B. (Possibly) Revised Security Policy noting any additional recommended changes for the
security policy, based on the findings about expected outcomes task.
Regarding the Security Policy:
What information should be included in a good security policy about emergency procedures?
Apart from the information stated above regarding the emergency procedures to be included in
the security policy, the following should also be included:
- Training – training should definitely be part of the procedure so that everyone is
familiar with the document at the time of the emergency, rather than looking for the
procedure to act at the time of a real emergency.
- Reviewing on a regular basis – since circumstances keep changing and newer
threats come into play, the policy should be reviewed at regular intervals, in order
to keep it up to date so that it evolves with the changing times and threats.
7. KEY DECISIONS
What key decisions will learners need to make when identifying recognition conditions?
- The most important decision the learners need to make is to consciously begin the process
of containing/mitigating the emergency.
- To recognize and react to the situation rather than hoping it will soon resolve on its own.
- To be able to distinguish abnormal activity from routine activity.
- To know when to enact recovery steps.
What key decisions will learners need to make when identifying recovery steps?
The key decisions the learners need to make when identifying recovery steps would be:
- If there is a disaster, the system needs to be placed in recovery mode in order to restore
it.
- Assemble the key stakeholders together and set up an open communication with
them to get a proper feedback which should be incorporated in the recovery steps
part of the document.
What key decisions will learners need to make when determining expected outcomes?
- The learners should make a commitment to move forward.
- One person in the group should be made accountable for making the decisions so
that timely decisions are made.
What key decisions will learners need to make when determining whether some of the
risks that don’t take systems back to their original state are ok, while others should be
corrected?
- The leading body set up by the students has to decide what compromises have to
be made after determining the type of emergency and expected outcome.
8. COMMON MISTAKES
What are the most common mistakes people make, or might students make, when identifying
recognition conditions?
- The most common mistake people make is not recognizing that they are in a state
of emergency, thus wasting valuable time.
What are the most common mistakes people make, or might students make, when identifying
recovery steps?
- The most common mistake people make is that, when they see an emergency, they tend to act
alone rather than treating it as a collective effort, at times making changes to the process
on the fly that could have far-reaching implications.
What are the most common mistakes people make, or might students make, when
determining expected outcomes?
- Assuming that everything will work normally and that there will be 100% recovery.
What are the most common mistakes people make, or might students make, when
determining which risks the emergency response document won’t provide 100% recovery for,
because it doesn’t make business sense?
- Not recognizing the category of the risk.
- Not realizing that making certain changes could have far reaching implications.
9. READINGS & EXTERNAL RESOURCES
What resources (books, websites, tutorials, etc.) can we point students to help them create
their emergency response document?
CERT
Network Magazine
10. MENTOR/FACULTY RESOURCES
What might a model student solution look like for the emergency response document—i.e.,
what are the most common emergencies that students should plan for? For each emergency,
what steps should they take? For each set of steps, what are the expected outcomes? For
which emergencies does it make sense not to plan for full recovery?
- The first step is to look for the definition of the emergency level.
- Loss of confidentiality of information.
It could happen by an unauthorized person getting access to confidential
information by fraudulent means or hacking. In this type of emergency the
recovery can be complete but certain changes would have to be made to the fields
so that it should not be allowed to happen again.
- Compromise of integrity of information.
This emergency could be the result of an internal person compromising the
integrity. The recovery can be complete depending upon the extent of the
damage.
- Denial of service.
This could happen due to password expiry that could be rectified with no damage.
- Misuse of service, systems or information.
This again could be due to internal staff by either negligence or a deliberate act.
The staff member should be given training or reprimanded, depending on if it was
a mistake or deliberate.
- Damage to systems.
If the systems have been damaged, rebuilding the data from backups may not give 100%
recovery. Some of the data could be completely lost, or the system/s may no longer be able to
perform some of their functions.
What recommendations should students have made to the security policy?
In order to have a robust security policy the students should have made the following
recommendations:
- Perform background checks for all workers. All workers to be placed in computer-related
positions of trust must first pass a background check. This should extend to all new
employees, re-hired employees and transferred employees, as well as third parties such as
temporaries, contractors and consultants. This would help thwart many insider security threats.
- Maintain a low profile in the public’s eyes. There must be no signs indicating the location
of C-Bay’s computer or communication centers. This would decrease the possibility of physical
damage to the data centers.
- Wear a badge when inside C-Bay’s offices. All persons must wear an identification badge on
their outer garments so that both the picture and the printed information on the badge are
clearly visible. This would thwart attempts by unwanted persons to enter C-Bay’s premises and
pose a threat to the systems.
- Update and test information systems contingency plans. For computer and communications
systems, management must prepare, periodically update, and regularly test contingency plans.
- Store critical production data securely at an off-site location. Backups of essential
business information and software must be stored in an environmentally protected and
access-controlled site that is a sufficient distance from the originating facility to escape a
local disaster.
- Install the latest patches on systems located on the network periphery. All networked
production systems must have an adequately staffed process for expediently and regularly
reviewing all newly released system software patches, bug fixes, and upgrades.
- Install and monitor intrusion detection. To allow C-Bay to respond promptly to attacks, all
internet-connected multi-user computers must be running an intrusion detection system.
- Turn on a minimum level of system event logging. Computer systems handling sensitive,
valuable, or critical information must securely log all significant security-relevant events.
Examples of security-relevant events include password-guessing attempts, attempts to use
privileges that have not been authorized, and modifications to production application
software.
- Assign explicit responsibility for information security tasks. Specific information security
responsibilities must be incorporated into the job descriptions of all workers who have access
to sensitive, valuable, or critical information.
- Perform periodic risk assessments for critical systems. Information security risk
assessments for critical information systems and critical production applications must be
performed at least once a year.
- Periodic training for all staff. Staff should be trained and have gone through mock
situations in order to reinforce the procedures; this would help in resolving an actual
emergency. They should also be familiar with the document so that they know where to look for
the relevant information, or whom to call, at the time of an emergency rather than searching
for it and wasting valuable time. Consideration should also be given to the training to be
imparted to new staff regarding:
  - The constituency and the constituency's systems and operations.
  - Standard operating procedures and policies.
  - The information disclosure policy.
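The logging recommendation names three kinds of security-relevant events: password-guessing attempts, attempts to use unauthorized privileges, and modifications to production application software. The recognition conditions in the emergency response document only work if someone (or something) actually reads those logs for the patterns. Below is an added example, written for this page and not part of the course material, that scans a handful of constructed, simplified log lines for the three event kinds and maps each to one of the incident categories listed in this task. The line format, the `/srv/app/` path taken to hold production software, the five-failures-in-60-seconds threshold and the category mapping are all assumptions for illustration.

```python
"""Scan simplified log lines for the three security-relevant event kinds named in the
logging recommendation. Log format, path, threshold and category mapping are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed, simplified log lines for the example (not output of any real system).
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2024-03-02T10:15:01 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-02T10:15:03 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-02T10:15:04 host1 sshd: Failed password for root from 203.0.113.7
2024-03-02T10:15:06 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-02T10:15:08 host1 sshd: Failed password for admin from 203.0.113.7
2024-03-02T10:15:30 host1 sshd: Failed password for alice from 198.51.100.20
2024-03-02T10:16:10 host1 sudo: bob : command not allowed ; COMMAND=/bin/su
2024-03-02T10:20:00 host1 fim: modified /srv/app/bin/server uid=1002
2024-03-02T10:21:00 host1 sshd: Accepted password for alice from 198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
NOT_ALLOWED_RE = re.compile(r"(?P<user>\S+) : command not allowed ; COMMAND=(?P<cmd>\S+)")
MODIFIED_RE = re.compile(r"modified (?P<path>\S+) uid=(?P<uid>\d+)")

GUESS_THRESHOLD = 5                  # failures from one source...
GUESS_WINDOW = timedelta(seconds=60)  # ...within this window count as password guessing
PRODUCTION_PREFIX = "/srv/app/"      # assumed location of production application software

# Assumed mapping from event kind to the incident categories used in this task.
EVENT_CATEGORY = {
    "password_guessing": "Misuse of service, systems or information",
    "unauthorized_privilege": "Misuse of service, systems or information",
    "production_software_modified": "Compromise of integrity of information",
}


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one line into timestamp, host, program and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.fromisoformat(str(rec["ts"]))
    return rec


def significant_events(text: str) -> List[Tuple[str, str]]:
    """Return (event_kind, detail) pairs in log order. Password guessing is reported once
    per source, at the moment the failure count inside the window reaches the threshold."""
    events: List[Tuple[str, str]] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, msg = rec["ts"], str(rec["msg"])
        assert isinstance(ts, datetime)
        if (m := FAILED_RE.search(msg)):
            src = m["src"]
            recent = [t for t in failures[src] if ts - t <= GUESS_WINDOW]
            recent.append(ts)
            failures[src] = recent
            if len(recent) == GUESS_THRESHOLD:
                events.append(("password_guessing",
                               f"{src}: {len(recent)} failures within {GUESS_WINDOW.seconds}s"))
        elif (m := NOT_ALLOWED_RE.search(msg)):
            events.append(("unauthorized_privilege", f"{m['user']} tried {m['cmd']}"))
        elif (m := MODIFIED_RE.search(msg)) and m["path"].startswith(PRODUCTION_PREFIX):
            events.append(("production_software_modified", f"{m['path']} by uid {m['uid']}"))
    return events


def categories_hit(text: str) -> List[str]:
    """Distinct incident categories, in first-seen order, that the log evidence points to."""
    seen: List[str] = []
    for kind, _ in significant_events(text):
        cat = EVENT_CATEGORY[kind]
        if cat not in seen:
            seen.append(cat)
    return seen


if __name__ == "__main__":
    for kind, detail in significant_events(SAMPLE_LOG):
        print(f"{kind:30} {detail}")
    print("categories:", categories_hit(SAMPLE_LOG))
```

The single failed login from `198.51.100.20` is deliberately left below the threshold: one failure is routine activity, a burst from one source is the abnormal pattern the recognition condition is looking for, which is the distinction the task asks learners to make. The categories returned are what the cookbook's recovery steps would be looked up by.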
What preparation and prior knowledge will mentors need to mentor this task?
Mentors should be aware of the type of security threats the company can encounter and
should have plans to mitigate them.
What resources will be helpful for them to refer to in order to prepare for this task?
The most important resource would be the emergency document prepared for this
eventuality.
What coaching questions will help the mentors facilitate student learning?
Walking the students through realistic scenarios and posing questions based on the
scenarios would help the mentors facilitate student learning. This would reinforce the
different procedures the students have learnt about dealing with the threat/s.
What should the mentor keep in mind or be aware of when facilitating this task?
The mentor should make sure that everyone in the class gets an opportunity to participate.
Moreover, such methodical walkthroughs of realistic scenarios would help everyone learn from
the experience and leave them better equipped for real situations if and when they occur.