Cyber resilience: planning to bounce back
Dr Andrew Lenaghan, OxCERT
28/11/2017
A Lenaghan, OxCERT. Thursday 9, 9:45-10:15. Cyber resilience: planning to bounce back
JISC Security Conference 2017, Manchester UK
Qu: What could hurt us?
Possible Scenarios

Ref | Description of example scenario | Resource impacted
----|---------------------------------|------------------
1 | Permanent loss of 2+ staff members (death / dismissal / leaving) within 1 month. | Lack of people
2 | Contagious illness causes shortage of staff, e.g. a new flu strain causes half the staff to be absent for >1 week. | Lack of people
3 | Training and holiday commitments cause shortage of staff, e.g. 2 staff down >3 days. | Lack of people
4 | Fire guts office; all equipment (laptops / computers / screens / phones / printers) lost. | Lack of access
5 | Break-in leads to the theft of laptop and desktop computers from the OxCERT office. | Lack of access
6 | Loss of service: plumbing, heating, telephony, internet access (VoIP). | Lack of access
7 | Evacuation due to gas leak: unexpected loss of access to offices (>4h). Offices undamaged. | Lack of access
8 | Unexpected short-term loss of mains power to a data centre (<2h). No damage to equipment. | Lack of infrastructure
9 | DDoS on JANET causes loss of internet connectivity for a prolonged period (>4h). | Lack of infrastructure
10 | Loss of fibre connectivity between DCs. | Lack of infrastructure
11 | Incident causing irrecoverable loss of equipment at a data centre, e.g. fire. | Lack of infrastructure
12 | Loss of mains power to OxCERT offices in Wellington Square (<2h). | Lack of infrastructure
13 | [Within Uni] Loss of VM in hosting. | 3rd-party service
14 | [With vendor] Disruption to AV signature distribution; mail and desktop AV cannot be updated. | 3rd-party service
15 | Component failure on the server acting as XEN (VM) host causes a crash and failure to restart. | Miscellaneous
16 | Cryptolocker-style compromise on NAS leads to data becoming irretrievable due to encryption. | Miscellaneous
17 | Rootkit infection of bastion host requires it to be isolated for investigation and rebuild. | Miscellaneous
18 | Police seizure of server for criminal investigation. | Miscellaneous
Our outlook: guarded optimism
Hope for the best, plan for the worst
Artefacts & Audiences
[Diagram: the four artefacts and their audiences. Artefacts: Business Impact Assessment (BIA), Business Continuity Plan (BCP), Disaster Recovery Procedures, Backup arrangements. Labels on the diagram: Keeping running...; Restarting from scratch; Parameters; Engineering; Management; Potential Scenarios; Operations; Exercises.]
Principles (& dog food)
❖ Eating your own dog food (credibility): get our own house in order before we start laying down the law to others.
❖ Being open (& setting users' expectations): be transparent about the service levels we set & be held to account by our users if we fall short.
❖ Building a predictable response: do the engineering, planning and testing to have confidence we can achieve the targets.
CERT Requirement
OxCERT must continue to operate even where there is significant damage to, or sustained hostile activity against, ourselves or the network infrastructure of the University we defend.
Be Resilient

Cyber Resilience - is this new?

Traditional information security
Assumes a stable environment and evolutionary change.
Aim: deal effectively with known risks / threats
❖ Best practice
❖ Lessons learned
❖ Risk averse
Getting better

Cyber Resilience (culture)
Assumes a turbulent environment / disruptive technologies, step changes which are unknown / unpredictable.
Aim: anticipate & adapt
❖ Agility - ability to change
❖ Anticipating / forward looking
❖ Innovation / creativity to meet threats
Getting different
Business Organisation Impact Assessment
It's not about how or why, or the likelihood of a failure; just focus on 'if'.
What did we need to think about?
Geographic locations OxCERT operates from
The services we offer and the relative priorities for recovering them
Dependencies
❖ Stakeholders who depend on OxCERT
❖ External systems, services and vendors OxCERT depends on
Single points of failure in our infrastructure
Key person risks in the team
The shape of a disaster
[Figure, built up over three slides: service level (y axis; 100% = BAU) plotted against time (x axis). Marked points and intervals: last good backup; RPO (the gap between the last good backup and the moment the disaster strikes); disaster strikes; response; downtime; Recovery Time Objective (RTO); Minimum Acceptable Service Level; Maximum Acceptable Outage (MAO); full service restored. Two outcomes are drawn: "Recovery achieved", where service is restored within the RTO, and "Recovery failed", where the outage runs past the MAO.]
OxCERT BIA: on one page....

Service name | Relative priority | Recovery time objective (RTO) | Maximum Acceptable Outage (MAO)
-------------|-------------------|-------------------------------|--------------------------------
Security incident response | 1 | 3 days | 1 week
Network monitoring | 2 | 1 week | 2 weeks
Advising and alerting (vulnerabilities) | 3 | 2 weeks | 2 months

A Business Impact Assessment on a page
How service impact grows over time, e.g. security incident response service
[Figure: a grid of impact level (rows, bottom to top: Marginal, Acceptable, High, Catastrophic) against outage duration (columns: 2h, 4h, 8h, 24h, 48h, 1 week, 2 weeks, 1 month). The plotted points step up from Marginal at short outages to Catastrophic at long ones; the MAO is marked on the Catastrophic row.]
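As an added worked example (not part of the slides or of OxCERT's own material), the Python below puts the three BIA targets from the "BIA on one page" table onto the "shape of a disaster" timeline: downtime is measured forward from the moment the disaster strikes and compared with the RTO and MAO, while data loss is measured backward to the last good backup and compared with an RPO. It also handles a recovery that is still in progress by reporting how long remains before the MAO is blown, which is the number a recovery coordinator actually wants during an exercise. The timeline dates, the 24h RPO and the 30-day month are constructed assumptions; the slides give none of them.

```python
from datetime import datetime, timedelta

# Recovery targets transcribed from the "OxCERT BIA: on one page" slide.
BIA_TARGETS = {
    "Security incident response": {"priority": 1, "rto": "3 days",  "mao": "1 week"},
    "Network monitoring":         {"priority": 2, "rto": "1 week",  "mao": "2 weeks"},
    "Advising and alerting":      {"priority": 3, "rto": "2 weeks", "mao": "2 months"},
}

# Hours per unit. A month is taken as 30 days: an assumption, the slides do not define it.
_HOURS_PER_UNIT = {
    "h": 1, "hour": 1, "hours": 1,
    "day": 24, "days": 24,
    "week": 168, "weeks": 168,
    "month": 720, "months": 720,
}


def parse_duration(text):
    """Turn a slide-style duration ('3 days', '2 weeks', '<2h', '> 4h') into a timedelta."""
    t = text.strip().lstrip("<>").strip().lower()
    i = 0
    while i < len(t) and (t[i].isdigit() or t[i] == "."):
        i += 1
    number, unit = t[:i], t[i:].strip()
    if not number or unit not in _HOURS_PER_UNIT:
        raise ValueError("unrecognised duration: %r" % text)
    return timedelta(hours=float(number) * _HOURS_PER_UNIT[unit])


def hours(td):
    return td.total_seconds() / 3600


def assess_outage(service, disaster_at, recovered_at=None, now=None,
                  last_good_backup=None, rpo=None):
    """Place one service's outage on the 'shape of a disaster' timeline.

    Downtime runs forward from the disaster to recovery (or to `now` if still
    recovering); data loss runs backward from the disaster to the last good backup.
    """
    targets = BIA_TARGETS[service]
    rto, mao = parse_duration(targets["rto"]), parse_duration(targets["mao"])
    end = recovered_at if recovered_at is not None else now
    if end is None:
        raise ValueError("need recovered_at for a finished recovery or now for one in progress")
    downtime = end - disaster_at

    if downtime > mao:
        status = "recovery failed (MAO exceeded)"
    elif recovered_at is None:
        status = "RTO missed, MAO not yet reached" if downtime > rto else "in progress, within RTO"
    else:
        status = "recovered late (RTO missed, within MAO)" if downtime > rto else "recovery achieved (within RTO)"

    report = {
        "service": service,
        "priority": targets["priority"],
        "downtime_hours": hours(downtime),
        "rto_hours": hours(rto),
        "mao_hours": hours(mao),
        "time_to_mao_hours": hours(mao - downtime),  # negative once the MAO has been exceeded
        "status": status,
    }
    if last_good_backup is not None:
        data_loss = disaster_at - last_good_backup
        report["data_loss_hours"] = hours(data_loss)
        if rpo is not None:
            report["rpo_met"] = data_loss <= parse_duration(rpo)
    return report


def run_constructed_exercise():
    """A constructed tabletop timeline (not from the slides) for scenario 16, the
    cryptolocker-style compromise of the NAS. All dates and the 24h RPO are assumptions."""
    disaster = datetime(2017, 11, 9, 9, 45)
    backup = datetime(2017, 11, 8, 2, 0)  # last good backup taken before the NAS was encrypted
    reports = [
        assess_outage("Security incident response", disaster,
                      recovered_at=datetime(2017, 11, 11, 9, 45),
                      last_good_backup=backup, rpo="24h"),
        assess_outage("Network monitoring", disaster,
                      recovered_at=datetime(2017, 11, 19, 9, 45)),
        assess_outage("Advising and alerting", disaster,
                      now=datetime(2017, 12, 1, 9, 45)),  # still being rebuilt
    ]
    return sorted(reports, key=lambda r: r["priority"])


if __name__ == "__main__":
    for r in run_constructed_exercise():
        print("%-28s %6.0fh down  RTO %4.0fh  MAO %5.0fh  -> %s"
              % (r["service"], r["downtime_hours"], r["rto_hours"], r["mao_hours"], r["status"]))
```

The strict `>` comparisons mean an outage of exactly the RTO still counts as achieved; the thresholds in the BIA are targets, so a team may prefer to treat "equal to MAO" as already failed and tighten the comparison accordingly.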
BIA Reflections
Conducted between Q3 and Q4 2016
❖ Planned 9.5 days of effort, an underestimate
❖ Biggest issue: capturing what we did in a structured way
Keep it simple: focus on identifying a few high-level services (then subdivide these into internal activities)
Quick wins! Analysis helped us identify:
• Single points of failure: firewall, office VPN server
• Key person risks: sysadmin skills
Buy-in. Targets were:
• Reviewed by team & management
• Signed off by CISO
Business Continuity Planning
A Business Continuity Plan on a page
[Flowchart, built up over three slides. The steps fall into three phases: Recognise (steps 1-3), React (steps 4-5) and Recover (steps 6-8).]
1. Disaster occurs
2. Perform an initial damage assessment
3. Activate the plan? No: stop. Yes: continue to step 4.
4. Form recovery team & designate coordinator
(5). Relocate recovery team to alternate site & establish operations? (Optional; "Yes" leads on to step 6.)
6. Open an incident log & communicate to key staff & teams
7. Incident coordination: execute specific recovery procedures
8. Stand down the recovery team & transition back to normal operations

Phase | Objective
------|----------
1. Disaster occurrence | Safety of staff and visitors
2. Initial damage assessment | Develop an initial overview of the situation
3. Activating the plan | Decide whether to activate the plan based on the initial damage assessment of locations and systems
4. Form recovery team | Form the recovery team, designate a recovery coordinator
5. (Relocate to alternate site) | Establish a working environment from which to conduct the recovery and resume services
6. Open an incident log | Maintain a record of key milestones and decisions taken during the recovery process
6. External communication actions | Inform key staff and teams that recovery is underway
7. Incident coordination | Limit damage, prioritise performing recovery procedures, estimate recovery time
8. Standing down | Establish business as usual, inform key staff and teams
How are we getting on?
Climbing the BCP/DR maturity ladder

Level | Approach | Characteristics | OxCERT recovery
------|----------|-----------------|----------------
5 | Resilient | BCP/DR thinking integrated into processes; metrics & continuous improvement; audited / reported on to senior management | Confident / consistent
4 | Proactive | Documented and maintained recovery plan; exercises validate the plan; importance recognised & resourced | Likely to meet targets
3 | Prepared | Clear recovery procedures; established recovery targets (RPO/RTO); need recognised, coordinated action | Probable but vulnerable to surprises
2 | Reactive | Partial backups / fragmented approach; informal / undocumented plan, key person risk; need recognised but inconsistently enacted | Possible
1 | Ad hoc | No recovery plan; minimal or no backups; no buy-in | Partial / unlucky

(The slide also carries "Start" and "End" markers against the ladder.)
On to BCP exercises....
"Everybody has a plan until they get punched in the mouth."

Dr Andrew Lenaghan, OxCERT
JISC Security Conference 2017, Manchester UK, v.04
Cyber resilience: planning to bounce back
jisc.ac.uk
Thank you
Dr Andrew Lenaghan (OxCERT)
28/11/2017 Cyber resilience: planning to bounce back

Weitere ähnliche Inhalte

Ähnlich wie Cyber resilience: planning to bounce back

Varrow Madness 2014 DR Presentation
Varrow Madness 2014 DR PresentationVarrow Madness 2014 DR Presentation
Varrow Madness 2014 DR PresentationAndrew Miller
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery PlanDavid Donovan
 
Business Continuity Planning and Disaster Recovery Plannin.docx
Business Continuity Planning and Disaster Recovery Plannin.docxBusiness Continuity Planning and Disaster Recovery Plannin.docx
Business Continuity Planning and Disaster Recovery Plannin.docxfelicidaddinwoodie
 
Cyber Security and Business Continuity an Integrated Discipline
Cyber Security and Business Continuity an Integrated DisciplineCyber Security and Business Continuity an Integrated Discipline
Cyber Security and Business Continuity an Integrated DisciplineGraeme Parker
 
Business continuity and disaster recovery
Business continuity and disaster recoveryBusiness continuity and disaster recovery
Business continuity and disaster recoveryAdeel Javaid
 
Business continuity presentation
Business continuity presentationBusiness continuity presentation
Business continuity presentationSteveKutzer
 
Introductory PresentationGoals of .docx
Introductory PresentationGoals of .docxIntroductory PresentationGoals of .docx
Introductory PresentationGoals of .docxbagotjesusa
 
Cyberdyne systems (2)
Cyberdyne systems (2)Cyberdyne systems (2)
Cyberdyne systems (2)Bryan Moss
 
Disaster Recovery: Understanding Trend, Methodology, Solution, and Standard
Disaster Recovery:  Understanding Trend, Methodology, Solution, and StandardDisaster Recovery:  Understanding Trend, Methodology, Solution, and Standard
Disaster Recovery: Understanding Trend, Methodology, Solution, and StandardPT Datacomm Diangraha
 
AITP July 2012 Presentation - Disaster Recovery - Business + Technology
AITP July 2012 Presentation - Disaster Recovery - Business + TechnologyAITP July 2012 Presentation - Disaster Recovery - Business + Technology
AITP July 2012 Presentation - Disaster Recovery - Business + TechnologyAndrew Miller
 
Ultan kinahan dr - minasi 2010
Ultan kinahan   dr - minasi 2010Ultan kinahan   dr - minasi 2010
Ultan kinahan dr - minasi 2010Nathan Winters
 
Building blocks for BCM programme
Building blocks for BCM programmeBuilding blocks for BCM programme
Building blocks for BCM programmeMalcolm Van Harte
 
Fulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BCFulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BCSteve Meek
 
Business Recovery Planning
Business Recovery PlanningBusiness Recovery Planning
Business Recovery PlanningNanette Struck
 
Team 4, Team PMP”IT Installation of the Adelphi V.docx
Team 4, Team PMP”IT Installation of the Adelphi V.docxTeam 4, Team PMP”IT Installation of the Adelphi V.docx
Team 4, Team PMP”IT Installation of the Adelphi V.docxmattinsonjanel
 

Ähnlich wie Cyber resilience: planning to bounce back (20)

Varrow Madness 2014 DR Presentation
Varrow Madness 2014 DR PresentationVarrow Madness 2014 DR Presentation
Varrow Madness 2014 DR Presentation
 
Bcp
BcpBcp
Bcp
 
Disaster Recovery Plan
Disaster Recovery PlanDisaster Recovery Plan
Disaster Recovery Plan
 
The Cost of Downtime
The Cost of DowntimeThe Cost of Downtime
The Cost of Downtime
 
The Cost of Downtime
The Cost of DowntimeThe Cost of Downtime
The Cost of Downtime
 
Business Continuity Planning and Disaster Recovery Plannin.docx
Business Continuity Planning and Disaster Recovery Plannin.docxBusiness Continuity Planning and Disaster Recovery Plannin.docx
Business Continuity Planning and Disaster Recovery Plannin.docx
 
Cyber Security and Business Continuity an Integrated Discipline
Cyber Security and Business Continuity an Integrated DisciplineCyber Security and Business Continuity an Integrated Discipline
Cyber Security and Business Continuity an Integrated Discipline
 
Disaster Recovery
Disaster RecoveryDisaster Recovery
Disaster Recovery
 
Business continuity and disaster recovery
Business continuity and disaster recoveryBusiness continuity and disaster recovery
Business continuity and disaster recovery
 
Business continuity presentation
Business continuity presentationBusiness continuity presentation
Business continuity presentation
 
Introductory PresentationGoals of .docx
Introductory PresentationGoals of .docxIntroductory PresentationGoals of .docx
Introductory PresentationGoals of .docx
 
Cyberdyne systems (2)
Cyberdyne systems (2)Cyberdyne systems (2)
Cyberdyne systems (2)
 
Disaster Recovery: Understanding Trend, Methodology, Solution, and Standard
Disaster Recovery:  Understanding Trend, Methodology, Solution, and StandardDisaster Recovery:  Understanding Trend, Methodology, Solution, and Standard
Disaster Recovery: Understanding Trend, Methodology, Solution, and Standard
 
AITP July 2012 Presentation - Disaster Recovery - Business + Technology
AITP July 2012 Presentation - Disaster Recovery - Business + TechnologyAITP July 2012 Presentation - Disaster Recovery - Business + Technology
AITP July 2012 Presentation - Disaster Recovery - Business + Technology
 
Ultan kinahan dr - minasi 2010
Ultan kinahan   dr - minasi 2010Ultan kinahan   dr - minasi 2010
Ultan kinahan dr - minasi 2010
 
Building blocks for BCM programme
Building blocks for BCM programmeBuilding blocks for BCM programme
Building blocks for BCM programme
 
Fulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BCFulcrum Group- Layer Your DR/BC
Fulcrum Group- Layer Your DR/BC
 
Business Recovery Planning
Business Recovery PlanningBusiness Recovery Planning
Business Recovery Planning
 
Team 4, Team PMP”IT Installation of the Adelphi V.docx
Team 4, Team PMP”IT Installation of the Adelphi V.docxTeam 4, Team PMP”IT Installation of the Adelphi V.docx
Team 4, Team PMP”IT Installation of the Adelphi V.docx
 
BCP Awareness
BCP Awareness BCP Awareness
BCP Awareness
 

Mehr von Jisc

Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxJisc
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jisc
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxJisc
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Jisc
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...Jisc
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxJisc
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxJisc
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Jisc
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...Jisc
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptxJisc
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxJisc
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxJisc
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxJisc
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJisc
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxJisc
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber EssentialsJisc
 

Mehr von Jisc (20)

Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...International students’ digital experience: understanding and mitigating the ...
International students’ digital experience: understanding and mitigating the ...
 
Digital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptxDigital Storytelling Community Launch!.pptx
Digital Storytelling Community Launch!.pptx
 
Open Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptxOpen Access book publishing understanding your options (1).pptx
Open Access book publishing understanding your options (1).pptx
 
Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...Scottish Universities Press supporting authors with requirements for open acc...
Scottish Universities Press supporting authors with requirements for open acc...
 
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...How Bloomsbury is supporting authors with UKRI long-form open access requirem...
How Bloomsbury is supporting authors with UKRI long-form open access requirem...
 
Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023Jisc Northern Ireland Strategy Forum 2023
Jisc Northern Ireland Strategy Forum 2023
 
Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023Jisc Scotland Strategy Forum 2023
Jisc Scotland Strategy Forum 2023
 
Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023Jisc stakeholder strategic update 2023
Jisc stakeholder strategic update 2023
 
JISC Presentation.pptx
JISC Presentation.pptxJISC Presentation.pptx
JISC Presentation.pptx
 
Community-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptxCommunity-led Open Access Publishing webinar.pptx
Community-led Open Access Publishing webinar.pptx
 
The Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
 
Are we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptxAre we onboard yet University of Sussex.pptx
Are we onboard yet University of Sussex.pptx
 
JiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
 
UWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptxUWP OA Week Presentation (1).pptx
UWP OA Week Presentation (1).pptx
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 

Kürzlich hochgeladen

Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterMateoGardella
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxVishalSingh1417
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingTeacherCyreneCayanan
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...KokoStevan
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 

Kürzlich hochgeladen (20)

Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Advance Mobile Application Development class 07

Cyber resilience: planning to bounce back

  • 1. Cyber resilience: planning to bounce back Dr Andrew Lenaghan. OxCERT 28/11/2017
  • 2. A Lenaghan, OxCERT. Thursday 9, 9:45-10:15. Cyber resilience: planning to bounce back. JISC Security Conference 2017, Manchester UK
  • 3. Qu: What could hurt us?
  • 4. Possible Scenarios
     Ref  Description of example scenario
     1    Permanent loss of 2+ staff members (death / dismissal / leaving) within 1 month.
     2    Contagious illness causes a shortage of staff, e.g. a new flu strain causes half the staff to be absent for >1 week.
     3    Training and holiday commitments cause a shortage of staff, e.g. 2 staff down for >3 days.
     4    Fire guts the office; all equipment (laptops / computers / screens / phones / printers) lost.
     5    Break-in leads to the theft of laptop and desktop computers from the OxCERT office.
     6    Loss of service: plumbing, heating, telephony, internet access (VoIP).
     7    Evacuation due to a gas leak: unexpected loss of access to offices (>4h). Offices undamaged.
     8    Unexpected short-term loss of mains power to a data centre (<2h). No damage to equipment.
     9    DDoS on JANET causes loss of internet connectivity for a prolonged period (>4h).
     10   Loss of fibre connectivity between DCs.
     11   Incident causing irrecoverable loss of equipment at a data centre, e.g. fire.
     12   Loss of mains power to the OxCERT offices in Wellington Square (<2h).
     13   [Within Uni] Loss of a VM in hosting.
     14   [With Vendor] Disruption to AV signature distribution: mail and desktop AV cannot be updated.
     15   Component failure on the server acting as Xen (VM) host causes a crash and failure to restart.
     16   Cryptolocker-style compromise of the NAS leads to data becoming irretrievable due to encryption.
     17   Rootkit infection of the bastion host requires it to be isolated for investigation and rebuild.
     18   Police seizure of a server for a criminal investigation.
  • 5. Possible Scenarios, grouped by the resource impacted
     Lack of people
       1    Permanent loss of 2+ staff members (death / dismissal / leaving) within 1 month.
       2    Contagious illness causes a shortage of staff, e.g. a new flu strain causes half the staff to be absent for >1 week.
       3    Training and holiday commitments cause a shortage of staff, e.g. 2 staff down for >3 days.
     Lack of access
       4    Fire guts the office; all equipment (laptops / computers / screens / phones / printers) lost.
       5    Break-in leads to the theft of laptop and desktop computers from the OxCERT office.
       6    Loss of service: plumbing, heating, telephony, internet access (VoIP).
       7    Evacuation due to a gas leak: unexpected loss of access to offices (>4h). Offices undamaged.
     Lack of infrastructure
       8    Unexpected short-term loss of mains power to a data centre (<2h). No damage to equipment.
       9    DDoS on JANET causes loss of internet connectivity for a prolonged period (>4h).
       10   Loss of fibre connectivity between DCs.
       11   Incident causing irrecoverable loss of equipment at a data centre, e.g. fire.
       12   Loss of mains power to the OxCERT offices in Wellington Square (<2h).
     3rd-party service
       13   [Within Uni] Loss of a VM in hosting.
       14   [With Vendor] Disruption to AV signature distribution: mail and desktop AV cannot be updated.
     Miscellaneous
       15   Component failure on the server acting as Xen (VM) host causes a crash and failure to restart.
       16   Cryptolocker-style compromise of the NAS leads to data becoming irretrievable due to encryption.
       17   Rootkit infection of the bastion host requires it to be isolated for investigation and rebuild.
       18   Police seizure of a server for a criminal investigation.
  • 6. Our outlook: guarded optimism. Hope for the best, plan for the worst.
  • 7. Artefacts & Audiences (diagram)
     Artefacts: 1 Business Impact Assessment (BIA); 2 Business Continuity Plan (BCP); 3 Disaster Recovery Procedures; 4 Backup arrangements.
     Audiences: Management, Operations, Engineering.
     Diagram labels: Parameters; Potential Scenarios; Keeping running…; Restarting from scratch; Exercises.
  • 8. Principles (& dog food)
     ❖ Eating your own dog food (credibility): get our own house in order before we start laying down the law to others.
     ❖ Being open (& setting users' expectations): be transparent about the service levels we set, and be held to account by our users if we fall short.
     ❖ Building a predictable response: do the engineering, planning and testing to have confidence we can achieve the targets.
  • 9. CERT requirement: be resilient. OxCERT must continue to operate even where there is significant damage to, or sustained hostile activity against, ourselves or the network infrastructure of the University we defend.
  • 10. Cyber Resilience - is this new?
     Traditional information security: assumes a stable environment and evolutionary change. Aim: deal effectively with known risks / threats.
       ❖ Best practice
       ❖ Lessons learned
       ❖ Risk averse
     Cyber Resilience (culture): assumes a turbulent environment / disruptive technologies, step changes which are unknown / unpredictable. Aim: anticipate & adapt.
       ❖ Agility - ability to change
       ❖ Anticipating / forward looking
       ❖ Innovation / creativity to meet threats
  • 11. Cyber Resilience - is this new? The same comparison as slide 10, with the two columns labelled: traditional information security is "Getting better"; cyber resilience is "Getting different".
  • 12. Business / Organisation Impact Assessment. It's not about how or why a failure happens, or how likely it is; just focus on "if".
  • 13. Artefacts & Audiences (the slide 7 diagram, repeated as a section divider)
  • 14. What did we need to think about?
     Geographic locations OxCERT operates from
     The services we offer, and the relative priorities for recovering them
     Dependencies
       ❖ Stakeholders who depend on OxCERT
       ❖ External systems, services and vendors OxCERT depends on
     Single points of failure in our infrastructure
     Key-person risks in the team
  • 15. The shape of a disaster (diagram: service level, 0-100%, plotted against time)
     Marked points: BAU at 100%; last good backup; disaster strikes; response; recovery achieved / full service restored; recovery failed.
     Marked intervals: Recovery Point Objective (RPO, measured back from the disaster to the last good backup); Recovery Time Objective (RTO); downtime; Maximum Acceptable Outage (MAO); Minimum Acceptable Service Level.
  • 16. The shape of a disaster (same diagram, highlighting the successful path: disaster strikes, response, downtime, recovery achieved within the Recovery Time Objective, above the Minimum Acceptable Service Level)
  • 17. The shape of a disaster (same diagram, highlighting the Maximum Acceptable Outage: recovery succeeds if full service is restored before the MAO, and has failed once the MAO passes)
  • 18. OxCERT BIA: on one page….
     Service name                               Relative priority   Recovery time objective (RTO)   Maximum Acceptable Outage (MAO)
     Security Incident Response                 1                   3 days                          1 week
     Network monitoring                         2                   1 week                          2 weeks
     Advising and alerting (vulnerabilities)    3                   2 weeks                         2 months
     A Business Impact Assessment on a page
  • 19. How service impact grows over time, e.g. the security incident response service (chart)
     Rows (impact): Marginal, Acceptable, High, Catastrophic, with the MAO marked at the top.
     Columns (outage duration): 2h, 4h, 8h, 24h, 48h, 1 week, 2 weeks, 1 month.
     The plotted points climb from Marginal at the shortest durations to Catastrophic at the longest.
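A worked version of slides 15 to 19, added here as an illustration and not part of the original deck or of OxCERT's tooling: it scores an outage against the BIA targets the way the "shape of a disaster" diagram does. Priority, RTO and MAO are the values from the "BIA on one page" slide; the RPO column, the cut-offs for the four impact bands, the incident timings and the function names (`assess`, `report`, `impact_band`) are assumptions made for this example.

```python
"""Outage timeline versus BIA targets (added illustration, not OxCERT's code).

The last good backup fixes the data-loss window (checked against RPO); the
time from 'disaster strikes' to 'recovery achieved' is checked against the
Recovery Time Objective (RTO); an outage that outlives the Maximum Acceptable
Outage (MAO) is a failed recovery.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BiaTarget:
    service: str
    priority: int          # 1 = recover first
    rto: timedelta         # Recovery Time Objective
    mao: timedelta         # Maximum Acceptable Outage
    rpo: timedelta         # Recovery Point Objective (assumed; not on the slide)


# Priority, RTO and MAO from the 'BIA on one page' slide; RPO is assumed.
BIA: List[BiaTarget] = [
    BiaTarget("Security Incident Response", 1,
              timedelta(days=3), timedelta(weeks=1), timedelta(hours=24)),
    BiaTarget("Network monitoring", 2,
              timedelta(weeks=1), timedelta(weeks=2), timedelta(hours=24)),
    BiaTarget("Advising and alerting (vulnerabilities)", 3,
              timedelta(weeks=2), timedelta(days=60), timedelta(weeks=1)),
]
TARGETS = {t.service: t for t in BIA}


@dataclass(frozen=True)
class Outage:
    service: str
    last_good_backup: datetime
    disaster: datetime
    restored: Optional[datetime]   # None while the service is still down


@dataclass(frozen=True)
class Assessment:
    service: str
    priority: int
    data_loss: timedelta     # disaster minus last good backup (the RPO gap)
    downtime: timedelta      # so far, if not yet restored
    rpo_met: bool
    rto_met: bool            # restored, and within the RTO
    recovery_failed: bool    # downtime has passed the MAO
    impact: str              # Marginal / Acceptable / High / Catastrophic


def impact_band(downtime: timedelta, target: BiaTarget) -> str:
    """Assumed reading of the 'impact grows over time' slide: impact steps up
    as the outage passes half the RTO, the RTO itself, and finally the MAO."""
    if downtime > target.mao:
        return "Catastrophic"
    if downtime > target.rto:
        return "High"
    if downtime > target.rto / 2:
        return "Acceptable"
    return "Marginal"


def assess(outage: Outage, now: datetime) -> Assessment:
    """Score one outage against its service's targets as of 'now'."""
    target = TARGETS[outage.service]
    if outage.last_good_backup > outage.disaster:
        raise ValueError("last good backup cannot postdate the disaster")
    end = outage.restored if outage.restored is not None else now
    if end < outage.disaster:
        raise ValueError("restoration time / now cannot precede the disaster")
    data_loss = outage.disaster - outage.last_good_backup
    downtime = end - outage.disaster
    return Assessment(
        service=outage.service,
        priority=target.priority,
        data_loss=data_loss,
        downtime=downtime,
        rpo_met=data_loss <= target.rpo,
        rto_met=outage.restored is not None and downtime <= target.rto,
        recovery_failed=downtime > target.mao,
        impact=impact_band(downtime, target),
    )


def report(outages: List[Outage], now: datetime) -> List[Assessment]:
    """Assess every outage and order the result by recovery priority."""
    return sorted((assess(o, now) for o in outages), key=lambda a: a.priority)


# Constructed incident (not a real event): all three services lost at once.
DISASTER = datetime(2017, 11, 28, 9, 0)
SAMPLE_OUTAGES = [
    Outage("Security Incident Response", datetime(2017, 11, 28, 0, 0),
           DISASTER, datetime(2017, 11, 30, 9, 0)),
    Outage("Network monitoring", datetime(2017, 11, 26, 0, 0),
           DISASTER, None),                                   # still down
    Outage("Advising and alerting (vulnerabilities)",
           datetime(2017, 11, 27, 9, 0), DISASTER, datetime(2017, 12, 8, 9, 0)),
]
NOW = datetime(2017, 12, 14, 9, 0)

if __name__ == "__main__":
    for a in report(SAMPLE_OUTAGES, NOW):
        state = "RECOVERY FAILED" if a.recovery_failed else (
            "RTO met" if a.rto_met else "RTO missed / still down")
        print(f"{a.priority}. {a.service}: down {a.downtime}, data loss "
              f"{a.data_loss}, RPO {'met' if a.rpo_met else 'MISSED'}, "
              f"{state}, impact {a.impact}")
```

In the constructed incident the network monitoring service shows the failure mode the slides single out: it is still down sixteen days after the disaster, past its two-week MAO, so the recovery is reported as failed even though the higher-priority incident response service came back inside its RTO.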
  • 20. BIA Reflections. Conducted between Q3 and Q4 2016.
     ❖ Planned 9.5 days of effort; an underestimate.
     ❖ Biggest issue: capturing what we did in a structured way.
     Keep it simple: focus on identifying a few high-level services (we divided these down into internal activities).
     Quick wins! The analysis helped us identify:
       • Single points of failure: firewall, office VPN server
       • Key-person risks: sysadmin skills
     Buy-in. Targets were:
       • Reviewed by the team & management
       • Signed off by the CISO
  • 22. Artefacts & Audiences (the slide 7 diagram, repeated as a section divider)
  • 23. Recognise phase (flowchart: 1. Disaster occurs → 2. Perform an initial damage assessment → 3. Activate the plan? No: stop. Yes: continue.)
     Phase  Objective
     1  DISASTER OCCURRENCE: safety of staff and visitors.
     2  INITIAL DAMAGE ASSESSMENT: develop an initial overview of the situation.
     3  ACTIVATING THE PLAN: decide whether to activate the plan, based on the initial damage assessment of locations and systems.
  • 24. React phase (flowchart: 4. Form recovery team & designate coordinator → (5). Relocate recovery team to an alternate site & establish operations? Yes: continue.)
     Phase  Objective
     4  FORM RECOVERY TEAM: form the recovery team and designate a recovery coordinator.
     5  (RELOCATE TO ALTERNATE SITE): establish a working environment from which to conduct the recovery and resume services.
  • 25. Recover phase (flowchart: 6. Open an incident log & communicate to key staff & teams → 7. Incident coordination: execute specific recovery procedures → 8. Stand down the recovery team & transition back to normal operations)
     Phase  Objective
     6  OPEN AN INCIDENT LOG: maintain a record of key milestones and decisions taken during the recovery process. EXTERNAL COMMUNICATION ACTIONS: inform key staff and teams that recovery is underway.
     7  INCIDENT COORDINATION: limit damage, prioritise performing recovery procedures, estimate recovery time.
     8  STANDING DOWN: establish business as usual; inform key staff and teams.
  • 26. A Business Continuity Plan on a page (the full flowchart)
     Recognise: 1. Disaster occurs → 2. Perform an initial damage assessment → 3. Activate the plan? (No: stop)
     React: 4. Form recovery team & designate coordinator → (5). Relocate recovery team to an alternate site & establish operations?
     Recover: 6. Open an incident log & communicate to key staff & teams → 7. Incident coordination; execute specific recovery procedures → 8. Stand down the recovery team & transition back to normal operations
  • 27. How are we getting on?
  • 28. Climbing the BCP/DR maturity ladder
     Level 5, Resilient
       • BCP/DR thinking integrated into processes
       • Metrics & continuous improvement
       • Audited / reported on to senior management
     Level 4, Proactive
       • Documented and maintained recovery plan
       • Exercises validate the plan
       • Importance recognised & resourced
     Level 3, Prepared
       • Clear recovery procedures
       • Established recovery targets (RPO/RTO)
       • Need recognised, coordinated action
     Level 2, Reactive
       • Partial backups / fragmented approach
       • Informal / undocumented plan; key-person risk
       • Need recognised but inconsistently enacted
     Level 1, Ad hoc
       • No recovery plan
       • Minimal or no backups
       • No buy-in
  • 29. Climbing the BCP/DR maturity ladder: the same ladder with an "OxCERT recovery" column giving the recovery outlook at each level, and "Start" and "End" markers for where OxCERT began and where it aims to be.
     Level 5, Resilient:  confident / consistent
     Level 4, Proactive:  likely to meet targets
     Level 3, Prepared:   probable but vulnerable to surprises
     Level 2, Reactive:   possible
     Level 1, Ad hoc:     partial / unlucky
  • 30. On to BCP exercises…. "Everybody has a plan until they get punched in the mouth."
  • 31. Dr Andrew Lenaghan, OxCERT. JISC Security Conference 2017, Manchester UK, v.04. Cyber resilience: planning to bounce back
  • 32. jisc.ac.uk. Thank you. Dr Andrew Lenaghan (OxCERT), 28/11/2017. Cyber resilience: planning to bounce back