ICT205 Security Risks and Its Mitigation Strategies Assessment Answer
The report is about the security risks and its mitigation strategies that could be used by an IT organisation. In the provided scenario, a company named as ITBase has been detected a security risk with their server. Although they are using a higher cost IT infrastructure but silently caught in attack. It is found as a new type of attack where the attacker rather than attacking on the network, target their server to launch attack on another companies. The IT manager at ITBase detect this attack while their security check and contact a security provider to discuss its remediation. The organisation is using some basic security mechanisms like firewall in their network but the system administrator is never reviewed the logs. Besides this firewall security, there are no other security system is used there. After being caught in this type of attack the ITBase decided to prepare to analyse and deploy some security measures that will add a layer of security for future attacks and laid them run their business continuously. For this purpose, a disaster recovery plan is prepared for ITBase to overcome from this type of attacks. With this DRP plan, an incident response plan and a security checklist are prepared for further monitoring purpose. The report elaborates the details of the disaster recovery plan, incident response plan and security checklist for ITBase organisation that helps them in elimination the current risk with the attack and help protect them in future incidents.
The ITBase organisation has face a newer type of attack over their server. This attack directly targets their server and use it as a central station to attack on so many other organisations. The attacker pass on their high capacity network infrastructure and got access of their server. This incident is caught by their IT manager while security service check. The manager than contacted a security company named as SeekSecNet and plan for a penetration test for external attack. With this, they want to reveal the weaknesses of their IT infrastructure and improve the security and reduce the risk of being attached again. ITBase is currently using an extremely competitive and very high cost IT infra. They have a firewall installed at their network for protection but the logs were not reviewed by the system administrator. Rather than this firewall there are no any security mechanism is used to protect against attack. After the above attack incident, ITBase learned a lot and now plan to implement several security measures in their organisation to dismiss the attack effect. They are planning to implement such system where if this type of attack happened again, it is detected by the system admin by monitoring such activities within the IT infra or network and quickly intimate to the ITBase system admin. For this purpose, ITBase contacted the SeekSecNet to investigate the incident and develop the possible methods that work in the incident. Ultimately, they prepare a disaster recovery plan that help in overcome from these types of attacks if identified in the future. With this, they develop an investigation response summary and a security incident checklist. All these documents provide them layer of protection to overcome from such incidents and a plan to respond in such situation.
Disaster recovery Plan (DRP)
A disaster is of many types, shapes and size. It is not depending up on only natural resources like earthquakes but it includes any type of incidents that impact our daily work, any type of cyber-attack, failure of devices or any activity that led our company to closure (Shaw, K., 2020). So, every organisation should prepare a disaster recovery plan having the details about the actions that can be taken when a disaster may arise to quickly resume their business. Continuity of our business is aligned with disaster recovery or we can say disaster recovery is a part f business continuity. This will be focused on keeping our business running when a disaster may occur (Softchoice. 2020). here are the steps to create a disaster recovery plan for ITBase –
Step 1 – Assets Inventory – it is the first step of the disaster recovery plan. In this step, we identify all our inventories or the IT assets, thinking all assets are important to our business. And prepare a list of assets that include all the servers, systems, storage devices, network devices, appliances and other inventories. Based on the list, prepare a site map that shows all the listed things where they are located in the building.
Step 2 – Prepare Risk Assessment – once we prepared the list of assets and inventories, we need to identify associated risks with them. This risk includes all the internal and external risks that impact the IT infra by any mean. Then, identify the probability of it occurring with the level of impact if the event may occur.
Step 3 – Identify Business Critical Assets – once we have done with prior steps, we need to sort and scrutinize the more critical devices and applications based on their importance to the business. This approach helps us at the time of resuming the business services by identifying the most important assets that are essential to resume our business. This task will be done by interviewing the staff and manager of each department, ask and note down the essential equipment that need to resume their work.
Step 4 – Identify Recovery Objective – this step is very important for a disaster recovery plan. We have prior list the essential assets need to resume the services of our business. In this stap, we prepare the objectives of that recovery. This is done by sorting out the essential assets, their up time and down time, importance of data required, time of restoration and all the internal and external industry regulations associated with it. Then we access the RTO (recovery time objectives) and RPO (recovery point objective). The RTO is an acceptable time that need to restore that inventory or asset and its features while the RPO is an acceptable amount of losses with that assets that we can afford.
Step 5 – Identify Techniques and Tools – once we are ready to restore IT assets with all the identified features, we need to identify the required tool and techniques that help us in resuming the identified services. This include the tool and techniques to retrieve and restore data, restoring server services, internet connectivity and other essential hardware, software and services. We can use CDP solutions, backup and restoration tools or cloud replication etc.
Step 6 – Create a Response Team – at this time, we have prepared all the important aspects of our disaster recovery plan. Now we need to have a response team which response at the time of disaster and after the disaster, in business restoration process. This response team should have the managers of all the departments, IT admin, important members of management and other technical staff who can help in the restoration process. This process can be delegated to a third party organisation. Which will be notify at the time of disaster and handle the restoration process. Both of the organisations have a service level agreement that has all the details of the disaster and its recovery objectives, agreed and signed by both organisations.
Step 7 – Documentation and Team Communication – while create an in-house response team, we should have all the things in written in a documentation form. This disaster recovery document has the complete plan, list of assets, objectives, responsible team or member and all other statement that is the part of the disaster recovery plan. With this DR document, a communication plan is also there that is used when a disaster will occur, to keep communicate with the response team members or by the others to keep them inform. This disaster strategy plan, will be shared among the teams and all the departments so that it can be accessed during disaster.
Step 8 – Test, Evaluate and Update – once our planning is complete, we need to test the plan and practice over it to being perfect in responding at the time of disaster. Several practise sessions can be including in this step to test the effectiveness of the plan. If the team found any loop hole, the plan will be update accordingly. Once the plan is updated, it is submitted to the management for final review. Although the plan is most robust, we need to review and test it time to time to check its effectiveness by the changing need and updating assets in the organisation.
We have prepared the disaster recovery plan for ITBase organisation that we can use when any type of disaster will occur. The investigation response is the planning of response that will be followed then and after the disaster. This includes the steps that need to be taken when a negative incident is identified that harm our business. The main goal of a investigation response plan is to restore and maintain the business operations as fast and as effectively as possible that reduce the high impact on our business, its reputation and customer base (Services, P., 2020). Here are the steps that we follow while preparing the investigation response planning –
Step 1 – Identification – in this steep, we identify and detect the incident of disaster. This will includes timely checking the security logs, server logs, activities inside the network, detection of any unknown user or IP address, identification of any unknown service or process and review the logs on the firewall to identify and detect any suspicious activity in the network. These steps of identification should be carried out in timely manner so that we can identify any vulnerabilities prior to its occurrence.
Step 2 – Collection of evidence – after reviewing logs, server and network processes we collect the data that shows suspicious activities inside the organisation network. This include identification and collection of the processes running and suspicious on the server, suspicious logs in the database of firewall, collection of IP addresses that are unknown to our network, installation of any unknown application or service on the server and any security related log on server, firewall and network. All this data helps us in identifying the core issue of the disaster or attack in our network or on server.
Step 3 – Examination – when we collect all the evidences from the different sources, we examine them for any type of vulnerabilities. Prior to this examination, we make a copy of the data and keep the original data at save place, so that integrity of the data will be maintained and examination will be done on the imaged or copied data. We deeply examine the logs, network activities, services on the server and access of the resources in the network and server. By this examination, we will find several important evidences that help us in further identification of the possible disaster.
Step 4 – Analysis – based on the examined data, some evidences are collected that include suspicious services on the server, network activities, application and unknown processes. We identify all the suspicious activities and the processes that may be related to the incident of disaster. We physically check and identify each evidence to measure its vulnerability and negative impacts. It uses a type of trojan virus that running as a background service and controlled by the attacker. Who use it to attack over other organisations using our server and the resources.
Step 5 – Reporting – when we have done with examination, analysis and complete all the investigation, we prepare a report based on the identified resources and the possible eliminating techniques. This report is a written report that describe all the evidences that we identify, related risks, the analysis we did on the vulnerable resources and the final elimination tools and techniques that the organisation should use to eliminate and overcome from those issues or disaster situation. The report helps the organisation in further identification and use of the tools and techniques that can help in protect their IT environment and server from future disasters.
Security Incident Checklist
Here is the security checklist that we have used with the organisation to implement the disaster recovery plan, response and recovery objectives against the disaster incident (EC-Council Official Blog. 2020) (Agility Recovery. 2020).
- Authority and ownership – as the primary thing, we need to identify the responsible authority for a particular type of activity. this will help us in proper evaluation of the incident. The responsible authority or owner may be team or department, manager, IT admin, network admin or any security staff.
- Access risk – identifying risk related to those assets is important to identify the overall impact of the disaster on our services and assets. Risk identification is the primary aspect in any disaster recovery plan that help us in identifying and calculate the risk and help in performing risk assessment or analysis of business impact.
- Setting recovery objectives – setting recovery objectives help in decreasing down-time and save cost. This also an important step within our disaster recovery plan.
- Setting roles and communication – all the teams are delegated their roles and responsibilities with a proper communication plan.
- Identification and confirmation of an incident – based on their roles, every team member, search for the incident evidence, analyse and evaluate it and confirm the incident.
- Effect of the incident – with the identification od incident, they also assess its effects over business and infrastructure. So that preventive measures are used accordingly.
- Restore and recover the infrastructure – when an incident is identified, we use its eliminating techniques and tools and ensure it is effectively preventing its occurrence in the future.
- Review and update the disaster recovery plan – after the incident is identified and eliminated, we finally review all the aspects and update the disaster recovery plan to meet the new objectives.
In this assessment task, we evaluate and analyse the disaster situation of ITBase organisation. The organisation has faced an attack on their server and make it a launching pad to drive attacks over other organisations. As requested, we prepare a disaster recovery plan for ITBase which helps them in preparing for such types of disasters in the future. As a part of this disaster recovery plan, an investigation response plan and security checklist are prepared to help the organisation to maintain their business continuity. All the aspects that are demanded by the organisation is mentioned in this disaster recovery plan and a detailed response and recovery steps are provided in details.