Etextbook 978 1111138059 Principles of Incident Response and Disaster Recovery

eTextbook 978-1111138059 Principles
of Incident Response and Disaster

Recovery
Visit to download the full and correct content document:
https://ebookmass.com/product/etextbook-978-1111138059-principles-of-incident-res
ponse-and-disaster-recovery/
Copyright 2013 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part.
Table of Contents
PREFACE. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
CHAPTER 1
An Overview of Information Security and Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Opening Case Scenario: Pernicious Proxy Probing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Information Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Key Information Security Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Overview of Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Know Yourself. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Know the Enemy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Risk Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Risk Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Contingency Planning and Its Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Business Impact Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Incident Response Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Disaster Recovery Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Business Continuity Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Contingency Planning Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Role of Information Security Policy in Developing Contingency Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Key Policy Definitions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Enterprise Information Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Issue-Specific Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Systems-Specific Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Policy Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Ethical Considerations in the Use of Information Security Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Closing Case Scenario: Pondering People . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
CHAPTER 2
Planning for Organizational Readiness. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Opening Case Scenario: Proper Planning Prevents Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Beginning the Contingency Planning Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Commitment and Support of Senior Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Elements Required to Begin Contingency Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Contingency Planning Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
A Sample Generic Policy and High-Level Procedures for Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . . 55
vii
viii Table of Contents
Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Determine Mission/Business Processes and Recovery Criticality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Identify Resource Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Identify System Resource Recovery Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
BIA Data Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Online Questionnaires . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Facilitated Data-Gathering Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Process Flows and Interdependency Studies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Risk Assessment Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
IT Application or System Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Financial Reports and Departmental Budgets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Audit Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Production Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Budgeting for Contingency Operations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Incident Response Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Disaster Recovery Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Business Continuity Budgeting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Crisis Management Budgeting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Closing Case Scenario: Outrageously Odd Outages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
CHAPTER 3
Contingency Strategies for IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Opening Scenario: Panicking over Powder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Data and Application Resumption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Online Backups and the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Disk to Disk to Other: Delayed Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Redundancy-Based Backup and Recovery Using RAID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Database Backups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Application Backups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Backup and Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Real-Time Protection, Server Recovery, and Application Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Exclusive Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Shared-Site Resumption Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Service Agreements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Review Questions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Hands-On Project 3-1: Command-line Backup Using rdiff-backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Hands-On Project 3-2: Copying Virtual Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Closing Case Scenario: Disaster Denied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
Table of Contents ix
CHAPTER 4
Incident Response: Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Opening Case Scenario: DDoS Dilemma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
The IR Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Forming the IR Planning Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Developing the Incident Response Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Building the Computer Security Incident Response Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Incident Response Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Information for attack success end case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Planning for the Response During the Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Planning for “After the Incident”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Reaction!. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Planning for “Before the Incident”. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
The CCDC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Assembling and Maintaining the Final IR Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Closing Case Scenario: The Never-Ending Story . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
CHAPTER 5
Incident Response: Detection and Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Opening Case Scenario: Oodles of Open Source Opportunities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Possible Indicators of an Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Probable Indicators of an Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Technical Details: Rootkits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Definite Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Identifying Real Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Intrusion Detection and Prevention Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Technical Details: Processes and Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
IDPS Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Why Use an IDPS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
IDPS Network Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Technical Details: Ports and Port Scanning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
IDPS Detection Approaches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
Automated Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Incident Decision Making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Collection of Data to Aid in Detecting Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Challenges in Intrusion Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
x Table of Contents

Closing Case Scenario: Jokes with JJ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
CHAPTER 6
Incident Response: Organizing and Preparing the CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Opening Case Scenario: Trouble in Tuscaloosa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Building the CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Step 1: Obtaining Management Support and Buy-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Step 2: Determining the CSIRT Strategic Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Step 3: Gathering Relevant Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Step 4: Designing the CSIRT Vision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
A Sample Generic Policy and High-Level Procedures for Contingency Plans . . . . . . . . . . . . . . . . . . . . . . . . . 243
Step 5: Communicating the CSIRT’s Vision and Operational Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Step 6: Beginning CSIRT Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Step 7: Announce the operational CSIRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Step 8: Evaluating CSIRT Effectiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Final Thoughts on CSIRT Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Outsourcing Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Current and Future Quality of Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Division of Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Sensitive Information Revealed to the Contractor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Lack of Organization-Specific Knowledge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Lack of Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Handling Incidents at Multiple Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Maintaining IR Skills In-House . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Closing Case Scenario: Proud to Participate in Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
CHAPTER 7
Incident Response: Response Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Opening Case Scenario: Viral Vandal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
IR Response Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Response Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Incident Containment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
The Cuckoo’s Egg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Incident Eradication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Incident Recovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Incident Containment and Eradication Strategies for Specific Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Egghead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Handling Denial of Service (DoS) Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Table of Contents xi
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Unauthorized Access. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Inappropriate Use. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Hybrid or Multicomponent Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Automated IR Response Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Closing Case Scenario: Worrisome Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
CHAPTER 8
Incident Response: Recovery and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Opening Case Scenario: Wily Worms Wake Workers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Identify and Resolve Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Restore Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Restore Services and Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Restore Confidence across the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Plan Review and Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Rehearsal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Reporting to Upper Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Loss Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Sample Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Incident Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Legal Issues in Digital Forensics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Digital Forensics Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Technical Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Digital Forensics Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
eDiscovery and Anti-Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Closing Case Scenario: Bureaucratic Blamestorms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
CHAPTER 9
Disaster Recovery: Preparation and Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Opening Case Scenario: Flames Force Fan Fury . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Disaster Classifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
xii Table of Contents
Forming the Disaster Recovery Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Organization of the DR Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Special Documentation and Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Disaster Recovery Planning Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Develop the DR Planning Policy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Review the Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Identify Preventive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Develop Recovery Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Develop the DR Plan Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Plan Testing, Training, and Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Plan Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Information Technology Contingency Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Client/Server Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Data Communications Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Mainframe Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Sample Disaster Recovery Plans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
The Business Resumption Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
The DR Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
Closing Case Scenario: Proactively Pondering Potential Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
CHAPTER 10
Disaster Recovery: Operation and Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Opening Case Scenario: Dastardly Disaster Drives Dialing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Facing Key Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Preparation: Training the DR Team and the Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Plan Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Plan Triggers and Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Disaster Recovery Planning as Preparation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
DR Training and Awareness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
DR Plan Testing and Rehearsal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Rehearsal and Testing of the Alert Roster. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Disaster Response Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Recovery Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Resumption Phase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Restoration Phase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Repair or Replacement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Restoration of the Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Relocation from Temporary Offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Resumption at the Primary Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Standing Down and the After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Table of Contents xiii

Closing Case Scenario: Smart Susan Starts Studying . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
CHAPTER 11
Business Continuity Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Opening Case Scenario: Lovely Local Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
Business Continuity Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
BC Team Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
Special Documentation and Equipment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Business Continuity Policy and Plan Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Develop the BC Planning Policy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Review the BIA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Identify Preventive Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Create BC Contingency (Relocation) Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Develop the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Ensure BC Plan Testing, Training, and Exercises. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Ensure BC Plan Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Sample Business Continuity Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Implementing the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
Preparation for BC Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Returning to a Primary Site. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
BC After-Action Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Continuous Improvement of the BC Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Improving the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Improving the BC Staff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Maintaining the BC Plan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
Periodic BC Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
BC Plan Archivist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Closing Case Scenario: Exciting Emergency Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
CHAPTER 12
Crisis Management and International Standards inIR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Opening Case Scenario: Terrible Tragedy Today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Crisis Management in the Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Crisis Terms and Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Crisis Misconceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Preparing for Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
General Preparation Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
Organizing the Crisis Management Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
xiv Table of Contents
Crisis Management Critical Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

Developing the Crisis Management Plan. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Crisis Management Training and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
Ongoing Case: Alert Roster Test at HAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Post-crisis Trauma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Posttraumatic Stress Disorder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Employee Assistance Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Immediately after the Crisis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
Getting People Back to Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Dealing with Loss. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Law Enforcement Involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Federal Agencies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Local Agencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Managing Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 502
The 11 Steps Of Crisis Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Avoiding Unnecessary Blame . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Succession Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Elements of Succession Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
Succession Planning Approaches for Crisis Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512
International Standards in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
NIST Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
ISO Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Other Standards and Publications in IR/DR/BC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Closing Case Scenario: Boorish Board Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Endnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
APPENDIX A
Sample Business Continuity Plan for ABC Co. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
APPENDIX B
Contingency Plan Template from the Computer Security Resource Center at
the National Institute of Standards and Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
APPENDIX C
Sample Crisis Management Plan for Hierarchical Access, Ltd. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
GLOSSARY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 577
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
Preface
As global networks expand the interconnection of the world’s technically complex infra-
structure, communication and computing systems gain added importance. Information secu-
rity has gained in importance as a professional practice, and information security has
emerged as an academic discipline. Recent events, such as malware attacks and successful
hacking efforts, have pointed out the weaknesses inherent in unprotected systems and
exposed the need for heightened security of these systems. In order to secure technologically
advanced systems and networks, both education and the infrastructure to deliver that educa-
tion are needed to prepare the next generation of information technology and information
security professionals to develop a more secure and ethical computing environment. There-
fore, improved tools and more sophisticated techniques are needed to prepare students to
recognize the threats and vulnerabilities present in existing systems and to design and
develop the secure systems needed in the near future. Many years have passed since the
need for improved information security education has been recognized, and as Dr. Ernest
McDuffie of NIST points out:
While there is no doubt that technology has changed the way we live, work, and
play, there are very real threats associated with the increased use of technology
and our growing dependence on cyberspace….
Education can prepare the general public to identify and avoid risks in cyber-
space; education will ready the cybersecurity workforce of tomorrow; and
xv
xvi Preface
education can keep today’s cybersecurity professionals at the leading edge of the latest
technology and mitigation strategies.
Source: NIST
The need for improvements in information security education is so great that the U.S. National Secu-
rity Agency (NSA) has established Centers of Academic Excellence in Information Assurance, as
described in Presidential Decision Directive 63, “The Policy on Critical Infrastructure Protection,”
May 1998:
The program goal is to reduce vulnerabilities in our National Information Infrastructure
by promoting higher education in information assurance, and producing a growing num-
ber of professionals with IA expertise in various disciplines.
Source: National Security Agency
The technical nature of the dominant texts on the market does not meet the needs of students who
have a major other than computer science, computer engineering, or electronic engineering. This is
a key concern for academics who wish to focus on delivering skilled undergraduates to the commer-
cial information technology (IT) sector. Specifically, there is a clear need for information security,
information systems, criminal justice, political science, and accounting information systems students
to gain a clear understanding of the foundations of information security.
Approach
This book provides an overview of contingency operations and its components as well as a thorough
treatment of the administration of the planning process for incident response, disaster recovery, and
business continuity. It can be used to support course delivery for information-security-driven programs
targeted at information technology students, as well as IT management and technology management
curricula aimed at business or technical management students.
Learning Support—Each chapter includes a Chapter Summary and a set of open-ended Review
Questions. These are used to reinforce learning of the subject matter presented in the chapter.
Chapter Scenarios—Each chapter opens and closes with a case scenario that follows the same fic-
tional company as it encounters various contingency planning or operational issues. The closing sce-
nario also includes a few discussion questions. These questions give the student and the instructor
an opportunity to discuss the issues that underlie the content.
Hands-On Learning—At the end of each chapter, Real-World Exercises and Hands-On Projects are
provided. These give students the opportunity to examine the contingency planning arena outside
the classroom. Using these exercises, students can pursue the learning objectives listed at the begin-
ning of each chapter and deepen their understanding of the text material.
Boxed Examples—These supplemental sections, which feature examples not associated with the
ongoing case study, are included to illustrate key learning objectives or extend the coverage of
plans and policies.
New to This Edition

This edition provides a greater level of detail than the previous edition, specifically in the examination of
incident response activities. It incorporates new approaches and methods that have been developed at
NIST. Although the material on disaster recovery, business continuity, and crisis management has not
Preface xvii
been reduced, the text’s focus now follows that of the IT industry in shifting to the prevention, detection,
reaction to, and recovery from computer-based incidents and avoidance of threats to the security of infor-
mation. We are fortunate to have had the assistance of a reviewer who worked as a contributing author
for NIST, ensuring alignment between this text and the methods recommended by NIST.
Author Team
Long-time college professors and information security professionals Michael Whitman and Herbert
Mattord have jointly developed this text to merge knowledge from the world of academic study
with practical experience from the business world. Professor Andrew Green has been added to this
proven team to add a new dimension of practical experience.
Michael Whitman, Ph.D., CISM, CISSP Michael Whitman is a professor of information security
and assurance in the Information Systems Department, Michael J. Coles College of Business at Ken-
nesaw State University, Kennesaw, Georgia, where he is the director of the KSU Center for Informa-
tion Security Education (infosec.kennesaw.edu). Dr. Whitman has over 20 years of experience in
higher education, with over 12 years of experience in designing and teaching information security
courses. He is an active researcher in information security, fair and responsible use policies, and
computer-use ethics. He currently teaches graduate and undergraduate courses in information secu-
rity. He has published articles in the top journals in his field, including Information Systems
Research, Communications of the ACM, Information and Management, Journal of International
Business Studies, and Journal of Computer Information Systems. He is a member of the Association
for Computing Machinery and the Association for Information Systems. Under Dr. Whitman’s lead-
ership, Kennesaw State University has been recognized by the National Security Agency and the
Department of Homeland Security as a National Center of Academic Excellence in Information
Assurance Education three times; the university’s coursework has been reviewed by national-level
information assurance subject matter experts and determined to meet the national training standard
for information systems security professionals. Dr. Whitman is also the coauthor of Principles of
Information Security, 4th edition; Management of Information Security, 4th edition; Readings and
Cases in the Management of Information Security; Readings and Cases in Information Security:
Law and Ethics; The Hands-On Information Security Lab Manual, 3rd edition; Roadmap to the
Management of Information Security for IT and Information Security Professionals; Guide to Fire-
walls and VPNs, 3rd edition; Guide to Firewalls and Network Security, 2nd edition; and Guide to
Network Security, all published by Course Technology. In 2012, Dr. Whitman was selected by the
Colloquium for Information Systems Security Education as the recipient of the 2012 Information
Assurance Educator of the Year award.
Herbert Mattord, Ph.D. CISM, CISSP Herbert Mattord completed 24 years of IT industry experi-
ence as an application developer, database administrator, project manager, and information security
practitioner before joining the faculty of Kennesaw State University in 2002. Dr. Mattord is an
assistant professor of information security and assurance and the coordinator for the Bachelor of
Business Administration in Information Security and Assurance program. He is the operations man-
ager of the KSU Center for Information Security Education and Awareness (infosec.kennesaw.edu)
as well as the coordinator for the KSU certificate in Information Security and Assurance. During
his career as an IT practitioner, Dr. Mattord has been an adjunct professor at: Kennesaw State Uni-
versity; Southern Polytechnic State University in Marietta, Georgia; Austin Community College in
Austin, Texas; and Texas State University: San Marcos. He currently teaches undergraduate courses
in information security, data communications, local area networks, database technology, project
management, systems analysis and design, and information resources management and policy. He
xviii Preface
was formerly the manager of corporate information technology security at Georgia-Pacific Corpora-
tion, where much of the practical knowledge found in this textbook was acquired. Professor Mat-
tord is also the coauthor of Principles of Information Security, 4th edition; Management of Informa-
tion Security, 4th edition; Readings and Cases in the Management of Information Security; Readings
and Cases in Information Security: Law and Ethics; The Hands-On Information Security Lab Man-
ual, 3rd edition; Roadmap to the Management of Information Security for IT and Information
Security Professionals; Guide to Firewalls and VPNs, 3rd edition; Guide to Firewalls and Network
Security, 2nd edition; and Guide to Network Security, all published by Course Technology.
Andrew Green, MSIS Andrew Green is a lecturer of information security and assurance in the Informa-
tion Systems Department, Michael J. Coles College of Business at Kennesaw State University, Kennesaw,
Georgia. Mr. Green has over a decade of experience in information security. Prior to entering academia
full time, he worked as an information security consultant, focusing primarily on the needs of small
and medium-sized businesses. Prior to that, he worked in the healthcare IT field, where he developed and
supported transcription interfaces for medical facilities throughout the United States. Mr. Green is also a
full-time Ph.D. student at Nova Southeastern University, where he is studying information systems with
a concentration in information security. He is the coauthor of Guide to Firewalls and VPNs, 3rd edition
and Guide to Network Security, both published by Course Technology.
Structure
The textbook is organized into 12 chapters and 3 appendices. Here are summaries of each chapter’s
contents:
Chapter 1. An Overview of Information Security and Risk Management This chapter defines the
concepts of information security and risk management and explains how they are integral to the
management processes used for incident response and contingency planning.
Chapter 2. Planning for Organizational Readiness The focus of this chapter is on how an organiza-
tion can plan for and develop organizational processes and staffing appointments needed for suc-
cessful incident response and contingency plans.
Chapter 3. Contingency Strategies for IR/DR/BC This chapter explores the relationships between
contingency planning and the subordinate elements of incident response, business resumption, disas-
ter recovery, and business continuity planning. It also explains the techniques used for data and
application backup and recovery.
Chapter 4. Incident Response: Planning This chapter expands on the incident response planning
process to include processes and activities that are needed as well as the skills and techniques used
to develop such plans.
Chapter 5. Incident Response: Detection and Decision Making This chapter describes how incidents
are detected and how decision making regarding incident escalation and plan activation occur.
Chapter 6. Incident Response: Organizing and Preparing the CSIRT This chapter presents the
details of the actions that the CSIRT performs and how they are designed and developed.
Chapter 7. Incident Response: Response Strategies This chapter describes IR reaction strategies and
how they are applied to incidents.
Preface xix
Chapter 8. Incident Response: Recovery and Maintenance This chapter describes how an organiza-
tion plans for and executes the recovery process when an incident occurs; it also expands on the
steps involved in the ongoing maintenance of the IR plan.
Chapter 9. Disaster Recovery: Preparation and Implementation This chapter explores how organi-
zations prepare for disasters and recovery from disasters.
Chapter 10. Disaster Recovery: Operation and Maintenance This chapter presents the challenges an
organization faces when engaged in DR operations and how such challenges are met.
Chapter 11. Business Continuity Planning This chapter covers how organizations ensure continu-
ous operations even when the primary facilities used by the organization are not available.
Chapter 12. Crisis Management and International Standards in IR/DR/BC This chapter covers the
role of crisis management and recommends the elements of a plan to prepare for crisis response. The
chapter also covers the key international standards that affect IR, DR, and BC.
Appendices. The three appendices present sample BC and crisis management plans and templates.
Text and Graphic Conventions

Wherever appropriate, additional information and exercises have been added to this book to help
you better understand what is being discussed in the chapter. Icons throughout the text alert you to
additional materials. The icons used in this textbook are described here:
Notes present additional helpful material related to the subject being

described.
Offline boxes offer material that expands on the chapter’s contents but that
may not be central to the learning objectives of the chapter.
Technical Details boxes provide additional technical information on informa-

tion security topics.
Real World Exercises are structured activities to allow students to enrich their
understanding of selected topics presented in the chapter by exploring Web-
based or other widely available resources.
Hands-On Projects offer students the chance to explore the technical aspects
of the theories presented in the chapter.
xx Preface
Instructor’s Materials
The following supplemental materials are available for use in a classroom setting. All the supple-
ments available with this book are provided to the instructor on a single CD-ROM (ISBN:
9781111138066) and online at the textbook’s Web site.
Please visit login.cengage.com and log in to access instructor-specific resources.
To access additional course materials, please visit www.cengagebrain.com. At the CengageBrain.com
home page, search for the ISBN of your title (from the back cover of your book) using the search
box at the top of the page. This will take you to the product page, where these resources can be found.
Additional materials designed especially for you might be available for your course online. Go to
www.cengage.com/coursetechnology and search for this book title periodically for more details.
Electronic Instructor’s Manual—The Instructor’s Manual that accompanies this textbook includes
additional instructional material to assist in class preparation, including suggestions for classroom
activities, discussion topics, and additional projects.
Solution Files—The Solution Files include answers to selected end-of-chapter materials, including the
Review Questions and some of the Hands-On Projects.
ExamView—This textbook is accompanied by ExamView, a powerful testing software package that
allows instructors to create and administer printed, computer (LAN-based), and Internet exams.
ExamView includes hundreds of questions that correspond to the topics covered in this text,
enabling students to generate detailed study guides that include page references for further review.
The computer-based and Internet testing components allow students to take exams at their compu-
ters, and also save the instructor time by grading each exam automatically.
PowerPoint Presentations—This book comes with Microsoft PowerPoint slides for each chapter.
These are included as a teaching aid for classroom presentation. They can also be made available to
students on the network for chapter review, or they can be printed for classroom distribution. Instruc-
tors, feel free to add your own slides for additional topics you introduce to the class.
Information Security Community Site—Stay Secure with the Information Security Community Site!
Connect with students, professors, and professionals from around the world, and stay on top of this
ever-changing field.
● Visit www.cengage.com/community/infosec.
● Download resources such as instructional videos and labs.
● Ask authors, professors, and students the questions that are on your mind in our Discussion
Forums.
● See up-to-date news, videos, and articles.
● Read author blogs.
● Listen to podcasts on the latest Information Security topics.
Acknowledgments
The authors would like to thank their families for their support and understanding for the many
hours dedicated to this project, hours taken in many cases from family activities. Special thanks to
Karen Scarfone, coauthor of several NIST SPs. Her reviews and suggestions resulted in a more read-
able manuscript. Additionally, the authors would like to thank Doug Burks, primary developer of
Preface xxi
the Security Onion project used in this textbook. Doug’s insight and suggestions for the Hands-On
Projects helped make them more robust and practical for students to use.
Reviewers
We are indebted to the following individuals for their respective contributions of perceptive feed-
back on the initial proposal, the project outline, and the individual chapters of the text:
Karen Scarfone, Scarfone Cybersecurity
Gary Kessler, Embry-Riddle Aeronautical University
Special Thanks
The authors wish to thank the editorial and production teams at Course Technology. Their diligent
and professional efforts greatly enhanced the final product:
Michelle Ruelos Cannistraci, Senior Product Manager
Kent Williams, Developmental Editor
Nick Lombardi, Acquisitions Editor
Andrea Majot, Senior Content Project Manager
Nicole Ashton Spoto, Technical Editor
In addition, several professional and commercial organizations and individuals have aided the
development of the textbook by providing information and inspiration, and the authors wish to
acknowledge their contribution:
Bernstein Crisis Management
Continuity Central
Information Systems Security Associations
Institute for Crisis Management
National Institute of Standards and Technology
Oracle, Inc.
Purdue University
Rothstein Associates, Inc.
SunGard
Our colleagues in the Department of Information Systems and the Michael J. Coles College of
Business, Kennesaw State University
Dr. Amy Woszczynski, Interim Chair of the Department of Information Systems, Michael J. Coles
College of Business, Kennesaw State University
Dr. Kathy Schwaig, Dean of the Michael J. Coles College of Business, Kennesaw State University
Our Commitment
The authors are committed to serving the needs of the adopters and readers. We would be pleased
and honored to receive feedback on the textbook and its supporting materials. You can contact us
through Course Technology.
chapter 1
An Overview of Information
Security and Risk Management
An ounce of prevention is worth a pound of cure. —Benjamin Franklin
Upon completion of this material, you should be able to:

● Define and explain information security
● Identify and explain the basic concepts of risk management
● List and discuss the components of contingency planning
● Describe the role of information security policy in the development of contingency plans
2 Chapter 1 An Overview of Information Security and Risk Management
Opening Case Scenario: Pernicious Proxy Probing
Paul Alexander and his boss Amanda Wilson were sitting in Amanda’s office
discussing the coming year’s budget when they heard a commotion in the hall.
Hearing his name mentioned, Paul stuck his head out the door and saw Jonathon
Jasper (“JJ” to his friends) walking quickly toward him.
“Paul!” JJ called again, relieved to see Paul waiting in Amanda’s office.
“Hi, Amanda,” JJ said, then, looking at Paul, he added, “We have a problem.” JJ was
one of the systems administrators at Hierarchical Access LTD (HAL), a Georgia-based
Internet service provider that serves the northwest region of metropolitan Atlanta.
Paul stepped out into the hall, closing Amanda’s door behind him.
“What’s up, JJ?”
“I think we’ve got someone sniffing around the e-mail server,” JJ replied. “I just
looked at the log files, and there is an unusual number of failed login attempts on
accounts that normally just don’t have that many, like yours!”
Paul paused a moment.
“But the e-mail server’s proxied,” he finally said to JJ, “which means it must be an
internal probe.”
“Yeah, that’s why it’s a problem,” JJ replied. “We haven’t gotten this kind of thing
since we installed the proxy and moved the Web and e-mail servers inside the DMZ.
It’s got to be someone in-house.”
JJ looked exasperated. “And after all that time I spent conducting awareness training!”
“Don’t worry just yet,” Paul told him. “Let’s make a few calls, and then we’ll go
from there. Grab your incident response book and meet me in the conference room
in 10 minutes. Grab Tina in network operations on the way.”
Introduction
This book is about being prepared for the unexpected, being ready for such events as
incidents and disasters. We call this contingency planning, and the sad fact is that most
organizations don’t incorporate it into their day-to-day business activities. Such organi-
zations are often not well prepared to offer the proper response to a disaster or security
incident. By July 2012, Internet World Stats estimated that there were over 2.4 billion
people online,1 representing one third of the world’s 6.9 billion population. Each one of
those online users is a potential threat to any online system. The vast majority of Inter-
net users will not intentionally probe, monitor, attack, or attempt to access an organiza-
tion’s information without authorization; however, that potential does exist. If even less
than 1/10 of 1 percent of online users make the effort, the result would be almost two
and a half million potential attackers.
Information Security 3
In the weeks that followed the September 11, 2001 attacks in New York, Pennsylvania, and
Washington D.C., the media reported on the disastrous losses that various organizations 1
were suffering. Still, many organizations were able to continue conducting business. Why?
The reason is that those organizations were prepared for unexpected events. The cataclysm in
2001 was not the first attack on the World Trade Center (WTC). On February 26, 1993, a
car bomb exploded beneath one of the WTC towers, killing 6 and injuring over 1000. The
attack was limited in its devastation only because the attackers weren’t able to acquire all the
components for a coordinated bomb and cyanide gas attack.2
Still, this attack was a wake-up call for the hundreds of organizations that conducted business
in the WTC. Many began asking the question, “What would we have done if the attack had
been more successful?” As a direct result, many of the organizations occupying the WTC on
September 11, 2001 had developed contingency plans. Although thousands of people lost
their lives in the attack, many were able to evacuate, and many organizations were prepared
to resume their businesses in the aftermath of the devastation.
A 2008 Gartner report found that two out of three organizations surveyed had to invoke their
disaster recovery or business continuity plans in the two years preceding the study.3 Consider-
ing that nearly 80 percent of businesses affected by a disaster either never reopen or close
within 18 months of the event, having a disaster recovery and business continuity plan is
vital to sustaining operations when disasters strike.4 Considering the risks, it is imperative
that management teams create, implement, and test effective plans to deal with incidents and
disasters. For this reason, the field of information security has been steadily growing and is
taken seriously by more and more organizations, not only in the United States but throughout
the world.
Before we can discuss contingency planning in detail, we must introduce some critical con-
cepts of which contingency planning is an integral part. The first of these, which serves as the
overall disciplinary umbrella, is information security. This refers to many interlinked programs
and activities that work together to ensure the confidentiality, integrity, and availability of the
information used by organizations. This includes steps to ensure the protection of organiza-
tional information systems, specifically during incidents and disasters. Because information
security is a complex subject, which includes risk management as well as information security
policy, it is important to have an overview of that broad field and an understanding of these
major components. Contingency planning is an important element of information security, but
before management can plan for contingencies, it should have an overall strategic plan for
information security in place, including risk management processes to guide the appropriate
managerial and technical controls. This chapter serves as an overview of information security,
with special consideration given to risk management and the role that contingency planning
plays in (1) information security in general and (2) risk management in particular.
Information Security
The Committee on National Security Systems (CNSS) has defined information security as
the protection of information and its critical elements, including the systems and hard-
ware that use, store, and transmit that information. This definition is part of the CNSS
model (see Figure 1-1), which serves as the conceptual framework for understanding
information security. The model evolved from a similar model developed within the
computer security industry, known as the C.I.A. triangle. An industry standard for com-
puter security since the development of the mainframe, the C.I.A. triangle illustrates the
three most critical characteristics of information used within information systems: confi-
dentiality, integrity, and availability.
Information assets have the characteristics of confidentiality when only those persons or com-
puter systems with the rights and privileges to access it are able to do so. Information assets
have integrity when they are not exposed (while being stored, processed, or transmitted) to
corruption, damage, destruction, or other disruption of their authentic states; in other words,
the information is whole, complete, and uncorrupted. Finally, information assets have
availability when authorized users—persons or computer systems—are able to access them in
the specified format without interference or obstruction. In other words, the information is
there when it is needed, from where it is supposed to be, and in the format expected.
gy
nolo
Tech
tion
yE duca
Polic
Confidentiality Confidentiality
gy
olo
hn
ec
nT
tio
ca
Integrity Integrity
du
yE
lic
Po
Availability Availability
Storage Processing Transmission Storage Processing Transmission

© Cengage Learning 2014
Figure 1-1 The CNSS security model
In summary, information security (InfoSec) is the protection of the confidentiality, integrity,

and availability of information, whether in storage, during processing, or in transmission.
Such protection is achieved through the application of policy, education and training, and
technology.
Key Information Security Concepts

In general, a threat is an object, person, or other entity that is a potential risk of loss to
an asset, which is the organizational resource being protected. An asset can be logical,
such as a Web site, information, or data, or it can be physical, such as a person, com-
puter system, or other tangible object. A threat can become the basis for an attack—an
intentional or unintentional attempt to cause damage to or otherwise compromise the
information or the systems that support it. A threat-agent is a specific and identifiable
instance of a general threat that exploits vulnerabilities set up to protect the asset. NIST
defines a vulnerability as “a flaw or weakness in system security procedures, design,
implementation, or internal controls that could be exercised (accidentally triggered or
intentionally exploited) and result in a security breach or violation of the system’s secu-
rity policy.”5 Vulnerabilities that have been examined, documented, and published are
referred to as well-known vulnerabilities. Some vulnerabilities are latent and thus not
revealed until they are discovered and made known.
There are two common uses of the term exploit in information security. First, threat-agents
are said to exploit a system or information asset by using it illegally for their personal 1
gains. Second, threat-agents can create an exploit, or means to target a specific vulnerabil-
ity, usually found in software, to formulate an attack. A defender tries to prevent attacks
by applying a control, a safeguard, or a countermeasure; these terms, all synonymous with
control, represent security mechanisms, policies, or procedures that can successfully counter
attacks, reduce risk, resolve vulnerabilities, and generally improve the security within an
organization.
The results of a 2012 study that collected, categorized, and ranked the identifiable threats to
information security are shown in Table 1-1. The study compared its findings with a prior
study conducted by one of its researchers.
Threat Category 2010 Ranking Prior Ranking

Espionage or trespass
1 4
Software attacks 2 1
Human error or failure 3 3
Theft 4 7
Compromises to intellectual property 5 9
Sabotage or vandalism 6 5
Technical software failures or errors 7 2
Technical hardware failures or errors 8 6
Forces of nature 9 8
Deviations in quality of service from service providers 10 10
Technological obsolescence 11 11
Information extortion 12 12
Source: 2003 Study © Communications of the ACM used with permission
Table 1-1 Threats to information security6
The threat categories shown in Table 1-1 are explained in detail in the following sections.
Trespass Trespass is a broad category of electronic and human activities that can
breach the confidentiality of information. When an unauthorized individual gains access
to the information an organization is trying to protect, that act is categorized as a deliber-
ate act of trespass. In the opening scenario of this chapter, the IT staff members at HAL
were more disappointed than surprised to find someone poking around their mail server,
looking for a way in. Acts of trespass can lead to unauthorized real or virtual actions
that enable information gatherers to enter premises or systems they have not been autho-
rized to enter.
The classic perpetrator of deliberate acts of espionage or trespass is the hacker. In this text,
hackers are people who bypass legitimate controls placed on information systems in order to
gain access to data or information against the intent of the owner. More specifically, a hacker
is someone who uses skill, guile, or fraud to attempt to bypass the controls placed around
information that belongs to someone else.
Software Attacks Deliberate software attacks occur when an individual or group

designs software to attack a system. This software is referred to as malicious code, mali-
cious software, or malware. These software components or programs are designed to
damage, destroy, or deny service to the target systems. Some of the more common
instances of malicious code are viruses and worms, Trojan horses, logic bombs, bots,
rootkits, and back doors. Equally prominent among the recent incidences of malicious
code are the denial-of-service attacks conducted by attackers on popular e-commerce
sites. A denial-of-service (DoS) attack seeks to deny legitimate users access to services
by either tying up a server’s available resources or causing it to shut down. A variation
on the DoS attack is the distributed DoS (DDoS) attack, in which an attacker compro-
mises a number of systems, then uses these systems (called zombies or bots) to attack
an unsuspecting target.
A potential source of confusion when it comes to threats posed by malicious code are the
differences between the method of propagation (worm versus virus), the payload (what the
malware does once it is in place, such as deny service or install a back door), and the vector
of infection (how the code is transmitted from system to system, whether through social
engineering or by technical means, such as an open network share). Various concepts related
to the topic of malicious code are discussed in the following sections.
Viruses Computer viruses are segments of code that perform malicious actions. The code
attaches itself to an existing program and takes control of that program’s access to the
targeted computer. The virus-controlled target program then carries out the virus’s plan by
replicating itself and inserting itself into additional targeted systems.
Opening an infected e-mail or some other seemingly trivial action can cause anything from
random messages popping up on a user’s screen to the destruction of entire hard drives of
data. Viruses are passed from machine to machine via physical media, e-mail, or other
forms of computer data transmission. When these viruses infect a machine, they may immedi-
ately scan the local machine for e-mail applications; they may even send themselves to every
user in the e-mail address book.
There are several types of viruses. One type is the macro virus, which is embedded in auto-
matically executing macrocode, common in word-processed documents, spreadsheets, and
database applications. Another type, the boot virus, infects the key operating systems files
located in a computer’s boot sector.
Worms Named for the tapeworm in John Brunner’s novel The Shockwave Rider, worms
are malicious programs that replicate themselves constantly without requiring another pro-
gram to provide a safe environment for replication. Worms can continue replicating them-
selves until they completely fill available resources, such as memory, hard drive space, and
network bandwidth. These complex behaviors can be invoked with or without the
user downloading or executing the file. Once the worm has infected a computer, it can redis- 1
tribute itself to all e-mail addresses found on the infected system. Further, a worm can
deposit copies of itself onto all Web servers that the infected system can reach, so that users
who subsequently visit those sites become infected themselves. Worms also take advantage of
open shares found on the network in which an infected system is located, placing working
copies of the worm code onto the server so that users of those shares are likely to become
infected.
Back Doors and Trap Doors A virus or worm can have a payload that installs a back
door or trap door component in a system, which allows the attacker to access a system, at
will, with special privileges. Examples of these kinds of payloads are SubSeven, Back Orifice,
and Flashfake.
Polymorphism One of the biggest ongoing problems in fighting viruses and worms are
polymorphic threats. A polymorphic threat is one that changes its apparent shape over time,
making it undetectable by techniques that look for preconfigured signatures. These viruses
and worms actually evolve, changing their size and appearance to elude detection by antivi-
rus software programs. This means that an e-mail generated by the virus may not match
previous examples, making detection more of a challenge.
Propagation Vectors The way that malicious code is spread from one system to another
can vary widely. One common way is through a social engineering attack—that is, getting
the computer user to perform an action that enables the infection. An example of this is the
Trojan horse, often simply called a Trojan. A Trojan is something that looks like a desirable
program or tool but is in fact a malicious entity. Other propagation vectors do not require
human interaction, leveraging open network connections, file shares, or software vulnerabil-
ities to spread themselves.
Malware Hoaxes As frustrating as viruses and worms are, perhaps more time and money
is spent on resolving malware hoaxes. Well-meaning people can disrupt the harmony and
flow of an organization when they send random e-mails warning of dangerous malware that
is fictitious. While these individuals feel they are helping out by warning their coworkers of a
threat, much time and energy is wasted as everyone forwards the message to everyone they
know, posts the message on social media sites, and begins updating antivirus protection
software. By teaching its employees how to verify whether a malware threat is real, the
organization can reduce the impact of this type of threat.
Human Error or Failure This threat category includes acts performed by an

authorized user, usually without malicious intent or purpose. When people use information
systems, mistakes sometimes happen as a result of inexperience, improper training, incorrect
assumptions, and so forth. Unfortunately, small mistakes can produce extensive damage
with catastrophic results. This is what is meant by human error. Human failure, on the
other hand, is the intentional refusal or unintentional inability to comply with policies,
guidelines, and procedures, with a potential loss of information. An organization may be
doing its part to protect information, but if an individual employee fails to follow estab-
lished protocols, information can still be put at risk.
Theft The threat of theft—the illegal taking of another’s property—is a constant prob-
lem. Within an organization, property can be physical, electronic, or intellectual. The
value of information assets suffer when they are copied and taken away without the own-
er’s knowledge. This threat category also includes acts of espionage, given that an attacker
is often looking for information to steal. Any breach of confidentiality can be construed as
an act of theft.
Attackers can use many different methods to access the information stored in an information
system. Some information gathering is quite legal—for example, when doing research. Such
techniques are collectively referred to as competitive intelligence. When information gathering
employs techniques that cross the threshold of what is considered legal or ethical, it becomes
known as industrial espionage.
Also of concern in this category is the theft or loss of mobile devices, including phones,
tablets, and computers. Although the devices themselves are of value, perhaps even more valu-
able is the information stored within. Users who have been issued company equipment may
establish (and save) VPN-connection information, passwords, access credentials, company
records, customer information, and the like. This valuable information becomes a target for
information thieves. In fact, it has become commonplace to find lost or stolen devices in the
trash, with the hard drives or data cards (like phone SIMs) removed or the data having been
copied and erased The information is more valuable and easier to conceal than the actual
device itself.
Users who travel or use their devices away from home should be extremely careful when leav-
ing the device unattended at a restaurant table, conference room, or hotel room. Actually,
most globally engaged organizations now have explicit policy directives that prohibit taking
these portable devices to certain countries and direct employees required to travel to take
sanitized, almost disposable, devices that are not allowed contact with internal company net-
works or technology.
Compromises to Intellectual Property Many organizations create or support the

development of intellectual property as part of their business operations. FOLDOC, an
online dictionary of computing, defines intellectual property (IP) this way:
The ownership of ideas and control over the tangible or virtual representation of those
ideas. Use of another person’s intellectual property may or may not involve royalty
payments or permission but should always include proper credit to the source.7
Source: FOLDOC
IP includes trade secrets, copyrights, trademarks, and patents, all of which employees use to
conduct day-to-day business. Once an organization has properly identified its IP, breaches in
the controls placed to control access to it constitute a threat to the security of this
information.
Often, an organization purchases or leases the IP of other organizations and must therefore
abide by the purchase or licensing agreement for its fair and responsible use.
Of equal concern is the exfiltration, or unauthorized removal of information, from an

organization. Most commonly associated with disgruntled employees, the protection of 1
intellectual property from unauthorized disclosure to third parties further illustrates the
severity of this issue. Theft of organizational IP, such as trade secrets or trusted informa-
tion like customer personal and financial records, is a commonplace issue. Data
exfiltration is also being made tougher to combat because of the increasing popularity
of “bring your own device” (or BYOD) systems, which allow employees to attach their
own personal devices to the corporate network. These devices are frequently not as
secure as the systems owned and maintained by the organization. If compromised by
attackers prior to attaching to the corporate network, BYOD systems can easily be used
as conduits to allow data to be exfiltrated. Additionally, unhappy employees can use
these devices to copy data, then leave the organization with that valuable asset in their
hands and no one the wiser.
Among the most common IP breaches is the unlawful use or duplication of software-based
intellectual property, more commonly known as software piracy. Because most software is
licensed to a particular purchaser, its use is restricted to a single user or to a designated user
in an organization. If the user copies the program to another computer without securing
another license or transferring the license, he or she has violated the copyright. Software
licenses are strictly enforced by a number of regulatory and private organizations, and soft-
ware publishers use several control mechanisms to prevent copyright infringement. In addition
to the laws surrounding software piracy, two watchdog organizations investigate allegations
of software abuse: the Software & Information Industry Association (SIIA), the Web site for
which can be found at www.siia.net, and the Business Software Alliance (BSA), which can be
found at www.bsa.org.
Sabotage or Vandalism This threat category involves the deliberate sabotage of a

computer system or business or acts of vandalism to either destroy an asset or damage an
organization’s image. The acts can range from petty vandalism by employees to organized
sabotage by outsiders. A frequently encountered threat is the assault on an organization’s
electronic profile—its Web site.
A much more sinister form of hacking is cyberterrorism. Cyberterrorists hack systems
to conduct terrorist activities through network or Internet pathways. The United States
and other governments are developing security measures intended to protect the critical
computing and communications networks as well as the physical and power utility
infrastructures.
Technical Software Failures or Errors This threat category stems from purchasing
software with unknown hidden faults. Large quantities of computer code are written, pub-
lished, and sold before all the significant security-related bugs are detected and resolved.
Also, combinations of particular software and hardware may reveal new bugs. While most
bugs are not a security threat, some may be exploitable and may result in potential loss or
damage to information used by those programs. In addition to bugs, there may be untested
failure conditions or purposeful subversions of the security controls built into systems. These
may be oversights or intentional shortcuts left by programmers for benign or malign rea-
sons. Collectively, shortcut access routes into programs that bypass security checks are
called trap doors; they can cause serious security breaches.
Software bugs are so commonplace that entire Web sites are dedicated to documenting
them—for example, Bugtraq (www.securityfocus.com) and the National Vulnerability Data-
base (http://nvd.nist.gov). These resources provide up-to-the-minute information on the latest
security vulnerabilities and a very thorough archive of past bugs.
Technical Hardware Failures or Errors Technical hardware failures or errors

occur when a manufacturer distributes equipment containing a known or unknown flaw.
These defects can cause the system to perform outside of expected parameters, resulting in
unreliable service or lack of availability. Some errors are terminal, in that they result in the
unrecoverable loss of the equipment. Some errors are intermittent, in that they only periodi-
cally manifest themselves, resulting in faults that are not easily identified. For example,
equipment can sometimes stop working or can work in unexpected ways. Murphy’s Law
says that if something can possibly go wrong, it will. In other words, it’s not whether some-
thing will fail but when.
Forces of Nature Forces of nature, also known as force majeure, or acts of God, pose
some of the most dangerous threats imaginable because they often occur with very little warn-
ing. Fire, flood, earthquake, lightning, volcanic eruptions, even animal or insect infestation—
these threats disrupt not only the lives of individuals but also the storage, transmission, and
use of information.
Deviations in Quality of Service by Service Providers This threat category

covers situations in which a product or service is not delivered to the organization as
expected. Utility companies, service providers, and other value-added organizations form a
vast web of interconnected services. An organization’s information system depends on the
successful operation of such interdependent support systems, including power grids, telecom
networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.
Any one of these support systems can be interrupted by storms, employee illnesses, or other
unforeseen events.
An example of this threat category occurs when a construction crew damages a fiber-optic
link for an ISP. The backup provider may be online and in service but may only be able to
supply a fraction of the bandwidth the organization needs for full service. This degradation
of service is a form of availability disruption. Internet service, communications, and power
irregularities can dramatically affect the availability of information and systems.
Technological Obsolescence This threat category involves antiquated or outdated

infrastructure that leads to unreliable and untrustworthy systems. Management must recog-
nize that when technology becomes outdated, there is a risk of a loss of data integrity from
attacks. Strategic planning should always include an analysis of the technology that is
currently in use. Ideally, proper planning will prevent the risks stemming from technology
obsolesce, but when obsolescence is identified, management must take immediate action. IT
professionals play a large role in the identification of obsolescence.
Information Extortion The threat of information extortion is the possibility that an

attacker or trusted insider will steal information from a computer system and demand
compensation for its return or for an agreement to not disclose the information. Extortion
is common in credit card number theft. Unfortunately, organized crime is increasingly

involved in this area. 1
Other Threats Listings The Computer Security Institute conducts an annual study of
computer crime, the results for which are shown in Table 1-2. Malware attacks continue to
cause the most financial loss, and malware continues to be the most frequently cited attack
(with a reported loss of over $42 million in 2009 alone). Nearly 70 percent of respondents
noted that they had experienced one or more malware attacks in the 12-month reporting
period—and that doesn’t include companies that are unwilling to report attacks. The fact
is, almost every company has been attacked. Whether or not that attack was successful
depends on the company’s security efforts.
Type of Attack or Misuse 2010/11 2008 2006 2004 2002 2000

Malware infection (revised after 2008) 67% 50% 65% 78% 85% 85%
Being fraudulently represented as sender of 39% 31% (new category)

phishing message
Laptop/mobile hardware theft/loss 34% 42% 47% 49% 55% 60%
Bots/zombies in organization 29% 20% (new category
Insider abuse of Internet access or e-mail 25% 44% 42% 59% 78% 79%
Denial of service 17% 21% 25% 39% 40% 27%
Unauthorized access or privilege escalation 13% 15% (revised category)

by insider
Password sniffing 11% 9% (new category)
System penetration by outsider 11% (revised category)
Exploit of client Web browser 10% (new category)
Other Attacks/Misuse categories with less than 10% responses not listed above include
(listed in decreasing order of occurrence/reporting):
Financial fraud
Web site defacement
Exploit of wireless network
Other exploit of public-facing Web site
Theft of or unauthorized access to PII or PHI due to all other causes
Instant Messaging misuse
Theft of or unauthorized access to IP due to all other causes
Exploit of user’s social network profile
Theft of or unauthorized access to IP due to mobile device theft/loss
Theft of or unauthorized access to PII or PHI due to mobile device theft/loss
Exploit of DNS Server
Extortion or blackmail associated with threat of attack or release of stolen data
Source CSI/FBI surveys 2000 to 2010/11 (www.gocsi.com)
Table 1-2 Top Ten CSI/FBI survey results for types of attack or misuse (2000-2011)8
Another random document with
no related content on Scribd:
DANCE ON STILTS AT THE GIRLS’ UNYAGO, NIUCHI
Newala, too, suffers from the distance of its water-supply—at least

the Newala of to-day does; there was once another Newala in a lovely
valley at the foot of the plateau. I visited it and found scarcely a trace
of houses, only a Christian cemetery, with the graves of several
missionaries and their converts, remaining as a monument of its
former glories. But the surroundings are wonderfully beautiful. A
thick grove of splendid mango-trees closes in the weather-worn
crosses and headstones; behind them, combining the useful and the
agreeable, is a whole plantation of lemon-trees covered with ripe
fruit; not the small African kind, but a much larger and also juicier
imported variety, which drops into the hands of the passing traveller,
without calling for any exertion on his part. Old Newala is now under
the jurisdiction of the native pastor, Daudi, at Chingulungulu, who,
as I am on very friendly terms with him, allows me, as a matter of
course, the use of this lemon-grove during my stay at Newala.
FEET MUTILATED BY THE RAVAGES OF THE “JIGGER”
(Sarcopsylla penetrans)
The water-supply of New Newala is in the bottom of the valley,

some 1,600 feet lower down. The way is not only long and fatiguing,
but the water, when we get it, is thoroughly bad. We are suffering not
only from this, but from the fact that the arrangements at Newala are
nothing short of luxurious. We have a separate kitchen—a hut built
against the boma palisade on the right of the baraza, the interior of
which is not visible from our usual position. Our two cooks were not
long in finding this out, and they consequently do—or rather neglect
to do—what they please. In any case they do not seem to be very
particular about the boiling of our drinking-water—at least I can
attribute to no other cause certain attacks of a dysenteric nature,
from which both Knudsen and I have suffered for some time. If a
man like Omari has to be left unwatched for a moment, he is capable
of anything. Besides this complaint, we are inconvenienced by the
state of our nails, which have become as hard as glass, and crack on
the slightest provocation, and I have the additional infliction of
pimples all over me. As if all this were not enough, we have also, for
the last week been waging war against the jigger, who has found his
Eldorado in the hot sand of the Makonde plateau. Our men are seen
all day long—whenever their chronic colds and the dysentery likewise
raging among them permit—occupied in removing this scourge of
Africa from their feet and trying to prevent the disastrous
consequences of its presence. It is quite common to see natives of
this place with one or two toes missing; many have lost all their toes,
or even the whole front part of the foot, so that a well-formed leg
ends in a shapeless stump. These ravages are caused by the female of
Sarcopsylla penetrans, which bores its way under the skin and there
develops an egg-sac the size of a pea. In all books on the subject, it is
stated that one’s attention is called to the presence of this parasite by
an intolerable itching. This agrees very well with my experience, so
far as the softer parts of the sole, the spaces between and under the
toes, and the side of the foot are concerned, but if the creature
penetrates through the harder parts of the heel or ball of the foot, it
may escape even the most careful search till it has reached maturity.
Then there is no time to be lost, if the horrible ulceration, of which
we see cases by the dozen every day, is to be prevented. It is much
easier, by the way, to discover the insect on the white skin of a
European than on that of a native, on which the dark speck scarcely
shows. The four or five jiggers which, in spite of the fact that I
constantly wore high laced boots, chose my feet to settle in, were
taken out for me by the all-accomplished Knudsen, after which I
thought it advisable to wash out the cavities with corrosive
sublimate. The natives have a different sort of disinfectant—they fill
the hole with scraped roots. In a tiny Makua village on the slope of
the plateau south of Newala, we saw an old woman who had filled all
the spaces under her toe-nails with powdered roots by way of
prophylactic treatment. What will be the result, if any, who can say?
The rest of the many trifling ills which trouble our existence are
really more comic than serious. In the absence of anything else to
smoke, Knudsen and I at last opened a box of cigars procured from
the Indian store-keeper at Lindi, and tried them, with the most
distressing results. Whether they contain opium or some other
narcotic, neither of us can say, but after the tenth puff we were both
“off,” three-quarters stupefied and unspeakably wretched. Slowly we
recovered—and what happened next? Half-an-hour later we were
once more smoking these poisonous concoctions—so insatiable is the
craving for tobacco in the tropics.
Even my present attacks of fever scarcely deserve to be taken
seriously. I have had no less than three here at Newala, all of which
have run their course in an incredibly short time. In the early
afternoon, I am busy with my old natives, asking questions and
making notes. The strong midday coffee has stimulated my spirits to
an extraordinary degree, the brain is active and vigorous, and work
progresses rapidly, while a pleasant warmth pervades the whole
body. Suddenly this gives place to a violent chill, forcing me to put on
my overcoat, though it is only half-past three and the afternoon sun
is at its hottest. Now the brain no longer works with such acuteness
and logical precision; more especially does it fail me in trying to
establish the syntax of the difficult Makua language on which I have
ventured, as if I had not enough to do without it. Under the
circumstances it seems advisable to take my temperature, and I do
so, to save trouble, without leaving my seat, and while going on with
my work. On examination, I find it to be 101·48°. My tutors are
abruptly dismissed and my bed set up in the baraza; a few minutes
later I am in it and treating myself internally with hot water and
lemon-juice.
Three hours later, the thermometer marks nearly 104°, and I make
them carry me back into the tent, bed and all, as I am now perspiring
heavily, and exposure to the cold wind just beginning to blow might
mean a fatal chill. I lie still for a little while, and then find, to my
great relief, that the temperature is not rising, but rather falling. This
is about 7.30 p.m. At 8 p.m. I find, to my unbounded astonishment,
that it has fallen below 98·6°, and I feel perfectly well. I read for an
hour or two, and could very well enjoy a smoke, if I had the
wherewithal—Indian cigars being out of the question.
Having no medical training, I am at a loss to account for this state
of things. It is impossible that these transitory attacks of high fever
should be malarial; it seems more probable that they are due to a
kind of sunstroke. On consulting my note-book, I become more and
more inclined to think this is the case, for these attacks regularly
follow extreme fatigue and long exposure to strong sunshine. They at
least have the advantage of being only short interruptions to my
work, as on the following morning I am always quite fresh and fit.
My treasure of a cook is suffering from an enormous hydrocele which
makes it difficult for him to get up, and Moritz is obliged to keep in
the dark on account of his inflamed eyes. Knudsen’s cook, a raw boy
from somewhere in the bush, knows still less of cooking than Omari;
consequently Nils Knudsen himself has been promoted to the vacant
post. Finding that we had come to the end of our supplies, he began
by sending to Chingulungulu for the four sucking-pigs which we had
bought from Matola and temporarily left in his charge; and when
they came up, neatly packed in a large crate, he callously slaughtered
the biggest of them. The first joint we were thoughtless enough to
entrust for roasting to Knudsen’s mshenzi cook, and it was
consequently uneatable; but we made the rest of the animal into a
jelly which we ate with great relish after weeks of underfeeding,
consuming incredible helpings of it at both midday and evening
meals. The only drawback is a certain want of variety in the tinned
vegetables. Dr. Jäger, to whom the Geographical Commission
entrusted the provisioning of the expeditions—mine as well as his
own—because he had more time on his hands than the rest of us,
seems to have laid in a huge stock of Teltow turnips,[46] an article of
food which is all very well for occasional use, but which quickly palls
when set before one every day; and we seem to have no other tins
left. There is no help for it—we must put up with the turnips; but I
am certain that, once I am home again, I shall not touch them for ten
years to come.
Amid all these minor evils, which, after all, go to make up the
genuine flavour of Africa, there is at least one cheering touch:
Knudsen has, with the dexterity of a skilled mechanic, repaired my 9
× 12 cm. camera, at least so far that I can use it with a little care.
How, in the absence of finger-nails, he was able to accomplish such a
ticklish piece of work, having no tool but a clumsy screw-driver for
taking to pieces and putting together again the complicated
mechanism of the instantaneous shutter, is still a mystery to me; but
he did it successfully. The loss of his finger-nails shows him in a light
contrasting curiously enough with the intelligence evinced by the
above operation; though, after all, it is scarcely surprising after his
ten years’ residence in the bush. One day, at Lindi, he had occasion
to wash a dog, which must have been in need of very thorough
cleansing, for the bottle handed to our friend for the purpose had an
extremely strong smell. Having performed his task in the most
conscientious manner, he perceived with some surprise that the dog
did not appear much the better for it, and was further surprised by
finding his own nails ulcerating away in the course of the next few
days. “How was I to know that carbolic acid has to be diluted?” he
mutters indignantly, from time to time, with a troubled gaze at his
mutilated finger-tips.
Since we came to Newala we have been making excursions in all
directions through the surrounding country, in accordance with old
habit, and also because the akida Sefu did not get together the tribal
elders from whom I wanted information so speedily as he had
promised. There is, however, no harm done, as, even if seen only
from the outside, the country and people are interesting enough.
The Makonde plateau is like a large rectangular table rounded off
at the corners. Measured from the Indian Ocean to Newala, it is
about seventy-five miles long, and between the Rovuma and the
Lukuledi it averages fifty miles in breadth, so that its superficial area
is about two-thirds of that of the kingdom of Saxony. The surface,
however, is not level, but uniformly inclined from its south-western
edge to the ocean. From the upper edge, on which Newala lies, the
eye ranges for many miles east and north-east, without encountering
any obstacle, over the Makonde bush. It is a green sea, from which
here and there thick clouds of smoke rise, to show that it, too, is
inhabited by men who carry on their tillage like so many other
primitive peoples, by cutting down and burning the bush, and
manuring with the ashes. Even in the radiant light of a tropical day
such a fire is a grand sight.
Much less effective is the impression produced just now by the
great western plain as seen from the edge of the plateau. As often as
time permits, I stroll along this edge, sometimes in one direction,
sometimes in another, in the hope of finding the air clear enough to
let me enjoy the view; but I have always been disappointed.
Wherever one looks, clouds of smoke rise from the burning bush,
and the air is full of smoke and vapour. It is a pity, for under more
favourable circumstances the panorama of the whole country up to
the distant Majeje hills must be truly magnificent. It is of little use
taking photographs now, and an outline sketch gives a very poor idea
of the scenery. In one of these excursions I went out of my way to
make a personal attempt on the Makonde bush. The present edge of
the plateau is the result of a far-reaching process of destruction
through erosion and denudation. The Makonde strata are
everywhere cut into by ravines, which, though short, are hundreds of
yards in depth. In consequence of the loose stratification of these
beds, not only are the walls of these ravines nearly vertical, but their
upper end is closed by an equally steep escarpment, so that the
western edge of the Makonde plateau is hemmed in by a series of
deep, basin-like valleys. In order to get from one side of such a ravine
to the other, I cut my way through the bush with a dozen of my men.
It was a very open part, with more grass than scrub, but even so the
short stretch of less than two hundred yards was very hard work; at
the end of it the men’s calicoes were in rags and they themselves
bleeding from hundreds of scratches, while even our strong khaki
suits had not escaped scatheless.
NATIVE PATH THROUGH THE MAKONDE BUSH, NEAR

MAHUTA
I see increasing reason to believe that the view formed some time
back as to the origin of the Makonde bush is the correct one. I have
no doubt that it is not a natural product, but the result of human
occupation. Those parts of the high country where man—as a very
slight amount of practice enables the eye to perceive at once—has not
yet penetrated with axe and hoe, are still occupied by a splendid
timber forest quite able to sustain a comparison with our mixed
forests in Germany. But wherever man has once built his hut or tilled
his field, this horrible bush springs up. Every phase of this process
may be seen in the course of a couple of hours’ walk along the main
road. From the bush to right or left, one hears the sound of the axe—
not from one spot only, but from several directions at once. A few
steps further on, we can see what is taking place. The brush has been
cut down and piled up in heaps to the height of a yard or more,
between which the trunks of the large trees stand up like the last
pillars of a magnificent ruined building. These, too, present a
melancholy spectacle: the destructive Makonde have ringed them—
cut a broad strip of bark all round to ensure their dying off—and also
piled up pyramids of brush round them. Father and son, mother and
son-in-law, are chopping away perseveringly in the background—too
busy, almost, to look round at the white stranger, who usually excites
so much interest. If you pass by the same place a week later, the piles
of brushwood have disappeared and a thick layer of ashes has taken
the place of the green forest. The large trees stretch their
smouldering trunks and branches in dumb accusation to heaven—if
they have not already fallen and been more or less reduced to ashes,
perhaps only showing as a white stripe on the dark ground.
This work of destruction is carried out by the Makonde alike on the
virgin forest and on the bush which has sprung up on sites already
cultivated and deserted. In the second case they are saved the trouble
of burning the large trees, these being entirely absent in the
secondary bush.
After burning this piece of forest ground and loosening it with the
hoe, the native sows his corn and plants his vegetables. All over the
country, he goes in for bed-culture, which requires, and, in fact,
receives, the most careful attention. Weeds are nowhere tolerated in
the south of German East Africa. The crops may fail on the plains,
where droughts are frequent, but never on the plateau with its
abundant rains and heavy dews. Its fortunate inhabitants even have
the satisfaction of seeing the proud Wayao and Wamakua working
for them as labourers, driven by hunger to serve where they were
accustomed to rule.
But the light, sandy soil is soon exhausted, and would yield no
harvest the second year if cultivated twice running. This fact has
been familiar to the native for ages; consequently he provides in
time, and, while his crop is growing, prepares the next plot with axe
and firebrand. Next year he plants this with his various crops and
lets the first piece lie fallow. For a short time it remains waste and
desolate; then nature steps in to repair the destruction wrought by
man; a thousand new growths spring out of the exhausted soil, and
even the old stumps put forth fresh shoots. Next year the new growth
is up to one’s knees, and in a few years more it is that terrible,
impenetrable bush, which maintains its position till the black
occupier of the land has made the round of all the available sites and
come back to his starting point.
The Makonde are, body and soul, so to speak, one with this bush.
According to my Yao informants, indeed, their name means nothing
else but “bush people.” Their own tradition says that they have been
settled up here for a very long time, but to my surprise they laid great
stress on an original immigration. Their old homes were in the
south-east, near Mikindani and the mouth of the Rovuma, whence
their peaceful forefathers were driven by the continual raids of the
Sakalavas from Madagascar and the warlike Shirazis[47] of the coast,
to take refuge on the almost inaccessible plateau. I have studied
African ethnology for twenty years, but the fact that changes of
population in this apparently quiet and peaceable corner of the earth
could have been occasioned by outside enterprises taking place on
the high seas, was completely new to me. It is, no doubt, however,
correct.
The charming tribal legend of the Makonde—besides informing us
of other interesting matters—explains why they have to live in the
thickest of the bush and a long way from the edge of the plateau,
instead of making their permanent homes beside the purling brooks
and springs of the low country.
“The place where the tribe originated is Mahuta, on the southern
side of the plateau towards the Rovuma, where of old time there was
nothing but thick bush. Out of this bush came a man who never
washed himself or shaved his head, and who ate and drank but little.
He went out and made a human figure from the wood of a tree
growing in the open country, which he took home to his abode in the
bush and there set it upright. In the night this image came to life and
was a woman. The man and woman went down together to the
Rovuma to wash themselves. Here the woman gave birth to a still-
born child. They left that place and passed over the high land into the
valley of the Mbemkuru, where the woman had another child, which
was also born dead. Then they returned to the high bush country of
Mahuta, where the third child was born, which lived and grew up. In
course of time, the couple had many more children, and called
themselves Wamatanda. These were the ancestral stock of the
Makonde, also called Wamakonde,[48] i.e., aborigines. Their
forefather, the man from the bush, gave his children the command to
bury their dead upright, in memory of the mother of their race who
was cut out of wood and awoke to life when standing upright. He also
warned them against settling in the valleys and near large streams,
for sickness and death dwelt there. They were to make it a rule to
have their huts at least an hour’s walk from the nearest watering-
place; then their children would thrive and escape illness.”
The explanation of the name Makonde given by my informants is
somewhat different from that contained in the above legend, which I
extract from a little book (small, but packed with information), by
Pater Adams, entitled Lindi und sein Hinterland. Otherwise, my
results agree exactly with the statements of the legend. Washing?
Hapana—there is no such thing. Why should they do so? As it is, the
supply of water scarcely suffices for cooking and drinking; other
people do not wash, so why should the Makonde distinguish himself
by such needless eccentricity? As for shaving the head, the short,
woolly crop scarcely needs it,[49] so the second ancestral precept is
likewise easy enough to follow. Beyond this, however, there is
nothing ridiculous in the ancestor’s advice. I have obtained from
various local artists a fairly large number of figures carved in wood,
ranging from fifteen to twenty-three inches in height, and
representing women belonging to the great group of the Mavia,
Makonde, and Matambwe tribes. The carving is remarkably well
done and renders the female type with great accuracy, especially the
keloid ornamentation, to be described later on. As to the object and
meaning of their works the sculptors either could or (more probably)
would tell me nothing, and I was forced to content myself with the
scanty information vouchsafed by one man, who said that the figures
were merely intended to represent the nembo—the artificial
deformations of pelele, ear-discs, and keloids. The legend recorded
by Pater Adams places these figures in a new light. They must surely
be more than mere dolls; and we may even venture to assume that
they are—though the majority of present-day Makonde are probably
unaware of the fact—representations of the tribal ancestress.
The references in the legend to the descent from Mahuta to the
Rovuma, and to a journey across the highlands into the Mbekuru
valley, undoubtedly indicate the previous history of the tribe, the
travels of the ancestral pair typifying the migrations of their
descendants. The descent to the neighbouring Rovuma valley, with
its extraordinary fertility and great abundance of game, is intelligible
at a glance—but the crossing of the Lukuledi depression, the ascent
to the Rondo Plateau and the descent to the Mbemkuru, also lie
within the bounds of probability, for all these districts have exactly
the same character as the extreme south. Now, however, comes a
point of especial interest for our bacteriological age. The primitive
Makonde did not enjoy their lives in the marshy river-valleys.
Disease raged among them, and many died. It was only after they
had returned to their original home near Mahuta, that the health
conditions of these people improved. We are very apt to think of the
African as a stupid person whose ignorance of nature is only equalled
by his fear of it, and who looks on all mishaps as caused by evil
spirits and malignant natural powers. It is much more correct to
assume in this case that the people very early learnt to distinguish
districts infested with malaria from those where it is absent.
This knowledge is crystallized in the
ancestral warning against settling in the
valleys and near the great waters, the
dwelling-places of disease and death. At the
same time, for security against the hostile
Mavia south of the Rovuma, it was enacted
that every settlement must be not less than a
certain distance from the southern edge of the
plateau. Such in fact is their mode of life at the
present day. It is not such a bad one, and
certainly they are both safer and more
comfortable than the Makua, the recent
intruders from the south, who have made USUAL METHOD OF
good their footing on the western edge of the CLOSING HUT-DOOR
plateau, extending over a fairly wide belt of
country. Neither Makua nor Makonde show in their dwellings
anything of the size and comeliness of the Yao houses in the plain,
especially at Masasi, Chingulungulu and Zuza’s. Jumbe Chauro, a
Makonde hamlet not far from Newala, on the road to Mahuta, is the
most important settlement of the tribe I have yet seen, and has fairly
spacious huts. But how slovenly is their construction compared with
the palatial residences of the elephant-hunters living in the plain.
The roofs are still more untidy than in the general run of huts during
the dry season, the walls show here and there the scanty beginnings
or the lamentable remains of the mud plastering, and the interior is a
veritable dog-kennel; dirt, dust and disorder everywhere. A few huts
only show any attempt at division into rooms, and this consists
merely of very roughly-made bamboo partitions. In one point alone
have I noticed any indication of progress—in the method of fastening
the door. Houses all over the south are secured in a simple but
ingenious manner. The door consists of a set of stout pieces of wood
or bamboo, tied with bark-string to two cross-pieces, and moving in
two grooves round one of the door-posts, so as to open inwards. If
the owner wishes to leave home, he takes two logs as thick as a man’s
upper arm and about a yard long. One of these is placed obliquely
against the middle of the door from the inside, so as to form an angle
of from 60° to 75° with the ground. He then places the second piece
horizontally across the first, pressing it downward with all his might.
It is kept in place by two strong posts planted in the ground a few
inches inside the door. This fastening is absolutely safe, but of course
cannot be applied to both doors at once, otherwise how could the
owner leave or enter his house? I have not yet succeeded in finding
out how the back door is fastened.
MAKONDE LOCK AND KEY AT JUMBE CHAURO

This is the general way of closing a house. The Makonde at Jumbe
Chauro, however, have a much more complicated, solid and original
one. Here, too, the door is as already described, except that there is
only one post on the inside, standing by itself about six inches from
one side of the doorway. Opposite this post is a hole in the wall just
large enough to admit a man’s arm. The door is closed inside by a
large wooden bolt passing through a hole in this post and pressing
with its free end against the door. The other end has three holes into
which fit three pegs running in vertical grooves inside the post. The
door is opened with a wooden key about a foot long, somewhat
curved and sloped off at the butt; the other end has three pegs
corresponding to the holes, in the bolt, so that, when it is thrust
through the hole in the wall and inserted into the rectangular
opening in the post, the pegs can be lifted and the bolt drawn out.[50]
MODE OF INSERTING THE KEY
With no small pride first one householder and then a second

showed me on the spot the action of this greatest invention of the
Makonde Highlands. To both with an admiring exclamation of
“Vizuri sana!” (“Very fine!”). I expressed the wish to take back these
marvels with me to Ulaya, to show the Wazungu what clever fellows
the Makonde are. Scarcely five minutes after my return to camp at
Newala, the two men came up sweating under the weight of two
heavy logs which they laid down at my feet, handing over at the same
time the keys of the fallen fortress. Arguing, logically enough, that if
the key was wanted, the lock would be wanted with it, they had taken
their axes and chopped down the posts—as it never occurred to them
to dig them out of the ground and so bring them intact. Thus I have
two badly damaged specimens, and the owners, instead of praise,
come in for a blowing-up.
The Makua huts in the environs of Newala are especially
miserable; their more than slovenly construction reminds one of the
temporary erections of the Makua at Hatia’s, though the people here
have not been concerned in a war. It must therefore be due to
congenital idleness, or else to the absence of a powerful chief. Even
the baraza at Mlipa’s, a short hour’s walk south-east of Newala,
shares in this general neglect. While public buildings in this country
are usually looked after more or less carefully, this is in evident
danger of being blown over by the first strong easterly gale. The only
attractive object in this whole district is the grave of the late chief
Mlipa. I visited it in the morning, while the sun was still trying with
partial success to break through the rolling mists, and the circular
grove of tall euphorbias, which, with a broken pot, is all that marks
the old king’s resting-place, impressed one with a touch of pathos.
Even my very materially-minded carriers seemed to feel something
of the sort, for instead of their usual ribald songs, they chanted
solemnly, as we marched on through the dense green of the Makonde
bush:—
“We shall arrive with the great master; we stand in a row and have
no fear about getting our food and our money from the Serkali (the
Government). We are not afraid; we are going along with the great
master, the lion; we are going down to the coast and back.”
With regard to the characteristic features of the various tribes here
on the western edge of the plateau, I can arrive at no other
conclusion than the one already come to in the plain, viz., that it is
impossible for anyone but a trained anthropologist to assign any
given individual at once to his proper tribe. In fact, I think that even
an anthropological specialist, after the most careful examination,
might find it a difficult task to decide. The whole congeries of peoples
collected in the region bounded on the west by the great Central
African rift, Tanganyika and Nyasa, and on the east by the Indian
Ocean, are closely related to each other—some of their languages are
only distinguished from one another as dialects of the same speech,
and no doubt all the tribes present the same shape of skull and
structure of skeleton. Thus, surely, there can be no very striking
differences in outward appearance.
Even did such exist, I should have no time
to concern myself with them, for day after day,
I have to see or hear, as the case may be—in
any case to grasp and record—an
extraordinary number of ethnographic
phenomena. I am almost disposed to think it
fortunate that some departments of inquiry, at
least, are barred by external circumstances.
Chief among these is the subject of iron-
working. We are apt to think of Africa as a
country where iron ore is everywhere, so to
speak, to be picked up by the roadside, and
where it would be quite surprising if the
inhabitants had not learnt to smelt the
material ready to their hand. In fact, the
knowledge of this art ranges all over the
continent, from the Kabyles in the north to the
Kafirs in the south. Here between the Rovuma
and the Lukuledi the conditions are not so
favourable. According to the statements of the
Makonde, neither ironstone nor any other
form of iron ore is known to them. They have
not therefore advanced to the art of smelting
the metal, but have hitherto bought all their
THE ANCESTRESS OF
THE MAKONDE
iron implements from neighbouring tribes.
Even in the plain the inhabitants are not much
better off. Only one man now living is said to
understand the art of smelting iron. This old fundi lives close to
Huwe, that isolated, steep-sided block of granite which rises out of
the green solitude between Masasi and Chingulungulu, and whose
jagged and splintered top meets the traveller’s eye everywhere. While
still at Masasi I wished to see this man at work, but was told that,
frightened by the rising, he had retired across the Rovuma, though
he would soon return. All subsequent inquiries as to whether the
fundi had come back met with the genuine African answer, “Bado”
(“Not yet”).
BRAZIER
Some consolation was afforded me by a brassfounder, whom I

came across in the bush near Akundonde’s. This man is the favourite
of women, and therefore no doubt of the gods; he welds the glittering
brass rods purchased at the coast into those massive, heavy rings
which, on the wrists and ankles of the local fair ones, continually give
me fresh food for admiration. Like every decent master-craftsman he
had all his tools with him, consisting of a pair of bellows, three
crucibles and a hammer—nothing more, apparently. He was quite
willing to show his skill, and in a twinkling had fixed his bellows on
the ground. They are simply two goat-skins, taken off whole, the four
legs being closed by knots, while the upper opening, intended to
admit the air, is kept stretched by two pieces of wood. At the lower
end of the skin a smaller opening is left into which a wooden tube is
stuck. The fundi has quickly borrowed a heap of wood-embers from
the nearest hut; he then fixes the free ends of the two tubes into an
earthen pipe, and clamps them to the ground by means of a bent
piece of wood. Now he fills one of his small clay crucibles, the dross
on which shows that they have been long in use, with the yellow
material, places it in the midst of the embers, which, at present are
only faintly glimmering, and begins his work. In quick alternation
the smith’s two hands move up and down with the open ends of the
bellows; as he raises his hand he holds the slit wide open, so as to let
the air enter the skin bag unhindered. In pressing it down he closes
the bag, and the air puffs through the bamboo tube and clay pipe into
the fire, which quickly burns up. The smith, however, does not keep
on with this work, but beckons to another man, who relieves him at
the bellows, while he takes some more tools out of a large skin pouch
carried on his back. I look on in wonder as, with a smooth round
stick about the thickness of a finger, he bores a few vertical holes into
the clean sand of the soil. This should not be difficult, yet the man
seems to be taking great pains over it. Then he fastens down to the
ground, with a couple of wooden clamps, a neat little trough made by
splitting a joint of bamboo in half, so that the ends are closed by the
two knots. At last the yellow metal has attained the right consistency,
and the fundi lifts the crucible from the fire by means of two sticks
split at the end to serve as tongs. A short swift turn to the left—a
tilting of the crucible—and the molten brass, hissing and giving forth
clouds of smoke, flows first into the bamboo mould and then into the
holes in the ground.
The technique of this backwoods craftsman may not be very far
advanced, but it cannot be denied that he knows how to obtain an
adequate result by the simplest means. The ladies of highest rank in
this country—that is to say, those who can afford it, wear two kinds
of these massive brass rings, one cylindrical, the other semicircular
in section. The latter are cast in the most ingenious way in the
bamboo mould, the former in the circular hole in the sand. It is quite
a simple matter for the fundi to fit these bars to the limbs of his fair
customers; with a few light strokes of his hammer he bends the
pliable brass round arm or ankle without further inconvenience to
the wearer.
SHAPING THE POT
SMOOTHING WITH MAIZE-COB
CUTTING THE EDGE

FINISHING THE BOTTOM
LAST SMOOTHING BEFORE

BURNING
FIRING THE BRUSH-PILE

LIGHTING THE FARTHER SIDE OF
THE PILE
TURNING THE RED-HOT VESSEL
NYASA WOMAN MAKING POTS AT MASASI

Pottery is an art which must always and everywhere excite the
interest of the student, just because it is so intimately connected with
the development of human culture, and because its relics are one of
the principal factors in the reconstruction of our own condition in
prehistoric times. I shall always remember with pleasure the two or
three afternoons at Masasi when Salim Matola’s mother, a slightly-
built, graceful, pleasant-looking woman, explained to me with
touching patience, by means of concrete illustrations, the ceramic art
of her people. The only implements for this primitive process were a
lump of clay in her left hand, and in the right a calabash containing
the following valuables: the fragment of a maize-cob stripped of all
its grains, a smooth, oval pebble, about the size of a pigeon’s egg, a
few chips of gourd-shell, a bamboo splinter about the length of one’s
hand, a small shell, and a bunch of some herb resembling spinach.
Nothing more. The woman scraped with the
shell a round, shallow hole in the soft, fine
sand of the soil, and, when an active young
girl had filled the calabash with water for her,
she began to knead the clay. As if by magic it
gradually assumed the shape of a rough but
already well-shaped vessel, which only wanted
a little touching up with the instruments
before mentioned. I looked out with the
MAKUA WOMAN closest attention for any indication of the use
MAKING A POT. of the potter’s wheel, in however rudimentary
SHOWS THE a form, but no—hapana (there is none). The
BEGINNINGS OF THE embryo pot stood firmly in its little
POTTER’S WHEEL
depression, and the woman walked round it in
a stooping posture, whether she was removing
small stones or similar foreign bodies with the maize-cob, smoothing
the inner or outer surface with the splinter of bamboo, or later, after
letting it dry for a day, pricking in the ornamentation with a pointed
bit of gourd-shell, or working out the bottom, or cutting the edge
with a sharp bamboo knife, or giving the last touches to the finished
vessel. This occupation of the women is infinitely toilsome, but it is
without doubt an accurate reproduction of the process in use among
our ancestors of the Neolithic and Bronze ages.
There is no doubt that the invention of pottery, an item in human
progress whose importance cannot be over-estimated, is due to
women. Rough, coarse and unfeeling, the men of the horde range
over the countryside. When the united cunning of the hunters has
succeeded in killing the game; not one of them thinks of carrying
home the spoil. A bright fire, kindled by a vigorous wielding of the
drill, is crackling beside them; the animal has been cleaned and cut
up secundum artem, and, after a slight singeing, will soon disappear
under their sharp teeth; no one all this time giving a single thought
to wife or child.
To what shifts, on the other hand, the primitive wife, and still more
the primitive mother, was put! Not even prehistoric stomachs could
endure an unvarying diet of raw food. Something or other suggested
the beneficial effect of hot water on the majority of approved but
indigestible dishes. Perhaps a neighbour had tried holding the hard
roots or tubers over the fire in a calabash filled with water—or maybe
an ostrich-egg-shell, or a hastily improvised vessel of bark. They
became much softer and more palatable than they had previously
been; but, unfortunately, the vessel could not stand the fire and got
charred on the outside. That can be remedied, thought our
ancestress, and plastered a layer of wet clay round a similar vessel.
This is an improvement; the cooking utensil remains uninjured, but
the heat of the fire has shrunk it, so that it is loose in its shell. The
next step is to detach it, so, with a firm grip and a jerk, shell and
kernel are separated, and pottery is invented. Perhaps, however, the
discovery which led to an intelligent use of the burnt-clay shell, was
made in a slightly different way. Ostrich-eggs and calabashes are not
to be found in every part of the world, but everywhere mankind has
arrived at the art of making baskets out of pliant materials, such as
bark, bast, strips of palm-leaf, supple twigs, etc. Our inventor has no
water-tight vessel provided by nature. “Never mind, let us line the
basket with clay.” This answers the purpose, but alas! the basket gets
burnt over the blazing fire, the woman watches the process of
cooking with increasing uneasiness, fearing a leak, but no leak
appears. The food, done to a turn, is eaten with peculiar relish; and
the cooking-vessel is examined, half in curiosity, half in satisfaction
at the result. The plastic clay is now hard as stone, and at the same
time looks exceedingly well, for the neat plaiting of the burnt basket
is traced all over it in a pretty pattern. Thus, simultaneously with
pottery, its ornamentation was invented.
Primitive woman has another claim to respect. It was the man,
roving abroad, who invented the art of producing fire at will, but the
woman, unable to imitate him in this, has been a Vestal from the
earliest times. Nothing gives so much trouble as the keeping alight of
the smouldering brand, and, above all, when all the men are absent
from the camp. Heavy rain-clouds gather, already the first large
drops are falling, the first gusts of the storm rage over the plain. The
little flame, a greater anxiety to the woman than her own children,
flickers unsteadily in the blast. What is to be done? A sudden thought
occurs to her, and in an instant she has constructed a primitive hut
out of strips of bark, to protect the flame against rain and wind.
This, or something very like it, was the way in which the principle
of the house was discovered; and even the most hardened misogynist
cannot fairly refuse a woman the credit of it. The protection of the
hearth-fire from the weather is the germ from which the human
dwelling was evolved. Men had little, if any share, in this forward
step, and that only at a late stage. Even at the present day, the
plastering of the housewall with clay and the manufacture of pottery
are exclusively the women’s business. These are two very significant
survivals. Our European kitchen-garden, too, is originally a woman’s
invention, and the hoe, the primitive instrument of agriculture, is,
characteristically enough, still used in this department. But the
noblest achievement which we owe to the other sex is unquestionably
the art of cookery. Roasting alone—the oldest process—is one for
which men took the hint (a very obvious one) from nature. It must
have been suggested by the scorched carcase of some animal
overtaken by the destructive forest-fires. But boiling—the process of
improving organic substances by the help of water heated to boiling-
point—is a much later discovery. It is so recent that it has not even
yet penetrated to all parts of the world. The Polynesians understand
how to steam food, that is, to cook it, neatly wrapped in leaves, in a
hole in the earth between hot stones, the air being excluded, and
(sometimes) a few drops of water sprinkled on the stones; but they
do not understand boiling.
To come back from this digression, we find that the slender Nyasa
woman has, after once more carefully examining the finished pot,
put it aside in the shade to dry. On the following day she sends me
word by her son, Salim Matola, who is always on hand, that she is
going to do the burning, and, on coming out of my house, I find her
already hard at work. She has spread on the ground a layer of very
dry sticks, about as thick as one’s thumb, has laid the pot (now of a
yellowish-grey colour) on them, and is piling brushwood round it.
My faithful Pesa mbili, the mnyampara, who has been standing by,
most obligingly, with a lighted stick, now hands it to her. Both of
them, blowing steadily, light the pile on the lee side, and, when the
flame begins to catch, on the weather side also. Soon the whole is in a
blaze, but the dry fuel is quickly consumed and the fire dies down, so
that we see the red-hot vessel rising from the ashes. The woman
turns it continually with a long stick, sometimes one way and
sometimes another, so that it may be evenly heated all over. In
twenty minutes she rolls it out of the ash-heap, takes up the bundle
of spinach, which has been lying for two days in a jar of water, and
sprinkles the red-hot clay with it. The places where the drops fall are
marked by black spots on the uniform reddish-brown surface. With a
sigh of relief, and with visible satisfaction, the woman rises to an
erect position; she is standing just in a line between me and the fire,
from which a cloud of smoke is just rising: I press the ball of my
camera, the shutter clicks—the apotheosis is achieved! Like a
priestess, representative of her inventive sex, the graceful woman
stands: at her feet the hearth-fire she has given us beside her the
invention she has devised for us, in the background the home she has
built for us.
At Newala, also, I have had the manufacture of pottery carried on
in my presence. Technically the process is better than that already
described, for here we find the beginnings of the potter’s wheel,
which does not seem to exist in the plains; at least I have seen
nothing of the sort. The artist, a frightfully stupid Makua woman, did
not make a depression in the ground to receive the pot she was about
to shape, but used instead a large potsherd. Otherwise, she went to
work in much the same way as Salim’s mother, except that she saved
herself the trouble of walking round and round her work by squatting
at her ease and letting the pot and potsherd rotate round her; this is
surely the first step towards a machine. But it does not follow that
the pot was improved by the process. It is true that it was beautifully
rounded and presented a very creditable appearance when finished,
but the numerous large and small vessels which I have seen, and, in
part, collected, in the “less advanced” districts, are no less so. We
moderns imagine that instruments of precision are necessary to
produce excellent results. Go to the prehistoric collections of our
museums and look at the pots, urns and bowls of our ancestors in the
dim ages of the past, and you will at once perceive your error.
MAKING LONGITUDINAL CUT IN
BARK
DRAWING THE BARK OFF THE LOG
REMOVING THE OUTER BARK

BEATING THE BARK
WORKING THE BARK-CLOTH AFTER BEATING, TO MAKE IT

SOFT
MANUFACTURE OF BARK-CLOTH AT NEWALA

To-day, nearly the whole population of German East Africa is
clothed in imported calico. This was not always the case; even now in
some parts of the north dressed skins are still the prevailing wear,
and in the north-western districts—east and north of Lake
Tanganyika—lies a zone where bark-cloth has not yet been
superseded. Probably not many generations have passed since such
bark fabrics and kilts of skins were the only clothing even in the
south. Even to-day, large quantities of this bright-red or drab
material are still to be found; but if we wish to see it, we must look in
the granaries and on the drying stages inside the native huts, where
it serves less ambitious uses as wrappings for those seeds and fruits
which require to be packed with special care. The salt produced at
Masasi, too, is packed for transport to a distance in large sheets of
bark-cloth. Wherever I found it in any degree possible, I studied the
process of making this cloth. The native requisitioned for the
purpose arrived, carrying a log between two and three yards long and
as thick as his thigh, and nothing else except a curiously-shaped
mallet and the usual long, sharp and pointed knife which all men and
boys wear in a belt at their backs without a sheath—horribile dictu!
[51]
Silently he squats down before me, and with two rapid cuts has
drawn a couple of circles round the log some two yards apart, and
slits the bark lengthwise between them with the point of his knife.
With evident care, he then scrapes off the outer rind all round the
log, so that in a quarter of an hour the inner red layer of the bark
shows up brightly-coloured between the two untouched ends. With
some trouble and much caution, he now loosens the bark at one end,
and opens the cylinder. He then stands up, takes hold of the free
edge with both hands, and turning it inside out, slowly but steadily
pulls it off in one piece. Now comes the troublesome work of
scraping all superfluous particles of outer bark from the outside of
the long, narrow piece of material, while the inner side is carefully
scrutinised for defective spots. At last it is ready for beating. Having
signalled to a friend, who immediately places a bowl of water beside
him, the artificer damps his sheet of bark all over, seizes his mallet,
lays one end of the stuff on the smoothest spot of the log, and
hammers away slowly but continuously. “Very simple!” I think to
myself. “Why, I could do that, too!”—but I am forced to change my
opinions a little later on; for the beating is quite an art, if the fabric is
not to be beaten to pieces. To prevent the breaking of the fibres, the
stuff is several times folded across, so as to interpose several
thicknesses between the mallet and the block. At last the required
state is reached, and the fundi seizes the sheet, still folded, by both
ends, and wrings it out, or calls an assistant to take one end while he
holds the other. The cloth produced in this way is not nearly so fine
and uniform in texture as the famous Uganda bark-cloth, but it is
quite soft, and, above all, cheap.
Now, too, I examine the mallet. My craftsman has been using the
simpler but better form of this implement, a conical block of some
hard wood, its base—the striking surface—being scored across and
across with more or less deeply-cut grooves, and the handle stuck
into a hole in the middle. The other and earlier form of mallet is
shaped in the same way, but the head is fastened by an ingenious
network of bark strips into the split bamboo serving as a handle. The
observation so often made, that ancient customs persist longest in
connection with religious ceremonies and in the life of children, here
finds confirmation. As we shall soon see, bark-cloth is still worn
during the unyago,[52] having been prepared with special solemn
ceremonies; and many a mother, if she has no other garment handy,
will still put her little one into a kilt of bark-cloth, which, after all,
looks better, besides being more in keeping with its African
surroundings, than the ridiculous bit of print from Ulaya.
MAKUA WOMEN

Etextbook 978 1111138059 Principles of Incident Response and Disaster Recovery

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Etextbook 978 1111138059 Principles of Incident Response and Disaster Recovery

Uploaded by

Copyright:

Available Formats

eTextbook 978-1111138059 Principles

of Incident Response and Disaster

Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Forming the Disaster Recovery Team. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Real-World Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430

Crisis Management Critical Success Factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485

New to This Edition

Text and Graphic Conventions

Notes present additional helpful material related to the subject being

Technical Details boxes provide additional technical information on informa-

An ounce of prevention is worth a pound of cure. —Benjamin Franklin

Upon completion of this material, you should be able to:

Opening Case Scenario: Pernicious Proxy Probing

Storage Processing Transmission Storage Processing Transmission

In summary, information security (InfoSec) is the protection of the confidentiality, integrity,

Key Information Security Concepts

Threat Category 2010 Ranking Prior Ranking

Human error or failure 3 3

Compromises to intellectual property 5 9

Technical software failures or errors 7 2

Technical hardware failures or errors 8 6

Deviations in quality of service from service providers 10 10

Software Attacks Deliberate software attacks occur when an individual or group

Human Error or Failure This threat category includes acts performed by an

Compromises to Intellectual Property Many organizations create or support the

Of equal concern is the exfiltration, or unauthorized removal of information, from an

Sabotage or Vandalism This threat category involves the deliberate sabotage of a

Technical Hardware Failures or Errors Technical hardware failures or errors

Deviations in Quality of Service by Service Providers This threat category

Technological Obsolescence This threat category involves antiquated or outdated

Information Extortion The threat of information extortion is the possibility that an

is common in credit card number theft. Unfortunately, organized crime is increasingly

Type of Attack or Misuse 2010/11 2008 2006 2004 2002 2000

Being fraudulently represented as sender of 39% 31% (new category)

Laptop/mobile hardware theft/loss 34% 42% 47% 49% 55% 60%

Bots/zombies in organization 29% 20% (new category

Denial of service 17% 21% 25% 39% 40% 27%

Unauthorized access or privilege escalation 13% 15% (revised category)

Password sniffing 11% 9% (new category)

System penetration by outsider 11% (revised category)

Exploit of client Web browser 10% (new category)

Newala, too, suffers from the distance of its water-supply—at least

The water-supply of New Newala is in the bottom of the valley,

NATIVE PATH THROUGH THE MAKONDE BUSH, NEAR

MAKONDE LOCK AND KEY AT JUMBE CHAURO

MODE OF INSERTING THE KEY

With no small pride first one householder and then a second

Some consolation was afforded me by a brassfounder, whom I

SMOOTHING WITH MAIZE-COB

CUTTING THE EDGE

LAST SMOOTHING BEFORE

FIRING THE BRUSH-PILE

TURNING THE RED-HOT VESSEL

NYASA WOMAN MAKING POTS AT MASASI

DRAWING THE BARK OFF THE LOG

REMOVING THE OUTER BARK

WORKING THE BARK-CLOTH AFTER BEATING, TO MAKE IT

MANUFACTURE OF BARK-CLOTH AT NEWALA

You might also like