Incident Manager: | Our Incident Manager handles both minor events and the more significant incidents that happen in data centers. | Continuous monitoring takes place: any unusual behaviour is recorded as an event, and any event that could impact the business is escalated to an incident. | The Service Incident and Event Management (SIEM) system is the application used to record every incident and to manage its life cycle through to closure. In this document SIEM refers to that incident record system, not to a Security Information and Event Management log-correlation product, which happens to share the acronym. |
Service Incident and Event Management: | Minor events and more significant incidents are documented in a database from which information cannot be deleted or lost. | Even an incident that happened a year ago can still be investigated alongside a current incident to identify common patterns that may indicate fraud. | Every investigation has the goal of discovering the root cause, but not every incident can be traced back to a single factor that can be eliminated or avoided. |
Proactive Support: | By continually monitoring what people do and by trapping every user error message, support has become proactive: the user can be contacted before the user needs to raise a support request. | Online chat and webinars provide real-time tuition to users where it is applicable. | Regular calls to each user also improve the ability to cross-sell other services. |
Priorities: | All application services are automatically monitored, so any high-priority incident will already be known and people will already be working on how to circumvent the issue. | Where an application service does not work the way a person expects it to work, the specification may need to be revised to match exactly what that person wants it to do. It can take time for stability to evolve to the point where the documented specification of every procedure matches exactly how the business wants to work. As a policy: it is not the business that needs to adapt to how the service works; it is the role of the service to adapt to match what is needed. |
SIEM Incident Record: | 1. Unique ID of the Incident (usually allocated automatically by the system) | 2. Date and time of recording | 3. Service Desk agent responsible for the registration | 4. Method of notification | 5. Caller/user data | 6. Callback method | 7. Description of symptoms | 8. Affected users/business areas | 9. Affected service(s) | 10. Prioritization, a function of the following components: | . 1. Urgency (time available until the Incident must be resolved), e.g. | .. 1. Up to 0.5 hrs | .. 2. Up to 2.0 hrs | .. 3. Up to 6.0 hrs | . 2. Degree of severity (damage caused to the business), e.g. | .. 1. High (interruption to critical business processes) | .. 2. Normal (interruption to the work of individual employees) | .. 3. Low (hindrance to the work of individual employees; work can continue by means of a workaround) | . 3. Priority (for example in stages 1, 2 and 3): the result of combining urgency and degree of severity | 11. Relationships to CIs (configuration items) | 12. Product category, usually selected from a category tree, for example: | . 1. Client PC | .. 1. Standard configuration 1 | .. 2. ... | . 2. Printer | .. 1. Manufacturer 1 | .. 2. ... | 13. Incident category, usually selected from a category tree, for example: | . 1. Hardware error | . 2. Software error | . 3. ... | 14. Links to related Incident Records (if a similar outstanding Incident exists to which the new Incident can be attributed) | 15. Links to related Problem Records (if any outstanding Problems exist to which the new Incident can be attributed) | 16. Activity log | . 1. Date and time | . 2. Person in charge | . 3. Description of activities | 17. Resolution and closure data | . 1. Resolution time and date | . 2. Closure time and date | . 3. Closure categories (if required, revised product and Incident categorizations) |
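The prioritisation rule in field 10 is the one piece of logic in this record that is easy to get wrong, so it is worked through in code here. This is an added example rather than the provider's SIEM software: the three urgency bands, the three severity levels, the 3x3 priority matrix, the class and function names and the constructed incident in demo() are all assumptions.

```python
"""Incident record with the prioritisation rule from the SIEM field list above.

Added example, not the provider's own SIEM code. Priority is derived from
urgency and severity as the field list describes; the three urgency bands,
three severity levels and the 3x3 priority matrix are assumptions chosen to
match that list, and the activity log is deliberately append-only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count
from typing import List, Optional, Tuple

# Urgency: hours available until the incident must be resolved -> band 1..3.
URGENCY_BANDS = ((0.5, 1), (2.0, 2), (6.0, 3))   # (upper limit in hours, band)

SEVERITY = {"high": 1, "normal": 2, "low": 3}    # 1 is the most damaging

# Assumed priority matrix: PRIORITY_MATRIX[urgency band][severity] -> 1..3.
# P1 needs both a tight deadline and real business damage.
PRIORITY_MATRIX = {
    1: {1: 1, 2: 1, 3: 2},
    2: {1: 1, 2: 2, 3: 3},
    3: {1: 2, 2: 3, 3: 3},
}

def urgency_band(hours_to_resolve: float) -> int:
    """Map the time available until resolution onto urgency band 1, 2 or 3."""
    for limit, band in URGENCY_BANDS:
        if hours_to_resolve <= limit:
            return band
    return 3   # anything beyond 6 hours is still the lowest urgency band

def compute_priority(hours_to_resolve: float, severity: str) -> int:
    """Priority 1 (highest) to 3 from the combination of urgency and severity."""
    return PRIORITY_MATRIX[urgency_band(hours_to_resolve)][SEVERITY[severity]]

_next_id = count(1)   # stands in for the system-allocated unique ID

def _now() -> datetime:
    return datetime.now(timezone.utc)

@dataclass
class Incident:
    symptoms: str
    hours_to_resolve: float
    severity: str
    affected_services: List[str]
    agent: str                                  # service desk agent who registered it
    id: int = field(default_factory=lambda: next(_next_id))
    recorded_at: datetime = field(default_factory=_now)
    activity: List[Tuple[datetime, str, str]] = field(default_factory=list)
    related_incidents: List[int] = field(default_factory=list)
    resolved_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None

    @property
    def priority(self) -> int:
        return compute_priority(self.hours_to_resolve, self.severity)

    def log(self, person: str, description: str) -> None:
        """Append to the activity log; there is intentionally no way to remove entries."""
        self.activity.append((_now(), person, description))

    def resolve(self, person: str, note: str) -> None:
        self.resolved_at = _now()
        self.log(person, "resolved: " + note)

    def close(self, person: str) -> None:
        """Closure is only valid once a resolution has been recorded."""
        if self.resolved_at is None:
            raise ValueError("incident %d has no resolution yet" % self.id)
        self.closed_at = _now()
        self.log(person, "closed")

def demo() -> Incident:
    """Constructed walk-through of one record's life cycle."""
    inc = Incident("login page returns HTTP 500", hours_to_resolve=0.5,
                   severity="high", affected_services=["Eliza web"], agent="desk-07")
    inc.log("desk-07", "registered via monitoring alert")
    inc.resolve("ops-02", "traffic switched to alternative data center")
    inc.close("desk-07")
    return inc
```

A practitioner would keep the priority matrix in configuration rather than code, but the properties that matter are the ones shown: priority is never entered by hand, and the activity log can be appended to but never edited or trimmed, which is what makes a year-old record usable as evidence in a later investigation.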
Incident Analysis: | 1. Equipment Failure. | 2. System Software Vulnerability. | 3. Distributed Denial of Service (DDoS) Attack. | 4. Open Web Application Security Project (OWASP) Attack, i.e. the application-layer attack classes that OWASP catalogues. | 5. Upload File Attack. | 6. Email Link Attack. | 7. Email Attachment Attack. | 8. Download Program Attack. | 9. Document Attack. | 10. Phishing Attack. |
Equipment Failure: | 1. A data center equipment (server) failure is expected and has a planned incident response process. Within a rack, very few single points of failure exist and equipment is replaced every 32 months, but failures can still happen. | 2. The status of the affected data center is switched from Production to Disabled. All network traffic is switched to an alternative data center with a status of Production. It is expected that only a few approved people, if any, will notice a delay in the "saved" message following a data entry event. | 3. The equipment that has failed is replaced on a like-for-like basis within the next 32 hours. The replaced equipment is broken down and recycled. | 4. The data center with a status of Disabled is switched to Test and penetration trials are performed for the next 32 hours. When the penetration trials have verified that the data center is operating as expected, its status is switched from Test to Production. As part of the switch to Production status, all data is synchronised with the other production data centers. | 5. An objective is to ensure that Eliza never stops and cannot be stopped by any kind of equipment failure in any data center. A large number of data centers have a status of Production at any point in time. Pseudonymised and Replicated Encrypted Data (PARED) is shared in real time by all data centers with a status of Production. |
System Software Vulnerability: | 1. Each data center runs a different set of system software, so a vulnerability in one data center may not affect the others. Some protocols, such as HTTPS/TLS, are used by every data center, so a vulnerability in such a protocol affects them all; vulnerabilities are therefore expected and have a planned incident response process. | 2. The status of the vulnerable data center is switched from Production to Disabled. All network traffic is switched to an alternative data center with a status of Production. | 3. The equipment with vulnerable system software is replaced on a like-for-like basis with equipment carrying patched system software. The replaced equipment has its system software patched and tested off-site so that it is ready to be reused in other data centers. System software is never patched in place on equipment installed in a data center. | 4. The data center with the new equipment installed is switched to Test and penetration trials are performed for the next 32 hours. When the penetration trials have verified that the data center is operating as expected, its status is switched from Test to Production. As part of the switch to Production status, all data is synchronised with the other production data centers. | 5. An objective is to ensure that Eliza never stops and cannot be stopped by any kind of system software vulnerability in any data center. One data center at a time has its equipment replaced with patched and tested equipment, while the business continues to be served by the other data centers. |
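Steps 2 to 4 of both procedures above are the same Production to Disabled to Test to Production cycle, so one model serves both. The following is an added example, not the provider's own tooling; the Fleet class, its method names, the minimum of two Production sites and the use of the 32-hour test window from the text are assumptions.

```python
"""Data center status life cycle shared by the equipment failure and vulnerability procedures.

Added example, not the provider's own tooling. It models the three statuses
named above (Production, Disabled, Test) and enforces the invariants the
procedure relies on: only one data center is out of Production at a time, a
minimum number stay in Production, and a data center returns to Production
only after the full test window with no failed penetration trial, at which
point it is marked as synchronised. The class, the 32-hour window and the
minimum of two production sites are assumptions.
"""
from enum import Enum
from typing import Dict, List

TEST_WINDOW_HOURS = 32.0

class Status(Enum):
    PRODUCTION = "Production"
    DISABLED = "Disabled"
    TEST = "Test"

class Fleet:
    def __init__(self, names: List[str], min_production: int = 2):
        self.status: Dict[str, Status] = {n: Status.PRODUCTION for n in names}
        self.min_production = min_production
        self.test_hours: Dict[str, float] = {}
        self.failed_trials: Dict[str, int] = {}
        self.traffic = set(names)        # data centers currently receiving traffic
        self.synced = set(names)         # data centers holding current replicated data

    def production(self) -> List[str]:
        return sorted(n for n, s in self.status.items() if s is Status.PRODUCTION)

    def _expect(self, name: str, status: Status) -> None:
        if self.status[name] is not status:
            raise RuntimeError(f"{name} is {self.status[name].value}, not {status.value}")

    def disable(self, name: str) -> List[str]:
        """Step 2: Production -> Disabled; traffic moves to the remaining Production sites."""
        self._expect(name, Status.PRODUCTION)
        if len(self.production()) != len(self.status):
            raise RuntimeError("another data center is already out of Production")
        if len(self.production()) - 1 < self.min_production:
            raise RuntimeError("too few data centers would remain in Production")
        self.status[name] = Status.DISABLED
        self.traffic.discard(name)
        self.synced.discard(name)        # its data goes stale while it is out
        return self.production()

    def replace_equipment(self, name: str) -> None:
        """Step 3: like-for-like replacement; Disabled -> Test starts the trial clock."""
        self._expect(name, Status.DISABLED)
        self.status[name] = Status.TEST
        self.test_hours[name] = 0.0
        self.failed_trials[name] = 0

    def record_trial(self, name: str, hours: float, passed: bool) -> None:
        """Step 4: accumulate penetration trial time and outcomes while in Test."""
        self._expect(name, Status.TEST)
        self.test_hours[name] += hours
        if not passed:
            self.failed_trials[name] += 1

    def promote(self, name: str) -> List[str]:
        """Test -> Production only after the full window with no failures; resync data."""
        self._expect(name, Status.TEST)
        if self.test_hours[name] < TEST_WINDOW_HOURS:
            raise RuntimeError(f"only {self.test_hours[name]:g} of {TEST_WINDOW_HOURS:g} test hours done")
        if self.failed_trials[name]:
            raise RuntimeError(f"{self.failed_trials[name]} penetration trial(s) failed")
        self.status[name] = Status.PRODUCTION
        self.synced.add(name)            # data synchronised with the other production sites
        self.traffic.add(name)
        return self.production()
```

The point of encoding the cycle this way is that the dangerous transitions (taking a second site out, or promoting before the trials are complete) are refused by the model rather than left to an operator's memory; the real switch-over of traffic and the data resynchronisation would hang off the same two methods.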
Server Rack Integrity: | 1. The majority of the time, no person is permitted access to any server rack. Servers have no screen, no keyboard, no USB ports, no VGA ports, no audio ports and no other ports except Ethernet. | 2. The pair of engineers who are granted access to a server rack are permitted to replace one piece of equipment on a like-for-like basis. The rack is powered off before the engineers arrive and powered on after the engineers depart; no testing is done on-site. | 3. Data center management ensure that the pair of engineers are only permitted to replace like-for-like equipment in the correct rack. No single engineer is permitted into a server room alone. |
Open Web Application Security Project (OWASP) Attack: | 1. The majority of attacks are those identified and classified by OWASP, such as a brute force attack or an SQL injection attack. Many hundreds of such attacks have taken place every day for the past twenty years without a single data breach. | 2. The primary defence against OWASP-classified attacks is a first-class hardware, network and software architecture. The elimination of application programming was the single most important improvement, as it countered most attack methods. A Single Application Program policy is deployed that reduces the attack surface so that only one program, called Eliza, needs to be defended. | 3. Eliza is the artificial intelligence assistant that operates in every data center and provides every Bespoke Application Service. Eliza validates and sanitizes every input field value and transaction so that an attack script cannot get into a server. | 4. Eliza encrypts every field value before it is stored, so where a criminal tries to enter malware into a field it is stored as ciphertext that is never interpreted or executed. Eliza does not permit application programs to be executed, so a malware program has no way to operate. | 5. Eliza encrypts every URL with many different methods that continually evolve, so the criminal cannot comprehend what is happening. A series of transactions that worked one day may be recorded by a criminal, but replaying those transactions will never work because the encryption methods will have changed. |
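Point 3 says every input field value is sanitized so that an attack script cannot get into a server. The SQL injection case that OWASP catalogues shows concretely what that protection has to achieve. The following is an added example and is not Eliza's code: it uses the standard-library sqlite3 module with constructed rows and a constructed payload, and the table, the allowlist pattern and the function names are assumptions.

```python
"""The injection case from the OWASP list: input spliced into a query versus bound as data.

Added example, not Eliza's code. It uses the standard-library sqlite3 module
and constructed sample rows. `lookup_unsafe` builds the statement by string
concatenation and is the vulnerable form; `lookup_safe` binds the value as a
parameter, so the identical attack string is handled as opaque data and
matches nothing; `validate_username` is the allowlist check applied to the
field before it is used at all. Table, rows and payload are constructed.
"""
import re
import sqlite3
from typing import List, Tuple

# Classic tautology payload, constructed for the demonstration.
ATTACK = "' OR '1'='1"

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (username TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO account VALUES (?, ?)",
                   [("alice", 120), ("bob", 75), ("carol", 300)])
    return db

def lookup_unsafe(db: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """VULNERABLE: the caller's text becomes part of the SQL grammar."""
    sql = "SELECT username, balance FROM account WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Parameter binding: the statement and the value travel separately."""
    return db.execute("SELECT username, balance FROM account WHERE username = ?",
                      (username,)).fetchall()

def validate_username(value: str) -> str:
    """Allowlist check on the field value itself, independent of how it is later used."""
    if not USERNAME_RE.match(value):
        raise ValueError("username contains characters outside the allowed set")
    return value

def lookup(db: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Both layers together: reject malformed input, then query with a bound parameter."""
    return lookup_safe(db, validate_username(username))
```

With the payload, lookup_unsafe returns every row because the quote closes the literal and the OR clause is always true; lookup_safe returns nothing because the whole string is compared as a username. Field validation is the second layer: it stops the payload at the edge, so that even a code path that forgot to bind parameters would never see it.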
Three Tier Architecture: | 1. The finest minds in the world have designed the Three-Tier Architecture as the most secure hardware solution that can be devised:- | (1) Web Servers are wired in parallel and driven by a load-balancing firewall. Any single web server can fail and the application service continues to be provided. No data is stored on a web server. | (2) Application Servers in parallel are connected via a router to the web servers. No application server is connected to the Internet, so a criminal cannot reach it directly; it can only be reached through the web tier. Any single application server can fail and the application service continues to be provided. | (3) The Database Server is connected via a router to the application servers. No database server is connected to the Internet, so it likewise cannot be reached directly by a criminal. Rotating disks have been replaced with flash disks for performance reasons. | 2. A Bastion server connects to each server so that data stored on a server can be updated in real time. | 3. An Email server is separate from the secure three-tier architecture, but encrypted messages can flow via the Bastion server. | 4. Each rack of servers is powered from batteries, and those batteries are charged using solar and green off-peak energy. | 5. Each data center replicates the same architecture; however, different physical hardware vendors' equipment and different system software will be used. The days of all equipment being sourced from IBM have evolved into sourcing whatever is the best hardware at the time it is purchased. The days of all system software being IBM WebSphere have evolved into sourcing whatever is the best system software at the time it is needed. | 6. A critical security factor is that the key application and database servers are not connected to the Internet and can only be accessed via other servers using secure protocols. A critical privacy factor is that the business data is encrypted and replicated, so it cannot be stolen and cannot be lost. |
Upload File Attack: | 1. It is a fact that approved people will use computers that are infected with malware and will upload files that are infected with that malware. While it would be nice if all approved people could be prevented from being infected with malware, an incident response must exist for the threat. | 2. Uploaded file types are limited so as to purposefully exclude file types such as XLS that are likely to be infected. Any XLS file can be saved as a CSV, HTML or PDF file that will not contain a macro virus. This safeguard is not there to protect the servers, but to protect other approved people who try to access an uploaded file that may be infected. | 3. The physical storage size of an uploaded file dictates the network capacity needed to upload and download that file. A phone may take a photo with a JPG size of 25 MB, the equivalent of one thousand web pages. The network could be blocked for many minutes while such a photo is uploaded, and the network would be blocked again each time a person tries to view or download the photo, a delay for everybody on the network equivalent to 1000 pages being viewed. This safeguard is not there to protect the server network, but to protect approved people's networks when they access the uploaded file. | 4. Servers are protected from any kind of upload attack because no application programs can run on a server, so no uploaded file can be opened in a way that causes a virus or malware infection. Servers are located in Tier-4 data centers that provide the Internet backbone, so network speeds are considerably faster than any approved person's network. |
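Points 2 and 3 describe two safeguards on uploads, a type allowlist and a size limit. Below is an added example of how a receiving service would apply both before storing a file; it is not the provider's own code, and the 5 MB cap, the allowlist, the signature table and the sample byte strings are assumptions. It checks the leading bytes as well as the name, because a renamed XLS is still an OLE2 container.

```python
"""Checks on an uploaded file before it is stored or offered to other approved people.

Added example, not the provider's code. It applies the two safeguards above:
a file-type allowlist that excludes macro-capable Office formats, checked
against the file's leading bytes rather than the supplied name alone, and a
size cap. The allowlist, the 5 MB cap, the magic-byte table and the sample
byte strings are assumptions.
"""
from typing import Tuple

MAX_BYTES = 5 * 1024 * 1024

# Allowed extension -> leading bytes a genuine file of that type starts with.
# Text types have no signature and are checked for being plain UTF-8 instead.
ALLOWED = {
    "pdf": (b"%PDF-",),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "csv": (),
    "txt": (),
}

# Signatures rejected whatever the file is called.
BLOCKED = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 container (legacy XLS/DOC, macro-capable)",
    b"PK\x03\x04": "ZIP container (xlsx/docx/jar)",
    b"MZ": "Windows executable",
    b"\x7fELF": "ELF executable",
}

class UploadRejected(ValueError):
    pass

def check_upload(filename: str, data: bytes) -> str:
    """Return the accepted type, or raise UploadRejected with the reason."""
    if len(data) > MAX_BYTES:
        raise UploadRejected(f"{len(data)} bytes exceeds the {MAX_BYTES} byte limit")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise UploadRejected(f"type '{ext}' is not in the allowlist")
    for magic, reason in BLOCKED.items():
        if data.startswith(magic):
            raise UploadRejected(f"content is a {reason} despite the .{ext} name")
    signatures = ALLOWED[ext]
    if signatures:
        if not any(data.startswith(s) for s in signatures):
            raise UploadRejected(f"content does not carry a {ext} signature")
    else:
        if b"\x00" in data:
            raise UploadRejected("text type contains NUL bytes")
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text type is not valid UTF-8") from None
    return ext

def classify(filename: str, data: bytes) -> Tuple[str, str]:
    """('accepted', type) or ('rejected', reason), for logging rather than raising."""
    try:
        return "accepted", check_upload(filename, data)
    except UploadRejected as exc:
        return "rejected", str(exc)
```

PDF and image files are allowed here because they carry no Office macro, but PDF readers and image decoders have had vulnerabilities of their own, so this allowlist protects other approved people only as far as their viewers are kept patched; the size check is cheap and is done first so an oversized file is never read further.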
Email Link Attack: | 1. Eliza, data centers and servers will never need to click on an email link that may open a malware-infected web page. Eliza, data centers and servers cannot be attacked by an email link. | 2. People are advised to copy email links and paste them into their browser so that the address can be verified before it is visited; the visible text of a link need not match the address it actually points to. Any email that was not expected is likely to be a phishing attack. Any email with a link that was not expected is likely to be a malware attack. | 3. Email is no longer fit for purpose and should be phased out and replaced with Business Message Services that cannot be used by criminals. | 4. The vast majority of data breaches in the world are associated with private email servers that are not backed up in a safe and secure way. As a policy, all emails to the Application Service Provider shall be physically deleted within a few hours of receipt. |
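Point 2 advises verifying an address before it is visited because the visible text of a link and its real target are independent. The following is an added example of automating that check over the anchors in an HTML message; it is not the provider's tooling, and the sample message, the hosts in it and the function names are constructed.

```python
"""Spotting deceptive links in an HTML email before anyone clicks them.

Added example, not the provider's tooling. It parses the anchors out of an
HTML message and flags a link when the text shown to the reader is itself a
URL or hostname that does not match the host the href really points to, when
the href host is punycode (an IDN look-alike), or when it is a bare IP
address. The sample message and the hosts in it are constructed.
"""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that a reader would take to be an address.
HOSTLIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#].*)?$", re.I)

def host_of(value: str) -> str:
    """Lower-cased host of a URL or bare hostname, with a leading 'www.' dropped."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def suspicious(href: str, text: str) -> Optional[str]:
    """Reason the link is deceptive, or None if nothing stands out."""
    real = host_of(href)
    if not real:
        return "href has no host"
    try:
        ipaddress.ip_address(real)
        return f"link goes to a bare IP address {real}"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in real.split(".")):
        return f"link host {real} is punycode (possible look-alike domain)"
    if HOSTLIKE.match(text):
        shown = host_of(text)
        if shown and shown != real and not real.endswith("." + shown):
            return f"text shows {shown} but link goes to {real}"
    return None

def scan_email(html: str) -> List[Tuple[str, str, str]]:
    """(href, text, reason) for every flagged link in the message."""
    parser = _Anchors()
    parser.feed(html)
    return [(href, text, reason) for href, text in parser.links
            if (reason := suspicious(href, text)) is not None]

# Constructed sample message: one honest link and three deceptive ones.
SAMPLE = """
<p>Review your account at
  <a href="http://example.com.evil-login.test/verify">https://example.com/account</a>.</p>
<p>Guide: <a href="https://docs.example.com/guide">docs.example.com</a></p>
<p>Invoice: <a href="http://203.0.113.9/inv.pdf">Invoice</a></p>
<p>Help: <a href="https://xn--exmple-cua.com/">example.com</a></p>
"""
```

The first sample link is the classic prefix trick (the real domain is evil-login.test, with example.com as a sub-label), the third hides behind an IP, and the fourth uses an accented look-alike that browsers display decoded. A link whose text is a plain word such as "Invoice" cannot be checked this way, which is exactly why the advice above is to paste the address and read it rather than trust the rendered text.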
Email Attachment Attack: | 1. Eliza, data centers and servers will never need to open an attachment that may contain malware. Eliza, data centers and servers cannot be attacked by an email attachment. | 2. People who do not want to be responsible for infecting others are advised to avoid using email attachments. People who do not want their computer to be infected with malware are advised not to open an email attachment. | 3. Email is no longer fit for purpose and should be phased out and replaced with Business Message Services that cannot be used by criminals. | 4. Security people in the know will send an email to themselves via Google and/or Microsoft, where most malware will be caught and blocked. As a policy, all email attachments sent to the Application Service Provider shall be re-sent via a Google mail address to make sure they are harmless. Emails should only be processed on cheap (£49) expendable smart phones, so that when they get infected they can be restored to factory settings. | 5. Email attachment files in an Office file format must be saved as safe CSV or TXT files using a free-of-charge "reader" on a smart phone; Office shall not be used on any production computer. Not only may some attachment files contain virus malware, but a proprietary file format may not be readable in a few years' time. |
Download Program Attack: | 1. Virtually every virus, trojan, ransomware and malware infection arrives as a downloaded application program. Stopping such infections is therefore simple in principle: prohibit every application program download. | 2. Every application service that is needed can now be provided using modern online services that have replaced every obsolete application program. People who choose to keep using obsolete application programs have chosen to be infected by malware from time to time. People who choose to use modern application services have chosen never to be infected by malware. | 3. Data center servers are configured to prevent application programs from being executed, so malware cannot run. Data center servers are configured to prevent programs from being downloaded, so malware cannot get in. | 4. Never imagine that any anti-virus application program could possibly stop all malware: it can only prevent some known malware from running. Anti-virus programs may be malware in their own right, and their daily updates can themselves be a channel for criminal attacks. |
Document Attack: | 1. Every document that flows from computer to computer is both a data leak and an attack method. Documents that contain private, confidential, sensitive or personal information must be encrypted to prevent a very expensive data breach. | 2. Documents that leak business data from computer to computer will eventually be discovered, and the ICO should impose maximum fines for such incompetent trading. Paper documents must be kept in a safe, locked place, with records kept as evidence of who accessed those paper documents and when. Where access evidence is not maintained in a professional way, very high fines will be imposed by the ICO to prevent such illegal behaviour. Where the reason for such bad behaviour is "we have always done it like that", the fine should be doubled, as the incompetence is endemic and such companies must be stopped from trading. | 3. Many kinds of documents can carry macro virus infections such as ransomware. Every company infected by ransomware chose to trade using documents that could contain ransomware and could spread that ransomware to other people. The company could have evolved from twenty-year-old document technology to encrypted application services, but chose to trade with the unjust advantage of using obsolete technology. Unjust enrichment is an extra fine imposed by the ICO on companies that choose to trade using such old technology rather than encrypted technology. |
Phishing Attack: | 1. Every criminal attack begins with a lot of silent phishing to gather intelligence on the target person or persons. It does not take long to gather information about the person's family, their holidays, their lifestyle, their salary range, their hobbies and their special interests. | 2. Once a network of a person's contacts has been mapped, it becomes practical to impersonate some of those contacts to see what extra intelligence can be accumulated, even if it takes a few years. A criminal network may be phishing many thousands of people at the same time, so one email a month from a fake contact will go unchallenged. A phishing phone call each month from a long-lost acquaintance or a known contact will identify when the person is most under pressure to respond with a quick reply. | 3. Criminals have identified that many intelligent people have an attention span of a few minutes, so an expected email with a link to a relevant topic will be clicked on a Friday but not on a Monday. Criminals can pretend to be lots of other people, and while it may take months or years, eventually the person will disclose something important on the phone or in an email. Once any sensitive information is disclosed, more will be disclosed in a blackmail cycle. | 4. Every phone call and email is copied and processed by agencies in all parts of the world. What is legally said in one culture may become illegal in other cultures in the future. What is said and written will be recorded and can be used against that person in the future. By definition, every phone call and email is a data leak. Private, confidential and sensitive business information must never be leaked by phone or email. | 5. Most people have already had their identity stolen, so any phone call or email must be assumed to be a phishing attack until evidence can be found to the contrary. It is relatively easy for a criminal to use the forgotten-password procedure to take control of another person's email address. Criminals understand that it is easy to fake the "from" address so that an email looks as if it came from one of the person's known contacts. |
Virtualisation: | 1. Most data centers are merging many physical servers into a massive server that acts as many virtual servers. At the current time, virtualisation may be cost effective, but it does not increase availability, reliability or security. | 2. At the current time, a large number of small, simple servers are used, each locked down to do one and only one job. By running many simple servers in parallel, in the event that a server fails the other servers continue to provide the application service with no interruption. | 3. By minimising the system software running on each server and stopping all ancillary services, the performance of a server is maximised, its security is maximised and it is easy to keep cool. Keep It Simple means that virtualisation is not able to provide any business benefit where non-stop operation is so critical. | 4. In every piece of research we have reviewed, a large number of very simple servers working in parallel delivers better non-stop operation than any virtualised solution. Virtualisation may have benefits where the transaction load is very variable or where short bursts of massive processing power are needed, but for Bespoke Application Services a large number of very simple servers has better availability and reliability. |
Insider Threat: | 1. External criminals have been prevented from doing any harm to any Bespoke Application Service for more than twenty years. Threat analysis shows that internal people are a risk to be managed with these policies:- | (1) Need to Know. | (2) Least Privilege. | (3) Fragmentation. | (4) Duty of Care. | 2. Internal people are managed on a strict need-to-know basis. The majority of people who keep data centers operational do not need to know who the customers are or who the approved people are. Designers, developers, testers and configuration people do not need to know who the customers are or who the suppliers are. | 3. Least privilege is implemented so that internal people only have the rights to do what it says in their job title and nothing else. A handful of people in Second Level Support, reporting to the Request Fulfilment Manager, may have rights similar to a customer's approved person, but no other person has the right to view any business data or function. Most internal people have very low levels of rights that give them shared access to their diary, their work schedule, their deliverables and nothing else. Least privilege means that most internal people have never seen a Bespoke Application Service and have no idea how to use it. System administration has been delegated to Eliza, so no person needs system administration rights. | 4. Fragmentation means that it takes three internal people working in different places to manage a new encryption key or to schedule equipment replacement. No one person has the right to make any significant decision that could impact the operation of the business; typically three people must cooperate to ratify any significant decision. Inside people can tell Eliza what system administration work to do, but more than one person needs to confirm the work package. | 5. The organisation has a duty of care to protect its internal people and their families from criminal attacks and threats. People are protected by publishing the fact that no one person can make any change to any aspect of the organisation: it takes three people in different places to access an encryption key. Where a criminal gang threatens to harm the child of a manager if certain business data is not disclosed, the executive can prove to the criminal that they do not have the ability to access any business data; they can only access encrypted data. The best protection the organisation can give to the child of a manager is the certainty that, no matter what blackmail is threatened, inside people do not have the ability to disclose any business data. | 6. Legal court orders are managed on a need-to-know basis; the majority of inside people do not even know who a customer is or what application services they may use. Executives have the evidence that they are not skilled or experienced enough to manually decrypt any physical data that has been stored. Managers can prove that, while Eliza is capable of using many different decryption methods to view business data, no person has the skills to carry out the decryption manually. A legal court order on a customer may be able to identify and compel an approved person who could sign in and access the business data that is the subject of the court order. |
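Fragmentation (point 4) and the duty-of-care argument in point 5 both rest on the same mechanism: a key that no one person can reach, and that three people in different places can reassemble. Threshold secret sharing is the standard cryptographic construction for this. The following is an added example using Shamir's scheme, not the provider's key-management code; the 521-bit Mersenne prime, the 3-of-5 split and the demonstration key are assumptions.

```python
"""Three people in three places to reach one key: threshold secret sharing.

Added example, not the provider's key-management code. Shamir's scheme over a
prime field splits a key into n shares so that any k of them reconstruct it
while any k-1 reveal nothing about it; k = 3 matches the text above, where
three people in different places must cooperate. The 521-bit Mersenne prime,
the 3-of-5 split and the demonstration key are assumptions.
"""
import secrets
from typing import List, Tuple

P = (1 << 521) - 1          # prime field; keys up to 64 bytes fit below it

Share = Tuple[int, int]     # (x, f(x)) with x = 1..n identifying the holder

def split(secret: int, k: int, n: int) -> List[Share]:
    """Evaluate a random degree k-1 polynomial with constant term `secret` at x=1..n."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer below the field prime")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def recover(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0; correct only when at least k shares are given."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse
    return total

def split_key(key: bytes, k: int, n: int) -> List[Share]:
    return split(int.from_bytes(key, "big"), k, n)

def recover_key(shares: List[Share], length: int) -> bytes:
    return recover(shares).to_bytes(length, "big")

def demo() -> Tuple[bytes, bytes]:
    """Split a constructed 32-byte key 3-of-5 and reassemble it from holders 1, 3 and 5."""
    key = bytes(range(32))                  # demonstration key, not a real one
    shares = split_key(key, k=3, n=5)
    return key, recover_key([shares[0], shares[2], shares[4]], 32)
```

Each share is held by a different person at a different site. Two shares give no information about the key, since every candidate key is equally consistent with them, which is what lets an executive truthfully tell a blackmailer that they cannot decrypt anything alone. In practice the shares would be generated and combined inside a hardware security module so that the reassembled key never sits in ordinary memory on a machine any one person controls.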