Question

Further research the topic of "Security Incident Response" and write a report of at least 250 words that explains the need, purpose, execution, and review of an incident response action. Cite your references, please.

Homework Answers

Answer #1

Security Incident Response

When a security incident occurs, every second matters. Malware infections rapidly spread, ransomware can cause catastrophic damage, and compromised accounts can be used for privilege escalation, leading attackers to more sensitive assets. Whatever the size of your organization, you should have a trained incident response team tasked with taking immediate action when incidents happen.

Incident Response

Incident response is the structured methodology an organization uses to respond to and manage a cyberattack. A well-defined incident response plan allows you to effectively identify, minimize the damage, and reduce the cost of a cyber attack, while finding and fixing the cause to prevent future attacks. An incident response aims to reduce this damage and recover as quickly as possible. Investigation is also a key component in order to learn from the attack and better prepare for the future. Because many companies today experience a breach at some point in time, a well-developed and repeatable incident response plan is the best way to protect your company.

Why we need Incident Response

As cyberattacks increase in scale and frequency, incident response plans become more vital to a company’s cyber defenses. Poor incident response can alienate customers and trigger greater government regulation. Effective incident response is critical, regardless of your industry.

Depending on the severity of the breach, legal, press and executive management should be involved. In many cases, other departments such as customer service, finance or IT need to take immediate action. Your incident response plan should clearly state, depending on the type and severity of the breach, who should be informed. The plan should include full contact details and how to communicate with each relevant party, to save time in the aftermath of an attack.

The Incident Response Team

The company should look to their “Computer Incident Response Team (CIRT)” to lead incident response efforts. This team is comprised of experts from upper-level management, IT, information security, IT auditors when available, as well as any physical security staff that can aid when an incident includes direct contact to company systems. Incident response should also be supported by HR, legal, and PR or communications.

Incident Response Plan – Six Steps

1. Assemble your team – It’s critical to have the right people with the right skills, along with associated tribal knowledge. Appoint a team leader who will have overall responsibility for responding to the incident. This person should have a direct line of communication with management so that important decisions—such as taking key systems offline if necessary—can be made quickly.

In smaller organizations, or where a threat isn’t severe, your SOC team or managed security consultants may be sufficient to handle an incident. But for the more serious incidents, you should include other relevant areas of the company such as corporate communications and human resources.

If you have built a Security Incident Response Team, now is the time to activate your team, bringing in the entire range of pre-designated technical and non-technical specialists.

If a breach could result in litigation, or requires public notification and remediation, you should notify your legal department immediately.

2. Detect and ascertain the source. The IR team you’ve assembled should first work to identify the cause of the breach, and then ensure that it’s contained.

Security teams will become aware that an incident is occurring or has occurred from a very wide variety of indicators, including:

· Users, system administrators, network administrators, security staff, and others from within your organization reporting signs of a security incident

· SIEMs or other security products generating alerts based on analysis of log data

· File integrity checking software, using hashing algorithms to detect when important files have been altered

· Anti-malware programs

· Logs (including audit-related data), which should be systematically reviewed to look for anomalous and suspicious activity with:

    · Users

    · External storage

    · Real-time memory

    · Network devices

    · Operating systems

    · Cloud services

    · Applications

3. Contain and recover – A security incident is analogous to a forest fire. Once you’ve detected an incident and its source, you need to contain the damage. This may involve disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and installing security patches to resolve malware issues or network vulnerabilities. You may also need to reset passwords for users with accounts that were breached, or block accounts of insiders that may have caused the incident. Additionally, your team should back up all affected systems to preserve their current state for later forensics.

Next, move to any needed service restoration, which includes two critical steps:

a. Perform system/network validation and testing to certify all systems as operational.

b. Recertify any component that was compromised as both operational and secure.

Ensure your long-term containment strategy includes not only returning all systems to production to allow for standard business operation, but also locking down or purging user accounts and backdoors that enabled the intrusion.

4. Assess the damage and severity – Until the smoke clears it can be difficult to grasp the severity of an incident and the extent of damage it has caused. For example, did it result from an external attack on servers that could shut down critical business components such as e-commerce or reservation systems? Or, for example, did a web application layer intrusion perform a SQL Injection attack to execute malicious SQL statements on a web application’s database or potentially use a web server as a pathway to steal data from or control critical backend systems? If critical systems are involved, escalate the incident and activate your CSIRT or response team immediately.

In general, look at the cause of the incident. In cases where there was a successful external attacker or malicious insider, consider the event as more severe and respond accordingly. At the right time, review the pros and cons of launching a full-fledged cyber attribution investigation.

5. Begin the notification process – A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual. Privacy laws such as GDPR and California’s CCPA require public notification in the event of such a data breach. Notify affected parties so they can protect themselves from identity theft or other fallout from the disclosure of confidential personal or financial data. See Exabeam’s blog on how to create a breach notification letter in advance of a security incident.

6. Start now to prevent the same type of incident in the future – Once a security incident has been stabilized, examine lessons learned to prevent recurrences of similar incidents. This might include patching server vulnerabilities, training employees on how to avoid phishing scams, or rolling out technologies to better monitor insider threats. Fixing security flaws or vulnerabilities found during your post-incident activities is a given.

Also, review lessons learned from the incident and implement appropriate changes to your security policies with training for staff and employees. For example, if the attack resulted from an unwitting employee opening an Excel file as an email attachment, implement a company-wide policy and training on how to recognize and respond to a phishing email.

Lastly, update your security incident response plan to reflect all of these preventative measures.

Every organization will have different incident response steps based on their unique IT environment and business needs. Study industry guides such as those published by NIST to ensure your IR planning includes all the necessary incident response steps to protect your organization when a cybersecurity incident occurs.
