Time
3 hours 47 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Now we discuss at length Incident Response Procedures. You'll learn why it's critical to establish a formal process, how to capture, record and track incidents, and what that data can reveal. You'll also learn how incident reporting contributes to improved training and improved security practices, and what adverse impacts the lack of a sound incident response and reporting system would produce. [toggle_content title="Transcript"] This has to do with Incident Response Procedures. The first item we look at is preparation. Organizations should take care to put preparation steps in place. Usually, within the organization, the individuals that are to do incident response must be identified. This must be supported by management to ensure that specific individuals are chosen and prepared, properly trained, and equipped with tools and proper procedures to monitor incidents, identify incidents and respond to these incidents. Usually, within the organization, incident identification should be carried out effectively and efficiently so that incidents do not go undiscovered. When we have proper security training in place, incidents are carefully identified promptly so that they can be monitored, and if security controls need to be put in place, these controls are appropriately selected and put in place. The incident response personnel should also know when to escalate and notify other management entities. In certain cases, the incident they're responding to might be outside of their skill knowledge: you could have somebody trained on a Microsoft platform responding to an incident within a Unix or Linux platform. They would have to escalate because it is now beyond their skill level. And sometimes you want to take down a server, or you want to shut down a server or some critical component; you have to notify senior management.
The incident response personnel should have their notification trees, or call trees as we call them: phone numbers or e-mail addresses of the designated or significant individuals within management that must be notified when some of these incidents occur. It is not just the authority of the individual responding to justify shutting down some critical servers; management notification might be sought. Individuals that are responding to these incidents need to really understand when to escalate and when to notify senior management. The mitigation steps that need to be put in place should be understood by the security responders. The mitigation steps that will follow should follow best practice as to putting controls in place to mitigate incidents that might have occurred. They should know all the risks. They should identify all the controls, and where the controls are lacking or have been compromised, be able to find these controls and reactivate them. They need to understand what mitigation steps to put in place and in what sequence these steps should follow. After all incidents, the incident response teams need to sit down and do a lessons learned. What did we learn from this? How did it occur? Why did it occur? From the knowledge gathered from all the lessons learned effort, they can better come up with strategies to better secure the environment, strategies probably even for faster response, better response. The lessons learned is very important. You must always review. Do a review of what happened. How did it happen? When did it happen? Where did it happen? You want to review the conditions around the incident so that you can better identify controls that are lacking, controls that are weak, or controls that need to be adjusted to ensure these activities do not occur again. The incident response personnel also need to do careful reporting.
They need to do reporting such that it could be reporting within the organization, or it could also be reporting external to the organization. Maybe your shareholders need to be informed, your customers need to be informed, senior management needs to be informed, or the legal authorities could also need to be informed. The incident response personnel must be working with their legal department. They need to work with the legal department so as to be careful in what information they report out to the general public or their shareholders. Recovery procedures have to be identified so that we can follow best practice recovery procedures, be it recovering your data, your hardware, your infrastructure or your operating systems. The organization has to have a proper recovery plan. The recovery plan will be documented for the use of their response team so that they follow these procedures properly. Once the plan has been properly documented, it's translated to procedures, and these procedures should be followed to recover the organization in a secure manner. The first responders are the individuals that respond initially to any incidents when they occur. These individuals are identified and designated to do these activities. They should be properly trained to identify incidents and report incidents; they should know how to control or mitigate these incidents when they occur. Some of the things they need to look out for: has there been a data breach? If there's been a data breach, they need to know to what extent this data breach has occurred. They should review the logs. They should know: is it critical or noncritical information? Has there been personally identifiable information breached? They need to know. By carefully researching and reviewing the logs, they can tell the extent to which the data has been compromised within the organization. Further to that, they need to put damage and loss control in place by reviewing what has happened.
They need to prevent further damage and put loss control in place, be it: do we need to remove the server from the network, deactivate the system on the network, disconnect the Internet connection or even quarantine the systems? The incident response personnel should prevent further damage and put loss control in place. There might be some storage devices that need to be removed from the network; you have to disconnect these devices. This is how you could best respond to incidents, should they occur in your network environment. [/toggle_content]
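The first-responder steps described in the transcript (review the logs, determine how far a breach reached, check whether PII or critical data was involved, then contain and escalate) can be turned into a small triage script. The following is an added example written for this page, not course material or a vendor tool: it runs over a few constructed Apache-style access-log lines, and the PII path pattern, the critical-path prefixes, the containment steps and the notification tree are assumptions standing in for an organization's own data inventory, runbook and call tree.

```python
"""Breach scoping over web access logs: which records a suspect source reached,
whether PII was involved, and who must be notified. Added example; the data
classification and call tree below are assumptions, not a real organization's."""
import re

# Constructed sample log lines (Apache combined-log style), not a real capture.
# 203.0.113.7 is the suspect source; 198.51.100.4 is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /customers/1001/profile HTTP/1.1" 200 812
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "GET /customers/1002/profile HTTP/1.1" 200 798
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "GET /customers/1003/profile HTTP/1.1" 200 803
198.51.100.4 - - [10/Mar/2024:02:15:10 +0000] "GET /products HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:02:16:22 +0000] "GET /export/payroll.csv HTTP/1.1" 403 0
203.0.113.7 - - [10/Mar/2024:02:17:40 +0000] "GET /static/logo.png HTTP/1.1" 200 3200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed data classification (hypothetical paths). In practice this comes from
# the organization's data inventory: which URLs expose PII or critical data.
PII_RE = re.compile(r'^/customers/(?P<record>\d+)/profile$')
CRITICAL_PREFIXES = ('/export/', '/admin/')

# Assumed call tree: roles to notify at each severity (no real names or numbers).
NOTIFICATION_TREE = {
    'low': ['IT operations on-call'],
    'high': ['IT operations on-call', 'security manager'],
    'critical': ['IT operations on-call', 'security manager', 'CISO', 'legal counsel'],
}

# Assumed containment steps per severity, in the order they should be carried out.
CONTAINMENT = {
    'low': ['keep monitoring the source; no isolation needed'],
    'high': ['block the source address at the perimeter',
             'preserve the logs before anything is changed'],
    'critical': ['disconnect the affected server from the network',
                 'block the source address at the perimeter',
                 'preserve the logs and a disk image before any rebuild'],
}


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def scope_breach(log_text, suspect_ip):
    """Scope what suspect_ip reached. Only 2xx responses count as disclosure;
    a denied request (403, 404, ...) is recorded as an attempt, not a breach."""
    pii_records, critical_hits, denied = set(), [], []
    for e in parse_log(log_text):
        if e['ip'] != suspect_ip:
            continue
        served = e['status'].startswith('2')
        pii = PII_RE.match(e['path'])
        sensitive = pii is not None or e['path'].startswith(CRITICAL_PREFIXES)
        if pii and served:
            pii_records.add(pii.group('record'))
        elif sensitive and served:
            critical_hits.append(e['path'])
        elif sensitive:
            denied.append((e['path'], e['status']))
    if pii_records:
        severity = 'critical'   # PII disclosed: management and legal must be told
    elif critical_hits:
        severity = 'high'
    else:
        severity = 'low'
    return {
        'source': suspect_ip,
        'severity': severity,
        'pii_records': pii_records,
        'critical_hits': critical_hits,
        'denied': denied,
        'contain': CONTAINMENT[severity],
        'notify': NOTIFICATION_TREE[severity],
    }


if __name__ == '__main__':
    report = scope_breach(SAMPLE_LOG, '203.0.113.7')
    print(f"severity: {report['severity']}")
    print(f"PII records disclosed: {sorted(report['pii_records'])}")
    print(f"denied attempts: {report['denied']}")
    print("containment:", *report['contain'], sep='\n  ')
    print("notify:", *report['notify'], sep='\n  ')
```

Two points the transcript makes show up directly in the result: the 403 on the payroll export is kept as an attempt but does not raise the severity on its own, because nothing was disclosed, while three successful reads of customer profiles make the incident critical, which is exactly the case where the responder must stop and notify management and legal rather than act on their own authority.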

Video Transcription

00:04
This has to do with incident response procedures.
00:07
The first item we look at is preparation. Organizations should take care.
00:12
Put preparation steps in place. Usually, within the organization, the individuals that are to do incident response must be identified.
00:20
This must be supported by management to ensure that specific individuals are chosen and prepared, properly trained, equipped with tools and proper procedures to monitor incidents, identify incidents and respond to these incidents,
00:39
usually within the organization incident. Identification should be carried out effectively and efficiently so that incidents do not go
00:48
undiscovered.
00:49
when you have
00:51
proper security training in place, incidents are carefully identified
00:56
promptly such that they can be monitored, and if security controls need to be put in place, these controls are appropriately selected and put in place.
01:07
The incident response personnel should also know when to escalate and notify other management
01:15
entities.
01:18
In certain cases, the incident they're responding to might be outside of their skill knowledge. You could have somebody trained on a Microsoft platform responding to an incident within a UNIX or Linux platform. They would have to escalate because it is now beyond their skill level. And sometimes
01:38
you want to take down a server, or you want to shut down the server or some critical component.
01:42
You have to notify senior management. So the incident response personnel should have their notification trees, or call trees, as we call them:
01:53
phone numbers or email addresses of designated or significant individuals within management that must be notified when some of these incidents occur.
02:05
It is not just the authority of the individual responding to justify shutting down some critical servers, so management notification might be sought. So individuals that are responding to these incidents need to really understand when to escalate and when to notify senior management.
02:24
The mitigation steps
02:27
that need to be put in place should be understood by the security responders.
02:35
The mitigation steps that are to follow should follow best practice as to putting controls in place to mitigate incidents that have occurred.
02:43
They should know all the risks. They should identify all the controls, and where the controls are lacking or have been compromised,
02:51
be able to find these controls and reactivate them. They need to understand what mitigation steps to put in place and in what sequence these steps should follow.
03:00
After all incidents, the incident response teams need to sit down and do a lessons learned. What did we learn from this? How did it occur?
03:09
why did it occur?
03:12
From the knowledge gathered from all the lessons learned efforts, They can better come up with
03:19
strategies to better secure the environment, strategies probably even for faster response,
03:25
Better response.
03:28
So the lessons learned is very important. You must always review,
03:32
do a review of what happened. How did it happen? When did it happen? Where did it happen? You know, you want to review the conditions around the incident so that you can better identify controls that are lacking, controls that are weak and controls that need to be adjusted
03:51
to ensure these activities do not occur again.
03:53
The incident response personnel also need to do careful reporting. They need to do reporting such that it should be reporting within the organization, or it could also be reporting external to the organization. Maybe your shareholders need to be informed. Your customers need to be informed. Senior management needs to be informed, or the
04:14
legal authorities also
04:15
could need to be informed. The incident response personnel must be working with the legal department. They need to work with the legal department so as to be careful in what information they report out to the general public or their shareholders. Recovery procedures
04:35
have to be identified so that
04:38
we can follow best practice recovery procedures. It could be recovering your data, your hardware, your infrastructure, operating systems. The organization has to have
04:53
a proper recovery
04:56
plan.
04:57
The recovery plan will be documented for the Incident Response team so that they follow these procedures properly. Once the plan has been properly documented,
05:08
it's translated to procedures, and these procedures will be followed to recover the organization in a secure manner.
05:15
The first responders are the individuals that
05:18
respond initially to any incidents when they occur. These individuals are identified and designated to do these activities. They should be properly trained
05:30
to identify incidents,
05:32
report incidents; they should know how to control or mitigate these incidents when they occur. Some of the things they need to look out for is: has there been a data breach? If there has been a data breach,
05:47
they need to know to what extent this data breach has occurred. They should review the logs.
05:54
They should know: is it critical or non-critical information?
05:57
Has there been personally identifiable information breached? They need to know. So by carefully researching and reviewing the logs, they can tell the extent to which the data has been compromised within the organization. Further to that, they need to put damage and loss control in place.
06:16
By reviewing what has happened, they need to prevent further damage and put loss control in place, be it: we need to remove the servers from the network,
06:27
deactivate the system on the network,
06:30
disconnect the Internet connection or even quarantine the systems. The incident response personnel should prevent further damage and put loss control in place. There might be some storage devices that need to be removed off the network. You have to disconnect these devices. This is how you could best respond to incidents, should they occur in
06:49
your network environment.

Up Next

IT Security Governance

IT Security Governance is a type of risk management process that can be applied to business operations, identifying critical information and protecting that information from enemies

Instructed By

Kelly Handerhan
Senior Instructor