Now we discuss Incident Response Procedures at length. You'll learn why it's critical to establish a formal process, how to capture, record and track incidents, and what that data can reveal. You'll also learn how incident reporting contributes to improved training and improved security practices, and what types of adverse impacts not having a sound incident response and reporting system would produce.

Transcript

This has to do with Incident Response Procedures. The first item we look at is preparation. Organizations should take care to put preparation steps in place. Usually within the organization, the individuals that are to do incident response must be identified. This must be supported by management to ensure that specific individuals are chosen and prepared, properly trained, and equipped with the tools and proper procedures to monitor incidents, identify incidents and respond to these incidents. Usually within the organization, incident identification should be carried out effectively and efficiently so that incidents do not go undiscovered. When we have proper security training in place, incidents are carefully and promptly identified, such that they can be monitored, and if security controls need to be put in place, these controls are appropriately selected and put in place. The incident response personnel should also know when to escalate and notify other management entities. In certain cases, the incident they're responding to might be outside of their skill and knowledge: you could have somebody trained in a Microsoft platform responding to an incident within a Unix or Linux platform. They would have to escalate because it is now beyond their skill level. And sometimes, when you want to take down a server or shut down a server or some critical components, you have to notify senior management.
The incident response personnel should have their notification trees, or call trees as we call them: phone numbers or e-mail addresses of the designated or significant individuals within management that must be notified when some of these incidents occur. It is not just the authority of the individual responding to justify shutting down some critical servers; management notification might be sought. Individuals that are responding to these incidents need to really understand when to escalate and when to notify senior management. The mitigation steps that need to be put in place should be understood by the security responders. The mitigation steps that follow should follow best practice as to putting controls in place to mitigate incidents that might have occurred. They should know all the risks. They should identify all the controls, and where the controls are lacking or have been compromised, be able to find these controls and reactivate them. They need to understand what mitigation steps to put in place and in what sequence these steps should be followed. After all incidents, the Incident Response Teams need to sit down and do a lessons learned. What did we learn from this? How did it occur? Why did it occur? From the knowledge gathered from all the lessons learned effort, they can better come up with strategies to better secure the environment, strategies probably even for faster response, better response. The lessons learned is very important. You must always review. Do a review of what happened. How did it happen? When did it happen? Where did it happen? You want to review the conditions around the incident so that you can better identify controls that are lacking, controls that are weak, or controls that need to be adjusted to ensure these activities do not occur again. The incident response personnel also need to do careful reporting.
They need to do reporting, and it could be reporting within the organization or it could also be reporting external to the organization. Maybe your shareholders need to be informed, your customers need to be informed, senior management needs to be informed, or the legal authorities could also need to be informed. The incident response personnel must be working with their legal department. They need to work with the legal department so as to be careful in what information they report out to the general public or their shareholders. Recovery procedures have to be identified so that we can follow best practice recovery procedures, be it recovering your data, your hardware, your infrastructure or your operating systems. The organization has to have a proper recovery plan. The recovery plan will be documented for the use of their response team so that they follow these procedures properly. Once the plan has been properly documented, it's translated to procedures, and these procedures should be followed to recover the organization in a secure manner. The first responders are the individuals that respond initially to any incidents when they occur. These individuals are identified and designated to do these activities. They should be properly trained to identify incidents and report incidents, and they should know how to control or mitigate these incidents when they occur. Some of the things they need to look out for is: has there been a data breach? If there's been a data breach, they need to know to what extent this data breach has occurred. They should review the logs. They should know whether it is critical or noncritical information. Has there been personally identifiable information breached? They need to know. By carefully researching and reviewing the logs, they can tell the extent to which the data has been compromised within the organization. Further to that, they need to put damage and loss control in place by reviewing what has happened.
They need to prevent further damage, and loss control should be: do we need to remove the server from the network? Deactivate the system on the network, disconnect the Internet connection or even quarantine the systems? The incident response personnel should prevent further damage and loss control. There might be some storage devices that need to be removed from the network; you have to disconnect these devices. And this is how you could best respond to incidents should they occur in your network environment.