Time
10 hours 32 minutes
Difficulty
Beginner
CEU/CPE
11

Video Transcription

00:00
Welcome to Cybrary's video series on the CompTIA Security+ SY0-501 certification and exam. I'm your instructor, Ron Woerner.
00:10
See Cybrary.it for more information on this certification and many others.
00:16
This next video for the Security+ domain five will help you prepare for section 5.4,
00:23
given a scenario, follow incident response procedures.
00:27
This session is all about incident response,
00:30
also known as IR.
00:33
Not to be a pessimist, but systems fail
00:36
regularly.
00:37
There will always be events out of our control that take down our systems,
00:41
and we need to be ready for it.
00:44
Planning for such events is vital to ensure effective incident handling and response when the time comes.
00:50
Proper planning makes the difference between being able to recover quickly instead of potentially ruining your business.
00:59
Section 5.4 on incident response covers the following concepts.
01:04
First section: incident response planning.
01:07
This is the document you will develop defining your incident response plan,
01:14
showing roles and responsibilities, reporting requirements, who's involved with it, and then the actual steps involved in incident response for your organization.
01:25
The second section is about the incident response process:
01:29
preparation for the incident, identification, containment, eradication, recovery, then lessons learned.
01:36
Let's dive into the incident response plan.
01:40
Before we can go too far in defining our incident response plan, it's important to understand the definition of an incident.
01:47
Is it malware? Is it malware that was cleaned? Is it a breach? What is an incident for your organization?
01:56
On the screen, you'll see a few different definitions, one from NIST, the other from Cybrary.
02:01
According to NIST,
02:04
an incident is an occurrence that actually or potentially jeopardizes the confidentiality, integrity or availability of your information systems
02:13
or the information that system processes, stores or transmits.
02:19
It could also constitute a real or potential policy violation.
02:25
Cybrary has their definition as well.
02:28
An incident is an unplanned disruption or degradation of a network or system service
02:34
that needs to be resolved.
02:36
We'll keep it open intentionally, because that's up to your business. I recommend that within your organization you define what an incident is.
02:46
Before we go too much further in discussing the incident response plan,
02:50
I want you to be aware of the incident response process. On your screen is the process as defined by NIST in their document SP 800-61, their Security Incident Handling Guide.
03:02
These are the steps I mentioned earlier. Keep these in your mind as you're thinking about your plan.
03:08
We'll discuss each of these steps in detail in part two of this video.
03:14
You can see I like to use NIST as an authoritative source,
03:19
not only for incident response and handling, but really anything dealing with information security.
03:23
On the screen now is their definition of an incident response plan.
03:30
According to NIST, an incident response plan is the documentation of a predetermined set of instructions or procedures to detect, respond to and limit the consequences of
03:42
some type of malicious attack or policy violation that could harm your organization,
03:47
your organization's information systems, or just organizational data.
03:53
Please see the Incident Response Guide for more information.
03:57
It provides guidance on the exact elements to include: mission, strategies, goals,
04:02
senior management approval for your incident response plan,
04:06
approach to incident response,
04:09
team, communications, metrics for measuring response capabilities,
04:14
a road map for understanding your maturity when it comes to incident response,
04:18
and how the IR plan fits within your organization.
04:23
It's a great reference. I highly recommend it.
04:27
According to the CompTIA Security+ certification exam objectives,
04:31
these are the different elements of the incident response plan you should be aware of as you're preparing for that exam.
04:38
It's documenting the incident types and categories, roles and responsibilities, the cyber incident response team, reporting requirements, and exercises.
04:48
Let's talk about each of these in detail.
04:53
You should define in your incident response plan your incident types. As I mentioned earlier, have your definition of an incident.
05:00
On the screen here, you see a few of the different general categories. An incident could be a natural occurrence, so fire, flood, a weather-related event;
05:13
man-made,
05:15
which could be human, mechanical, malicious or a policy violation.
05:19
Mechanical, technical: so hard drive failures, as an example.
05:24
Accidental: human error,
05:27
clicking on a link that turns out to be phishing,
05:30
opening up
05:31
an avenue through a firewall that maybe shouldn't be open.
05:36
Malicious is the compromise of confidentiality, integrity or availability. Those are the intentional breaches. Malicious could be internal or external,
05:47
and then policy violations:
05:49
people who may have knowingly or unknowingly violated policy
05:56
would be considered an incident. What an incident is within your organization needs to be defined within your IRP.
06:02
Your incident response plan should also grant clear authority for actions taken during the incident. Who's responsible? Who are the decision makers? Who takes which actions?
06:15
I recommend including that as part of a checklist in your IRP. That way, when there's a problem, there are clear definitions of who does what.
06:25
When you're walking through your IRP, you want to have this defined. Who does incident alerting?
06:30
Is that your service desk or help desk,
06:32
all employees who could be involved, maybe a security operations center?
06:39
Next is who does the identification of the incident and triage.
06:43
So let's just say someone notifies your help desk. They might just take that initial look to know whether to escalate or not.
06:53
Doing that triage to determine potential impact and what's going on is a crucial step in incident response.
07:00
Decision making, usually done at a manager level: who decides what actions to take?
07:06
Do we do some cleanup?
07:08
Do we track the incident, maybe to find who was conducting, say, a breach?
07:15
If there are requirements for evidence collection,
07:18
gathering equipment,
07:21
that's also a step that needs to be defined: who will do this. By the way, you don't want to allow just any employee to collect evidence. We'll talk about that in the digital forensics section, about the chain of evidence that may be required,
07:34
maintaining the integrity of any equipment.
07:39
Who conducts forensics? Do you have expertise in house or not?
07:43
Maybe you need to outsource that to a trusted third party who's knowledgeable in the technical details of digital forensics.
07:53
Repair, recovery: who's going to conduct that?
07:56
Reporting. Reporting should be conducted throughout each of these steps,
08:00
and then communicating, also done throughout, but particularly who talks outside the organization.
08:07
Maybe your marketing or PR department, or legal, are the only ones who can mention that outside the organization,
08:13
to protect
08:15
the reputation of your organization.
08:18
Walk through these roles and responsibilities. Make sure you're aware of them, not only for the Security+ exam, but as a security professional.
08:26
Often included as part of roles and responsibilities for incident response is the definition of specific teams.
08:35
For example, a computer emergency response team,
08:39
CERT; a computer incident response team, CIRT; CSIRT,
08:43
computer security incident response team. These are all similar names for what you may see within an organization.
08:50
These could be formalized, standing,
08:54
where the team members are readily defined, or could be ad hoc, where you pull in team members as needed,
09:01
internal employees or external. Maybe you need to pull in some expertise
09:05
from outside your organization.
09:09
It could be central
09:11
to the organization or distributed, to pull from different areas of the organization.
09:18
It includes your systems, network, application administrators, those who are familiar with the technologies.
09:24
Legal is often involved in a CERT
09:28
because of compliance issues, or if you may have to take this to court.
09:33
Human resources: if you're dealing with, say, an internal employee who violated the policy, HR must be involved. Get them involved early.
09:43
And then executives and management, the decision makers.
09:46
All of these groups should be part of a defined computer emergency response team.
09:54
Another part of your incident response plan should be the reporting requirements. How do you escalate?
10:01
So we need to make sure you document, document, document.
10:07
Write everything down. Capture everything as part of your incident response. This will be important also with digital forensics.
10:15
You might just want to use a segregated system to protect the integrity of your documentation.
10:20
You can do this often within a help desk system.
10:24
Often an incident will be initially reported to your help desk, so you can utilize that software to help document what's happening with your incident.
10:35
You also want to show what evidence was collected: when, where, why and how.
10:39
Who has access to that evidence? Who had access to it as well? Where is it currently being stored?
10:46
And then reporting and disclosing. Who do you have to talk to about the incident?
10:54
Within, internal to the organization: your management, legal,
10:58
HR,
11:00
other affected organizations. So if this is touching third parties or your supply chain,
11:07
you may be required to disclose to them.
11:09
If it's a breach of personally identifiable information, you may be required to report to clients or customers.
11:18
You might also want to report this, say, to other organizations, like a CERT, or the Internet Crime Complaint Center, IC3.org.
11:28
The last idea to think about, and this is where you want legal and management involved, is your insurance company. If you have cyber insurance, you may be required to report it, and your insurance company can help you walk through your incident.
11:41
Once you've established your incident response plan, you need to test it. Make sure it's going to work.
11:48
You do this through exercises, through training, tabletop scenarios, where you all meet in a conference room and go through some likely scenarios. For example, we have a huge weather event that comes through, wiping out our facility.
12:03
What steps do we take? Or there's a breach?
12:07
Walk through it with your team.
12:09
The idea is to be prepared.
12:13
You want to prepare each role. Each member of the team will have different responsibilities. Make sure they know what to do.
12:20
Learning how to handle an incident while you're going through one is not a good idea.
12:24
You want to be thoughtful in your process rather than reactionary.
12:31
Not to mention there are different ways to accomplish this. The idea with testing is to find potential shortfalls or issues with your incident response plan.
12:41
Fix it, and that way you're prepared
12:43
when the inevitable failure occurs.
12:48
This concludes part one of section 5.4 on incident response.
12:52
In part two we'll cover the incident response process.

Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC
Instructor