Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson offers an introduction to incident response policy. An incident response policy is important because it guides the Incident Response Team on what actions need to be taken during particular incidents. This lesson touches upon:
· Policy creation and implementation
· Defining risk and deciding on what needs securing
· Calculating loss

Video Transcription

00:04
Hello and welcome to Cyber. My name is Max Alexander, and I will be your subject matter expert for Incident Response and Advanced Forensics. Today, we're gonna talk about incident response policy.
00:16
So the first thing we're gonna talk about is the creation or implementation of policy and procedures. A lot of organizations, especially if you're just getting started, may not have an adequate policy, or any policy or procedure at all. So it's important to kind of codify policies and procedures, so individuals
00:33
who are joining your incident response team will kind of have direction and guidance on where they should go.
00:39
So basically, an incident response policy will guide the incident response team on what actions they should take during incidents, and the policy should also place a higher priority on incidents that pose a greater risk to the organization.
00:53
So, essentially, you're having all types of incidents, or all kinds of incidents. You're not going to want to weight every incident equally. Obviously, certain incidents would have a higher priority than others. So maybe a DoS attack, that's something you would want to devote a lot of time, money, resources and energy into
01:11
trying to investigate or remediate, whereas maybe a spam email
01:15
wouldn't warrant the full force of the incident response investigation.
01:21
So the response should also correspond to the priority of the incident and the risk to the overall organization. So again, that's just going back and saying that if it's not really that big of a risk, why bother devoting all of that time and money into investigating something that's more or less trivial?
01:38
So, defining risk and deciding what needs securing.
01:42
So that should be the paramount task in your risk assessment policy. So
01:51
Ideally, we would want to secure everything and anything that we could, if money were no object. But essentially, what a lot of organizations will be constrained by is money and time,
02:04
and using this security über alles method is not always the best way to go about securing things, because we do have resource constraints. We essentially can't secure everything,
02:17
and it does not provide the benefit for the cost. So we kind of have to understand
02:24
what it is that we want to protect, that we value the most. So that's gonna fall under asset valuation. So in order to do asset valuation, you have to look at the total cost of an asset, to include the purchase price,
02:38
development and maintenance costs, advertising costs, costs for support, repair and replacement, as well as the cost due to the loss of reputation. And so
02:47
So, essentially, it's just asking, you know, if this asset were to be destroyed or you had to replace this asset,
02:55
you're having to think of all of the total cost that it would require to replace that asset, and that's keeping in mind what we talked about previously, that there may be some hidden costs as well. So if you're having to replace certain assets, try to think of the total cost of
03:15
research and development,
03:17
media attention, and all of those things that you may not necessarily think of having to do when you replace that asset.
03:25
So the next thing that we're gonna talk about, when we're looking at how to secure what needs securing, is defining a threat.
03:32
So a threat is a person or thing that is likely to cause danger or damage.
03:38
So that could be, you know, an employee who doesn't have a good idea of information security and clicks on an email. It could be an external threat, such as a hacker, someone who wants to break into your building and steal your files. So all of those things would necessarily be considered threats.
03:58
And then a vulnerability
04:00
is something that is open to attack, harm or damage. So it could be maybe an unpatched
04:08
operating system or an unpatched flaw that you have in software. It could be a lock on a door that doesn't work properly. So those are vulnerabilities. And then, lastly, is risk, and risk is going to be defined as the possibility
04:25
that a threat will exploit that vulnerability. So what is the possibility that someone in your office might click on a link
04:33
that downloads some malicious software and wipes out their laptop, or puts ransomware on it? Or what is the risk that some hacker is going to exploit that vulnerability in your unpatched software and destroy your system?
04:49
So how do we calculate loss?
04:53
Loss would essentially be able to help guide the organization on prioritizing what needs to be protected and what doesn't.
05:03
Um,
05:04
So exposure factor is the first thing that we would have to look at, and exposure factor is defined as the percent of loss of an asset if the risk materializes. And that's essentially expressed in a numerical fashion, from 0.2, which is nothing,
05:24
to 1.0, which would be 100%.
05:28
And then the single loss expectancy. So single loss expectancy is the cost of a single realized risk against an asset, and that's expressed in dollars.
05:39
So when you look at single loss expectancy, that's essentially saying, if this risk were to occur,
05:45
um, how much damage do I think that I'm going to experience?
05:50
And then the annualized rate of occurrence is the frequency of occurrence of that type of incident. So 1.0 is going to equate to one time a year, 2.0 is going to be two times a year,
06:06
0.1 is going to be one time in 10 years, etcetera. So that just helps you calculate the frequency of something occurring,
06:15
and then your annualized loss expectancy.
06:18
So that's going to be calculated by multiplying your single loss expectancy with your annualized rate of occurrence. For instance, if you had a single loss expectancy of $75,000 and you were expecting that to occur twice within that year,
06:39
then essentially, you would end up with $150,000 of damage.
06:45
Or,
06:46
likewise, if you had something that was $75,000 of damage and you were expecting that to occur once in 100 years, you would have $70,000 for your annualized loss expectancy.
07:00
And what you're gonna do with those numbers is, essentially, you're going to look at how much it would cost to secure something in order to prevent that from occurring.
07:09
So if you're looking at trying to prevent that last example, that's expected to cost you a loss of $75 a year, but you're essentially devoting $100,000 into preventing that loss, that's not a very good return on investment.
07:25
So you never want the amount of resources and time that you're devoting to something to cost more than what it's actually expected to cost your business.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor