Hello and welcome to Cyber. My name is Max Alexander, and I will be your subject matter expert for incident response in advanced forensics today, we're gonna talk about incident response policy.
So the first thing we're gonna talk about us, the creation or implementation of policy and procedures. A lot of organizations, especially if you're just getting started, you may not have an adequate policy are a policy or procedure. So it's important to kind of codified policies and procedures. So individuals
who are joining your incident Response team will kind of have a direction and guidance of where they should go.
So basically, incident reports response policy will guide the incident response team of what actions they should take during incidents on the policy should also place a higher priority on incidents that pose a greater risk to the organization.
So, essentially you're having all types of incident are all kinds of incidents. You're not going to want to wait every incident equally. Obviously, certain incidents would have a higher priority than others. So maybe a dos attack. That's something you would want to devote a lot of time, money, resource and energy into
trying to investigate her mediate, whereas maybe a spam email
would warrant the full force of the incident response investigation.
So the response should also correspond to the priority of the incident and the risk of the overall organization. So again, that's just going back and saying that if it's not really that big of a risk, why bother devoting all of that time and money into investigating something that's that's more or less trivial,
so defining risk and deciding what needs secured?
So that should be the paramount task in your risk assessment policy. So
ideally, we would want to secure everything and anything that we could if money were no object. But essentially, that's what a lot of organizations will be constrained by his money in time
and using this security. Uber Ali's method is not always the best way to go about securing things because we do have resource constraints. We essentially can't secure everything,
and it does not provide the benefit for the cost. So we kind of have to understand
what it is that we want to protect that we value the most. So that's gonna fall under asset valuation. So in order to do asset Val valuation, you have to look at the total cost of an asset to include the purchase, price,
development and maintenance costs, advertising costs, costs for support, repair and replacement, as well as the cost due to the loss of reputation. And so
so, essentially is just asking. You know, if this asset were to be destroyed or you had to replace this asset,
you're having to think of all of the total cost that it would require to replace that asset on that's keeping in mind. What we talked about previously is that there may be some hidden costs. A cz well, so if you're heading to replace certain assets, trying to think of the total cost of
research and development,
media attention and all of those things that you may not necessarily think of todo when and replace that asset.
So the next thing that we're gonna talk about when we're looking at how to secure what need security is defining a threat.
So a threat is a person or thing that it's likely to cause danger or damage.
So that could be, you know, an employee who doesn't have a good idea of information, security and clicks on an email it could be an external threats, such as a hacker, someone who wants to break into your building and steal your files so all of those things would necessarily be considered threats.
And then a vulnerability
is something that is open to attack, harm or damage. So it could be maybe an unpatched
operating system earned unpatched law that you haven't software that could be a lock on a door that doesn't work properly. So those air vulnerabilities and then, lastly, ISS is risk, and risk is going to be defined as the possibility
that a threat will exploit that vulnerability. So what? What is the possibility that someone in your office might click on a link
that download some malicious software and wipes out their laptop? It's ransomware on it. Or what is the risk that some hacker is going to exploit that vulnerability in your unpatched software and destroy your system?
So how did we calculate loss?
Loss would essentially be able to help guide the organization on prioritizing what needs to be protected and what does.
so exposure factor is the first thing that we would have to look at and exposure factors to find as the percent of loss of an asset if the risk materializes. And that's essentially expressed in a new miracle fashion of 0.2 which is nothing
to 1.0, which would be 100%.
And then the single lost expectancy. So single locks expectancy is the cost of a single realized risk against an asset that's expressed in a dollar sign.
So when you look at single loss expectancy, that's essentially saying, if this risk were to occur,
um, how much damage do I think that I'm going to experience?
And then the annualized rate of occurrence is the frequency occurrence of of the type of incident occurring. So 1.0 is going to equate to one time a year 2.0, Islam to play 22 times a year,
0.1 is going to be one time in 10 years, etcetera. So that just helps you calculate the frequency of something occurring
and then your annualized loss expectancy.
So that's going to be calculated by multiplying your single loss expectancy with your annualized rate of occurrence. For instance, if you had a single loss expectancy of $75,000 you were expecting that to occur twice within that year.
Then essentially, you would end up with 100 and $50,000. Uh, damage.
likewise, If you had something that was $75,000 of damage and you were expecting that occur once in 100 years you would have $70,000 for your annualized loss expectancy.
And what you're gonna do with those numbers is essentially you're going to look at how much it would cost to secure something in order to prevent that from occurring.
So if you're looking at trying to prevent that last example that that's expected to cost you a loss of $75 a year, but you're essentially the voting $100,000 into preventing that loss, that's not a very good return on invested.
So you never want the amount of resource is and time that you're devoting to something to cost more than it's actually going to argue. Expected to cost your business