00:03
>> Hello, and welcome to Cybrary. My name is Max Alexander. I'm going to be your subject matter expert for Cybrary's Incident Response and Advanced Forensics course.

Today, we're going to talk about the introduction to incident response. To understand incident response, we first need to provide an overview of the cybersecurity paradox.
Modern computer systems and networks were designed to be connected. To enable companies and businesses to share information, to reach out and touch customers, and to just be interactive with each other and with their employees, we need that connectivity within our networks and systems. No information system is going to be 100 percent secure, but that doesn't mean that we shouldn't try.
Lieutenant Colonel George Jacobson, during the Vietnam War, said, "Security is either 10 percent or 90 percent, depending on the expert that you talk to. But there is not any expert that will doubt that it's either the first 10 percent or the first 90 percent." That's important. Cybersecurity is the backbone to protecting our networks, to protecting our information, to protecting our data systems, so we still have to do that.
That being said, no matter what we do, no information system is going to be 100 percent secure. Regardless of the measures that we put in place, there's always going to be some type of risk and some type of threat. Even with the system as hard as we could make it, there's going to be some type of end user or a person that can interfere with that security, and users are always going to be the weakest link. In very large organizations, you're going to have individuals who may not be very computer savvy, and they might click on malicious links or go to websites that they shouldn't go to, and that's going to endanger your system because, obviously, it was designed to be connective, and there's that vulnerability that that user could expose you to.
That being said, cybersecurity incidents will occur, and organizations must know how to respond to those incidents as part of due care and due diligence to their customers. But also, just as part of being a good business owner, it's important to respond to these cybersecurity incidents to protect your proprietary information, because that's what keeps you in business. Or, if we look at the Target incident: if you are not able to protect your networks and your data systems that well, it could impact your business, and other people may want to go shop somewhere else. It's very important to do that.
But to dovetail off of what Colonel Jacobson said, Colonel T.E. Lawrence, of Lawrence of Arabia fame, said, "Defeating insurgents is messy and slow, like eating soup with a knife." That ties into this cybersecurity paradox and to the constant threat that is posed to information systems, computers, and networks. We're always going to end up having to fight this cybersecurity battle. Technology advances every day; there are new threats, there are new viruses, so we're on the losing end of that battle because there's always someone out there trying to one-up the cybersecurity expert. Therefore, these incidents are going to occur, and we have to know how to deal with them and respond to them.
What is a cyber incident response? To look at that, we can go to NIST Publication 800-61. The Computer Security Response Center, CSRC, of the National Institute of Standards and Technology, NIST, defines both events and incidents in that publication, the security incident handling guide. Whereas an event is described simply as an observable occurrence in a system or network, an incident is defined as a violation or a threat of computer security policies, acceptable use policies, or standard security policies. That's a lot of information. An incident is any violation of your organization's security policies or procedures that compromises or attempts to compromise the confidentiality, integrity, or availability of that information, so that CIA triad, if you're a CISSP or studying for that CISSP: anything that is going to compromise, or potentially compromise, that CIA triad is going to be an incident.

Each organization is going to be different. They may have their own set of laws, regulatory rules, administrative procedures, policies, and guidelines that it's going to use to define a cybersecurity incident. It's important to check with your organization, if they've already got rules in place, to see what is defined as an incident.
How do cybersecurity incidents occur? There are going to be many paths that are going to lead to the occurrence of a cybersecurity incident, and they're going to require some response. Some of the most common ways that incidents are going to occur, and this is just a small list of incidents, there are obviously more, one of the first ones is negligence. If you're in a classified information setting, or you've got proprietary information or sensitive information, that could be mishandling of that information. If you're on a system and you've got access to social security numbers, or you've got access to that proprietary information, and someone who shouldn't have access to that gets it, that could cause great harm to your organization. That is something to take into consideration.

This is something that is emerging right now. It's been going on since the dawn of time, but it's now just coming into the light, and it's something that we're going to have to deal with. Some of those incidents are exemplified by Edward Snowden and Private Manning. Regardless of whether you think their actions were right or wrong, the organizations that they worked for feel that they caused grievous harm to that organization. We'll talk more about the cyber insider threat later on and the problems that they can cause for your organization.
Criminal activity is another type of threat that is posed to information systems. That could include data theft, loss of trade secrets, someone hacking into your network and accessing social security numbers, credit card data, or that proprietary information that makes your business special. Those are important considerations. There's the basic theft of funds, crimeware, ransomware, having someone have to pay to access their data again or to obtain access to their computer systems.

Denial of service is the next one. Maybe it's an insider threat that has planted some type of logic bomb that prohibits you from accessing information, or a distributed denial of service attack like what Iran launched against United States banking websites that stopped their customers from going to the websites. It could be extortion; again, ransomware is another type of extortion, or the Sony hack, which we'll also talk about later on, trying to blackmail someone to do something or not do something. You have hacktivism, which is exemplified by Anonymous. They believe what they're doing is the right thing, and they essentially take action by hacking people who they don't agree with, toward some political ideology or end. Then hacking for thrills. You're going to have your basic low-level script kiddies all the way up to your advanced hackers, such as Guccifer. These are the types of ways that cybersecurity incidents occur. Again, this is not an all-inclusive list, but these are just some examples of how and why they occur.