Part 3 - Incident Response Policies


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson covers incident response policies, which include:
· Who does what
· Prioritization
· "Do the thinking for you"
· Have both broad and fine details

When drafting a security policy, it is important to consider what is permitted and not permitted on your network. Remember, it is not an incident if nothing is violated. The policy needs to address the following:
· Network traffic
· Host applications
· Web, e-mail, FTP
· User account activity
· Administrator account activity
· Guest/other account activity

If there is no policy covering a situation and an incident occurs, notify senior management, form an ad hoc team and get the necessary assistance.
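The description above makes two points that are easy to state and easy to get wrong in practice: an observed event is only an incident if it violates a codified policy, and an event that no policy covers should be escalated to senior management rather than guessed at. The following Python example, added here and not part of the lesson or the course material, encodes a small go/no-go policy for the categories the lesson lists (network traffic by protocol matrix, host services, user/admin/guest account activity, web use), evaluates constructed sample events against it, and orders the resulting incidents by priority. The policy values, user names, zones, byte threshold and event shapes are all assumptions made for the illustration.

```python
"""Policy-as-code triage: an event is an incident only when it violates a
codified rule; events the policy does not cover are flagged as a policy gap
for escalation instead of being silently ignored. Constructed example."""
from dataclasses import dataclass
from typing import Optional

# Constructed go/no-go policy following the lesson's categories. Zones, users
# and thresholds are illustrative assumptions, not a real organisation's values.
POLICY = {
    "protocol_matrix": {            # protocol -> destination zones it may reach
        "https": {"internal", "external"},
        "smtp":  {"internal"},      # mail leaves only via the internal relay
        "ftp":   {"internal"},      # no FTP to external hosts
    },
    "host_services": {"sshd", "httpd", "postfix"},
    "admin_users": {"alice"},
    "guest_accounts_allowed": False,
    "blocked_web_categories": {"gambling", "file-sharing"},
    "bulk_upload_bytes": 50_000_000,  # outbound volume that raises priority
}

# Prioritisation lives in the policy, so the responder does not have to decide it.
RULE_PRIORITY = {
    "network.protocol_not_in_matrix": "medium",
    "network.zone_not_allowed": "medium",
    "network.bulk_upload_to_external": "high",
    "host.service_not_approved": "medium",
    "account.unauthorised_admin_action": "high",
    "account.guest_account_activity": "medium",
    "web.blocked_category": "low",
}
ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Event:
    kind: str        # "network" | "host" | "account" | "web"
    actor: str
    detail: dict


@dataclass
class Finding:
    status: str      # "allowed" | "incident" | "policy_gap"
    rule: Optional[str]
    priority: Optional[str]
    event: Event


def _network_rule(e, p):
    zones = p["protocol_matrix"].get(e.detail["protocol"])
    if zones is None:
        return "network.protocol_not_in_matrix"
    if e.detail["dst_zone"] not in zones:
        if e.detail.get("bytes_out", 0) >= p["bulk_upload_bytes"]:
            return "network.bulk_upload_to_external"   # possible data loss
        return "network.zone_not_allowed"
    return None


def _host_rule(e, p):
    return None if e.detail["service"] in p["host_services"] else "host.service_not_approved"


def _account_rule(e, p):
    if e.detail["action"] == "admin_change" and e.actor not in p["admin_users"]:
        return "account.unauthorised_admin_action"
    if e.detail["action"].startswith("guest_") and not p["guest_accounts_allowed"]:
        return "account.guest_account_activity"
    return None


def _web_rule(e, p):
    return "web.blocked_category" if e.detail["category"] in p["blocked_web_categories"] else None


RULES = {"network": _network_rule, "host": _host_rule,
         "account": _account_rule, "web": _web_rule}


def evaluate(event, policy=POLICY):
    """Classify one event: allowed, incident (with rule and priority), or policy gap."""
    rule_fn = RULES.get(event.kind)
    if rule_fn is None:              # no codified guidance: escalate, don't guess
        return Finding("policy_gap", None, None, event)
    rule = rule_fn(event, policy)
    if rule is None:
        return Finding("allowed", None, None, event)
    return Finding("incident", rule, RULE_PRIORITY[rule], event)


def triage(events, policy=POLICY):
    """Return incidents ordered by priority, plus events that need escalation."""
    findings = [evaluate(e, policy) for e in events]
    incidents = sorted((f for f in findings if f.status == "incident"),
                       key=lambda f: ORDER[f.priority])
    gaps = [f for f in findings if f.status == "policy_gap"]
    return incidents, gaps


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("network", "bob", {"protocol": "https", "dst_zone": "external", "bytes_out": 1_200}),
    Event("network", "bob", {"protocol": "ftp", "dst_zone": "external", "bytes_out": 80_000_000}),
    Event("host", "svc", {"service": "tftpd"}),
    Event("account", "carol", {"action": "admin_change"}),
    Event("account", "alice", {"action": "admin_change"}),
    Event("account", "dave", {"action": "guest_created"}),
    Event("web", "erin", {"category": "news"}),
    Event("web", "erin", {"category": "file-sharing"}),
    Event("cloud", "frank", {"service": "unsanctioned-saas"}),   # nothing in POLICY covers "cloud"
]

if __name__ == "__main__":
    incidents, gaps = triage(SAMPLE_EVENTS)
    for f in incidents:
        print(f"[{f.priority:6}] {f.rule:36} actor={f.event.actor}")
    for f in gaps:
        print(f"[escalate] no policy covers kind={f.event.kind!r}; notify senior management")
```

Running the block reports two high-priority incidents (a bulk FTP upload to an external zone and an admin change by a non-admin), two medium, one low, and one policy gap for the cloud event; the HTTPS session, Alice's admin change and the news site are not incidents because no rule is violated. The point of the `policy_gap` status is the lesson's "what if there's a lack of policy" case: the checker neither drops nor invents a verdict for it.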

Video Transcription
00:04
>> Again, harping on the policies. Your policy should state what to do, when, and by whom. So what actions, and with what authority, are the incident response team members authorized to take? Essentially, in looking at that policy, there should be a prioritization of actions and incidents that coincides with your organization's, your company's, goals. Ideally, what should happen is that they should do the thinking for you. They should take the guesswork out of responding to those incidents, where you're just able to go in and perform your work functions as required and not have to ask for a lot of "mother, may I"s in these particular instances. They should have enough granularity to highlight details of actions that you should take while still providing the very fine details of an incident response plan. You want to be able to look at this and essentially have a playbook, per se: when you come across this type of incident, you know exactly what to do and exactly how to handle this incident, because it's documented in some type of policy and procedure manual.

Also, in conjunction with the policy, you want to look at what is and what is not allowed within your network. Going back to that policy, it's not technically an incident unless it violates your security policy, in conjunction with that CIA triad of confidentiality, integrity, and availability, although it may touch on some of those actions that may potentially violate the CIA triad. If you have a very good policy and procedure guideline, unless it violates something within your organization's policies and procedures, it may not necessarily be an incident. Again, your policies should look at all aspects that could essentially impact the organization's operations.

Those policies and procedures essentially want to have a go or no-go list for what's allowed on your network traffic, your protocol matrices. What is allowed for host applications and services? What type of web, email, or FTP processes are you allowed to have on your network? A lot of organizations are going to cloud-based services, so what type of traffic is or is not permitted on your network that your employees can use? If you start seeing a lot of email traffic, or if you see a lot of traffic going up to an FTP server, is that something that's allowed? Are you losing large amounts of data to that foreign upload site?

User account activity: are users following the policies and procedures that are prescribed for that acceptable use policy? If they're doing something that generally falls outside of acceptable use, if they're going to websites that they shouldn't go to, if they're sending emails to foreign email addresses, does that violate that user account activity? Also, you need to look at the administrator accounts. Are individuals assigned administrator roles that necessarily shouldn't be, or are administrators taking actions that they necessarily should not take? Then guest and other account activity: disabling guest accounts on computers or ensuring they don't have them, or the creation of guest accounts where they shouldn't be, and other types of activity which would essentially violate your organization's security policies. Knowing essentially if there's a problem is very important. Knowing what right looks like is important; that way you know what wrong looks like, and you're able to investigate and remediate those incidents. Again, policy will help us discover essentially what is permitted and what is not permitted.

But what if there's a lack of policy? If you notice something on the network that essentially violates that CIA triad, but there's not necessarily a policy or something that's codified providing guidance on what to do, one of the first steps that you should take is to notify senior management: hey, I've noticed that there's this type of problem, here's the type of impact that it could have on the organization, and ask them for guidance on that situation once you've provided them all of the facts, or the what-ifs that could occur. Another step that might be taken is to form essentially an ad hoc incident response team. Essentially, as part of that team, you're going to want to have a director, probably someone who is from senior management or at least is able to report to senior management; an investigator who is technically savvy, who understands essentially what is occurring, what that incident is; and then the other staff roles that we've talked about in this class, as appropriate. Then once you've essentially formed that team, you're going to want to follow those react principles and procedures in order to help resolve that incident and prevent it from getting worse. Then lastly, if you don't have policies and procedures or you don't have a lot of experience within that incident response team, the most important thing that you're going to want to do is get help, be it internal or external help.