00:04
>> Again, harping on the policies. Your policy should state what to do, when, and by whom. So what actions and what authority do the incident response team members have? Essentially, looking at that policy, there should be a prioritization of actions and incidents that coincides with your organization's, your company's, goals. Ideally, what should happen is that they should do the thinking for you. They should take the guesswork out of responding to those incidents, where you're just able to go in and perform your work functions as required and not have to ask for a lot of mother-may-I's in these particular instances. They should have enough granularity to highlight details of actions that you should take while still providing the very fine details of an incident response plan. You want to be able to look at this and essentially have a playbook, per se: when you come across this type of incident, you know exactly what to do and exactly how to handle this incident, because it's documented in some type of policy and procedure manual.

Also, in conjunction with the policy, you want to look at what is and what is not allowed within your network. Going back to that policy, it's not technically an incident unless it violates your security policy, in conjunction with that CIA triad of confidentiality, integrity, and availability, although it may touch on some of those actions that may potentially violate the CIA triad. If you have a very good policy and procedure guideline, unless it violates something within your organization's policies and procedures, it may not necessarily be an incident.

Again, your policies should look at what could essentially impact the organization's operations. Those policies and procedures essentially want to have a go or no-go list for what's allowed on your network: your traffic, your protocol matrices. What is allowed for host applications and services? What email or FTP processes are you allowed to have on your network? A lot of organizations are going to cloud-based services. So what type of traffic is or is not permitted on your network that your employees can use? If you start seeing a lot of email, or my email traffic, or if you see a lot of traffic going up to FTP servers, is that something that's allowed? Are you losing large amounts of data to that foreign upload site?

User account activity: are users following the policies and procedures that are prescribed for that acceptable use policy? If they're doing something that generally falls outside of acceptable use, if they're going to websites that they shouldn't go to, if they're sending emails to foreign email addresses, does that violate that user account activity? Also, you need to look at the administrator accounts. Are individuals assigned administrator roles that necessarily shouldn't be, or are administrators taking actions that they necessarily should not take? Then guest and other account activity: disabling guest accounts on computers or ensuring they don't have them, guest accounts where they shouldn't be, and other types of activity which would essentially violate your organization's security policies. Knowing essentially if there's a problem is very important; knowing what right looks like is important so that way you know what wrong looks like, and you're able to investigate and remediate those incidents.

Again, policy will help us discover essentially what is permitted and what is not permitted. But what if there's a lack of policy? If you notice something on the network that essentially violates that CIA triad, but there's not necessarily a policy or something that's codified providing guidance on what to do, one of the first steps that you should take is to notify senior management: hey, I've noticed that there's this type of problem, here's the type of impact that it could have on the organization, and asking them for guidance on that situation once you've provided them all of the facts, or the what-ifs that could occur. Another step that might be taken is to form essentially an ad hoc incident response team. Essentially, as part of that team you're going to want to have a director, probably someone who is from senior management or at least is able to report to senior management; an investigator who is technically savvy, who understands essentially what is occurring; and then the other staff roles that we've talked about in this class, as appropriate. Then once you've essentially formed that team, you're going to want to follow those react principles and procedures in order to help resolve that incident and prevent it from getting worse. Then lastly, if you don't have policies and procedures, or you don't have experience within that incident response team, the most important thing that you're going to want to do is get help, be it internal or external help.