Time
7 hours 36 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson covers incident response policies which include: · Who does what · Prioritization · "Do the thinking for you' · Have both broad and fine details When drafting a security policy, it is important to consider what is permitted and not permitted on your network. Remember, it is not an incident if nothing is violated. The policy needs to address the following: · Network traffic · Host applications · Web, e mail, FTP · User account activity · Administrator account activity · Guest/other account activity In case there is lack of policy, should an incident occur, notify senior management, form an Ad hoc team and get the necessary assistance.

Video Transcription

00:04
so again kind of harping on the policies. Your policy should state what to do, when and by whom. So what actions and what a story are the incident response team members authorized to take.
00:19
So, essentially, in looking at that policy, there should be a prioritization of actions and incidents. The kind of coincide with your organization, your company's goals and ideally, why should happen is that they should do the thinking for you. They should take the guesswork
00:38
out of responding to those incidents where you're just able to go in
00:43
and perform your Worf options eyes required and not have to ask for a lot of mother. May I cz on these particular instances, and they should should be have the granularity granularity enough to highlight details of actions
01:02
that you should take while still providing the very fine details of an incident response plan.
01:07
So you want to be able to look at this and essentially have a playbook
01:12
per se of. When you come across this type of incident, you know exactly what to do and exactly how to handle this incident, because it documented on some type of policy and procedure, man.
01:30
So also kind of in conjunction with the policy. You wanna look at what is and what is not allowed within your network. So going back to that that policy it's not technically an incident unless it violates your security policy.
01:47
So in conjunction with that, see, I try out of confidentiality, integrity and availability. Although it may touch on some of those actions that may potentially violate the CIA triad. If you have a very good
02:02
policy and procedure guidelines, unless it violates something that's within your organization,
02:08
policies and procedures,
02:09
it may not necessarily be an incident.
02:13
So again, your policies should look at old aspects that could essentially impact our organization's operations. So those policies and procedures essentially want to have a no or no go left for what? Some out on your network traffic. Your protocol maker sees,
02:32
uh, what is allowed for host applications and service is
02:37
what type of Web email or FTP processes are you allowed to have on your network?
02:43
Ah, lot of organizations are going to cloud based service is what type of traffic is or is not permitted on your network that your employees could use. So if you start seeing a lot of email
02:57
our email traffic, but you see a lot of traffic going up to an FTP servers that something that's allowed are you losing a lot of large amounts of data
03:05
to that, you know, for uploaded side user account to your users following
03:12
the policies and procedures that are prescribed for that acceptable use policy. So if they're doing something that generally falls outside of except use if they're going to websites that they shouldn't go to for sending e mails to foreign email addresses, does that violate that user account activity?
03:31
So also, you need to look at the administrator accounts. Are individuals assigned administrator roles that necessarily shouldn't be our administrators, taking actions that they necessarily should not take
03:46
and then guest in other account activity. So disabling guest accounts on computers or ensuring they don't have them? Or the creation of guest accounts, which shouldn't be on other types of activity, which would essentially violate your organisation's security policies. Knowing essentially, if there's a problem,
04:04
eyes very important. Knowing what right looks like it is important that way. You know what wrong looks like
04:12
and you're able to investigate or beat hate those incidents
04:15
so again, policy will help us discover essentially what is permitted. What is not admitted that What if there's a lack
04:21
S O? If you noticed something on the network that essentially violates that CIA triad, but there's not necessarily a policy or something that's codified. Providing guidance I want to do in the first steps that you should take is to notify Senior Manage. Hey, I've noticed that there's this time with a problem.
04:40
Here's the type of impact that it could have on the organization
04:43
and asking them for guidance on that situation once you provided them all of the fax for the what ifs that could occur. So another step that might be taken is to form essentially an ad hoc incident response team. So essentially is part of that team. You're gonna want to have a director,
05:01
probably someone who is from senior management or at least is able to report to senior management
05:09
on Investigator who is technically savvy, who understands essentially what is occurring with that incident and then the other staff rules that we've talked about in this class is appropriate.
05:20
And then what ships essentially form that team you're gonna wanna follow those react principles and procedures
05:29
in order to help resolve that incident and prevent it from getting worse. And then lastly, if you don't have policies and procedures or you don't have ah lot of experience with in that incident response team, the most important thing that you're gonna want to do is get help being internal our external help.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Instructor Profile Image
Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor