This week’s topic was quite eye-opening; the story about Walmart’s preparedness was astounding. The unique thing about this reading for me was the importance of rehearsals and how they play a great role in rapid response. As mentioned in the book, rehearsals are critical, and companies must execute them frequently. Some examples of rehearsals include walk-throughs, in which managers get together and discuss, step by step, what each of them will do during an incident. The other complex rehearsal is doing live tests of planned actions. Live tests are very important for technical responses and should be practiced routinely, because this can not only improve response time but also correct mistakes.
Hello,
After glancing over your thoughts on the importance of preparedness and familiarity with the process of incident response, I can tell that you have truly gleaned the most critical parts of familiarization. Rehearsals for incident response and disaster recovery can come in several methods, each serving a different purpose in preparing the employees and management to face potential threats. Among my favourite methods of rehearsal, and one that all companies should adhere to, is the safety drill, in which the organization creates a simulation of a disaster occurring and tests the employees on their knowledge of the recovery process as well as any IT contingency resources that are involved.
One of the key takeaways that I’ve learnt from Chapter 10, Incident and Disaster Response, is the relation between business continuity planning and disaster recovery. Disaster recovery is a subset of business continuity planning and focuses on restoring IT function after a disaster. A business continuity plan has a wider scope and consists of a plan of action specifying how business operations can be maintained during a disaster or how core businesses can be restored when a disaster occurs.
Hi Zeynep, you have done a great job at differentiating between a disaster recovery plan and a business continuity plan. As mentioned, disaster recovery focuses on restoring IT functions after a disaster, and depending on your business, one can choose between a cold, warm, or hot site to recover from a disaster.
Hi Zeynep,
You made an excellent point in mentioning that disaster recovery is basically a subset of a business continuity plan. It’s so important that organizations have this in place.
Best,
Natalie
The most intriguing section from this chapter was the use and implementation of different types of IDSs in organizations. IDSs are often described as the security cameras of an organization and tend to give plenty of false alarms. These false alarms can be drastically reduced by efficient tuning of the IDS by security engineers. It is important to note that tuning is done by the security engineers based on their knowledge level and experience. However, this can lead to major pitfalls for an organization if incorrect tuning leads to an increase in false negatives, where actual attacks are not captured and diagnosed by the IDS. Another important factor to be noted was the importance of integrated logging to get a better view of events. Manually diagnosing every log from every IDS can be very tedious and time-consuming. Hence, it is important for security administrators to perform coherent event correlation to understand attacks which might not seem malicious if viewed individually.
Akshay, your opinion is splendid. I agree with you that when an IDS is incorrectly tuned, it leads to an increase in false negatives, where actual attacks are not captured and diagnosed. In the same breath, this is the reason why some companies can’t afford an IDS: such systems require enormous technical expertise, which often comes at a high cost.
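The two posts above make two points that are easiest to see side by side in code: events that look harmless on their own become one clear incident when logs from several sources are correlated, and a tuning rule that silences a whole alert family can make that incident invisible (a false negative). The following is an added example written for this thread, not code from the textbook or from any poster. The log lines, the key=value format, the five-minute window and the failure threshold are all constructed assumptions.

```python
"""Event correlation across two alert sources (added example; not from the textbook or thread).

Each log line below is constructed for illustration, as are the field names, the
5-minute window and the failure threshold. Individually, a low-severity port scan and a
handful of failed SSH logins are easy to tune out; together, followed by a successful
login from the same source, they describe one intrusion sequence.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NIDS alert feed: timestamp followed by key=value fields.
NIDS_LOG = """\
2024-03-01T10:00:05 source=nids sig=portscan src=203.0.113.7 dst=10.0.0.5 sev=low
2024-03-01T10:02:11 source=nids sig=portscan src=198.51.100.9 dst=10.0.0.8 sev=low
"""

# Constructed host authentication log in the same key=value style.
AUTH_LOG = """\
2024-03-01T10:01:02 source=auth host=srv-05 auth=fail user=admin src=203.0.113.7
2024-03-01T10:01:09 source=auth host=srv-05 auth=fail user=admin src=203.0.113.7
2024-03-01T10:01:15 source=auth host=srv-05 auth=fail user=admin src=203.0.113.7
2024-03-01T10:01:40 source=auth host=srv-05 auth=ok user=admin src=203.0.113.7
2024-03-01T10:30:00 source=auth host=srv-08 auth=fail user=bob src=192.0.2.44
"""


def parse_line(line):
    """Turn one log line into a dict: parsed timestamp plus every key=value field."""
    fields = line.split()
    event = {"ts": datetime.fromisoformat(fields[0])}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        event[key] = value
    return event


def load_events(*logs):
    """Merge several raw logs into one time-ordered event list (integrated logging)."""
    events = [parse_line(l) for log in logs for l in log.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def suppress_signatures(events, signatures):
    """Model an over-aggressive tuning rule that silences whole signature families."""
    return [e for e in events if e.get("sig") not in signatures]


def correlate(events, window=timedelta(minutes=5), min_failures=3):
    """Flag scan -> repeated auth failures -> auth success from one source IP within the window."""
    by_src = defaultdict(list)
    for event in events:
        if "src" in event:
            by_src[event["src"]].append(event)

    incidents = []
    for src, evs in by_src.items():
        for scan in (e for e in evs if e.get("sig") == "portscan"):
            deadline = scan["ts"] + window
            later_auth = [e for e in evs
                          if e.get("source") == "auth" and scan["ts"] <= e["ts"] <= deadline]
            failures = [e for e in later_auth if e.get("auth") == "fail"]
            successes = [e for e in later_auth if e.get("auth") == "ok"]
            if len(failures) >= min_failures and successes:
                first_ok = successes[0]
                incidents.append({
                    "src": src,
                    "host": first_ok.get("host"),
                    "user": first_ok.get("user"),
                    "failed_logins": len(failures),
                    "seconds_from_scan_to_login": int((first_ok["ts"] - scan["ts"]).total_seconds()),
                })
    return incidents


def demo():
    events = load_events(NIDS_LOG, AUTH_LOG)
    well_tuned = correlate(events)
    # Silencing every port-scan alert removes the first link in the chain: a false negative.
    over_tuned = correlate(suppress_signatures(events, {"portscan"}))
    return well_tuned, over_tuned


if __name__ == "__main__":
    found, missed = demo()
    print("incidents with scan alerts kept:", found)
    print("incidents with scan alerts suppressed:", missed)
```

Run it and the well-tuned path reports one incident for 203.0.113.7 (three failures and a success on srv-05 within 95 seconds of the scan), while the over-tuned path reports nothing, even though the authentication log is untouched. The second scan source (198.51.100.9) and the single failed login from 192.0.2.44 stay below threshold in both cases, which is the point of correlating rather than alerting on each line.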
One key point that I picked from Chapter 10 (Incident and Disaster Response) is about the principles of business continuity management. The most important objective that every organization should realize is the safety of people. The plan should include an evacuation plan to ensure people can evacuate in time when a disaster occurs. Another benefit of business continuity is the reduced capacity in decision making. Creating a BCP helps an organization plan, and once the incident occurs, they can follow the plan and act immediately. Lastly, low-tech solutions like phone trees are essential when all the systems break down.
Good job, Num.
Another interesting topic in Chapter 10 is the formulation of the Computer Security Incident Response Team (CSIRT). Ordinarily, one would think that such a team should be reserved for the IT and cybersecurity staff alone, but the CSIRT members are selected from various departments, such as the Human Resources department, the firm’s legal unit, a member from the affected business unit of the organization, and the firm’s public relations director. The CSIRT is usually headed by an experienced senior manager of the organization, and decisions during a major incident are business decisions.
Hello Num,
You have rightly pointed out that the first priority of any organization in times of incident or emergency is the safety of its employees. All the examples given by you, like the evacuation plan and the phone calling tree exercise, are components of a well-defined BCP. Another important point you mentioned was the reduced capacity to make decisions when an organization is facing an incident. People tend to panic at such times, and hence, rather than making decisions, they need to be trained through simulations and walk-throughs as to how to react when facing such situations.
COVID-19 should be a good example of business and disaster management on a small and large scale. Who or which government could be held legally liable/accountable for it? Under which jurisdiction? International, criminal, civil, or all of it together? What lesson should we learn from this? There are a lot of questions here when having a BRP (Business Recovery Plan) and DRP (Disaster Recovery Plan) for IT.
Through reading chapter 10 of the Corporate Computer Security textbook, which emphasizes the planning and preparedness organizations must have when the inevitable incident or disaster occurs, I have come to understand that my knowledge of the intrusion response process for major incidents was severely lacking. While I had been taught the general idea of the processes that organizations should follow when handling a major incident through previous courses in both my graduate and undergraduate programs, I found myself stumped by many of the finer points and the depth to which it was covered in the chapter. An example of this is how the textbook discusses the need for IT security professionals to have a moderate understanding of the legal process in the United States, going on to cover the differences between criminal law, which primarily deals with violations of criminal statutes, and civil law, which is based around the interpretation of rights and duties that organizations or personnel have relative to one another. Another part I found fascinating is the section discussing computer forensics and the process to make evidence admissible, such as the need for special equipment that copies the contents of hard drives without making any changes or impacting the original.
Hello Imran, thanks for fleshing out the need for IT professionals to have reasonable knowledge of the legal systems and how that applies to cybersecurity-related crimes.
According to chapter 10 of the Corporate Computer Security textbook, a verdict in a criminal case is given when the case is proven beyond reasonable doubt, but in a civil case, a verdict is given based on the preponderance of the evidence.
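Imran’s post mentions the forensic requirement that a drive copy be made without altering the original. The part of that process that can be shown in code is the verification step: hashing the source before imaging, hashing the image, and hashing the source again afterwards, then recording all three in a custody log. This is an added example written for the thread, not code from the textbook or from the poster; the in-memory "drive", the log field names and the simulated tampering are constructed assumptions, and a real acquisition would read the source through a hardware write blocker.

```python
"""Verify a forensic copy against its source (added example; not from the textbook or thread).

The 'drive' is an in-memory byte string standing in for a block device, the custody log
is a plain list of dicts, and the field names are assumptions. The check itself is the
standard one: source digest before, image digest, source digest after must all agree.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a small evidence drive: 16 KiB of deterministic data.
ORIGINAL_DRIVE = bytes(range(256)) * 64


def sha256_hex(data, chunk_size=4096):
    """Hash in fixed-size chunks, the way an imaging tool streams a real device."""
    digest = hashlib.sha256()
    for offset in range(0, len(data), chunk_size):
        digest.update(data[offset:offset + chunk_size])
    return digest.hexdigest()


def acquire_image(source):
    """Bit-for-bit copy of the source; read-only access is what a write blocker guarantees."""
    return bytes(source)


def verify_acquisition(source, image, examiner, custody_log):
    """Hash source before imaging, the image, and the source again after imaging.

    Returns True only when all three digests match; every attempt is appended to the
    custody log so a failed verification is recorded as well as a successful one."""
    source_before = sha256_hex(source)
    image_digest = sha256_hex(image)
    source_after = sha256_hex(source)
    verified = source_before == image_digest == source_after
    custody_log.append({
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source_sha256_before": source_before,
        "image_sha256": image_digest,
        "source_sha256_after": source_after,
        "verified": verified,
    })
    return verified


def run_demo():
    """Acquire and verify a good image, then show the check rejecting a one-byte change."""
    custody_log = []
    image = acquire_image(ORIGINAL_DRIVE)
    good = verify_acquisition(ORIGINAL_DRIVE, image, "examiner-1", custody_log)

    # Constructed failure case: flip one bit in a second copy of the image.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    bad = verify_acquisition(ORIGINAL_DRIVE, bytes(tampered), "examiner-1", custody_log)
    return good, bad, custody_log


if __name__ == "__main__":
    good, bad, log = run_demo()
    print("clean image verified:", good)
    print("tampered image verified:", bad)
    for entry in log:
        print(entry["time_utc"], entry["examiner"], "verified=", entry["verified"])
```

The three-digest pattern is what lets an examiner later show that the copy analysed is the copy taken and that taking it changed nothing on the original; a mismatch in the third digest would point at the acquisition process, a mismatch in the second at the image.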
After reading chapter 10 of the Corporate Computer Security textbook and the various topics on incident and disaster response, I am more informed about the procedures for business continuity management. According to this chapter, the safety of people is the first thing to be considered when planning and managing an event. As IT Auditors and Cybersecurity professionals, we may work as part of a firm’s business continuity planning team, so it is important to remember the importance of evacuation plans and evacuation drills. Also, it’s very dangerous to allow staff members around buildings with structural weaknesses or toxic chemicals. Planning for major events should be done ahead of time so people can know exactly what they are required to do.
However, it is necessary to make provision for some flexibility in response to any type of disaster. This is because unexpected situations could arise in a crisis, and if the structure is too rigid, decision makers may be unable to respond to these uncertainties.
Incident and Disaster Response is such a pertinent topic that companies must always keep in mind. Without the proper procedures or a business continuity plan put in place, a company can put itself at risk of serious impact, with a lot of damage and loss.
For example, if a natural disaster were to occur, an organization should be well versed in maintaining its business due to the simulations that have been performed prior. Rehearsals are key, and as long as the necessary employees are aware of certain procedures, all should work together for the greater good of the company.
I agree with your point and would also like to add that, in addition to running simulations in executing their disaster recovery procedures, it’s crucial that businesses update their BCP regularly and also test their recovery solutions/site to ensure that it works.
One key takeaway from Chapter 10 was the incident response process for major incidents. This can be summed up in a number of stages, which include detection, analysis, escalation, containment, recovery, apology, punishment, and a postmortem evaluation that is usually skipped because most businesses want to catch up on work that was missed during downtime. The most important phases of the response process are detection (by intrusion detection technology), analysis (to confirm the attack is real and determine the scope), and escalation (the incident is then handled by the business continuity team or CSIRT). Computer security incident response teams (CSIRTs) usually include members from the legal department, line organizations, public relations, human resources, and senior management. Having a group of leaders from vital departments within an organization can help manage damage control during an incident while keeping employees on the same page regarding incident response.
Hi Sarah, really nice reply that outlined the incident response process. I’m not sure if you thought of this, but I believe that detection is the most paramount step in the process and the one I feel most companies fall short on. Personally, I see this as an area to shift capabilities away from human monitoring and more towards bot monitoring. Therefore, adding a ‘Hal’ type figure to the detection team could prove valuable.
Hi Sarah,
You got the point. A good incident response needs every part of the organization working together, which means including members from the legal department, line organizations, public relations, human resources, and senior management.
When dealing with a potential disaster, my personal mantra is “proactive, not reactive”. However, when catastrophic times come to an organization, preparation can only go so far. The portion of Chapter 10 by Boyle and Panko that I found interesting was the section on “containment”. Containment is an interesting action when an attack occurs because it is both crucial for security and could also shed light on the attacker and their methods of accessing the system. The data collection process can only be done if the information at risk is not too pertinent and the security professionals have put the attacker in a deep enough black hole. This was a very interesting way to treat an attacker, and I had never heard of it before reading it. I think this can be very beneficial in aiding the proactivity of an organization and their security plans.
The one key takeaway for me from Chapter 10 is the principle of Business Continuity Management. In Business Continuity Management, the first job is to provide for the safety of people, which is People First. Reduction of capacity in decision making, avoidance of rigidity, and communication are also principles of Business Continuity Management. But the principles for IT Business Continuity Management might be slightly different from Business Continuity Management, as IT Business Continuity Management looks specifically at the technical aspects of how a company can keep running.
Hi Peiran Liu,
You are right, the implementation of the project plan needs the good cooperation of the personnel. At the same time, you need to arrange an emergency contact for IT security. This position requires good judgment and resilience, because sometimes disasters can be more disruptive than expected.
Business process analysis knowledge point: In this stage, by visiting relevant personnel of each business department, various business processes are analyzed to understand the importance and time sensitivity of each business process to the enterprise. At the same time, according to the relevant evaluation principles, we can get the loss of the enterprise itself when the core process cannot proceed normally due to the disaster. Such losses may be quantifiable, such as the loss of documents or calculation errors caused by direct losses; it can also be an intangible loss, such as a loss of customer satisfaction or competitive advantage. Based on the comprehensive consideration of quantifiable and unquantifiable losses, the tolerance of the various core business processes for disaster damage is obtained, which is used as the decision basis to determine their recovery priorities. Finally, the indicators of recovery requirements of these core business processes, such as RTO, RPO, NRO, and the various resources needed for recovery, are determined.
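The post above describes the business impact analysis chain (quantifiable plus intangible loss, then tolerance, then recovery priority, then RTO and RPO), and an earlier reply to Zeynep notes that the disaster recovery choice comes down to a cold, warm or hot site. The following added example ties those two together; it is written for this thread and is not code from the textbook or from any poster. The three processes, their loss figures, the dollar weight placed on an intangible rating, and the per-site recovery times and costs are all constructed assumptions, chosen only to show how the inputs drive the ranking and the site decision.

```python
"""Business impact analysis helper (added example; not from the textbook or thread).

The processes, their loss figures, the scoring rule and the per-site recovery times and
costs are constructed assumptions. The point is the mechanics: combine quantifiable and
intangible loss into a tolerance score, rank processes by it, and then check which
recovery site type can actually meet each process's RTO.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    hourly_loss_usd: float   # quantifiable loss for each hour the process is down
    intangible: int          # 0-5 rating of reputation / competitive damage
    rto_hours: float         # recovery time objective: tolerable downtime
    rpo_hours: float         # recovery point objective: tolerable data loss


# Constructed results of the business-unit interviews.
PROCESSES = [
    Process("order-processing", 20000.0, 4, rto_hours=4, rpo_hours=1),
    Process("payroll", 3000.0, 5, rto_hours=48, rpo_hours=24),
    Process("internal-wiki", 200.0, 1, rto_hours=120, rpo_hours=48),
]

# Assumed site characteristics: hours to bring a process back, and yearly cost.
SITES = {
    "hot": {"recovery_hours": 1, "annual_cost_usd": 500_000},
    "warm": {"recovery_hours": 24, "annual_cost_usd": 150_000},
    "cold": {"recovery_hours": 96, "annual_cost_usd": 40_000},
}

INTANGIBLE_WEIGHT_USD = 5000.0  # assumed dollar equivalent of one intangible rating point


def loss_score(p):
    """Combined hourly loss: quantifiable dollars plus weighted intangible damage.

    A higher score means less tolerance for disruption, hence a higher recovery priority."""
    return p.hourly_loss_usd + INTANGIBLE_WEIGHT_USD * p.intangible


def recovery_priority(processes):
    """Process names ordered from first to last to recover."""
    return [p.name for p in sorted(processes, key=loss_score, reverse=True)]


def cheapest_site_meeting_rto(p, sites=SITES):
    """Least expensive site whose recovery time fits inside the process RTO, or None."""
    fitting = [(name, s) for name, s in sites.items() if s["recovery_hours"] <= p.rto_hours]
    if not fitting:
        return None
    return min(fitting, key=lambda item: item[1]["annual_cost_usd"])[0]


def rto_gaps(processes, chosen_site, sites=SITES):
    """Processes whose RTO a single chosen site type cannot meet."""
    limit = sites[chosen_site]["recovery_hours"]
    return [p.name for p in processes if p.rto_hours < limit]


def bia_report(processes=PROCESSES):
    """Per-process summary: tolerance score, site choice, and the backup interval the RPO implies."""
    return {
        p.name: {
            "score": loss_score(p),
            "site": cheapest_site_meeting_rto(p),
            "backup_at_least_every_hours": p.rpo_hours,
        }
        for p in processes
    }


if __name__ == "__main__":
    print("recovery order:", recovery_priority(PROCESSES))
    print("RTO gaps if everything goes to a warm site:", rto_gaps(PROCESSES, "warm"))
    for name, row in bia_report().items():
        print(f"{name:18s} score={row['score']:>8.0f} site={row['site']:4s} "
              f"backup every {row['backup_at_least_every_hours']}h")
```

With these inputs the ranking is order-processing, payroll, internal-wiki, but the site decision does not follow the ranking blindly: only a hot site meets the four-hour RTO of order-processing, payroll fits a warm site, and the wiki can live with a cold site. `rto_gaps` is the check a reviewer of the plan would run when someone proposes one site type for everything; putting every process on a warm site leaves order-processing uncovered.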