
Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.701 ■ Spring 2021 ■ Jose Gomez

Question to discuss with my classmates

April 7, 2021 by Jose Gomez 46 Comments

Filed Under: 12 - Incident and Disaster Response

Comments

  1. Zibai Yang says

    April 8, 2021 at 8:56 am

    What is needed for a complete BCP?

    • Vanessa Marin says

      April 13, 2021 at 11:42 pm

      I just did this for a client and there is an actual formula to follow!

      1. Scope! You have to know what your limits in the BCP are or else you’ll drive yourself nuts trying to cover everything or not covering enough.
      2. Identification of the key business areas impacted is important – which departments are impacted, who needs to be involved in the communication stream, etc.
      3. Identify the critical functions – these are the basic functions that would need to happen in order to keep the business going.
      4. Find the dependencies – what are the dependencies between the business areas and the critical functions and organize them by priority.
      5. Downtime – how long can each critical function be down with the least impact?
      6. Create a plan – this is your draft of the plan. There are many templates you can find online that have detailed instructions.
      7. Test, test, test! Can’t stress this enough! It is important to have tabletop exercises and mock event exercises to ensure that your BCP plan is actually functional and effective. During these tests you’ll test out the process and the response time of the team at each phase of the BCP.

  2. Ting-Yen Huang says

    April 9, 2021 at 1:43 pm

    There are so many plans that seem needed for a company, how does the company prioritize them?

    • Mei X Wang says

      April 12, 2021 at 4:59 pm

      The company should first assess the organization’s assets by performing a BIA and by using FIPS 199 security categorization. Security categorization is based on the three security objectives, confidentiality, integrity, and availability. After the assets are scored, the assets with the overall high rating should be prioritized and have the most resources allocated in case of an attack. The lower scored assets still need to be protected as well but at a lower priority. Using the FIPS 199 model will help the organization categorize their assets based on industry-approved standards.

  3. Xinyi Zheng says

    April 11, 2021 at 2:36 am

    What are the differences between business continuity plans and IT disaster recovery plans?

    • Haozhe Lin says

      April 12, 2021 at 12:02 am

      Business continuity (BC): it refers to the maintenance of business function or rapid recovery function in case of major interruption, whether the interruption is caused by fire, flood, epidemic disease, or malicious Internet attack. It is necessary to describe the procedures and instructions that enterprises must comply with in the face of these disasters, and it also changes the business processes, assets, human resources, business partners, and other aspects.

      Disaster recovery plan: it mainly focuses on the recovery of IT infrastructure and business after a disaster, which is only an integral part of the complete business continuity plan.

      Many people think that a disaster recovery plan and a business continuity plan are the same thing, but in fact a business continuity plan focuses on the continuity of the whole enterprise. After a disaster, do you have a way to keep the human resources, manufacturing, sales, and support teams in normal operation, to ensure that the company can continue to make money? If the building where the enterprise is located is razed by a tornado, how should these customer service representatives deal with customer calls? Can they temporarily work at home, or in a spare site? All of these are problems to consider. Business continuity companies are also taking advantage of this opportunity to rent out cubicles, including desks, telephones, and computers, and disaster recovery services based on services and equipment, to these enterprises that have suffered catastrophic accidents. Business impact analysis (BIA) is another component of the business continuity plan. BIA can determine the impact of a sudden loss of business functions, and it usually quantifies this impact. This kind of analysis can also help you evaluate whether you should outsource the non-core business in the business continuity plan. Basically, BIA can help you look at the processes of the whole enterprise and determine which processes are most important.

  4. Priyanka Ranu says

    April 11, 2021 at 12:02 pm

    What are the steps involved in a Cyber Incident Response Plan?

    • Zibai Yang says

      April 12, 2021 at 12:23 am

      1. Form an incident response team
      2. Develop an action manual
      3. Prevention and preparation
      4. Discovery and containment
      5. Perform post-mortem analysis

    • Anthony Messina says

      April 13, 2021 at 9:01 am

      The SANS incident response plan consists of 6 steps:

      Preparation
      Identification
      Containment
      Eradication
      Recovery
      Lessons Learned

      The NIST Incident Response Process contains four steps:

      Preparation
      Detection and Analysis
      Containment, Eradication, and Recovery
      Post-Incident Activity

    • Prince Patel says

      April 14, 2021 at 11:35 am

      The steps involved in a Cyber Incident Response Plan, as per the Security Metrics website, are:
      1. Preparation
      2. Identification
      3. Containment
      4. Eradication
      5. Recovery
      6. Lessons Learned

      This is similar to the NIST 4-step plan:

      1. Preparation
      2. Detection and Analysis
      3. Containment, Eradication, and Recovery
      4. Post-Incident Activity

  5. Cami Chen says

    April 11, 2021 at 7:12 pm

    What are the differences in implementing a business contingency plan between large organizations and small businesses?

  6. Heather Ergler says

    April 11, 2021 at 7:37 pm

    Why is it so important that information system contingency plans be consistent across various government agencies?

    • Vanessa Marin says

      April 13, 2021 at 11:48 pm

      So I went on the website whitehouse.gov and found a list of the contingency plans across the federal government and guess what – they aren’t consistent. The structure of the plans is relatively similar but each department has its own goals, requirements, definitions and needs.

      If you mean a consistency in documentation, even that can be challenged. I’ve rarely known, even in the US, any department that functions exactly like another. Even the sections for reporting to the general public are unique.

      https://www.whitehouse.gov/omb/information-for-agencies/agency-contingency-plans/

  7. Krish Damany says

    April 11, 2021 at 7:55 pm

    Of the different types of plan in the BCP umbrella, which is the most important to consider, or should all plans be considered equally?

  8. Jonathan Castelli says

    April 11, 2021 at 8:12 pm

    Which step is the most important in the incident response process and why?

    • Cami Chen says

      April 12, 2021 at 10:08 pm

      The detection and analysis step is the most important in the incident response process. In order to mitigate risks, the detection and analysis step can directly point out the area where the action should begin to respond to the incident process. Organizations need to have strong detective capabilities to structure their information systems, so they can have enough time to resolve an incident. For example, they can use alert tools to monitor the systems.

    • Anthony Wong says

      April 13, 2021 at 7:49 pm

      I think the most important step is the post-incident activity because it creates discussion and knowledge sharing on the incident. Additionally, it allows the team to determine where the weak points were that led to the breach and what can be done in the future to prevent similar attacks from occurring.

  9. Anthony Wong says

    April 11, 2021 at 8:41 pm

    What is the difference between signature-based and anomaly IDS?

    • Zibai Yang says

      April 12, 2021 at 12:33 am

      Signature detection includes searching a series of bytes or packet queues in network communications to find known malicious programs. The biggest advantage of this detection method is that if you know the network behavior you want to find out, this signature is easy to develop and understand.
      Anomaly detection technology is centered on the concept of network behavior benchmarks. This benchmark is an accepted explanation of online behavior. The anomaly detection engine will detect any behavior patterns that do not conform to people’s pre-defined or accepted behavior patterns.

    • Anthony Messina says

      April 13, 2021 at 9:08 am

      Signature-based detection is when a file is determined to be malicious, a digital signature is written and uploaded to a database so anti-malware programs are able to detect that file or component in the future. Anomaly-based detection looks at the behavior of the file. It is not necessarily looking for bad strings in the file, but looking for weird strings that cause it to behave in a way that is not common within the network.

    • Prince Patel says

      April 14, 2021 at 4:43 pm

      According to the Center for Internet Security, signature-based and anomaly-based detections are the two main methods of identifying and alerting on threats. While signature-based detection is used for threats we know, anomaly-based detection is used for changes in behavior. Signature-based detection relies on a preprogrammed list of known indicators of compromise (IOCs). An IOC could include malicious network attack behavior, content of email subject lines, file hashes, known byte sequences, or malicious domains. Signatures may also include alerts on network traffic, including known malicious IP addresses that are attempting to access a system. In contrast to signature-based detection, anomaly-based detection is capable of alerting on unknown suspicious behavior. Anomaly-based detection involves first training the system with a normalized baseline and then comparing activity against that baseline.

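Added example (not part of any comment above, and not code from the Center for Internet Security or any product): a small Python detector that runs both methods over a constructed event set, an IOC list on the signature side and a per-source request-rate baseline trained on a clean window on the anomaly side. Every address, domain and byte sequence in it is a constructed placeholder.

```python
"""Signature-based vs anomaly-based detection over constructed log events.

Added example, not code from the course page or any vendor: the two
methods contrasted in the thread are run side by side over a small
constructed event set so the difference in what each one catches is visible.
"""
from __future__ import annotations

from collections import Counter
from statistics import mean, pstdev

# Constructed IOC list. These are placeholder values, not real indicators.
SIGNATURES = {
    "domains": {"evil-example.invalid", "c2.example.invalid"},
    "byte_sequences": [b"\x90\x90\x90\x90", b"\xde\xad\xbe\xef"],
}


def signature_match(event: dict) -> list[str]:
    """Return the name of every preprogrammed IOC the event triggers."""
    hits = []
    if event.get("dst_host") in SIGNATURES["domains"]:
        hits.append(f"domain:{event['dst_host']}")
    payload = event.get("payload", b"")
    for seq in SIGNATURES["byte_sequences"]:
        if seq in payload:
            hits.append("bytes:" + seq.hex())
    return hits


def train_baseline(training_events: list[dict]) -> tuple[float, float]:
    """Learn mean and standard deviation of requests per source from a known-clean window."""
    counts = Counter(e["src"] for e in training_events)
    values = list(counts.values())
    return mean(values), pstdev(values)


def anomaly_match(events: list[dict], baseline: tuple[float, float], k: float = 3.0) -> dict[str, int]:
    """Return sources whose request count exceeds mean + k * stdev of the baseline.

    The 2x-mean floor stops a near-constant baseline (stdev close to zero)
    from flagging every source that is one request above average.
    """
    mu, sigma = baseline
    threshold = max(mu + k * sigma, 2 * mu)
    counts = Counter(e["src"] for e in events)
    return {src: n for src, n in counts.items() if n > threshold}


def build_sample_events() -> tuple[list[dict], list[dict]]:
    """Constructed training window (clean) and live window (one flood, one IOC hit)."""
    def burst(src: str, n: int) -> list[dict]:
        return [{"src": src, "dst_host": "intranet.example", "payload": b"GET /"} for _ in range(n)]

    normal = [("10.0.0.1", 10), ("10.0.0.2", 12), ("10.0.0.3", 9), ("10.0.0.4", 11)]
    training = []
    for src, n in normal:
        training += burst(src, n)

    live = []
    for src, n in normal:
        live += burst(src, n)
    live += burst("10.0.0.9", 40)  # unknown behaviour: a request flood with no IOC
    live.append({"src": "10.0.0.5", "dst_host": "evil-example.invalid",
                 "payload": b"GET /\x90\x90\x90\x90"})  # known IOC at a normal rate
    return training, live


def run_detectors() -> tuple[dict[str, list[str]], dict[str, int]]:
    """Run both methods over the live window and return (signature hits, anomalies)."""
    training, live = build_sample_events()
    sig_hits: dict[str, list[str]] = {}
    for event in live:
        hits = signature_match(event)
        if hits:
            sig_hits.setdefault(event["src"], []).extend(hits)
    anomalies = anomaly_match(live, train_baseline(training))
    return sig_hits, anomalies


if __name__ == "__main__":
    sig, anom = run_detectors()
    print("signature hits:", sig)
    print("rate anomalies:", anom)
```

Running it shows the two methods catching different things: the flood from 10.0.0.9 matches no IOC and is only caught by the rate baseline, while the single request to the known-bad domain sits well inside the normal rate and is only caught by the signature list. The 2x-mean floor on the anomaly threshold is a design choice of this example, not something the comment describes.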
  10. Junhan Hao says

    April 11, 2021 at 9:27 pm

    How do companies overcome the time synchronization issue?

    • Anthony Messina says

      April 13, 2021 at 9:13 am

      Companies utilize NTP – the network time protocol. NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC). Generally companies will have an NTP server that the NTP protocol connects to so that all the devices are on the same time within a millisecond of each other.

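Added example (not from any reply in the thread): what the synchronization problem looks like to an analyst correlating logs. Two constructed hosts write timestamps differently, one in UTC with a good clock and one in a UTC-4 local zone whose clock was measured 90 seconds fast against the NTP reference. Sorting on the raw stamps puts the login before the firewall allowed the connection; correcting each host's stamps to the reference clock restores the real order. Host names, offsets and log lines are all constructed.

```python
"""Normalising log timestamps from hosts with different zones and clock skew.

Added example, not from the course page. Host names, zones, skew values
and log lines are constructed sample data.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed per-host metadata: the zone each host writes its stamps in and
# its measured offset from the NTP reference (positive = host clock runs fast).
HOSTS = {
    "fw01": {"tz": timezone.utc, "skew": timedelta(0)},
    "web02": {"tz": timezone(timedelta(hours=-4)), "skew": timedelta(seconds=90)},
}

# Constructed events: (host, timestamp exactly as the host wrote it, message)
SAMPLE_EVENTS = [
    ("web02", "2021-04-12 10:31:40", "login failed for admin from 203.0.113.7"),
    ("fw01", "2021-04-12 14:30:05", "ALLOW 203.0.113.7 -> 10.0.0.20:443"),
    ("web02", "2021-04-12 10:32:10", "login ok for admin from 203.0.113.7"),
]


def to_reference_time(host: str, stamp: str) -> datetime:
    """Convert a host's raw timestamp to UTC on the NTP reference clock."""
    info = HOSTS[host]
    local = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=info["tz"])
    # Move to UTC, then undo the host's measured skew.
    return local.astimezone(timezone.utc) - info["skew"]


def naive_timeline(events: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Order events by the raw stamp string, as a plain sort on the log text would."""
    return [(stamp, host, msg) for host, stamp, msg in sorted(events, key=lambda e: e[1])]


def corrected_timeline(events: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Order events by reference time; stamps are returned as ISO-8601 UTC."""
    fixed = [(to_reference_time(h, s), h, m) for h, s, m in events]
    return [(t.isoformat(), h, m) for t, h, m in sorted(fixed, key=lambda e: e[0])]


if __name__ == "__main__":
    print("raw order:")
    for row in naive_timeline(SAMPLE_EVENTS):
        print("  ", *row)
    print("reference-clock order:")
    for row in corrected_timeline(SAMPLE_EVENTS):
        print("  ", *row)
```

The corrected sequence (firewall ALLOW, then the failed login, then the successful one, all within 35 seconds on the reference clock) is the one an investigator can reason about; the raw one is physically impossible, which is the usual first sign that a host's clock is off.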
  11. Austin Mecca says

    April 11, 2021 at 9:46 pm

    What in the BCP do you consider the most important?

    • Cami Chen says

      April 12, 2021 at 10:33 pm

      I think that it is necessary to have a backup plan in the BCP. Can you imagine that your documents are destroyed when you try to file your tax return on the last day? If you make a copy and upload it to your cloud or save it on your USB, you will not suffer from it. For organizations, they need to know what data should be stored, and how to back up the data. Also, the backups need to be testable, so the data can be recovered. The backup plan must mention how frequently to back up the data, and then companies are able to mitigate some losses.

      • Austin Mecca says

        April 13, 2021 at 8:32 pm

        Cami,

        I totally agree, I could not imagine having the BCP plan and actually needing it. It would be chaos trying to put something together, all the while limited groups are able to work, revenues and profits are disappearing and investors and executives are looking for answers from anyone and everyone. I actually don’t think that more than 1% of companies would be able to survive an attack without having a BCP in place. Unlike other areas and sectors, this is not something that can easily be done on the fly in the event of an emergency.

    • Vanessa Marin says

      April 13, 2021 at 11:54 pm

      In my opinion BCPs are documents for a moment in time. A fantastic BCP plan may have been written that outlined everything you need to do in case of an incident, but if it hasn’t ever been tested, reviewed or updated and it’s 5 years old… Well, then you might as well serve your business on a platter for the next guy to take over.

      To me plans and policy are only as good as the latest update. Technologies change, get replaced. Business processes improve or are deprecated. Business environments change as you expand or pivot. Changes may be required due to changes in infrastructure, software, people, regulation, etc. All these things affect BCP and other types of contingency plans.

  12. Zhen Li says

    April 11, 2021 at 10:27 pm

    There are three ways of containment: disconnection, black-holing the attacker, and continuing to collect data. Which is the most effective?

    • Heather Ergler says

      April 13, 2021 at 5:06 pm

      It depends on the purpose of the containment. If an attacker is executing the same hack that has been seen repeatedly, possibly disconnecting is the best approach. If the hack seems to be original then possibly blackholing or continuing to collect data is the best approach. SIEM monitors need to have standard operating procedures with criteria to determine which approach is to be taken with each attack.

  13. Wenyao Ma says

    April 11, 2021 at 10:56 pm

    How often should the organization perform simulations in response to disasters?

    • Krish Damany says

      April 13, 2021 at 7:19 pm

      Simulations shouldn’t take up the time of the network when most employees are accessing it. They should be done periodically as the organization sees fit, which could be once or twice a month, every 6 months, or every year. It ultimately depends on the size of the organization, and what times of the day the fewest regular users are accessing the network.

    • Anthony Wong says

      April 13, 2021 at 7:54 pm

      I think simulations should be performed at least once a year. This ensures that the plan is updated and accurate. If a key resource in the plan has left the organization, this can be a great exercise to help the new resource come up to speed. Similar to Krish’s response, the simulation should occur when users will be impacted the least. This may differ based on the industry of the organization. For a retail company, they may want to avoid tests on the weekends.

  14. Prince Patel says

    April 11, 2021 at 11:11 pm

    How are Honey Pots critical to Security Infrastructure?

    • Xinyi Zheng says

      April 13, 2021 at 3:06 am

      Honeypot technology is meant to entice hackers by being easy to penetrate and appearing to contain desirable information. The honeypot can reveal where attackers are coming from, and the information gathered when hackers are lured in helps understand their motivation and behavior. Honeypotting can also be used to deflect attacks from actual targets.

  15. Kyuande Johnson says

    April 11, 2021 at 11:37 pm

    What are the differences between an Intrusion Detection System and an Intrusion Prevention System?

    • Zibai Yang says

      April 12, 2021 at 1:07 am

      The main difference between IDS and IPS: IDS mainly detects the inside of the system, runs on the monitored host, and monitors the host’s network behavior, system log, process and memory, and other indicators; IPS acts on the firewall and external network of the system and analyzes the flow to the inside.

    • Xinyi Zheng says

      April 13, 2021 at 3:01 am

      IDS are monitoring systems and IPS are control systems. IDS won’t alter network traffic while IPS prevents packets from delivering based on the contents of the packet, similar to how a firewall prevents traffic by IP address.

    • Prince Patel says

      April 14, 2021 at 11:37 am

      The main difference between them is that IDS is a monitoring system, while IPS is a control system.

      IDS doesn’t alter the network packets in any way, whereas IPS prevents the packet from delivery based on the contents of the packet, much like how a firewall prevents traffic by IP address.

      Intrusion Detection Systems (IDS): analyze and monitor network traffic for signs that indicate attackers are using a known cyberthreat to infiltrate or steal data from your network. IDS systems compare the current network activity to a known threat database to detect several kinds of behaviors like security policy violations, malware, and port scanners.

      Intrusion Prevention Systems (IPS): live in the same area of the network as a firewall, between the outside world and the internal network. An IPS proactively denies network traffic based on a security profile if that packet represents a known security threat.

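Added example, not code from the thread or from any IDS/IPS product: the same two constructed rules applied in the two positions the replies describe. In "detect" mode every packet is delivered and a match only produces an alert, as with an IDS fed from a tap or span port; in "prevent" mode a match drops the packet before delivery, as an inline IPS does. Addresses, rule contents and packets are constructed.

```python
"""Monitoring (IDS) vs control (IPS): the same rules in two positions.

Added example, not from the course page or any product. Rules, packets
and addresses are constructed. "detect" mirrors an IDS on a tap or span
port: every packet is delivered and a match only raises an alert.
"prevent" mirrors an inline IPS: a matching packet is dropped before delivery.
"""
from __future__ import annotations

# Constructed rules: a blocklisted source address and a known-bad Host header.
RULES = [
    {"name": "blocklisted-src", "src": "203.0.113.7"},
    {"name": "known-bad-host", "pattern": b"Host: evil-example.invalid"},
]

# Constructed packets: (src, dst, payload)
PACKETS = [
    ("198.51.100.4", "10.0.0.20", b"GET / HTTP/1.1\r\nHost: intranet.example"),
    ("203.0.113.7", "10.0.0.20", b"GET / HTTP/1.1\r\nHost: intranet.example"),
    ("192.0.2.9", "10.0.0.20", b"GET / HTTP/1.1\r\nHost: evil-example.invalid"),
]


def matches(rule: dict, packet: tuple) -> bool:
    """A rule matches when every field it specifies matches the packet."""
    src, _dst, payload = packet
    if "src" in rule and rule["src"] != src:
        return False
    if "pattern" in rule and rule["pattern"] not in payload:
        return False
    return True


def inspect(packets: list[tuple], mode: str) -> tuple[list[tuple], list[tuple]]:
    """Return (delivered packets, alerts) for mode "detect" (IDS) or "prevent" (IPS)."""
    if mode not in ("detect", "prevent"):
        raise ValueError("mode must be 'detect' or 'prevent'")
    delivered, alerts = [], []
    for packet in packets:
        hits = [r["name"] for r in RULES if matches(r, packet)]
        if hits:
            alerts.append((packet[0], hits))
        # An IDS never touches the traffic; an IPS withholds the matching packet.
        if not hits or mode == "detect":
            delivered.append(packet)
    return delivered, alerts


if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        delivered, alerts = inspect(PACKETS, mode)
        print(f"{mode}: delivered {len(delivered)} of {len(PACKETS)}, alerts {alerts}")
```

Both modes raise the same two alerts; only the delivered set differs. That is the practical trade-off the replies point at: an inline IPS can stop the packet but a false positive now blocks legitimate traffic, while an IDS can never block anything and relies on someone acting on the alert.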
  16. Vanessa Marin says

    April 11, 2021 at 11:42 pm

    What key controls do you feel are the most important to implement or ensure that an organization has in place?

  17. Haozhe Lin says

    April 11, 2021 at 11:56 pm

    Should a hot site be implemented as a recovery strategy when the Recovery Time Objective (RTO) is high or low?

    • Junhan Hao says

      April 13, 2021 at 12:01 am

      When the RTO is low. If this time gap is short, a recovery strategy that can be implemented in a short time should be used.

  18. Anthony Messina says

    April 12, 2021 at 8:41 am

    While many IDS solutions will pull log files from the various devices, parse them, and present them to the analyst in a readable form, sometimes you may have to go into a machine and dig through log files yourself. Are there any commands or software you have run into that could make combing through endless log files any easier?

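Added example in response to the question (not from any reply in the thread): a Python equivalent of the grep | awk | sort | uniq -c pipeline most analysts reach for first, applied to a few constructed sshd log lines. It parses the syslog layout, counts failed logins per source address, lists sources above a threshold, and pulls the lines inside a time window. The log text, host name and addresses are constructed.

```python
"""Sifting a syslog-style auth log by hand.

Added example, not from the thread: a Python counterpart to
grep | awk | sort | uniq -c. The log text below is constructed; the
addresses are documentation ranges and the host name is a placeholder.
"""
from __future__ import annotations

import re
from collections import Counter

SAMPLE_LOG = """\
Apr 12 09:01:12 web02 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 12 09:01:15 web02 sshd[2201]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr 12 09:02:03 web02 sshd[2210]: Accepted publickey for deploy from 198.51.100.4 port 40122 ssh2
Apr 12 09:02:44 web02 sshd[2215]: Failed password for root from 203.0.113.7 port 51030 ssh2
Apr 12 09:05:10 web02 sshd[2230]: Failed password for root from 192.0.2.9 port 33012 ssh2
Apr 12 09:05:12 web02 CRON[2240]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog layout: "<Mon> <day> <HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def records(text: str) -> list[dict]:
    """Parse every well-formed line into its fields; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def failed_by_source(text: str) -> Counter:
    """Count failed password attempts per source address (the uniq -c step)."""
    counts: Counter = Counter()
    for rec in records(text):
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[m.group("src")] += 1
    return counts


def sources_over(text: str, threshold: int) -> list[str]:
    """Source addresses with at least `threshold` failed attempts, busiest first."""
    return [src for src, n in failed_by_source(text).most_common() if n >= threshold]


def in_window(text: str, start: str, end: str) -> list[dict]:
    """Records whose HH:MM:SS falls in [start, end]; zero-padded stamps compare as strings."""
    return [rec for rec in records(text) if start <= rec["ts"][-8:] <= end]


if __name__ == "__main__":
    print(failed_by_source(SAMPLE_LOG))
    print("sources with 3+ failures:", sources_over(SAMPLE_LOG, 3))
    for rec in in_window(SAMPLE_LOG, "09:01:00", "09:03:00"):
        print(rec["ts"], rec["proc"], rec["msg"])
```

The same questions on a live box are usually `grep 'Failed password' /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn`; the script is worth having when the format varies between hosts or when the window filter needs to be more than a string match.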
  19. Mei X Wang says

    April 12, 2021 at 4:54 pm

    What are the benefits of a business impact analysis?

    • Xinyi Zheng says

      April 13, 2021 at 2:55 am

      BIA can help to identify the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes; assessment and prioritization of all business functions and processes, including their interdependencies, as part of a workflow analysis.

    • Junhan Hao says

      April 13, 2021 at 6:58 pm

      The organization can summarize some form of BIA report. The report may be useful in considering risk management and understanding the potential impact of different business interruption scenarios.

    • Priyanka Ranu says

      April 13, 2021 at 8:50 pm

      Business impact analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident or emergency. BIA is needed as it identifies scenarios that could potentially cause losses to the business and through this the business can come up with a plan for investment for recovering, mitigation and prevention strategies. With the due diligence of a business impact analysis in hand, a business has a well thought out plan to recover from a disaster. Information gathered in the BIA assists in determining the Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). RPO is the ability to recover files by specifying a point in time to restore the backup copy. RTO measures the time it takes for a system to be completely up and running in the event of a disaster.

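Added example tying the RPO and RTO definitions above to the hot-site question earlier in the thread (question 17). It is not from any comment: it takes the objectives a BIA would assign to each critical function and checks them against the backup interval actually in use and the restore time measured in a test, then maps the RTO to a site type. The functions, numbers and the site thresholds (hot at RTO ≤ 4 h, warm at ≤ 24 h, cold beyond) are constructed assumptions for illustration, not a standard.

```python
"""Checking BIA recovery objectives against what the plan can actually deliver.

Added example, not from the course page. Critical functions, their numbers
and the site-type thresholds are constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float              # max tolerable downtime, from the BIA
    rpo_hours: float              # max tolerable data loss, from the BIA
    backup_interval_hours: float  # how often backups actually run
    tested_restore_hours: float   # time a full restore took in the last test


# Assumed illustrative thresholds for site type by RTO (not a standard).
SITE_BY_RTO = [(4, "hot site"), (24, "warm site"), (float("inf"), "cold site")]


def recommend_site(rto_hours: float) -> str:
    """Shorter tolerable downtime calls for a readier (and costlier) site."""
    for limit, site in SITE_BY_RTO:
        if rto_hours <= limit:
            return site
    raise ValueError("unreachable: last threshold is infinite")


def assess(func: CriticalFunction) -> dict:
    """Compare objectives with measured capability; a positive gap means the plan falls short."""
    rpo_gap = max(0.0, func.backup_interval_hours - func.rpo_hours)
    rto_gap = max(0.0, func.tested_restore_hours - func.rto_hours)
    return {
        "name": func.name,
        "site": recommend_site(func.rto_hours),
        "rpo_gap_hours": rpo_gap,
        "rto_gap_hours": rto_gap,
        "meets_objectives": rpo_gap == 0 and rto_gap == 0,
    }


def assess_all(funcs: list[CriticalFunction]) -> list[dict]:
    """Assess every function, worst total shortfall first, so fixes can be prioritised."""
    return sorted((assess(f) for f in funcs),
                  key=lambda r: r["rto_gap_hours"] + r["rpo_gap_hours"], reverse=True)


# Constructed sample: three functions with objectives a BIA might assign.
SAMPLE_FUNCTIONS = [
    CriticalFunction("order processing", rto_hours=2, rpo_hours=0.25,
                     backup_interval_hours=1, tested_restore_hours=1.5),
    CriticalFunction("payroll", rto_hours=48, rpo_hours=24,
                     backup_interval_hours=24, tested_restore_hours=8),
    CriticalFunction("customer portal", rto_hours=8, rpo_hours=4,
                     backup_interval_hours=4, tested_restore_hours=12),
]


if __name__ == "__main__":
    for row in assess_all(SAMPLE_FUNCTIONS):
        print(row)
```

On the constructed data the customer portal misses its RTO by 4 hours (the restore test is the evidence, which is why the thread keeps coming back to testing) and order processing misses its RPO because hourly backups cannot deliver a 15-minute objective; payroll meets both and is fine on a cold site.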
