Dhaval Patel says
There are four main types of incident severity, false alarms, minor incidents, major incidents, and disasters. False alarms are essentially false positives and can be costly and time-consuming. Minor incidents are breaches that occur and can be easily handled by the IT staff. Major incidents are going to be too large for the general IT staff to take on, so firms usually create a computer security incident response team (CSIRT), and because major incidents are costly from a profit standpoint to the organization the CSIRT team usually consists of members from legal, public relations, and upper management. And finally, we have disasters. Disasters could include natural disasters like fires or floods, or any other disturbance that tends to be out of the CSIRT teams. Disasters can keep a business from running, and so a business continuity plan, as well as a business continuity team, should be created. With major incidents, legal usually gets involved, but as IT security staff it is going to be important to have an understanding of the legal process and some of the laws they are dealing with, especially when customer data privacy is involved, but knowing the legal process can help avoid mistakes that could invalidate any cases brought against them.
Antonio Cozza says
As you mention, a business continuity plan is crucial in the face of a disaster to help a business resume the critical processes and continue to operate despite large setbacks in normal operations. It is imperative that the BCP is regularly tested, maintained, and altered if needed.
kofi bonsu says
Disaster recovery and incident response have become a necessity in today’s technologically driven business world. A significant amount of consumer information is put into businesses’ information systems with the expectation to protect their private and financial data. The chapter of the book addresses the importance of why organizations need effective disaster recovery and contingency planning. A foundation of knowledge is built through the understanding of the statistical and practical implications of disaster recovery and contingency planning. The core function of a DR plan is to maintain functionality of business processes when, and not if, an incident of a disastrous proportion is to occur. For a DR plan to be effective, organizations must plan for disasters of all types. Disasters can take the shape of cyber-attacks, natural disasters, or technical/hardware disasters. Organizations need to plan for technical and hardware disasters. This examination will cover cyber-attacks and natural disasters in hopes of answering why it is a necessity to plan for such incidents separately.
Dan Xu says
Hi Kofi,
I agree with you that disaster recovery and incident response are becoming more and more important. Maintain operations as quickly as possible with business continuity plans and resume operations. Businesses need strong business continuity plans and well-trained business continuity teams. Day-to-day maintenance of the company’s revenue-generating business by organizing for technical and hardware disasters to deal with business continuity that is often threatened by disasters. The better a company’s disaster recovery plan is, the more it can reduce the damage caused by a disaster.
Kelly Sharadin says
As an incident response consultant I would echo this week’s reading on the importance of maintaining the integrity of data collection following an incident. It is imperative to generate hash values of all the evidence gathered, document any transfer of evidence via chain of custody forms, and create forensic copies where applicable. Failure to preserve unaltered evidence will render evidence inadmissible in court. Evidence preservation is certainly not a fun portion of cybersecurity but a vital one nonetheless.
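The hashing and chain-of-custody practice described in this post, as an added example that is not part of the original discussion or the course book: it hashes an evidence file at acquisition, re-hashes it at every hand-off, and verifies it later against the value recorded at acquisition. The evidence bytes are constructed in a temporary directory, and the ledger field names and `CustodyLedger` class are this example's own, not a standard form.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 65536) -> str:
    """SHA-256 hex digest of a file, read in chunks so large images stream."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class CustodyLedger:
    """Append-only record of acquisitions and hand-offs for each evidence item.

    Hypothetical helper: the entry fields are this example's own. Each entry
    carries the hash taken at that step, so any later check can be compared
    against the value recorded when the item was first acquired.
    """

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def acquire(self, item_id: str, path: str, custodian: str) -> str:
        """Record the first custodian and the hash of the pristine copy."""
        digest = sha256_file(path)
        self.entries.append({"item": item_id, "action": "acquired", "from": None,
                             "to": custodian, "sha256": digest, "time": self._now()})
        return digest

    def original_hash(self, item_id: str) -> str:
        for entry in self.entries:
            if entry["item"] == item_id and entry["action"] == "acquired":
                return entry["sha256"]
        raise KeyError(f"no acquisition recorded for {item_id}")

    def transfer(self, item_id: str, path: str, from_custodian: str, to_custodian: str) -> bool:
        """Record a hand-off; re-hash so a change in transit is caught at the hand-off."""
        digest = sha256_file(path)
        intact = digest == self.original_hash(item_id)
        self.entries.append({"item": item_id, "action": "transferred", "from": from_custodian,
                             "to": to_custodian, "sha256": digest, "time": self._now(),
                             "intact": intact})
        return intact

    def verify(self, item_id: str, path: str) -> bool:
        """True if the file on disk still hashes to the value recorded at acquisition."""
        return sha256_file(path) == self.original_hash(item_id)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def demo() -> tuple:
    """Walk one constructed evidence item through acquisition, hand-off and tampering."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "disk-image-01.bin")
    with open(evidence, "wb") as fh:  # constructed stand-in for a forensic image
        fh.write(b"constructed evidence bytes\n" * 1000)

    ledger = CustodyLedger()
    ledger.acquire("EV-001", evidence, custodian="first responder")
    intact_after_handoff = ledger.transfer("EV-001", evidence, "first responder", "lab analyst")

    with open(evidence, "ab") as fh:  # simulate an unintended modification after hand-off
        fh.write(b"x")
    intact_after_tamper = ledger.verify("EV-001", evidence)
    return intact_after_handoff, intact_after_tamper


if __name__ == "__main__":
    print(demo())
```

Running the script prints `(True, False)`: the hand-off verifies cleanly, and the single appended byte is enough to make the later verification fail, which is exactly the property that makes the acquisition hash the anchor for every later custody step.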
Dan Xu says
Two days before Hurricane Katrina, mentioned at the beginning of the chapter, Walmart activated its Business Continuity Center. This exemplifies the visible tip of the Walmart disaster recovery plan. Walmart succeeded because Walmart’s disaster preparedness plan was well prepared. This demonstrates the importance of well-prepared disaster preparedness plans.
Incident severities are classified in this chapter into four threat levels: false positives, minor incidents, major incidents, and disasters. In IDS, many suspicious activities turn out to be false positives, wasting a lot of scarce and expensive security time. Minor incidents can be handled by staff on duty. Major incidents have too much impact on the IT on duty and are left to the staff to handle. The more adequate a company’s disaster recovery plan is, the more it can reduce the losses caused by a disaster. Businesses need robust business continuity plans and well-trained business continuity teams.
Dhaval Patel says
Hi Dan Xu,
The Walmart example is a good one because it shows that having a BCP and utilizing it can result in a successful outcome, and as you said the more sufficient an organization’s disaster recovery plan, the better off they will be, especially from a financial standpoint.
Lauren Deinhardt says
Thanks for the post Dan! Great job highlighting the Walmart example. The activation phase of initializing a business continuity plan is critical; timing it correctly can mitigate damages (such as flooding ruining equipment that has not been moved to an alternate site).
Madalyn Stiverson says
Incident response planning is a cyclical process. You plan, test, refine, and repeat. The threat environment is constantly changing and you need to be prepared to respond to new threats. An outdated and untested response plan is about as good as having no plan at all. The book outlines multiple types of plans. This includes the intrusion detection system, business continuity plan, and disaster recovery plan.
The IDS helps detect and respond to cyber threats. The BCP helps get the business back up and running as soon as possible following a business interruption. The DRP helps respond and potentially move operations to a different location following a disaster such as hurricane, fire, or other act of god.
Dhaval Patel says
Hi Madalyn,
You make a good point. Having an old and untested response plan doesn’t have any effect. As you said the threat environment is constantly changing and so with that, the DRP or the BCP as well as the other plans need to be updated regularly as the threat environment changes.
Antonio Cozza says
The biggest takeaway in this section for me is the usefulness of integrated log files and how synchronized they need to be to do their job effectively. With all of the alerts coming in on individual IDS/IPSs it is important that they are intuitively integrated into a central logging machine that will store all of the logs and provide a larger view of what is occurring in an environment, specific to fractions of seconds. This machine should be largely isolated from the main network to hinder an attacker from being able to easily cover their tracks. Aggregated alerts can show attacks coming in and help security teams realize when a virus is spreading across a network like the book’s example demonstrated.
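The central logging idea in this post, as an added example that is not part of the original discussion or the course book: alerts from two sensors whose clocks report different UTC offsets are normalized to UTC, merged into one timeline, and scanned for a signature that fires on several distinct hosts within a few seconds, which is the "spreading" pattern the post mentions. The sensor line format, sensor names and alert lines are all constructed for this example; the `normalize=False` path shows what the same correlation sees when the clocks are not synchronized.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed alert lines from two sensors whose clocks report different UTC
# offsets. Format: sensor-id|local-timestamp|source-host|signature
SAMPLE_ALERTS = """\
ids-dmz|2024-03-01T10:00:00.250+00:00|host-a|worm.scan
ids-lan|2024-03-01T12:00:01.100+02:00|host-b|worm.scan
ids-dmz|2024-03-01T10:05:00.000+00:00|host-a|policy.violation
ids-lan|2024-03-01T12:00:02.900+02:00|host-c|worm.scan
ids-lan|2024-03-01T12:30:00.000+02:00|host-d|policy.violation
""".splitlines()


def parse_alert(line: str, normalize: bool = True) -> dict:
    """Split one sensor line; with normalize=True convert its timestamp to UTC.

    normalize=False keeps the sensor's local wall-clock time and drops the
    offset, which is what an unsynchronized collector effectively does.
    """
    sensor, stamp, host, signature = line.strip().split("|")
    local = datetime.fromisoformat(stamp)  # offset-aware because of the +HH:MM suffix
    ts = local.astimezone(timezone.utc) if normalize else local.replace(tzinfo=None)
    return {"sensor": sensor, "ts": ts, "host": host, "signature": signature}


def aggregate(lines, normalize: bool = True) -> list:
    """Merge alerts from all sensors into one timeline ordered by timestamp."""
    alerts = (parse_alert(line, normalize) for line in lines if line.strip())
    return sorted(alerts, key=lambda a: a["ts"])


def detect_spread(alerts, window_seconds: float, min_hosts: int) -> list:
    """Report signatures seen from at least min_hosts distinct hosts within window_seconds."""
    by_signature = defaultdict(list)
    for alert in alerts:
        by_signature[alert["signature"]].append(alert)

    findings = []
    for signature, events in by_signature.items():
        events.sort(key=lambda a: a["ts"])
        for i, first in enumerate(events):
            hosts = set()
            for later in events[i:]:
                if (later["ts"] - first["ts"]).total_seconds() > window_seconds:
                    break
                hosts.add(later["host"])
            if len(hosts) >= min_hosts:
                findings.append({"signature": signature, "start": first["ts"], "hosts": hosts})
                break  # one finding per signature is enough to raise the alarm
    return findings


if __name__ == "__main__":
    synced = detect_spread(aggregate(SAMPLE_ALERTS), window_seconds=5, min_hosts=3)
    unsynced = detect_spread(aggregate(SAMPLE_ALERTS, normalize=False), window_seconds=5, min_hosts=3)
    print("synchronized:", synced)
    print("unsynchronized:", unsynced)
```

With normalized clocks the three `worm.scan` alerts fall within 2.7 seconds of each other and the spread is reported; with the raw local times the `ids-lan` alerts appear two hours after the `ids-dmz` one and the same correlation finds nothing, which is the practical reason the post insists on synchronization down to fractions of a second.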
Victoria Zak says
The biggest takeaway I took from this reading was how important it is for an organization to implement an incident and disaster recovery response plan. An incident response plan is a set of procedures that IT can utilize to identify, eliminate, and recover from cybersecurity threats. NIST mentions that the 4 key phases of an IR are preparation (have employees been trained on security policies?), detection & analysis, containment & eradication (what backups are in place & does MFA apply to remote access?), and post-incident recovery. A lessons learned session involving everyone should be mandatory after an incident, with the goal of improving security. A disaster recovery plan is a plan on how an organization would respond to a natural disaster, cyber attacks, power outages, or any other disruptive event. For a disaster recovery plan, a risk assessment is needed, along with objectives for the disaster recovery plan, and it must be tested & revised. Exercises like table tops are extremely helpful and could prepare individuals on what to do in a real life disaster.
kofi bonsu says
Hi Victoria,
I totally agree with you as regards your detailed analysis on incident and disaster recovery response. This is so because incident response can be defined as a set of measures you may take to cope with various kinds of security breaches. Also referred to as IT incidents and security incidents, such events are to be handled in a way to reduce recovery time and costs. To mitigate risks and be prepared for as wide a range of events as possible, you need a detailed and comprehensive incident response plan. This is a set of procedures and actions to be taken when a security breach is revealed.
Patrick Jurgelewicz says
One major takeaway from this chapter is the need to protect people first in business continuity planning and incident responses. As IT professionals, it is very easy to get caught up in protecting systems, data, and IT infrastructure, but it is important to not lose sight of the overall protection goal of human lives. For example, using gases to extinguish a fire may protect computers more than using water; however, the gases would be toxic to humans and must therefore not be used. This can also lead to issues regarding fail-open vs fail-closed lock doors, as a fail-open door could allow an intruder access to key hardware, but a fail-closed door could trap someone in a server room in an emergency. Again, it is important to always put people first.
Vraj Patel says
Hello Patrick,
That’s a great point. Human lives need to be at the top when planning for the incident response. The data, server, and other IT related processes could be recovered after a disaster; however, the humans can’t be. Therefore, it needs to be the most important to plan accordingly to ensure that everyone is safe in the event of any incident.
zijian ou says
IDS is a computer monitoring system. It monitors the system in real-time and issues alerts when anomalies are detected. It can be divided into several categories according to the source of information and the detection method: the basis of data can be divided into host-based IDS and network-based IDS. The detection method can be divided into anomaly intrusion detection and misuse intrusion detection. Unlike a firewall, an IDS intrusion detection system is a monitoring device that does not connect to any link and does not require network traffic to flow through to work.
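The two detection methods named in this post, as an added example that is not part of the original discussion or the course book: misuse detection matches records against explicit signatures, while anomaly detection learns a baseline from normal activity and flags hosts that deviate from it. The example takes the network-based case (per-connection records from a sensor); the same two methods apply to host-based logs. The record format, host names, addresses, the two signature rules and the baseline and observation data are all constructed for this example.

```python
import statistics
from collections import defaultdict

# Constructed network-sensor records, one connection per line:
# time src_host dst_ip dst_port bytes
BASELINE_RECORDS = """\
10:00:01 ws-01 10.0.0.5 443 1200
10:00:02 ws-01 10.0.0.6 80 800
10:00:03 ws-02 10.0.0.5 443 900
10:00:04 ws-02 10.0.0.7 22 300
10:00:05 ws-02 10.0.0.6 80 650
10:00:06 ws-03 10.0.0.5 443 1100
10:00:07 ws-03 10.0.0.6 80 700
10:00:08 ws-04 10.0.0.5 443 1000
10:00:09 ws-04 10.0.0.7 22 400
10:00:10 ws-04 10.0.0.8 25 500
""".splitlines()

OBSERVED_RECORDS = """\
11:00:01 ws-01 10.0.0.5 443 1300
11:00:02 ws-01 10.0.0.9 23 200
11:00:03 ws-05 10.0.0.5 21 60
11:00:03 ws-05 10.0.0.5 22 60
11:00:03 ws-05 10.0.0.5 25 60
11:00:04 ws-05 10.0.0.5 80 60
11:00:04 ws-05 10.0.0.5 110 60
11:00:04 ws-05 10.0.0.5 135 60
11:00:05 ws-05 10.0.0.5 139 60
11:00:05 ws-05 10.0.0.5 443 60
11:00:05 ws-05 10.0.0.5 445 60
11:00:06 ws-05 10.0.0.5 3389 60
""".splitlines()

# Misuse signatures: name -> predicate over one record. Constructed policy rules,
# not a vendor rule set.
SIGNATURES = {
    "telnet-cleartext-session": lambda r: r["dst_port"] == 23,
    "smb-from-workstation": lambda r: r["src"].startswith("ws-") and r["dst_port"] == 445,
}


def parse_records(lines) -> list:
    records = []
    for line in lines:
        if not line.strip():
            continue
        time, src, dst, port, size = line.split()
        records.append({"time": time, "src": src, "dst": dst,
                        "dst_port": int(port), "bytes": int(size)})
    return records


def misuse_detect(records, signatures=SIGNATURES) -> list:
    """Return (host, signature) pairs in record order, one per host and signature."""
    hits, seen = [], set()
    for record in records:
        for name, matches in signatures.items():
            key = (record["src"], name)
            if matches(record) and key not in seen:
                seen.add(key)
                hits.append(key)
    return hits


def distinct_ports_per_host(records) -> dict:
    ports = defaultdict(set)
    for record in records:
        ports[record["src"]].add(record["dst_port"])
    return {host: len(p) for host, p in ports.items()}


def build_baseline(records, k: float = 3.0) -> float:
    """Threshold on distinct destination ports per host: mean + k * population stdev."""
    counts = list(distinct_ports_per_host(records).values())
    return statistics.mean(counts) + k * statistics.pstdev(counts)


def anomaly_detect(records, threshold: float) -> list:
    """Hosts whose distinct-port count exceeds the learned threshold."""
    return [host for host, n in distinct_ports_per_host(records).items() if n > threshold]


if __name__ == "__main__":
    baseline = parse_records(BASELINE_RECORDS)
    observed = parse_records(OBSERVED_RECORDS)
    threshold = build_baseline(baseline)
    print("misuse:", misuse_detect(observed))
    print("threshold:", threshold, "anomalous:", anomaly_detect(observed, threshold))
```

The two methods catch different things: the signature rules flag `ws-01` for the telnet session, something the baseline would never notice because two destination ports is normal, while the anomaly threshold flags `ws-05` for touching ten ports in a few seconds even though none of its individual connections matches a rule except the SMB one. That complementarity is why the post lists both methods rather than treating one as a replacement for the other.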
Michael Jordan says
One of my main takeaways from this chapter is the importance of learning from previous incidents. This is typically done at the end of the incident response process, but it is necessary to remember this step is coming throughout the entire process, because you do not want to delete any evidence or information that will be helpful in reviewing how the breach occurred and the cumulative effects it had before the end of the process. Thoughtful completion of this final step in the incident response process can help the organization better understand all the specifics about how the incident occurred, how widespread the effects of the breach were, and how to better prevent against similar and all breaches in the future.
Kelly Sharadin says
Hi Michael,
The lessons learned phase is such a critical phase in the incident response lifecycle. If an organization can’t identify what areas were successful or unsuccessful during an incident, this indicates an immature security program. The lessons learned phase doesn’t have to be overly complicated or drawn out. A simple post-incident debrief of what went well and where pain points exist can help organizations recover from incidents faster in the future.
Kelly
Lauren Deinhardt says
In the incident response process, there are 3 critical stages: detection, analysis and escalation. Detection refers to when responders/security personnel discover an incident has occurred. This can be due to the usage of an IDS, or even a simple technical failure (e.g. an employee’s inability to access important work files). Next, analysis refers to the security personnel’s ability to categorize the incident/occurrence which was detected. This is the stage when a group such as a SOC (security operations center) filters out the false alarms from true incidents and malicious/unauthorized behavior. This is done by reading through log files. Lastly, escalation is when the incident is elevated to the organization’s CSIRT and other business continuity stakeholders.
Vraj Patel says
Having an incident response plan could reduce the number of successful cyber-attacks on the company’s network. Every incident has a different level of severity. There are four different types of severities covered within this week’s reading: false alarms, minor incidents, major incidents, and disasters. False alarms are when a certain event has been reported as an incident despite being normal network activity. A minor incident is the type of incident that can be resolved by the on-duty officers, such as removing a virus from the affected computers and related incidents. A major incident is when the company needs to onboard a different firm to assist them with resolving the incident. An example of a disaster is any type of environmental threat such as fire or floods.
Andrew Nguyen says
One of the key points that I took away from this reading was the different ways to implement an IDS.
I was particularly interested by honeypots, which are used to ‘trick’ attackers into accessing the resources inside it. I think the psychology aspect of this is super interesting, and wonder how curious they are in actual practice – are they actually effective?
Olayinka Lucas says
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
An incident response handles countermeasures that mitigate the risks of an active data breach. Disaster recovery plans reduce risks and damage caused by unexpected disasters like weather events, equipment damage, or human errors that have negative business impacts.
Your incident response plan is for one incident. It is the immediate action you take to avoid going into disaster mode. Your DRP is a plan that goes into place if your operations have been halted or severely disabled.