MIS 5214 - Section 001 - David Lanter
March 31, 2022 by Jose Gomez 22 Comments
Dhaval Patel says
April 1, 2022 at 9:53 am
There are four main types of incident severity: false alarms, minor incidents, major incidents, and disasters. False alarms are essentially false positives and can be costly and time-consuming. Minor incidents are breaches that occur and can be easily handled by the IT staff. Major incidents are going to be too large for the general IT staff to take on, so firms usually create a computer security incident response team (CSIRT), and because major incidents are costly from a profit standpoint to the organization, the CSIRT usually consists of members from legal, public relations, and upper management. And finally, we have disasters. Disasters could include natural disasters like fires or floods, or any other disturbance that tends to be out of the CSIRT teams. Disasters can keep a business from running, and so a business continuity plan, as well as a business continuity team, should be created. With major incidents, legal usually gets involved, but as IT security staff it is going to be important to have an understanding of the legal process and some of the laws they are dealing with, especially when customer data privacy is involved; knowing the legal process can help avoid mistakes that could invalidate any cases brought against them.
Antonio Cozza says
April 4, 2022 at 12:38 am
As you mention, a business continuity plan is crucial in the face of a disaster to help a business resume the critical processes and continue to operate despite large setbacks in normal operations. It is imperative that the BCP is regularly tested, maintained, and altered if needed.
kofi bonsu says
April 3, 2022 at 5:48 am
Disaster recovery and incident response have become a necessity in today’s technologically driven business world. A significant amount of consumer information is put into businesses’ information systems with the expectation that they will protect their private and financial data. The chapter of the book addresses the importance of why organizations need effective disaster recovery and contingency planning. A foundation of knowledge is built through the understanding of the statistical and practical implications of disaster recovery and contingency planning. The core function of a DR plan is to maintain functionality of business processes when, and not if, an incident of disastrous proportion occurs. For a DR plan to be effective, organizations must plan for disasters of all types. Disasters can take the shape of cyber-attacks, natural disasters, or technical/hardware disasters. Organizations need to plan for technical and hardware disasters. This examination will cover cyber-attacks and natural disasters in hopes of answering why it is a necessity to plan for such incidents separately.
Dan Xu says
April 3, 2022 at 11:39 am
I agree with you that disaster recovery and incident response are becoming more and more important. Maintain operations as quickly as possible with business continuity plans and resume operations. Businesses need strong business continuity plans and well-trained business continuity teams. Day-to-day maintenance of the company’s revenue-generating business by organizing for technical and hardware disasters to deal with business continuity that is often threatened by disasters. The better a company’s disaster recovery plan is, the more it can reduce the damage caused by a disaster.
Kelly Sharadin says
April 3, 2022 at 10:25 am
As an incident response consultant, I would echo this week’s reading on the importance of maintaining the integrity of data collection following an incident. It is imperative to generate hash values of all the evidence gathered, document any transfer of evidence via chain of custody forms, and create forensic copies where applicable. Failure to preserve unaltered evidence will render evidence inadmissible in court. Evidence preservation is certainly not a fun portion of cybersecurity but a vital one nonetheless.
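The evidence-integrity practice described in this comment (hash everything at acquisition, log every hand-off, re-verify later) can be exercised with a short script. The following is an added example written for this page, not code from the course or the commenter; the file names, custodian names and manifest layout are constructed for the demonstration.

```python
"""Added example: hash collected evidence, record custody transfers, and
re-verify the hashes later to prove nothing changed in the meantime.
All names and file contents below are constructed for illustration."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-gigabyte disk image never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str) -> dict:
    """Record the hash of every item at acquisition time plus who collected it.
    The first custody entry documents the initial collection."""
    now = datetime.now(timezone.utc).isoformat()
    return {
        "collected_by": collector,
        "collected_at": now,
        "items": [{"name": os.path.basename(p), "sha256": sha256_file(p)} for p in paths],
        "custody": [{"from": None, "to": collector, "at": now}],
    }


def record_transfer(manifest: dict, from_person: str, to_person: str) -> None:
    """Append one chain-of-custody entry; the list is only ever appended to."""
    manifest["custody"].append(
        {"from": from_person, "to": to_person, "at": datetime.now(timezone.utc).isoformat()}
    )


def verify_manifest(manifest: dict, directory: str) -> dict:
    """Return {item name: True/False} showing whether each file still matches
    the hash recorded at acquisition. A missing file counts as a mismatch."""
    results = {}
    for item in manifest["items"]:
        path = os.path.join(directory, item["name"])
        results[item["name"]] = os.path.exists(path) and sha256_file(path) == item["sha256"]
    return results


def demo():
    """Build a manifest over two constructed evidence files, hand them off,
    verify, then tamper with one file and verify again."""
    with tempfile.TemporaryDirectory() as d:
        paths = []
        # Constructed evidence contents; stand-ins for a memory image and a log.
        for name, content in [("memory.dmp", b"constructed memory image"),
                              ("auth.log", b"constructed auth log")]:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            paths.append(p)
        manifest = build_manifest(paths, "first responder (constructed)")
        record_transfer(manifest, "first responder (constructed)", "evidence locker (constructed)")
        before = verify_manifest(manifest, d)
        with open(paths[1], "ab") as f:       # simulate an unrecorded modification
            f.write(b" tampered")
        after = verify_manifest(manifest, d)
        return before, after, len(manifest["custody"])


if __name__ == "__main__":
    print(demo())
```

The point a reviewer should take from `demo()` is that the manifest, not the files, is what you produce in court: once a hash is recorded and the custody list is complete, any later change (the appended bytes in `auth.log`) is detectable without anyone having to remember what the file looked like.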
April 3, 2022 at 11:35 am
Two days before Hurricane Katrina, mentioned at the beginning of the chapter, Walmart activated its Business Continuity Center. This exemplifies the visible tip of the Walmart disaster recovery plan. Walmart succeeded because Walmart’s disaster preparedness plan was well prepared. This shows the importance of well-prepared disaster preparedness plans.
Incident severities are classified in this chapter into four threat levels: false positives, minor incidents, major incidents, and disasters. In IDS, many suspicious activities turn out to be false positives, wasting a lot of scarce and expensive security time. Minor incidents can be handled by staff on duty. Major incidents have too much impact on the IT on duty and are left to the staff to handle. The more adequate a company’s disaster recovery plan is, the more it can reduce the losses caused by a disaster. Businesses need robust business continuity plans and well-trained business continuity teams.
April 5, 2022 at 8:36 am
Hi Dan Xu,
The Walmart example is a good one because it shows that having a BCP and utilizing it can result in a successful outcome, and as you said the more sufficient an organization’s disaster recovery plan, the better off they will be, especially from a financial standpoint.
Lauren Deinhardt says
April 5, 2022 at 10:40 pm
Thanks for the post Dan! Great job highlighting the Walmart example. The activation phase of initializing a business continuity plan is critical; timing it correctly can mitigate damages (such as flooding ruining equipment that has not been moved to an alternate site).
Madalyn Stiverson says
April 3, 2022 at 4:21 pm
Incident response planning is a cyclical process. You plan, test, refine, and repeat. The threat environment is constantly changing and you need to be prepared to respond to new threats. An outdated and untested response plan is about as good as having no plan at all. The book outlines multiple types of plans. This includes the intrusion detection system, business continuity plan, and disaster recovery plan.
The IDS helps detect and respond to cyber threats. The BCP helps get the business back up and running as soon as possible following a business interruption. The DRP helps respond and potentially move operations to a different location following a disaster such as a hurricane, fire, or other act of God.
April 5, 2022 at 8:56 am
You make a good point. Having an old and untested response plan doesn’t have any effect. As you said the threat environment is constantly changing and so with that, the DRP or the BCP as well as the other plans need to be updated regularly as the threat environment changes.
April 3, 2022 at 9:59 pm
The biggest takeaway in this section for me is the usefulness of integrated log files and how synchronized they need to be to do their job effectively. With all of the alerts coming in on individual IDS/IPSs it is important that they are intuitively integrated into a central logging machine that will store all of the logs and provide a larger view of what is occurring in an environment, specific to fractions of seconds. This machine should be largely isolated from the main network to hinder an attacker from being able to easily cover their tracks. Aggregated alerts can show attacks coming in and help security teams realize when a virus is spreading across a network like the book’s example demonstrated.
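The comment above stresses two things about a central logging machine: the sensors' clocks must agree to within fractions of a second, and only the aggregated view reveals a virus spreading across hosts. The following is an added example, not code from the course or the commenter, that shows both on constructed sensor output: each line is timestamped by its own sensor, a per-sensor clock skew (assumed here to be known, as NTP monitoring would supply) is subtracted to put everything on one clock, and a simple rule flags any signature seen on three or more distinct hosts within a 60 second window. The sensor names, hosts, signature names and skews are all constructed.

```python
"""Added example: normalise sensor clocks, merge alerts centrally, and flag a
signature that is spreading across hosts. All log lines, sensor names and
clock skews are constructed for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed alert lines as a central collector might receive them:
# sensor|timestamp as the sensor's own clock reads it|host|signature
SAMPLE_LINES = [
    "ids-a|2022-04-03 21:59:03|ws-12|Worm.Sample.A",
    "ids-b|2022-04-03 22:00:30|ws-07|Worm.Sample.A",   # ids-b clock runs 90 s fast
    "ids-c|2022-04-03 21:59:40|srv-01|Worm.Sample.A",  # ids-c clock runs 5 s slow
    "ids-a|2022-04-03 21:58:10|ws-03|PortScan",
]

# Constructed skew per sensor, in seconds: sensor clock minus true time.
SENSOR_SKEW = {"ids-a": 0, "ids-b": 90, "ids-c": -5}

LINE_RE = re.compile(
    r"^(?P<sensor>[\w-]+)\|(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<host>[\w-]+)\|(?P<sig>[\w.]+)$"
)


def parse_line(line: str, skew: dict):
    """Parse one line and correct its timestamp by the sensor's known skew.
    Unknown sensors are assumed to be in sync (skew 0). Returns None on junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    local = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    corrected = local - timedelta(seconds=skew.get(m["sensor"], 0))
    return {"ts": corrected, "host": m["host"], "sig": m["sig"], "sensor": m["sensor"]}


def aggregate(lines, skew: dict):
    """Merge lines from every sensor into one timeline ordered by corrected time."""
    events = [e for e in (parse_line(line, skew) for line in lines) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spread(events, window_s: int = 60, min_hosts: int = 3) -> dict:
    """Flag any signature seen on min_hosts distinct hosts within window_s seconds.
    Returns {signature: sorted list of affected hosts}."""
    by_sig = defaultdict(list)
    for e in events:
        by_sig[e["sig"]].append(e)
    findings = {}
    for sig, evs in by_sig.items():            # evs inherits the global time order
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:]
                     if (e["ts"] - start["ts"]).total_seconds() <= window_s}
            if len(hosts) >= min_hosts:
                findings[sig] = sorted(hosts)
                break
    return findings


def run(lines, skew: dict) -> dict:
    return detect_spread(aggregate(lines, skew))


if __name__ == "__main__":
    print("with clock correction:   ", run(SAMPLE_LINES, SENSOR_SKEW))
    print("without clock correction:", run(SAMPLE_LINES, {}))
```

With the skews applied, the three `Worm.Sample.A` alerts collapse into a 45 second span and the spread rule fires; with the raw sensor clocks they are spread over 87 seconds and no window ever holds three hosts, which is exactly the synchronisation problem the comment warns about.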
Victoria Zak says
April 3, 2022 at 10:08 pm
The biggest takeaway I took from this reading was how important it is for an organization to implement an incident and disaster recovery response plan. An incident response plan consists of procedures that IT can utilize to identify, eliminate, and recover from cybersecurity threats. NIST mentions four key phases of IR: preparation (have employees been trained on security policies?), detection & analysis, containment & eradication (what backups are in place, and does MFA apply to remote access?), and post-incident recovery. Lessons learned involving all should be mandatory after an incident, with the goal of improving security. A disaster recovery plan is a plan for how an organization would respond to a natural disaster, cyber attack, power outage, or any other disruptive event. For a disaster recovery plan, a risk assessment is needed, along with objectives for the disaster recovery plan, and it must be tested and revised. Exercises like tabletops are extremely helpful and could prepare individuals on what to do in a real-life disaster.
April 5, 2022 at 9:15 pm
I totally agree with you as regards your detailed analysis on incident and disaster recovery response. This is so because incident response can be defined as a set of measures you may take to cope with various kinds of security breaches. Also referred to as IT incidents and security incidents, such events are to be handled in a way that reduces recovery time and costs. To mitigate risks and be prepared for as wide a range of events as possible, you need a detailed and comprehensive incident response plan. This is a set of procedures and actions to be taken when a security breach is revealed.
Patrick Jurgelewicz says
April 3, 2022 at 10:43 pm
One major takeaway from this chapter is the need to protect people first in business continuity planning and incident responses. As IT professionals, it is very easy to get caught up in protecting systems, data, and IT infrastructure, but it is important to not lose sight of the overall protection goal of human lives. For example, using gases to extinguish a fire may protect computers more than using water; however, the gases would be toxic to humans and must therefore not be used. This can also lead to issues regarding fail-open vs. fail-closed lock doors, as a fail-open door could allow an intruder access to key hardware, but a fail-closed door could trap someone in a server room in an emergency. Again, it is important to always put people first.
Vraj Patel says
April 6, 2022 at 9:41 am
That’s a great point. Human lives need to be at the top when planning for the incident response. The data, servers, and other IT-related processes could be recovered after a disaster; however, humans can’t be. Therefore, it needs to be the most important thing to plan accordingly to ensure that everyone is safe in the event of any incident.
zijian ou says
April 4, 2022 at 11:45 am
An IDS is a computer monitoring system. It monitors the system in real time and issues alerts when anomalies are detected. It can be divided into several categories according to the source of information and the detection method: based on the data source, it can be divided into host-based IDS and network-based IDS; based on the detection method, it can be divided into anomaly intrusion detection and misuse intrusion detection. Unlike a firewall, an IDS is a monitoring device that does not sit inline on any link and does not require network traffic to flow through it to work.
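The two detection methods named in the comment (misuse and anomaly) behave differently in code, and the following added example, not from the course or the commenter, shows both side by side. The misuse detector matches host events against known-bad facts (a hash blocklist and a failed-login burst rule), so it only catches what it already has a signature for. The anomaly detector learns a per-host baseline of outbound bytes from training flows and flags values more than three standard deviations above it, so it can catch something it has never seen but will also flag unusual legitimate behaviour. All hosts, users, hashes and byte counts are constructed; the hash values are placeholders.

```python
"""Added example: misuse (signature) detection versus anomaly (baseline)
detection on constructed host events and network flows."""
import statistics
from collections import defaultdict

# ---- Misuse detection: compare observations against known-bad patterns ----

# Constructed placeholder hashes standing in for a real blocklist feed.
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_1", "PLACEHOLDER_SHA256_2"}
MAX_FAILED_LOGINS = 5   # fifth consecutive failure for one user on one host fires

# Constructed host-based events (what a host agent would forward to the IDS).
HOST_EVENTS = (
    [{"type": "exec", "host": "ws-12", "path": "/tmp/dropper.bin", "sha256": "PLACEHOLDER_SHA256_1"}]
    + [{"type": "login_failed", "host": "srv-01", "user": "bob"} for _ in range(5)]
    + [{"type": "login_failed", "host": "srv-01", "user": "alice"}]
    + [{"type": "exec", "host": "ws-03", "path": "/usr/bin/ls", "sha256": "UNLISTED_SHA256"}]
)


def misuse_detect(events):
    """Return alerts for events that match a signature. Anything without a
    signature, such as the unlisted binary, passes silently: that is the
    blind spot of misuse detection."""
    alerts, failed = [], defaultdict(int)
    for ev in events:
        if ev["type"] == "exec" and ev["sha256"] in KNOWN_BAD_HASHES:
            alerts.append(("known_bad_binary", ev["host"], ev["path"]))
        elif ev["type"] == "login_failed":
            key = (ev["host"], ev["user"])
            failed[key] += 1
            if failed[key] == MAX_FAILED_LOGINS:
                alerts.append(("login_failure_burst", ev["host"], ev["user"]))
    return alerts


# ---- Anomaly detection: learn normal, then flag deviation from it ----

# Constructed network flows: bytes sent out per host per hour during a quiet week.
TRAINING_FLOWS = (
    [{"host": "ws-12", "bytes_out": b} for b in (100, 120, 110, 90, 130)]
    + [{"host": "srv-01", "bytes_out": b} for b in (1000, 1100, 900, 1000, 1000)]
)

# Constructed flows observed later, to be judged against the baseline.
OBSERVED_FLOWS = [
    {"host": "ws-12", "bytes_out": 125},     # normal
    {"host": "ws-12", "bytes_out": 900},     # far above this host's baseline
    {"host": "srv-01", "bytes_out": 1150},   # high but within 3 sigma for this host
    {"host": "printer-7", "bytes_out": 50},  # never seen during training
]


def build_baseline(training_flows):
    """Per-host mean and population standard deviation of bytes_out."""
    per_host = defaultdict(list)
    for f in training_flows:
        per_host[f["host"]].append(f["bytes_out"])
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}


def anomaly_detect(baseline, flows, z_threshold=3.0):
    """Flag flows whose z-score exceeds the threshold, plus hosts with no
    baseline at all, since 'never seen before' is itself a deviation."""
    alerts = []
    for f in flows:
        if f["host"] not in baseline:
            alerts.append(("unknown_host", f["host"], f["bytes_out"]))
            continue
        mean, sd = baseline[f["host"]]
        if sd == 0:                          # constant baseline: any change is anomalous
            z = float("inf") if f["bytes_out"] != mean else 0.0
        else:
            z = (f["bytes_out"] - mean) / sd
        if z > z_threshold:
            alerts.append(("egress_anomaly", f["host"], round(z, 1)))
    return alerts


if __name__ == "__main__":
    print(misuse_detect(HOST_EVENTS))
    print(anomaly_detect(build_baseline(TRAINING_FLOWS), OBSERVED_FLOWS))
```

Note that the 900 byte flow from `ws-12` is flagged while the 1150 byte flow from `srv-01` is not, even though the latter is larger in absolute terms: the anomaly detector judges each host against its own history, which is what lets it notice behaviour no signature describes.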
Michael Jordan says
April 5, 2022 at 1:58 pm
One of my main takeaways from this chapter is the importance of learning from previous incidents. This is typically done at the end of the incident response process, but it is necessary to remember this step is coming throughout the entire process, because you do not want to delete any evidence or information that will be helpful in reviewing how the breach occurred and the cumulative effects it had before the end of the process. Thoughtful completion of this final step in the incident response process can help the organization better understand all the specifics about how the incident occurred, how widespread the effects of the breach were, and how to better protect against similar and all breaches in the future.
April 5, 2022 at 5:51 pm
The lessons learned phase is such a critical phase in the incident response lifecycle. If an organization can’t identify what areas were successful or unsuccessful during an incident, this indicates an immature security program. The lessons learned phase doesn’t have to be overly complicated or drawn out. A simple post-incident debrief of what went well and where pain exists can help organizations recover from incidents faster in the future.
April 5, 2022 at 10:28 pm
In the incident response process, there are 3 critical stages: detection, analysis and escalation. Detection refers to when responders/security personnel discover an incident has occurred. This can be due to the usage of an IDS, or even a simple technical failure (i.e. an employee’s inability to access important work files). Next, analysis refers to the security personnel’s ability to categorize the incident/occurrence which was detected. This is the stage when a group such as a SOC (security operations center) filters out the false alarms from true incidents and malicious/unauthorized behavior. This is done by reading through log files. Lastly, escalation is when the incident is elevated to the organization’s CSIRT and other business continuity stakeholders.
April 6, 2022 at 8:36 am
Having an incident response plan could reduce the number of successful cyber-attacks on a company’s network. Every incident has a different level of severity. There are four different types of severities covered within this week’s reading: false alarms, minor incidents, major incidents, and disasters. False alarms are when a certain event has been reported as an incident despite being normal network activity. A minor incident is the type of incident that can be resolved by the on-duty officers, such as removing a virus from the affected computers and related incidents. A major incident is when the company needs to onboard a different firm to assist with resolving the incident. An example of a disaster is any type of environmental threat such as fire or floods.
Andrew Nguyen says
April 10, 2022 at 10:06 pm
One of the key points that I took away from this reading was the different ways to implement an IDS.
I was particularly interested by honeypots, which are used to ‘trick’ attackers into accessing the resources inside them. I think the psychology aspect of this is super interesting, and I wonder how curious they are in actual practice – are they actually effective?
Olayinka Lucas says
April 20, 2022 at 10:17 pm
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident, or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
An incident response handles countermeasures that mitigate the risks of an active data breach. Disaster recovery plans reduce risks and damage caused by unexpected disasters like weather events, equipment damage, or human errors that have negative business impacts.
Your incident response plan is for one incident. It is the immediate action you take to avoid going into disaster mode. Your DRP is a plan that goes into place if your operations have been halted or severely disabled.