Chapter 10 of Boyle and Panko’s book describes disaster planning, recovery and analysis. The chapter goes into detail on various types of disasters, ranging from natural to man-made, and physical to digital, and describes the various tools that can be used to prevent, respond to and recover from these disasters. What stood out to me most overall in this chapter was that the overarching theme of disaster prevention and recovery seems to be thoroughness and preparedness. Often as IT professionals or even business owners, we don’t want to assume that a disaster will occur and want to hope that we never have to respond to one, but as the book points out, nobody is immune and disaster can strike unpredictably. Whether it’s having in place a solid physical recovery plan, or using data systems like network monitoring and data backups, having a clearly defined, practiced and thorough DRP is essential to ensuring that an organization can continue to function regardless of what might occur.
Hi Andrew,
I agree that the book provides an insightful exploration of disaster planning, recovery, and analysis. The chapter meticulously categorizes disasters into natural and man-made, thereby underlining the importance of tailored contingency plans. The authors’ comprehensive approach to disaster management underscores the necessity for constant vigilance, rigorous planning, and robust recovery strategies.
You make an excellent point that nobody is immune or 100% secure from disasters and incidents and it’s better to plan in advance for when a disaster occurs. Not planning for the inevitable disaster or incident will leave an organization completely unprepared and it may take a long time for organizations to completely recover their networks and systems once an incident occurs.
Thank you Kenneth, yes, I think a lot of the time security professionals or organizations consider security from a preventative point, but as we’ve learned through our classes so far, the only way to completely secure a system is to not use it at all. Therefore, just by virtue of our systems being in use, we should treat the risk of an incident as not a possibility, but an inevitability. Understanding that there will always be risks and there will always be incidents is necessary in understanding and reacting to risk and threats.
Boyle and Panko’s Chapter 10 provides insightful perspectives on incident and disaster response, underscoring the importance of meticulous preparation and proactive strategies. It emphasizes the significance of risk assessment, incident response planning, and business continuity planning. The chapter highlights the criticality of a well-structured incident response team, equipped with clearly defined roles and responsibilities. It also underscores the need for regular testing and updating of response plans, ensuring their effectiveness in real-life scenarios. This narrative is a stark reminder that in the realm of information security, prevention is always better than cure. The chapter serves as a comprehensive guide for organizations to enhance their resilience against potential threats and disruptions.
Great summary. One thing that stood out the most for me in this week’s chapter was the incident response section. I was surprised to find in section 10.2 that there are many ways to detect an attack, and how a CSIRT will sometimes let the hacker go on with what they are doing in the network; this way you can gather where they are and what they are doing, which gives you information on how to contain and get them out of the network while learning tactics for next time.
What stood out for me in this chapter was the incident response section. Seeing that I’m on the audit side of the program, I don’t get to see many incidents and how to respond to them. First, there are three priorities at the beginning of the incident. One, you will have to quickly learn that there is an actual incident, which is called detection. Second, you will need to understand the incident to be sure that it is a real event, see what the damage level could be and do reconnaissance so you can plan for containment and recovery; that is called analysis. Lastly, you need to handle the incident with the staff and/or escalate handling to the business continuity team, which is also called CSIRT. During the detection phase, the chapter shows that a majority of the people who detect an attack or incident are nontechnical employees. I found that interesting, but it makes sense, as the front-line employees are the ones that are out there the most on the systems. It is important for them to understand how to report such incidents to the IS department. Log files are one way to analyze the incidents and learn where and what. Understanding it is important as it could be a software glitch or an equipment problem. The more I talk to people in the field and the more I read this text, log files are brought up many times. In this week’s chapter in section 10.2, it shows that there are many ways to detect an attack. Simply analyzing the log files or an IDS alert are several ways to detect an attack. One really big surprise to me, and the first time encountering this, is that some companies will allow an attacker to continue working on the server; this way the company can observe what they are doing, as this information collected may aid in analysis and could potentially be evidence for prosecution.
You never want them to carry on for too long but just enough to gather evidence of what they are doing and there should always be a senior business executive available to make a critical security related business decision. I’m curious, has anyone ever observed an attacker on a network and let them carry out an attack as you gather information etc.?
Hi Jeff,
Thank you for this robust elucidation. The spotlight was on the incident response aspect, a realm often unseen from my audit-oriented perspective. The three-tiered approach – detection, analysis, and handling or escalation – was particularly illuminating. Interestingly, the frontline employees, often non-technical, are the primary detectors of such incidents. The role of log files in incident analysis was emphasized, aiding in distinguishing between software glitches and equipment issues. A surprising revelation was the strategic allowance of continued server access to attackers, enabling valuable data collection for potential prosecution. This raises the question: Have you ever deliberately allowed an attack to proceed for information gathering purposes?
In the realm of security, there is a saying “It’s not a matter of if, but when an incident will occur” which means it’s just a matter of time before a cyber incident takes place. Therefore firms must prepare a comprehensive incident response plan. In Chapter 10 “Incident and Disaster Response” the author delves into different things firms should consider to create an incident response plan that works to quickly recover from disaster and ensure business continuity. The author explores various incident types and rehearsal methods like tabletop exercises and live tests to validate the effectiveness of an incident response plan.
I have always viewed business continuity from an IT perspective: having either a hot site, which is a replica of the production site so the firm can be up and running on short notice, or a cold site, which is a building, but the firm will need to bring resources such as computers and data, which takes long to set up. However, the author explained how business continuity planning extends beyond IT, encompassing the entire organization and outlining how a company will restore core business operations post-disaster. To develop a successful business continuity plan, a firm should first identify all major processes, assess their importance, and prioritize critical processes that require immediate focus. This approach ensures necessary resources and actions are outlined.
Another thing that the author emphasized is that a thorough incident response or business continuity plan is not sufficient without proper testing to validate its effectiveness and ensure key personnel are identified and understand their responsibilities. Regular updates on the plan should be conducted to reflect current changes.
Hi Mariam,
I agree that the adage in the security sphere, “It’s not a matter of if, but when an incident will occur,” underscores the inevitability of cyber incidents, necessitating robust incident response plans. Chapter 10 delves into crafting such plans, exploring various incident types and testing methods. While I’ve viewed business continuity from an IT lens, the author broadens this perspective to encompass the entire organization. To craft a successful plan, firms must identify and prioritize critical processes, ensuring resource allocation and action plans are outlined. The author stresses that plans must be regularly tested, updated, and understood by key personnel.
I agree with you. The chapter emphasizes the inevitability of cyber incidents and the need for comprehensive incident response plans. It covers incident types, rehearsal methods such as tabletop exercises, and business continuity beyond IT, outlining steps to identify critical processes and regularly test and update plans for effectiveness and personnel readiness.
Chapter 10 delves into fundamental incident and disaster response concepts, highlighting the critical need for speed and accuracy in addressing various levels of incidents. A four-level severity scale is introduced, ranging from false alarms to catastrophic events threatening business continuity. These situations necessitate meticulous planning and rehearsals to ensure effective response strategies.
Major security incidents are discussed in detail, covering stages like detection, analysis, containment, and recovery, along with organizational aspects of the CSIRT. The complexities of punishment, especially regarding criminal prosecution versus employee discipline, are explored, underlining the challenges in legal repercussions.
Legal considerations encompass criminal versus civil law, jurisdictional complexities, international cybercrime laws, rules of evidence, and computer forensics, culminating in federal laws addressing cyber threats.
Also, the chapter transitions to Intrusion Detection Systems (IDSs), elucidating their functions, challenges like event correlation, and the shift towards distributed IDSs for enhanced security.
Finally, the importance of business continuity planning and IT disaster response, including the adoption of cloud-based hosting and data centers, underscores the multifaceted nature of safeguarding operations during crises, necessitating comprehensive planning for resilience and recovery.
Ikenna, your points are well noted especially the last one, business continuity and IT disaster response. This can include adopting strategies like cloud-based hosting and data centers to ensure resilience and recovery during crises. Overall, this chapter highlights the comprehensive nature of incident and disaster response, from planning and detection to legal considerations and technological solutions like IDSs, all aimed at safeguarding operations and ensuring business continuity in the face of security incidents and disasters.
The chapter introduces incident and disaster response terminology, emphasizing a four-level severity scale for incidents: false alarms, minor incidents handled by on-duty IT staff, major incidents requiring the firm’s CSIRT (Computer Security Incident Response Team), and disasters affecting IT or threatening business continuity. I like the in-depth discussion on Intrusion Detection Systems (IDS), which are tools designed to capture and log suspicious network and host activities. They function like security cameras in a building, detecting incidents but not preventing them. IDSs have four major functions: logging (data collection), automated analysis, administrator actions, and management. Logging involves capturing discrete activities and storing them in sequential files for analysis. Automated analysis includes using attack signatures (known patterns of attacks) or anomaly detection (deviations from historical traffic patterns) to identify threats. IDSs generate alarms for high-threat conditions but must avoid flooding administrators with false positives. Alarms need to be specific and actionable.
IDSs also generate log summary reports, providing insights into various suspicious activities and threat priorities. They support interactive manual log analysis, allowing administrators to investigate attacks and filter out irrelevant data.
Lastly, effective management is crucial for IDSs to function properly. They require ongoing configuration, tuning, and maintenance to remain effective. Poor management can render an IDS ineffective despite its capabilities.
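The four IDS functions described in the post above (logging, automated analysis by attack signature and by anomaly, and alarms that are specific rather than a flood of false positives), as an added Python example that is not from the textbook or from anyone in this thread. The log lines, the historical per-source baseline and the two signature rules are constructed for illustration only.

```python
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample web-server log lines (not taken from the page).
# Format: "HH:MM:SS src_ip method path status"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 GET /index.html 200
10:00:02 198.51.100.7 GET /about.html 200
10:00:03 203.0.113.5 GET /products?id=1 200
10:00:04 203.0.113.5 GET /products?id=1%20UNION%20SELECT%20password%20FROM%20users 500
10:00:05 198.51.100.7 GET /contact.html 200
10:00:06 192.0.2.9 GET /../../etc/passwd 404
10:00:07 192.0.2.9 GET /../../etc/shadow 404
10:00:08 203.0.113.77 GET /a 404
10:00:09 203.0.113.77 GET /b 404
10:00:10 203.0.113.77 GET /c 404
10:00:11 203.0.113.77 GET /d 404
10:00:12 203.0.113.77 GET /e 404
10:00:13 203.0.113.77 GET /f 404
10:00:14 203.0.113.77 GET /g 404
10:00:15 203.0.113.77 GET /h 404
"""

# Constructed historical baseline: requests per source seen in earlier one-minute windows.
HISTORICAL_COUNTS = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

# Signature rules: known attack patterns matched against the request path (constructed).
SIGNATURES = [
    ("sql_injection", re.compile(r"union(%20|\s)+select", re.IGNORECASE), "high"),
    ("path_traversal", re.compile(r"\.\./"), "medium"),
]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_log(text):
    """Logging function: turn raw lines into event records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, method, path, status = parts
        events.append({"ts": ts, "src": src, "method": method, "path": path, "status": int(status)})
    return events


def signature_alerts(events):
    """Signature analysis: one alert per (event, rule) match of a known attack pattern."""
    alerts = []
    for ev in events:
        for name, pattern, severity in SIGNATURES:
            if pattern.search(ev["path"]):
                alerts.append({"src": ev["src"], "rule": name, "severity": severity, "ts": ev["ts"]})
    return alerts


def anomaly_threshold(historical_counts, k=3.0):
    """Mean plus k standard deviations of the historical per-source request rate."""
    return statistics.mean(historical_counts) + k * statistics.stdev(historical_counts)


def anomaly_alerts(events, historical_counts, k=3.0):
    """Anomaly analysis: flag sources whose request count deviates from the historical pattern."""
    threshold = anomaly_threshold(historical_counts, k)
    counts = Counter(ev["src"] for ev in events)
    return [{"src": src, "count": n, "threshold": round(threshold, 2), "severity": "medium"}
            for src, n in counts.items() if n > threshold]


def summarize_alarms(sig_alerts, anom_alerts):
    """Collapse per-line alerts into one actionable alarm per source, so the
    administrator sees who, what and how many instead of a flood of rows."""
    summary = defaultdict(lambda: {"severity": "low", "signature_hits": Counter(), "anomaly": None})
    for a in sig_alerts:
        entry = summary[a["src"]]
        entry["signature_hits"][a["rule"]] += 1
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = a["severity"]
    for a in anom_alerts:
        entry = summary[a["src"]]
        entry["anomaly"] = {"count": a["count"], "threshold": a["threshold"]}
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = a["severity"]
    return dict(summary)


def analyze(text=SAMPLE_LOG, historical_counts=HISTORICAL_COUNTS):
    """Run both analysis styles over the log and return one alarm per suspicious source."""
    events = parse_log(text)
    return summarize_alarms(signature_alerts(events), anomaly_alerts(events, historical_counts))


if __name__ == "__main__":
    for src, info in sorted(analyze().items(), key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        print(f"{info['severity']:6} {src:15} signatures={dict(info['signature_hits'])} anomaly={info['anomaly']}")
```

The scanner at 203.0.113.77 matches no signature and is caught only by the anomaly rule, while the benign source 198.51.100.7 produces no alarm at all.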
I like your comparison of IDSs to security cameras which both capture and log suspicious activity. Although there are some obvious differences, both ultimately help to find and store information about suspicious activity in an organization. Furthermore, IDSs are essential to recording network activity as they are the primary source of information relevant to when an incident occurs.
Chapter 10 of Boyle and Panko discusses Incident and Disaster Response. Specifically, the chapter covers the basics of a disaster response, the intrusion response process for major incidents, the functions and types of IDSs, the business continuity plan, and the IT disaster recovery process as well as responding to security incidents. One particular section of interest to me is the basic process of intrusion response for major incidents as this is one of the most essential things to know in the event of a major incident in your organization.
At the beginning of an incident there are three priorities: detection, analysis, and escalation. Detection is understanding when an incident occurred and how quickly that understanding occurs. Analysis is making sure, when an incident is detected, to confirm the event is real, as well as how much damage can occur and the necessary information for containment and recovery. Escalation is the process of handling the incident or escalating the incident to CSIRT or the business continuity team. The next step is containment, which is stopping the damage done from the incident through methods such as disconnection or black holing by dropping an attacker’s IP from further connecting to company resources. You can also collect data during this step if the damage is not severe. Once contained, recovery can begin, in which the necessary steps of fixing backdoors, server issues, etc. are carried out through repair, restoration, reinstallation, etc.
There are other steps that might also be relevant depending on the breadth of the attack. Apologizing to customers or employees may be necessary if enough harm was done from the attack, and downplaying will only cause more reputational damage. It may also be necessary to conduct punishments towards certain employees or groups if applicable. However, prosecution can also be pursued if there is enough evidence, as well as enough of an outcome to outweigh the reputational and financial damage that prosecution can bring. Postmortem evaluation should also occur at the end of recovery to indicate what went right and what went wrong after the attack and what aspects of recovery need to be improved.
Great job Kenneth. Your summary of Chapter 10’s discussion on Incident and Disaster Response effectively encapsulates the crucial priorities and steps organizations must take during major incidents. From detection to postmortem evaluation, each phase is pivotal in mitigating damage and restoring normal operations. Prioritizing incident response strategies, including escalation and containment, underscores the importance of swift and coordinated action in the face of cyber threats.
Great point about customer and service provider reaction Ken. A big takeaway I’ve seen from our case studies so far has been how a lot of the time organizations have inadequate customer or client response. Taking responsibility and doing everything you can to repair the damage caused to a client from a top-down organizational perspective is not only the moral thing to do, it is often a legal requirement and should be considered when creating any sort of DRP or backup plans.
Boyle and Panko Chapter 10 is about Incident and Disaster Response. The most interesting part to me was section 10.2, which focuses on the intrusion response process for major incidents.
It involves detecting the incident, analyzing its nature and potential damage, and then escalating it to the appropriate team for handling. Detection can occur through various means, including technological tools like an Intrusion Detection System or through human observation, such as a non-technical employee noticing system malfunctions. Analysis involves understanding the incident in detail, often by reviewing log files to determine the cause and extent of the breach. Escalation is the process of handing over the incident to a specialized team like the Computer Security Incident Response Team (CSIRT) or business continuity team for further management.
An interesting fact that I never thought about before is that non-technical employees often play a crucial role in the detection of incidents, which really highlights the importance of human observation alongside technological solutions in cybersecurity.
Nicholas, your assessment highlights a crucial aspect of Chapter 10, which is the nuanced and critical role of human intuition and observation in the cybersecurity incident response process. It emphasizes the synergy between technology, such as Intrusion Detection Systems, and the irreplaceable value of human vigilance. Combining technical and non-technical detection mechanisms ensures a robust defense against security breaches, which is why inclusive security awareness programs are essential. Such programs empower all employees to act as the first line of defense in identifying potential cybersecurity threats. This multifaceted incident detection and response approach is fundamental to building resilient and secure IT environments.
Chapter 10 of Boyle and Panko’s book talks about how to respond to incidents and disasters in the context of IT and business. It emphasizes the importance of careful planning, fast and accurate responses, and rehearsals to minimize damage. The chapter introduces a four-level severity scale for incidents, ranging from false alarms to disasters threatening a business’s functioning ability. It stresses the need for speed and accuracy at all levels. The chapter describes the stages of responding to significant security incidents, including detection, analysis, escalation, containment, and recovery. It also discusses Intrusion Detection Systems (IDSs) and their role in incident response.
Additionally, it highlights the significance of Business Continuity Planning (BCP) and IT Disaster Recovery (IT DRP) as essential components of an organization’s risk management strategy. These plans help address potential risks such as natural disasters, equipment failures, and cyber attacks. The book also explores the development of Computer Security Incident Response Teams (CSIRTs), which are interdisciplinary teams that play a vital role in incident management. They require experienced senior managers to lead them. A comprehensive approach to incident and disaster response is crucial, highlighting the importance of preparedness, practicing response plans, and the multi-faceted nature of managing incidents and disasters in the modern business landscape.
Kelly, the critical aspects of incident and disaster response emphasize the need for meticulous planning, rapid responses, and regular rehearsals to mitigate potential damage. The introduction of a severity scale for incidents, combined with a structured approach to response stages, underlines the importance of swift and accurate action across all levels of severity. Furthermore, the discussion on BCP, IT Disaster Recovery, and the establishment of Computer Security Incident Response Teams highlights the multilayered nature of managing incidents and disasters in today’s environment. Given the complexities involved, how do you prioritize the various components of incident and disaster response planning within your organization’s risk management strategy?
I learned many concepts in this program, but my favorite would probably be incident and disaster response, only because, of all the concepts, this one requires the most going outside of IT to find the solution, meaning that it requires the most outside-of-the-box thinking. In chapter 10, it goes into two specific parts of response that stood out to me, those being apology and punishment. These may seem simple to understand, but both of these are things that some multi-billion dollar corporations struggle with. For apology, it discusses acknowledging responsibility and harm, then explaining what happened and, lastly, explaining what action will be taken to compensate the person. A company worried about their reputation could hold back giving proper apologies and could hide info about the specifics of what happened, as it’s likely the reasoning could be behind the negligence of the company. They can also do this to lessen the damages of what needs to be compensated. As for punishment, let’s say the attack was done by an internal employee: should they be fired? Arrested? These are very difficult decisions to make that would typically need months, if not years, to decide. This provides us with a solid reminder that no matter how much we know about IT, it’s important that we realize there may be a time when we need to use other skills, and that we work to refine those.
Great post. I never really thought about how the company could hide a majority of the details of the attack, “nothing to see here,” as that could show the public where the company could have political vulnerabilities. If companies did that, I could only imagine the extra damage or attacks that they could encounter from people wanting to follow suit and duplicate the original situation. That’s a hard decision to make: do you make an example of the attacker, or do you “let it go” as far as public announcement?
Chapter 10 starts with explaining the basics of responding to a disaster. While reading I discovered that about 1% of concentrated attacks are successful and even the most robust system cannot stop all attacks, so it is important that there is a good incident and response plan in place. Section 10.2 keys in on the intrusion response process, which, in my opinion, includes detection, learning that an incident has occurred; analysis, which is trying to ascertain whether the threat is real and what potential damage can happen. This also includes information gathering to assist in planning and recovery. Lastly, there is escalation, meaning once you have compiled the information from the detection and analysis phases, you will pass this information to the security response team to resolve the issue.
The saying goes that time is money, and once an incident has been discovered, being able to gather as much information as possible in these initial stages of an attack can save your company money and often embarrassment. This is the most important stage of an attack, as whoever made the discovery is now the point of contact for all questions concerning the incident. This is why, in the process for major incidents, detection, analysis, and escalation are so important. Having good, well-articulated notes as well as questions does a great deal to assist senior analysts to resolve these matters as quickly as possible.
This chapter provides valuable insights into the fundamentals of incident and disaster response, stressing the importance of preparation and swift action. I agree that the intrusion response process, encompassing detection, analysis, and escalation, plays a pivotal role in effectively managing security incidents. The initial stages of an attack are crucial for gathering key information to establish a prompt resolution and to minimize potential damage. How do you ensure that your incident response team remains agile and well-prepared to address evolving threats effectively in today’s evolving landscape?
Hi Erskine,
I agree with you that it is important to act swiftly after an incident to minimize impact and to mitigate potential damage. This also enables the organization to resume operations more quickly and reduce potential financial losses.
Hello Erskine,
I don’t know how exactly to describe this, but it’s a weird feeling knowing no matter what you do, an attack has the possibility of being successful. It brings both worry and acceptance. It brings worry because imagine having millions of dollars worth of information and you know no matter what you do, it can be stolen. I assume this is the premise behind working in the industry, that we tell clients an attack is likely to happen but in the event an attack does happen, here’s what we can do. It definitely can inspire corporations to take more precautions, but I also feel like some companies might follow the way of thinking that says if it happens, it happens and so what.
This week’s reading emphasizes the significance of developing a comprehensive Incident and Disaster Response Plan to mitigate the impact of protection incidents successfully. What stood out to me is the importance of everyday education and sporting activities to test the effectiveness of the incident reaction plan and ensure that employees are effectively organized to respond to diverse situations. By investing in continuous education, training, and team-building activities, organizations can strengthen their incident response capabilities and enhance their overall resilience in the face of adversity.
Akintunde, your focus on the importance of Incident and Disaster Response Plans in mitigating protection incidents is crucial in today’s cybersecurity landscape. I agree that regular education and drills are vital for testing the efficacy of these plans and ensuring employee readiness. How do you think organizations can strike a balance between maintaining a high level of preparedness through regular drills and minimizing disruption to daily operations?
I agree with you, continuous training is very crucial in ensuring a successful incident response plan. People are at the center of cybersecurity. While firms can leverage different technology and automation tools, they rely on people who possess the necessary knowledge to manage them effectively. Continuous testing also plays a crucial role in identifying gaps within our technological systems and incident response plan, ensuring that firms remain vigilant and proactive in addressing potential vulnerabilities.
Hello Akintunde,
Testing and education are for sure some of the biggest parts of working in cybersecurity. I wonder how teams split up their time to decide which is best? Do they only focus on incident response some days and on other days focus on presentations to educate the clients? Or maybe they delegate the testing and education to the newer employees. On one hand, I think maybe they give it to newer employees because incident response requires more knowledge, but on the other side, I can imagine that testing and education would be left to the more experienced members since they understand concepts more and can teach them more correctly.
I am in harmony with your thoughts around the importance of everyday education, not just once a quarter or a few times a year. I have always said IT security education should be ingrained into the DNA of your company. You must make employees understand that they are the greatest defense but also the greatest threat to infrastructure security. I believe that if they understand how important their role is, users become somewhat prideful and would be more vigilant around these types of matters.
My favorite section of chapter 10 is 10.2, where it goes fully in-depth about the intrusion response for major incidents, going over how to contain the incident, recover from it with backups, and remedy the situation by taking responsibility with public apologies as well as compensating customers and explaining what happened. The most interesting part, however, was going over how organizations will get around to punishing attackers and how hard it is to do so. Punishing attackers will most of the time be a hard task for the organization, as it’ll mostly be out of their hands to do so; they’ll have to contact both the authorities as well as, for civil suits, an outside forensics firm to gather evidence that’ll be admissible in court. Their incident response team will also have to take great care in handling the initial response, as they can often taint and erase evidence of intruders or even break the chain of evidence, leading to doubt or inadmissibility of the evidence in court that’ll make it even harder to punish hackers, and this isn’t even including how hard it is to charge international attackers. It is, however, way easier in some places to punish employees from within the company, whether that be termination or charges, but it still needs a great amount of evidence against them and can lead to a lot of bad press if they pursue charges, as it admits to the public that an attack came from within and can lead to a large loss of faith in the organization.
As an incident response consultant, I agree with this week’s reading on the need to keep data collection integrity after an occurrence. It is critical to generate hash values for any evidence acquired, document any transfer of evidence using chain of custody forms, and create forensic copies where applicable. Failure to preserve unaltered evidence renders it inadmissible in court. Evidence preservation is not a fun aspect of cybersecurity, but it is necessary nonetheless.
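The three evidence-handling steps named in the post above (hashing acquired evidence, making a forensic copy and verifying it, and recording each transfer in a chain-of-custody log) as an added Python example that is not the poster’s own tooling or anything from the textbook. The evidence file, the evidence id EV-0001 and the people in the handoffs are all constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_of(path):
    """Hash the file in chunks so a large disk image does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def make_forensic_copy(original, copy_path):
    """Copy the evidence, then hash both sides: the copy is usable only if the digests agree."""
    shutil.copy2(original, copy_path)
    orig_hash, copy_hash = sha256_of(original), sha256_of(copy_path)
    return {"original_sha256": orig_hash, "copy_sha256": copy_hash, "match": orig_hash == copy_hash}


class ChainOfCustody:
    """Append-only record of who held an evidence item, and its digest, at each handoff."""

    def __init__(self, evidence_id, description):
        self.evidence_id = evidence_id
        self.description = description
        self.entries = []

    def record(self, path, handed_from, handed_to, note=""):
        entry = {
            "evidence_id": self.evidence_id,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            "from": handed_from,
            "to": handed_to,
            "sha256": sha256_of(path),
            "note": note,
        }
        # Every handoff must carry the same digest as the previous one, or the chain is broken.
        entry["consistent_with_previous"] = (not self.entries) or self.entries[-1]["sha256"] == entry["sha256"]
        self.entries.append(entry)
        return entry

    def intact(self):
        return all(e["consistent_with_previous"] for e in self.entries)

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def verify(path, expected_sha256):
    """Re-hash before use; a mismatch means the item can no longer be presented as unaltered."""
    return sha256_of(path) == expected_sha256


def run_demo():
    """Constructed scenario: image an 'evidence' log file, log two handoffs, then show that a
    later alteration is caught both by the verify step and by the custody log."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "webserver.log")
    copy_path = os.path.join(workdir, "webserver.log.forensic")
    with open(original, "wb") as f:
        f.write(b"10:00:04 203.0.113.5 GET /products?id=1 500\n")  # constructed log content

    imaging = make_forensic_copy(original, copy_path)
    coc = ChainOfCustody("EV-0001", "web server log (constructed sample)")
    coc.record(copy_path, "on-call analyst", "forensics lead", "forensic copy created")
    coc.record(copy_path, "forensics lead", "evidence locker", "sealed pending counsel")
    intact_before = coc.intact()

    # Someone appends to the copy (a careless clean-up, say). The digest no longer matches.
    with open(copy_path, "ab") as f:
        f.write(b"tampered\n")
    verified_after_tamper = verify(copy_path, imaging["copy_sha256"])
    coc.record(copy_path, "evidence locker", "outside forensics firm", "released for analysis")

    shutil.rmtree(workdir)
    return {
        "copy_matches_original": imaging["match"],
        "chain_intact_before_tamper": intact_before,
        "verified_after_tamper": verified_after_tamper,
        "chain_intact_after_tamper": coc.intact(),
        "custody_entries": len(coc.entries),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```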
Great post, Samuel. In my other audit class, they also pointed out how important it is to collect data integrity after an occurrence. This is so important because it gives you a baseline for the next person that may look at it, whether that be a judge or another analyst. In my lifecycle class, it is part of being within compliance as well with your data and the integrity of said data. This is also something that I learned within a software team project: record keeping is part of being within compliance, but it also helps keep the company afloat in a time of disaster, whether that be an employee who writes the code or a natural disaster at the company’s building.
I agree with you, Samuel. A lot of firms now are integrating Digital Forensic Incident Response (DFIR) in their infrastructure, which allows them to not only respond to incidents but also conduct digital forensic research, which allows them to gather evidence of the crime and also learn how the attack happened so they can properly defend against similar attacks in the future. And indeed, for digital forensic evidence to be admissible in a court of law, firms must maintain thorough chain of custody documents.
Hi Samuel,
I agree with you that it is important to keep the integrity of data. Maintaining data integrity after an incident is crucial to preserve the accuracy, reliability, and trustworthiness of the organization’s information assets. Without data integrity, there is a risk of compromised data being manipulated, corrupted, or altered, leading to incorrect decision-making and potential legal or regulatory consequences.
Andrew Young says
Chapter 10 of Boyle and Panko’s book describes disaster planning, recovery and analysis. The chapter goes into detail on various types of disasters, ranging from natural, to man made, and physical to digital, and describes the various tools that can be used to prevent, respond to and recover from these disasters. What stood out to me most overall in this chapter was that the overarching theme of disaster prevention and recovery seems to be thoroughness and preparedness. Often as IT professionals or even business owners, we don’t want to assume that a disaster will occur and want to hope that we never have to respond to one, but as the book points out, nobody is immune and disaster can strike unpredictably. Whether it’s having in place a solid physical recovery plan, or using data systems like network monitoring and data backups, having a clearly defined, practiced and thorough DRP is essential to ensuring that an organization can continue to function regardless of what might occur
Michael Obiukwu says
Hi Andrew,
I agree that the book provides an insightful exploration of disaster planning, recovery, and analysis. The chapter meticulously categorizes disasters into natural and man-made, thereby underlining the importance of tailored contingency plans. The authors’ comprehensive approach to disaster management underscores the necessity for constant vigilance, rigorous planning, and robust recovery strategies.
Kenneth Saltisky says
Hey Andrew,
You make an excellent point that nobody is immune or 100% secure from disasters and incidents and it’s better to plan in advance for when a disaster occurs. Not planning for the inevitable disaster or incident will leave an organization completely unprepared and it may take a long time for organizations to completely recover their networks and systems once an incident occurs.
Andrew Young says
Thank you Kenneth. Yes, I think a lot of the time security professionals or organizations consider security from a preventative point of view, but as we’ve learned through our classes so far, the only way to completely secure a system is to not use it at all. Therefore, just by virtue of our systems being in use, we should treat the risk of an incident not as a possibility but as an inevitability. Understanding that there will always be risks and there will always be incidents is necessary in understanding and reacting to risk and threats.
Michael Obiukwu says
Boyle and Panko’s Chapter 10 provides insightful perspectives on incident and disaster response, underscoring the importance of meticulous preparation and proactive strategies. It emphasizes the significance of risk assessment, incident response planning, and business continuity planning. The chapter highlights the criticality of a well-structured incident response team, equipped with clearly defined roles and responsibilities. It also underscores the need for regular testing and updating of response plans, ensuring their effectiveness in real-life scenarios. This narrative is a stark reminder that in the realm of information security, prevention is always better than cure. The chapter serves as a comprehensive guide for organizations to enhance their resilience against potential threats and disruptions.
Jeffrey Sullivan says
Great summary. One thing that stood out the most for me in this week’s chapter was the incident response section. I was surprised to find in section 10.2 that there are many ways to detect an attack, and that sometimes a CSIRT will let the hacker go on with what they are doing in the network; this way you can gather where they are and what they are doing, which gives you information on how to contain them and get them out of the network while learning tactics for next time.
Jeffrey Sullivan says
What stood out for me in this chapter was the incident response section. Seeing that I’m on the audit side of the program, I don’t get to see many incidents or how to respond to them. First, there are three priorities at the beginning of an incident. One, you have to quickly learn that there is an actual incident, which is called detection. Second, you need to understand the incident to be sure that it is a real event, see what the damage level could be, and do reconnaissance so you can plan for containment and recovery; that is called analysis. Lastly, you need to handle the incident with the staff and/or escalate handling to the business continuity team, which is also called the CSIRT. During the detection phase, the chapter shows that a majority of the people who detect an attack or incident are nontechnical employees. I found that interesting, but it makes sense, as the front-line employees are the ones that are out there the most on the systems. It is important for them to understand how to report such incidents to the IS department. Log files are one way to analyze the incidents and learn where and what. Understanding it is important, as it could be a software glitch or an equipment problem. The more I talk to people in the field and the more I read this text, log files are brought up many times. In this week’s chapter in section 10.2, it shows that there are many ways to detect an attack. Simply analyzing the log files or an IDS alert are a couple of ways to detect an attack. One really big surprise to me, and the first time encountering this, is that some companies will allow an attacker to continue working on the server so that the company can observe what they are doing, as this information collected may aid in analysis and could potentially be evidence for prosecution.
You never want them to carry on for too long, but just enough to gather evidence of what they are doing, and there should always be a senior business executive available to make a critical security-related business decision. I’m curious, has anyone ever observed an attacker on a network and let them carry out an attack as you gather information, etc.?
Michael Obiukwu says
Hi Jeff,
Thank you for this robust elucidation. The spotlight was on the incident response aspect, a realm often unseen from my audit-oriented perspective. The three-tiered approach – detection, analysis, and handling or escalation – was particularly illuminating. Interestingly, the frontline employees, often non-technical, are the primary detectors of such incidents. The role of log files in incident analysis was emphasized, aiding in distinguishing between software glitches and equipment issues. A surprising revelation was the strategic allowance of continued server access to attackers, enabling valuable data collection for potential prosecution. This raises the question: Have you ever deliberately allowed an attack to proceed for information gathering purposes?
Jeffrey Sullivan says
No, I have not but that did come as a surprise to me in the readings.
Mariam Hazali says
In the realm of security, there is a saying, “It’s not a matter of if, but when an incident will occur,” which means it’s just a matter of time before a cyber incident takes place. Therefore, firms must prepare a comprehensive incident response plan. In Chapter 10, “Incident and Disaster Response,” the author delves into different things firms should consider to create an incident response plan that works to quickly recover from disaster and ensure business continuity. The author explores various incident types and rehearsal methods like tabletop exercises and live tests to validate the effectiveness of an incident response plan.
I have always viewed business continuity from an IT perspective: having either a hot site, which is a replica of the production site so the firm can be up and running on short notice, or a cold site, which is a building where the firm will need to bring in resources such as computers and data, which takes longer to set up. However, the author explained how business continuity planning extends beyond IT, encompassing the entire organization and outlining how a company will restore core business operations post-disaster. To develop a successful business continuity plan, a firm should first identify all major processes, assess their importance, and prioritize critical processes that require immediate focus. This approach ensures necessary resources and actions are outlined.
Another thing that the author emphasized is that a thorough incident response or business continuity plan is not sufficient without proper testing to validate its effectiveness and ensure key personnel are identified and understand their responsibilities. Regular updates to the plan should be conducted to reflect current changes.
Michael Obiukwu says
Hi Mariam,
I agree. The adage in the security sphere, “It’s not a matter of if, but when an incident will occur,” underscores the inevitability of cyber incidents, necessitating robust incident response plans. Chapter 10 delves into crafting such plans, exploring various incident types and testing methods. While I’ve viewed business continuity from an IT lens, the author broadens this perspective to encompass the entire organization. To craft a successful plan, firms must identify and prioritize critical processes, ensuring resource allocation and action plans are outlined. The author stresses that plans must be regularly tested, updated, and understood by key personnel.
Ikenna Alajemba says
I agree with you. The chapter emphasizes the inevitability of cyber incidents and the need for comprehensive incident response plans. It covers incident types, rehearsal methods or tabletop exercise, and business continuity beyond IT, outlining steps to identify critical processes and regularly test and update plans for effectiveness and personnel readiness.
Ikenna Alajemba says
Chapter 10 delves into fundamental incident and disaster response concepts, highlighting the critical need for speed and accuracy in addressing various levels of incidents. A four-level severity scale is introduced, ranging from false alarms to catastrophic events threatening business continuity. These situations necessitate meticulous planning and rehearsals to ensure effective response strategies.
Major security incidents are discussed in detail, covering stages like detection, analysis, containment, and recovery, along with organizational aspects of the CSIRT. The complexities of punishment, especially regarding criminal prosecution versus employee discipline, are explored, underlining the challenges in legal repercussions.
Legal considerations encompass criminal versus civil law, jurisdictional complexities, international cybercrime laws, rules of evidence, and computer forensics, culminating in federal laws addressing cyber threats.
Also, the chapter transitions to Intrusion Detection Systems (IDSs), elucidating their functions, challenges like event correlation, and the shift towards distributed IDSs for enhanced security.
Finally, the importance of business continuity planning and IT disaster response, including the adoption of cloud-based hosting and data centers, underscores the multifaceted nature of safeguarding operations during crises, necessitating comprehensive planning for resilience and recovery.
Chidiebere Okafor says
Ikenna, your points are well noted especially the last one, business continuity and IT disaster response. This can include adopting strategies like cloud-based hosting and data centers to ensure resilience and recovery during crises. Overall, this chapter highlights the comprehensive nature of incident and disaster response, from planning and detection to legal considerations and technological solutions like IDSs, all aimed at safeguarding operations and ensuring business continuity in the face of security incidents and disasters.
Chidiebere Okafor says
The chapter introduces incident and disaster response terminology, emphasizing a four-level severity scale for incidents: false alarms, minor incidents handled by on-duty IT staff, major incidents requiring the firm’s CSIRT (Computer Security Incident Response Team), and disasters affecting IT or threatening business continuity. I like the in-depth discussion on Intrusion Detection Systems (IDS), which are tools designed to capture and log suspicious network and host activities. They function like security cameras in a building, detecting incidents but not preventing them. IDSs have four major functions: logging (data collection), automated analysis, administrator actions, and management. Logging involves capturing discrete activities and storing them in sequential files for analysis. Automated analysis includes using attack signatures (known patterns of attacks) or anomaly detection (deviations from historical traffic patterns) to identify threats. IDSs generate alarms for high-threat conditions but must avoid flooding administrators with false positives. Alarms need to be specific and actionable.
IDSs also generate log summary reports, providing insights into various suspicious activities and threat priorities. They support interactive manual log analysis, allowing administrators to investigate attacks and filter out irrelevant data.
Lastly, effective management is crucial for IDSs to function properly. They require ongoing configuration, tuning, and maintenance to remain effective. Poor management can render an IDS ineffective despite its capabilities.
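The four IDS functions Chidiebere lists (logging, automated analysis by signature and by anomaly, alarms that avoid false-positive flooding, and summary reports) are easy to see in miniature. The following is an added example written for this discussion, not code from Boyle and Panko or from any poster: it runs a handful of constructed web-server log lines through a signature pass and a rate-anomaly pass, then raises alarms only for the highest-priority findings and produces a summary report. The log format, the signature patterns and the historical request-rate baseline are all invented for the example.

```python
"""Toy IDS analysis pass: signature matching plus rate-anomaly detection
over constructed web-server log lines. Added example, not a real rule set."""
import re
import statistics
from collections import Counter

# Constructed sample log lines (not real traffic), one request per line:
# <client_ip> <method> <path> <status>
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
203.0.113.9 GET /../../etc/passwd 404
203.0.113.9 GET /login?user=admin'%20OR%201=1-- 500
198.51.100.7 GET /index.html 200
198.51.100.7 GET /index.html 200
198.51.100.7 GET /index.html 200
198.51.100.7 GET /index.html 200
198.51.100.7 GET /index.html 200
198.51.100.7 GET /index.html 200
"""

# Signature rules: (name, compiled pattern, priority with 1 = highest).
# Illustrative patterns chosen for this example only.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./"), 1),
    ("sql-injection", re.compile(r"(?i)('|%27)(\s|%20)*or(\s|%20)*1\s*=\s*1"), 1),
    ("server-error", re.compile(r"\s5\d\d$"), 3),
]

# Assumed historical baseline: requests per source IP in a typical window.
# Anomaly detection flags an IP whose count exceeds mean + k standard deviations.
HISTORICAL_REQUESTS_PER_IP = [1, 2, 2, 1, 3, 2, 1, 2]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (ip, method, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method, path, int(status)


def signature_alerts(log_text):
    """Automated analysis, signature style: match each line against known attack patterns."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern, priority in SIGNATURES:
            if pattern.search(line):
                alerts.append({"type": "signature", "rule": name, "ip": rec[0],
                               "priority": priority, "line": line})
    return alerts


def anomaly_alerts(log_text, baseline=HISTORICAL_REQUESTS_PER_IP, k=3.0):
    """Automated analysis, anomaly style: flag IPs whose request count deviates from history."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[rec[0]] += 1
    threshold = statistics.mean(baseline) + k * statistics.pstdev(baseline)
    return [{"type": "anomaly", "rule": "request-rate", "ip": ip, "priority": 2,
             "count": n, "threshold": threshold}
            for ip, n in counts.items() if n > threshold]


def alarms(alerts, max_priority=1):
    """Alarm only on high-threat findings so administrators are not flooded."""
    return [a for a in alerts if a["priority"] <= max_priority]


def summarize(alerts):
    """Log summary report: alert count per (rule, priority), highest priority first."""
    summary = Counter((a["rule"], a["priority"]) for a in alerts)
    return sorted(summary.items(), key=lambda kv: (kv[0][1], kv[0][0]))


if __name__ == "__main__":
    found = signature_alerts(SAMPLE_LOG) + anomaly_alerts(SAMPLE_LOG)
    for a in alarms(found):
        print("ALARM", a["rule"], a["ip"])
    for (rule, prio), n in summarize(found):
        print(f"{rule:15} priority={prio} count={n}")
```

On the constructed lines the traversal and injection attempts fire as priority-1 signature alarms, the single 500 response is logged but not alarmed, and the burst from 198.51.100.7 surfaces only through the anomaly pass, which is the point of running both: a signature knows what the attack looks like, an anomaly rule only knows it is unusual.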
Kenneth Saltisky says
Hi Chidiebere,
I like your comparison of IDSs to security cameras which both capture and log suspicious activity. Although there are some obvious differences, both ultimately help to find and store information about suspicious activity in an organization. Furthermore, IDSs are essential to recording network activity as they are the primary source of information relevant to when an incident occurs.
Kenneth Saltisky says
Chapter 10 of Boyle and Panko discusses Incident and Disaster Response. Specifically, the chapter covers the basics of a disaster response, the intrusion response process for major incidents, the functions and types of IDSs, the business continuity plan, and the IT disaster recovery process as well as responding to security incidents. One particular section of interest to me is the basic process of intrusion response for major incidents as this is one of the most essential things to know in the event of a major incident in your organization.
At the beginning of an incident there are three priorities: detection, analysis, and escalation. Detection is understanding that an incident occurred and how quickly that understanding occurs. Analysis is making sure that, when an incident is detected, the event is confirmed as real, as well as determining how much damage can occur and the necessary information for containment and recovery. Escalation is the process of handling the incident or escalating the incident to the CSIRT or the business continuity team. The next step is containment, which is stopping the damage done from the incident through methods such as disconnection or black holing by dropping an attacker’s IP from further connecting to company resources. You can also collect data during this step if the damage is not severe. Once contained, recovery can begin, in which backdoors, server issues, etc. need to be fixed through repair, restoration, reinstallation, etc.
There are other steps that might also be relevant depending on the breadth of the attack. Apologizing to customers or employees may be necessary if enough harm was done from the attack, and downplaying will only cause more reputational damage. It may also be necessary to punish certain employees or groups if applicable. However, prosecution can also be conducted if there is enough evidence as well as an outcome that outweighs the reputational and financial damage that can come from prosecution. Postmortem evaluation should also occur at the end of recovery to indicate what went right and what went wrong after the attack and what aspects of recovery need to be improved.
Samuel Omotosho says
Great Job Kenneth, Your summary of Chapter 10’s discussion on Incident and Disaster Response encapsulates the crucial priorities and steps organizations must take during major incidents effectively. From detection to postmortem evaluation, each phase is pivotal in mitigating damage and restoring normal operations. Prioritizing incident response strategies, including escalation and containment, underscores the importance of swift and coordinated action in the face of cyber threats.
Andrew Young says
Great point about customer and service provider reaction, Ken. A big takeaway I’ve seen from our case studies so far has been how a lot of the time organizations have inadequate customer or client response. Taking responsibility and doing everything you can to repair the damage caused to a client from a top-down organizational perspective is not only the moral thing to do, it is often a legal requirement and should be considered when creating any sort of DRP or backup plans.
Nicholas Nirenberg says
Boyle and Panko Chapter 10 is about Incident and Disaster Response. The most interesting part to me was section 10.2, which focuses on the intrusion response process for major incidents.
It involves detecting the incident, analyzing its nature and potential damage, and then escalating it to the appropriate team for handling. Detection can occur through various means, including technological tools like an Intrusion Detection System or through human observation, such as a non-technical employee noticing system malfunctions. Analysis involves understanding the incident in detail, often by reviewing log files to determine the cause and extent of the breach. Escalation is the process of handing over the incident to a specialized team like the Computer Security Incident Response Team (CSIRT) or business continuity team for further management.
An interesting fact that I never thought about before is that non-technical employees often play a crucial role in the detection of incidents, which really highlights the importance of human observation alongside technological solutions in cybersecurity.
Kelly Conger says
Nicholas, your assessment highlights a crucial aspect of Chapter 10, which is the nuanced and critical role of human intuition and observation in the cybersecurity incident response process. It emphasizes the synergy between technology, such as Intrusion Detection Systems, and the irreplaceable value of human vigilance. Combining technical and non-technical detection mechanisms ensures a robust defense against security breaches, which is why inclusive security awareness programs are essential. Such programs empower all employees to act as the first line of defense in identifying potential cybersecurity threats. This multifaceted incident detection and response approach is fundamental to building resilient and secure IT environments.
Kelly Conger says
Chapter 10 of Boyle and Panko’s book talks about how to respond to incidents and disasters in the context of IT and business. It emphasizes the importance of careful planning, fast and accurate responses, and rehearsals to minimize damage. The chapter introduces a four-level severity scale for incidents, ranging from false alarms to disasters threatening a business’s functioning ability. It stresses the need for speed and accuracy at all levels. The chapter describes the stages of responding to significant security incidents, including detection, analysis, escalation, containment, and recovery. It also discusses Intrusion Detection Systems (IDSs) and their role in incident response.
Additionally, it highlights the significance of Business Continuity Planning (BCP) and IT Disaster Recovery (IT DRP) as essential components of an organization’s risk management strategy. These plans help address potential risks such as natural disasters, equipment failures, and cyber attacks. The book also explores the development of Computer Security Incident Response Teams (CSIRTs), which are interdisciplinary teams that play a vital role in incident management. They require experienced senior managers to lead them. A comprehensive approach to incident and disaster response is crucial, highlighting the importance of preparedness, practicing response plans, and the multi-faceted nature of managing incidents and disasters in the modern business landscape.
Alex Ruiz says
Kelly, the critical aspects of incident and disaster response emphasize the need for meticulous planning, rapid responses, and regular rehearsals to mitigate potential damage. The introduction of a severity scale for incidents, combined with a structured approach to response stages, underlines the importance of swift and accurate action across all levels of severity. Furthermore, the discussion on BCP, IT Disaster Recovery, and the establishment of Computer Security Incident Response Teams highlights the multilayered nature of managing incidents and disasters in today’s environment. Given the complexities involved, how do you prioritize the various components of incident and disaster response planning within your organization’s risk management strategy?
Hashem Alsharif says
I learned many concepts in this program, but my most favorite would probably be incident and disaster response, only because of all the concepts, this one requires the most going outside of IT to find the solution, meaning that it requires the most outside-of-the-box thinking. Chapter 10 goes into two specific parts of response that stood out to me: apology and punishment. These may seem simple to understand, but both of these are things that some multi-billion dollar corporations struggle with. For apology, it discusses acknowledging responsibility and harm, then explaining what happened and, lastly, explaining what action will be taken to compensate the person. A company worried about its reputation could hold back giving proper apologies and could hide info about the specifics of what happened, as it’s likely the reasoning could be behind the negligence of the company. They can also do this to lessen the damages of what needs to be compensated. As for punishment, let’s say the attack was done by an internal employee: should they be fired? Arrested? These are very difficult decisions to make that would typically need months, if not years, to decide. This provides us with a solid reminder that no matter how much we know about IT, it’s important that we realize there may be a time when we need to use other skills, and that we work to refine those.
Jeffrey Sullivan says
Great post. I never really thought about how the company could hide a majority of the details of the attack, “nothing to see here,” as that could show the public where the company could have political vulnerabilities. If companies did that, I could only imagine the extra damage or attacks that they could encounter from people wanting to follow suit and duplicate the original situation. That’s a hard decision to make: do you make an example of the attacker or do you “let it go” as far as public announcement?
Erskine Payton says
Chapter 10 starts with explaining the basics of responding to a disaster. While reading, I discovered that about 1% of concentrated attacks are successful, and even the most robust system cannot stop all attacks, so it is important that there is a good incident and response plan in place. Section 10.2 keys in on the intrusion response process, which in my opinion includes detection, learning that an incident has occurred; analysis, which is trying to ascertain whether the threat is real and what potential damage can happen (this also includes information gathering to assist in planning and recovery); and lastly escalation, meaning once you have compiled the information from the detection and analysis phases, you pass this information to the security response team to resolve the issue.
The saying goes that time is money, and once an incident has been discovered, being able to gather as much information about the attack in these initial stages can save your company money and often embarrassment. This is the most important stage of an attack, as whoever made the discovery is the point of contact for all questions concerning the incident. This is why, in the process for major incidents, detection, analysis, and escalation are so important. Having good, well-articulated notes as well as questions does a great deal to assist senior analysts in resolving these matters as quickly as possible.
Alex Ruiz says
This chapter provides valuable insights into the fundamentals of incident and disaster response, stressing the importance of preparation and swift action. I agree that the intrusion response process, the encompassing detection, analysis, and escalation, plays a pivotal role in effectively managing security incidents. The initial stages of an attack are crucial for gathering key information to establish a prompt resolution and to minimize potential damage. How do you ensure that your incident response team remains agile and well-prepared to address evolving threats effectively in today’s evolving landscape?
Akintunde Akinmusire says
Hi Erskine,
I agree with you that it is important to act swiftly after an incident to minimize impact and to mitigate potential damage. This also enables the organization to resume operations more quickly and reduce potential financial losses.
Hashem Alsharif says
Hello Erskine,
I don’t know how exactly to describe this, but it’s a weird feeling knowing no matter what you do, an attack has the possibility of being successful. It brings both worry and acceptance. It brings worry because imagine having millions of dollars worth of information and you know no matter what you do, it can be stolen. I assume this is the premise behind working in the industry, that we tell clients an attack is likely to happen but in the event an attack does happen, here’s what we can do. It definitely can inspire corporations to take more precautions, but I also feel like some companies might follow the way of thinking that says if it happens, it happens and so what.
Akintunde Akinmusire says
This week’s reading emphasizes the significance of developing a comprehensive Incident and Disaster Response Plan to mitigate the impact of security incidents successfully. What stood out to me is the importance of everyday education and exercises to test the effectiveness of the incident response plan and ensure that employees are effectively organized to respond to diverse situations. By investing in continuous education, training, and team-building activities, organizations can strengthen their incident response capabilities and enhance their overall resilience in the face of adversity.
Alex Ruiz says
Akintunde, your focus on the importance of Incident and Disaster Response Plans in mitigating security incidents is crucial in today’s cybersecurity landscape. I agree that regular education and drills are vital for testing the efficacy of these plans and ensuring employee readiness. How do you think organizations can strike a balance between maintaining a high level of preparedness through regular drills and minimizing disruption to daily operations?
Mariam Hazali says
I agree with you, continuous training is very crucial in ensuring a successful incident response plan. People are at the center of cybersecurity. While firms can leverage different technology and automation tools, they rely on people who possess the necessary knowledge to manage them effectively. Continuous testing also plays a crucial role in identifying gaps within our technological systems and incident response plan, ensuring that firms remain vigilant and proactive in addressing potential vulnerabilities.
Hashem Alsharif says
Hello Akintunde,
Testing and education are for sure some of the biggest parts of working in cybersecurity. I wonder how teams split up their time to decide which is best. Do some days they only focus on incident response and other days they focus on presentations to educate the clients? Or maybe they delegate the testing and education to the newer employees. On one hand, I think maybe they give it to newer employees because incident response requires more knowledge, but on the other side, I can imagine that testing and education would be left to the more experienced members since they understand concepts more and can teach them more correctly.
Erskine Payton says
Hi Akintunde,
I am in harmony with your thoughts around the importance of everyday education, not just once a quarter or a few times a year. I have always said IT security education should be ingrained into the DNA of your company. You must make employees understand that they are the greatest defense but also the greatest threat to infrastructure security. I believe that if they understand how important their role is, users become somewhat prideful and would be more vigilant around these types of matters.
Alex Ruiz says
My favorite section of chapter 10 is 10.2, where it goes fully in-depth about the intrusion response for major incidents, going over how to contain the incident, recover from it with backups, and remedy the situation by taking responsibility with public apologies as well as compensating customers and explaining what happened. The most interesting part, however, was going over how organizations get around to punishing attackers and how hard it is to do so. Punishing attackers will most of the time be a hard task for the organization, as it’ll mostly be out of their hands to do so; they’ll have to contact the authorities as well as, for civil suits, an outside forensics firm to gather evidence that’ll be admissible in court. Their incident response team will also have to take great care in handling the initial response, as they can often taint and erase evidence of intruders or even break the chain of evidence, leading to doubt or inadmissibility of the evidence in court that’ll make it even harder to punish hackers, and this isn’t even including how hard it is to charge international attackers. It is, however, way easier in some places to punish employees from within the company, whether that be termination or charges, but it still needs a great amount of evidence against them and can lead to a lot of bad press if they pursue charges, as it admits to the public that an attack came from within and can lead to a large loss of faith in the organization.
Samuel Omotosho says
As an incident response consultant, I agree with this week’s reading on the need to maintain data collection integrity after an occurrence. It is critical to generate hash values for any evidence acquired, document any transfer of evidence using chain of custody forms, and create forensic copies where applicable. Failure to preserve unaltered evidence renders it inadmissible in court. Evidence preservation is not a fun aspect of cybersecurity, but it is necessary nonetheless.
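The three steps Samuel lists (hash the evidence, record every transfer in a chain-of-custody form, work from a forensic copy) can be shown end to end in a few dozen lines. The following is an added example written for this discussion, not code from Boyle and Panko or from any poster: it hashes an acquired file, makes a copy, logs each hand-off in a hash-chained custody record, and then shows what a later verification looks like when the original has been altered and when a custody entry has been edited after the fact. The case identifier, handler names and the evidence file contents are all constructed for the example; the chain-of-custody format is an illustrative design, not a standard form.

```python
"""Evidence integrity bookkeeping for incident response: hash an acquired
artifact, make a forensic copy, log each hand-off in a chain-of-custody
record, and re-verify before analysis. Added example, standard library only."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class ChainOfCustody:
    """Append-only log of who handled an item, when, and the hash they observed.
    Each entry carries the hash of the previous entry, so a deleted, reordered
    or edited record is detectable by is_consistent()."""

    def __init__(self, item_id):
        self.item_id = item_id
        self.entries = []

    def record(self, action, handler, evidence_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "item_id": self.item_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "handler": handler,
            "evidence_sha256": evidence_hash,
            "note": note,
            "prev_entry_hash": prev,
        }
        serialized = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(serialized).hexdigest()
        self.entries.append(entry)
        return entry

    def is_consistent(self):
        """True if every entry's hash matches its contents and links to the previous entry."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_entry_hash"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def verify(path, expected_hash):
    """Re-hash before analysis; a mismatch means the item can no longer be shown unaltered."""
    return sha256_file(path) == expected_hash


def demo():
    """Acquire, copy, hand off, then simulate two kinds of tampering; return what each check reported."""
    work = Path(tempfile.mkdtemp())
    original = work / "webserver_access.log"
    # Constructed evidence content for the example, not a real log.
    original.write_bytes(b'203.0.113.9 - - [10/Mar/2024:10:00:00] "GET /admin HTTP/1.1" 401\n')
    acquired_hash = sha256_file(original)

    coc = ChainOfCustody("CASE-0001-ITEM-01")  # hypothetical case identifier
    coc.record("acquired", "analyst_a", acquired_hash, "pulled from server console")

    forensic_copy = work / "webserver_access.log.copy"
    shutil.copy2(original, forensic_copy)
    copy_ok = verify(forensic_copy, acquired_hash)  # analysis happens on the copy
    coc.record("copied", "analyst_a", sha256_file(forensic_copy), "working copy")
    coc.record("transferred", "analyst_b", sha256_file(forensic_copy), "handed to analyst_b")

    # Tampering 1: someone appends a single byte to the original.
    with open(original, "ab") as f:
        f.write(b"\n")
    tampered_detected = not verify(original, acquired_hash)

    # Tampering 2: a custody entry is edited after the fact.
    chain_ok_before = coc.is_consistent()
    coc.entries[1]["handler"] = "someone_else"
    chain_ok_after = coc.is_consistent()

    shutil.rmtree(work)
    return {"copy_ok": copy_ok, "tampered_detected": tampered_detected,
            "chain_ok_before": chain_ok_before, "chain_ok_after": chain_ok_after,
            "entries": len(coc.entries)}


if __name__ == "__main__":
    print(demo())
```

The hash alone only proves the bytes are unchanged; the custody log is what ties that hash to named people and times, which is the part a court asks about. Chaining the entries is an extra step beyond a paper form, but it makes silent edits to the log itself as detectable as edits to the evidence.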
Jeffrey Sullivan says
Great post, Samuel. In my other audit class, they also pointed out how important it is to collect data with integrity after an occurrence. This is so important because it gives you a baseline for the next person that may look at it, be that a judge or another analyst. In my lifecycle class, it is part of being within compliance as well with your data and the integrity of said data. This is also something that I learned within a software team project: record keeping is part of being within compliance, but it also helps keep the company afloat in time of a disaster, whether that be an employee who writes the code or a natural disaster at the company’s building.
Mariam Hazali says
I agree with you, Samuel. A lot of firms now are integrating Digital Forensic Incident Response (DFIR) in their infrastructure, which allows them to not only respond to incidents but also conduct digital forensic research, which allows them to gather evidence of the crime and also learn how the attack happened so they can properly defend against similar attacks in the future. And indeed, for digital forensic evidence to be admissible in a court of law, firms must maintain thorough chain of custody documents.
Akintunde Akinmusire says
Hi Samuel,
I agree with you that it is important to keep the integrity of data. Maintaining data integrity after an incident is crucial to preserve the accuracy, reliability, and trustworthiness of the organization’s information assets. Without data integrity, there is a risk of compromised data being manipulated, corrupted, or altered, leading to incorrect decision-making and potential legal or regulatory consequences.