How could startup companies design information system contingency plans to save costs?
In general, startups have a different risk profile than larger companies, which means they can pursue options typically not available to larger firms. Given that they are trying to establish market share, the priority for startups is on their product and less on continuity planning. As such, they may pursue options that shift some of the risk to third parties so that their limited resources can focus on their product. For example, the startup could adopt a remote-first work environment that exclusively uses cloud-based applications for productivity. In essence, employees could work anywhere, contingent on having access to the internet. This reduces the costs of maintaining a physical office/backup site. This model introduces risk elsewhere (e.g. security concerns with home networks), but this may be acceptable to the firm given its stage of development.
I think companies need to have an accurate and effective BIA. With that, the companies will know where to invest in order to have a better cost-benefit analysis.
Hang
I agree with you that the business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers the information needed to develop recovery strategies.
In general it may be difficult for a start-up company to create a contingency plan compared to more established organizations, simply because they do not quite have the resources, and it is also not typically their main priority. The best way for them to do so without creating too much financial strain would be to create a realistic budget. Don’t invest so much in a plan for recovery that you can’t escape from the hole you put yourself in. Priority assets should be the main concern of the plan, and initially only the most serious risks should be considered.
What considerations come into play when an organization is looking to determine whether it should pursue prosecution of an attacker who is responsible for an intrusion or breach?
Before pursuing legal action, firms must have an understanding of the applicable laws that were broken by the attack. Attacks originating outside of the victim’s country are subject to the treaties (or lack thereof) governing prosecution of the attacker. It may not make sense (or be possible) to pursue legal action if there is no extradition agreement with the attacker’s country of residence.
Why are business continuity plans more difficult to test than incident response plans?
As Boyle explains, BCP deals with disasters or higher-impact incidents that stop you from performing day-to-day functions and affect revenue. However, incident response plans are just about getting ready for incidents in order to avoid availability issues and downtime costs.
What are the differences between implementing a business contingency plan for large organizations vs small businesses?
The seven-step contingency planning process introduced in NIST SP 800-34 Rev. 1 should apply to organizations of any size. The differences are based on budgets, risk appetite, and the number of assets to protect.
Why is it important to preserve the integrity of evidence collected during a computer forensic investigation? What role do forensic experts play in this process?
Preserving the integrity of evidence is absolutely essential because investigators may need to refer back to the evidence and because the evidence is only admissible in court if its integrity has been meticulously preserved. Forensic experts are typically trained on the preservation of evidence, documentation on the chain of custody, and requirements for court-admissible evidence.
What type of information do we need to consider when choosing a business continuity center?
You must follow the principles of business continuity management. You should protect people first, with evacuation plans and drills, and never allow staff members back into unsafe environments. There should be a systematic way to account for all employees and notify them.
I agree that protecting people is the priority. Following the three components of a business continuity plan, organizations need to recover personnel first, then recovery procedures, and then data backup.
As others have said, human life is the absolute main priority, followed by ensuring all data is backed up. For business continuity, the most ideal scenario would be to have everybody able to seamlessly transition into a work-from-home setting, as this would be the most convenient and least straining financially.
Why is good analysis important for the later stages of handling an attack?
Because the security analyst should understand the situation before effective action can be taken. Initially, the security analyst will not even be sure whether the incident is a security problem, an equipment problem, or a software glitch. Section 10.2 states that frequently, much of the intrusion analysis phase is done by reading through the log files for the time period in which the incident probably began. The goal is to learn how the attack was undertaken, who perpetrated it, and what has happened since the beginning of the incident.
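The log review described in this answer, reduced to code as an added example (this is not code from the thread or from the textbook chapter it discusses). The sshd-style log lines, the IP addresses and the suspected start time are all constructed; the functions `parse`, `window`, `summarize` and `review` are assumptions introduced here. It pulls the lines for the window in which the incident probably began, counts failed and accepted logins per source, flags the sources that failed several times and then succeeded, and hands back the non-authentication lines in the window so the analyst can read what happened next.

```python
# Added example (not from the discussion thread): a minimal log-window review.
# All log lines below are constructed sample data in an sshd-like format.
from collections import defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
2024-03-10T02:55:10 sshd[101]: Failed password for root from 198.51.100.7 port 40110
2024-03-10T02:59:42 sshd[102]: Failed password for admin from 198.51.100.7 port 40111
2024-03-10T03:00:05 sshd[103]: Failed password for admin from 198.51.100.7 port 40112
2024-03-10T03:00:09 sshd[104]: Failed password for admin from 198.51.100.7 port 40113
2024-03-10T03:00:31 sshd[105]: Accepted password for admin from 198.51.100.7 port 40114
2024-03-10T03:01:12 sshd[106]: Accepted publickey for deploy from 192.0.2.20 port 51000
2024-03-10T03:04:50 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/db
2024-03-10T03:20:00 sshd[110]: Accepted publickey for deploy from 192.0.2.20 port 51001
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<rest>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)")


def parse(log_text):
    """Turn raw lines into (timestamp, message) pairs; skip anything malformed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("rest")))
    return events


def window(events, start, minutes):
    """Keep only events in [start, start + minutes), the period the incident likely began."""
    end = start + timedelta(minutes=minutes)
    return [e for e in events if start <= e[0] < end]


def summarize(events):
    """Per source IP: failed/accepted login counts and users involved.
    Non-authentication lines are returned separately for manual follow-up."""
    per_ip = defaultdict(lambda: {"failed": 0, "accepted": 0, "users": set()})
    other = []
    for ts, rest in events:
        m = AUTH_RE.search(rest)
        if m:
            d = per_ip[m.group("ip")]
            d["failed" if m.group("result") == "Failed" else "accepted"] += 1
            d["users"].add(m.group("user"))
        else:
            other.append((ts, rest))
    return per_ip, other


def suspicious_sources(per_ip, min_failures=3):
    """Sources with repeated failures followed by a success: the pattern
    that tells the analyst which lines to read around next."""
    return sorted(ip for ip, d in per_ip.items()
                  if d["failed"] >= min_failures and d["accepted"] > 0)


def review(log_text, suspected_start_iso, minutes=15):
    """suspected_start_iso: ISO-8601 string for when the incident probably began."""
    start = datetime.fromisoformat(suspected_start_iso)
    events = window(parse(log_text), start, minutes)
    per_ip, other = summarize(events)
    return {
        "events_in_window": len(events),
        "suspicious": suspicious_sources(per_ip),
        "followup_lines": [rest for _, rest in other],
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG, "2024-03-10T02:58:00"))
```

With the constructed data, a 15-minute window from 02:58 contains six events; the source with three failures and then a success is flagged, and the one non-login line in the window (the `sudo` archive of a database directory) is returned for the analyst to read, which is exactly the "what has happened since" question the answer raises.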
Mohammed
I agree with your point. Observation and analysis are what a security analyst needs in order to approach a good analysis of an attack and to build a repeatable process for identifying common security vulnerabilities and weaknesses in the target security posture that may be exploitable by attackers. The goal is to have a process that examines how attackers conduct an attack; a proper understanding of how an attack can be analyzed comes from understanding the intrusion kill chain.
How much should a business expect to spend on a good business continuity plan?
I believe this question has lots of dependent elements based on the organization. What you are trying to protect and how much an impact the incident would have are important questions to ask while deciding on the BCP budget.
I remember the average organization budget for BCP as 6% of the annual IT budget, but again it is important that an organization goes through the contingency plan development to decide the risk and protection level they would like to have.
Good question here and Miray has a strong point. I think it’s important for business and organizations to evaluate their IT assets, employees and resources that need to be protected in their business continuity planning.
This all really depends on the size of the business, as well as the type of business. Some organizations may not be prone to as many risks as others, and thus do not have to put as many resources into a strong BCP. There’s really no set dollar amount that determines a “good” business continuity plan.
What are some key differences between a NIDS and a HIDS?
The difference between NIDS and HIDS: a network-based intrusion detection system helps to detect malicious traffic on a network, while a host intrusion detection system helps to investigate specific host-based actions.
A HIDS examines specific host-based actions, such as what applications are being used, what files are being accessed and what information resides in the kernel logs. A NIDS analyzes the flow of information between computers, i.e., network traffic. It essentially “sniffs” the network for suspicious behavior.
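The split described in these two answers, as an added example (not code from the thread or from any IDS product): a toy host-side check and a toy network-side check side by side. The HIDS half is a file-integrity baseline of the kind host agents keep (hash files, compare later); the NIDS half sees only flow records and flags a source that touched many distinct ports on one destination. The file contents, paths, IP addresses and thresholds are constructed, and the function names are assumptions introduced here.

```python
# Added example (not from the thread): what each kind of IDS can actually see.
import hashlib
from collections import defaultdict

# --- HIDS side: the agent lives on the host and can read its files. ---

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """files maps path -> bytes; an in-memory stand-in for reading the disk."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline: dict, files: dict) -> dict:
    """Report files modified, added or removed relative to the stored baseline."""
    current = build_baseline(files)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


# --- NIDS side: the sensor sees traffic between machines, nothing on disk. ---

def port_scan_sources(flows, threshold=10):
    """flows: iterable of (src_ip, dst_ip, dst_port). Flag sources that hit at
    least `threshold` distinct ports on a single destination."""
    ports = defaultdict(set)
    for src, dst, dport in flows:
        ports[(src, dst)].add(dport)
    return sorted({src for (src, _dst), ps in ports.items() if len(ps) >= threshold})


def demo():
    # Constructed host state: a baseline, then a later snapshot where one
    # system file changed and an unexpected file appeared.
    baseline_files = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                      "/usr/bin/ls": b"ELF-ls-build-1"}
    later_files = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
                   "/usr/bin/ls": b"ELF-ls-build-1",
                   "/tmp/unexpected": b"new file"}
    hids_report = check_integrity(build_baseline(baseline_files), later_files)

    # Constructed flows: one source probing 15 ports on a server, plus a lot of
    # ordinary repeated HTTPS from a legitimate client (same port every time).
    flows = [("203.0.113.9", "192.0.2.10", p) for p in range(20, 35)]
    flows += [("192.0.2.20", "192.0.2.10", 443)] * 50
    nids_report = port_scan_sources(flows)
    return hids_report, nids_report


if __name__ == "__main__":
    print(demo())
```

Note what each side cannot see: the NIDS has no idea `/etc/passwd` changed, and the HIDS has no idea a host is being port-scanned, which is why the two are usually deployed together rather than chosen between.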
What is blackholing, and which tool is best for incident response?
Hi Mohammed,
Blackholing can be used in an effort to contain or stop the damage of an attack. This approach works by dropping all future packets from the suspected attacker’s IP address. However, there are downsides to this step, considering attackers typically have access to multiple different IP addresses and can quickly change their plan of action, making their next attempt more difficult to detect. Moreover, I found the logging of collected data to be beneficial because it captures discrete activities, such as the arrival of a packet or an attempt to log in. Consequently, it is the duty of the IDS administrator to analyze the raw logged data in order to respond to the incident correctly.
What are the benefits of building a disaster recovery plan before any disasters occur?
It helps reduce downtime because you already have a plan or strategy to handle incidents, and it helps financially, as you were prepared beforehand and are not looking for last-second help. Most importantly, it helps with reputation, as you can handle the situation before it gets out to the rest of the world.
It’s essential for minimizing potential damage and reducing interruptions in the aftermath of a disaster, as well as for a quick recovery time and avoiding possible delays in getting things back up and running. It helps improve security readiness and business reputation.
Hi Oluwaseun,
You’re exactly right. The only way to minimize the potential damage of a disaster is to plan ahead of time. The purpose of the recovery plan is that it is done before any disasters are present. If there is no plan in place, then it will be a disorganized and costly response. And with no plan it is highly likely mistakes will be made.
A topic that I was already familiar with prior to reading this chapter was Business Continuity Planning. I learned a little bit about it from studying CompTIA’s certifications.
Was there anything you were already familiar with before you read about it? If so, did this chapter help you capitalize on the information you already knew?
I personally haven’t had much work experience related to business continuity. However, from my experience preparing for ISACA’s CISA exam, there was a huge emphasis on the preservation of human life. I was a bit surprised this component of business continuity planning wasn’t mentioned within the chapter.
Hello Bryan,
That sounds very interesting, as human life is indeed invaluable. I would definitely be interested in learning more about this topic within business continuity. I am sure that the information needed to pass the CISA exam is very insightful. I will have to take a look at the material and gain some knowledge on that topic. Thanks a lot for your reply to my question!
How is BIA done accurately and effectively?
In order to facilitate a useful BIA, it’s important to understand your environment in its entirety. It would be helpful if you worked for an organization that inventories all of its assets associated with all business processes. However, even if these items can be leveraged, it’s important for the lead facilitating the BIA to confirm the existence of these assets, as well as identify any potential new ones, to ensure its completeness and accuracy. From here, business processes can be prioritized in terms of recovery, and the business can gain comfort that all assets are accounted for and can be brought back online to ensure operations can and will resume.
A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers the information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment.
Organizations must continually adjust BCP plans as the business evolves. The first step is to perform a BIA, which identifies key business processes and application interdependencies while determining the financial impact if any operational function goes down. It’s important to remember that a BIA isn’t a one-off activity. Conducted regularly, a BIA will address any change, including the addition of critical applications, switching vendors, consolidating facilities and more. Only by regularly conducting BIAs can organizations maintain resiliency.
What is the biggest incident or disaster of our time and why?
Hi Corey,
As the largest and third strongest hurricane ever recorded to make landfall in the U.S., I would argue that Hurricane Katrina was one of the most destructive natural disasters of our time. Peaking at a Category 5, with winds up to 175 mph, Katrina devastated a number of cities, claiming the lives of approximately two thousand people, displacing hundreds of thousands of families, and causing over $160 billion in damage. The flooding, specifically, was caused largely as a result of fatal engineering flaws in the flood protection system (levees) around the city of New Orleans, precipitating most of the loss of life. Many businesses collapsed because they were poorly prepared for the hurricane. The failures of Katrina include the individual failures of government officials who failed to coordinate a national response to a truly catastrophic event.
How should a small company craft a BCP that is economical enough for their smaller budgets?
Small companies have limited or no excess cash to invest in business continuity plans. Therefore, they need to be more aware of risks and mitigate them when customizing a BCP. They can talk to insurance companies and get discounts. BCP is important to a business, so small businesses can check other budgets to see if they can be reduced to free up more BCP budget.
Smaller companies can consider using cloud providers to limit the costs associated with IT continuity. Business continuity can be greatly enhanced through documentation and regular training. Depending on the expertise and pay rate of employees, it may be more economical to prepare the BCP internally or to contract outside assistance.
Hi Amelia,
That’s a great point about utilizing cloud providers to limit the cost. Smaller companies will have smaller IT departments and security staff, which means fewer people able to prepare the BCP. Acquiring outside assistance is a great option, if it can be afforded.
Why do we care about the number of false alarms we receive (if they don’t have as high an impact as major incidents or disasters)?
Hi Miray,
It is not uncommon for intrusion detection systems to flag legitimate activities as suspicious, resulting in false alarms. Based on the reading, false alarms can become problematic as they waste a great deal of scarce and expensive security time. Not to mention, if they happen too frequently, this may dull readiness to investigate each potential incident and allow real incidents to go unnoticed.
Great point, Elizabeth. The 2013 Target breach is a great example of this. The security operations team actually received alerts about the breach but they had been inundated with so many false positives that the alert was ignored.
Miray,
We want to limit the number of false alarms we receive because it reduces the risk that a legitimate threat may sneak through the logs. Investigating each alarm requires resources and time to look into. Limiting the number of false alarms makes it so the system is operating as efficiently as possible and there are no incorrect alerts that are being investigated.
Hi Miray,
As the volume of false alarms increases, it becomes much harder to spot actual alarms with high impact. From a networking perspective, it would also mean that your IDS/IDPS is not tuned for the network properly, which can make analysis/forensics much more difficult during and after the attack.
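The tuning problem these replies describe (and the Target example earlier in the thread), shown as an added example that is not code from the thread or from any IDS product: a constructed alert stream in which an authorised internal vulnerability scanner and a monitoring host generate most of the volume, and a single high-severity alert from an outside address sits among them. The signature names, addresses and severities are constructed; `tune`, `aggregate` and `triage` are function names introduced here. The point is that the tuning step is a small, documented list of exceptions, not a blanket "ignore" of a signature.

```python
# Added example (not from the thread): why untuned IDS output hides the alert
# that matters, and what a reviewed suppression list does to the queue.
from collections import Counter

# Constructed alert stream: (severity, signature, src_ip, dst_ip).
# 192.0.2.50 is the organisation's own scheduled vulnerability scanner and
# 192.0.2.20 is a monitoring host that pings the server; both are expected.
RAW_ALERTS = (
    [(2, "SCAN SYN sweep", "192.0.2.50", f"192.0.2.{i}") for i in range(10, 60)]
    + [(1, "ICMP echo request", "192.0.2.20", "192.0.2.10")] * 30
    + [(3, "SQL injection attempt", "198.51.100.7", "192.0.2.10")]
    + [(1, "ICMP echo request", "198.51.100.7", "192.0.2.10")] * 3
)

# Tuning = narrow, documented exceptions keyed on (signature, source), so the
# same signature from an unknown source still fires. Review this list regularly.
SUPPRESS = {
    ("SCAN SYN sweep", "192.0.2.50"),      # authorised internal scanner
    ("ICMP echo request", "192.0.2.20"),   # monitoring host health checks
}


def tune(alerts, suppress=SUPPRESS):
    """Drop alerts matching a suppression entry; everything else is kept."""
    return [a for a in alerts if (a[1], a[2]) not in suppress]


def aggregate(alerts):
    """Collapse identical (severity, signature, src, dst) alerts into one row
    with a count, ordered by severity then volume so the analyst reads the
    most important row first."""
    counts = Counter(alerts)
    rows = [(sev, sig, src, dst, n) for (sev, sig, src, dst), n in counts.items()]
    return sorted(rows, key=lambda r: (-r[0], -r[4], r[1], r[2], r[3]))


def triage(alerts, suppress=SUPPRESS):
    """Return queue sizes before and after tuning plus the top remaining row."""
    untuned = aggregate(alerts)
    tuned = aggregate(tune(alerts, suppress))
    return {
        "raw_alerts": len(alerts),
        "rows_untuned": len(untuned),
        "rows_tuned": len(tuned),
        "top": tuned[0] if tuned else None,
    }


if __name__ == "__main__":
    print(triage(RAW_ALERTS))
```

With the constructed stream, 84 raw alerts collapse to 53 rows before tuning (the scanner alone produces fifty distinct destination rows) and to two rows after, with the injection attempt at the top; the three ICMP alerts from the outside address survive tuning because the suppression entry names the monitoring host, not the signature.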
Why don’t many organizations utilize honeypots? In my opinion they seem like a fairly viable IDS.
Alexander,
I think honeypots can introduce risk to your environment. By risk, I mean that a honeypot, once attacked, can be used to attack, infiltrate, or harm other systems or organizations. Different honeypots have different levels of risk. Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. The simpler the honeypot, the less the risk. For example, a honeypot that merely emulates a few services is difficult to compromise and use to attack other systems. In contrast, a honeypot that creates a jail gives an attacker an actual operating system with which to interact.
An attacker might be able to break out of such a cage and then use the honeypot to launch passive or active attacks against other systems or organizations. Risk is variable, depending on how one builds and deploys the honeypot.