Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.703 ■ Spring 2022 ■ David Lanter
Question to discuss with my classmates

March 30, 2022 by David Lanter 52 Comments

Filed Under: 12 - Incident and Disaster Response

Comments

  1. Yangyuan Lin says

    March 31, 2022 at 5:52 pm

    How could startup companies design information system contingency plans to save cost?

    • Matthew Bryan says

      April 3, 2022 at 7:29 am

      In general, startups have a different risk profile than larger companies, which means they can pursue options typically not available to larger firms. Given that they are trying to establish market share, the priority for startups is on their product and less on continuity planning. As such, they may pursue options that shift some of the risk to third parties so that their limited resources can focus on their product. For example, the startup could adopt a remote-first work environment that exclusively uses cloud-based applications for productivity. In essence, employees could work anywhere, contingent on having access to the internet. This reduces the costs of maintaining a physical office/backup site. This model introduces risk elsewhere, e.g. security concerns with home networks, but this may be acceptable to the firm given its stage in development.

    • Hang Nu Song Nguyen says

      April 5, 2022 at 7:19 am

      I think the companies need to have an accurate and effective BIA. With that, the companies will know where to invest to have a better cost-benefit analysis.

      • Oluwaseun Soyomokun says

        April 5, 2022 at 8:57 am

        Hang, I agree with you: the business impact analysis (BIA) predicts the consequences of disruption of a business function and process, and gathers the information needed to develop recovery strategies.

    • Alexander William Knoll says

      April 5, 2022 at 9:23 pm

      In general it may be difficult for a start-up company to create a contingency plan compared to more established organizations, simply because they do not quite have the resources, and it is also not typically their main priority. The best way for them to do so without creating too much financial strain would be to create a realistic budget. Don’t invest so much in a plan for recovery that you can’t escape from the hole you put yourself in. Priority assets should be the main concern of the plan, and initially only the most serious risks should be considered.

  2. Bryan Garrahan says

    March 31, 2022 at 6:41 pm

    What considerations come into play when an organization is looking to determine if they should pursue prosecution of an attacker who is responsible for an intrusion or breach?

    • Matthew Bryan says

      April 3, 2022 at 7:04 am

      Before pursuing legal action, firms must have an understanding of the applicable laws that were broken by the attack. Attacks originating outside of the victim’s country are subject to the treaties (or lack thereof) governing prosecution of the attacker. It may not make sense (or be possible) to pursue legal action if there is no extradition agreement with the attacker’s country of residence.

  3. Shubham Patil says

    April 2, 2022 at 2:10 pm

    Why are business continuity plans more difficult to test than incident response plans?

    • Miray Bolukbasi says

      April 4, 2022 at 12:01 pm

      As Boyle explains, BCP deals with disasters or higher impact incidents that stop you from performing day-to-day functionalities and affect revenue. However, incident response plans are just getting ready for incidents to avoid availability issues and downtime costs.

  4. Elizabeth Gutierrez says

    April 2, 2022 at 4:30 pm

    What are the differences between implementing a business contingency plan for large organizations vs small businesses?

    • Hang Nu Song Nguyen says

      April 5, 2022 at 7:30 am

      The seven-step contingency planning process introduced in NIST SP 800-34 Rev. 1 should apply to organizations of any size. The differences are based on budgets, risk appetite, and the number of assets to protect.

  5. Matthew Bryan says

    April 3, 2022 at 6:42 am

    Why is it important to preserve the integrity of evidence collected during a computer forensic investigation? What role do forensic experts play in this process?

    • Amelia Safirstein says

      April 5, 2022 at 11:24 am

      Preserving the integrity of evidence is absolutely essential because investigators may need to refer back to the evidence and because the evidence is only admissible in court if its integrity has been meticulously preserved. Forensic experts are typically trained on the preservation of evidence, documentation on the chain of custody, and requirements for court-admissible evidence.

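An added worked example (not from the course or the textbook) of the evidence-integrity practice Amelia describes: the evidence is hashed at acquisition, every custody hand-off re-hashes the copy received and records whether it matched, so a modified copy is detected and the chain shows exactly where. The evidence bytes, names and timestamps are constructed for the example.

```python
import hashlib

# Constructed evidence: stands in for a log export acquired during an
# investigation (not a real artefact).
EVIDENCE_ORIGINAL = (
    b"2022-03-30T02:14:07Z sshd[4121]: Accepted password for admin from 203.0.113.45\n"
)
# A copy that was altered after collection (constructed to show detection).
EVIDENCE_TAMPERED = EVIDENCE_ORIGINAL.replace(b"203.0.113.45", b"192.0.2.10")


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of the evidence; any change alters it."""
    return hashlib.sha256(data).hexdigest()


def acquire(evidence_id: str, data: bytes, examiner: str, when: str) -> dict:
    """Create the evidence record at acquisition time. The hash stored here is
    what every later custody step is checked against."""
    return {
        "evidence_id": evidence_id,
        "sha256": sha256_hex(data),
        "size": len(data),
        "custody": [{"action": "acquired", "by": examiner, "at": when}],
    }


def transfer(record: dict, data: bytes, from_person: str, to_person: str, when: str) -> bool:
    """Record a hand-off. The receiving party re-hashes the copy they received;
    a mismatch is logged and the transfer is rejected, so an unbroken chain
    means the evidence was verified intact at every step."""
    intact = sha256_hex(data) == record["sha256"]
    record["custody"].append({
        "action": "transfer" if intact else "transfer_rejected",
        "from": from_person,
        "to": to_person,
        "at": when,
        "hash_verified": intact,
    })
    return intact


def chain_is_unbroken(record: dict) -> bool:
    """True only if every custody entry after acquisition verified the hash."""
    return all(entry.get("hash_verified", True) for entry in record["custody"])


def demo():
    """Walk one item through a good hand-off and then a tampered one."""
    rec = acquire("EV-001", EVIDENCE_ORIGINAL, "examiner-a", "2022-03-30T09:00:00Z")
    ok_first = transfer(rec, EVIDENCE_ORIGINAL, "examiner-a", "examiner-b", "2022-03-30T14:00:00Z")
    ok_second = transfer(rec, EVIDENCE_TAMPERED, "examiner-b", "counsel", "2022-03-31T10:00:00Z")
    return rec, ok_first, ok_second


if __name__ == "__main__":
    record, first, second = demo()
    print("first transfer verified:", first, "| second:", second)
    print("chain unbroken:", chain_is_unbroken(record))
```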
  6. Ornella Rhyne says

    April 3, 2022 at 5:09 pm

    What type of information do we need to consider when choosing a business continuity center?

    • Mohammed Syed says

      April 3, 2022 at 11:13 pm

      You must follow the principles of business continuity management. You should protect people first, with evacuation plans and drills, and never allow staff members back into unsafe environments. You should have a systematic way to account for all employees and notify them.

      • Hang Nu Song Nguyen says

        April 5, 2022 at 7:36 am

        I agree that protecting people is the priority. Following the three components of a business continuity plan, organizations need to recover personnel first, then the recovery procedure, and then data backup.

    • Alexander William Knoll says

      April 5, 2022 at 9:27 pm

      As others have said, human life is the absolute main priority, followed by ensuring all data is backed up. For business continuity, the most ideal scenario would be to have everybody able to seamlessly transition into a work-from-home setting, as this would be the most convenient and least straining financially.

  7. Oluwaseun Soyomokun says

    April 3, 2022 at 6:54 pm

    Why is good analysis important for the later stages of handling an attack?

    • Mohammed Syed says

      April 3, 2022 at 11:32 pm

      Because the security analyst should understand the condition before effective action can be taken. Initially, the security analyst will not even be sure whether the incident is security trouble, an equipment problem, or a software glitch. Section 10.2 stated that frequently, much of the intrusion analysis phase is done by reading through the log files for the time period in which the incident probably began. The goal is to learn how the attack was undertaken, who perpetrated it, and what has happened since the beginning of the incident.

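An added worked example (not from the course or the textbook) of the intrusion analysis Mohammed quotes from Section 10.2: narrow an auth log to the time window in which the incident probably began, then answer how the attack was undertaken, who perpetrated it, and what happened afterwards. The syslog lines, host name and addresses are constructed for the example; the year is supplied by the investigator because syslog omits it.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog-style auth log (not from a real system) for the night of
# a suspected intrusion; one line outside the window on each side.
SAMPLE_LOG = """\
Mar 30 01:58:10 web1 sshd[3901]: Failed password for invalid user oracle from 198.51.100.7 port 51022 ssh2
Mar 30 02:10:41 web1 sshd[4088]: Failed password for root from 203.0.113.45 port 40112 ssh2
Mar 30 02:10:43 web1 sshd[4090]: Failed password for root from 203.0.113.45 port 40113 ssh2
Mar 30 02:10:46 web1 sshd[4091]: Failed password for root from 203.0.113.45 port 40114 ssh2
Mar 30 02:14:07 web1 sshd[4121]: Accepted password for admin from 203.0.113.45 port 40120 ssh2
Mar 30 02:15:30 web1 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/mysql
Mar 30 02:40:12 web1 sshd[4201]: Accepted publickey for deploy from 192.0.2.10 port 55100 ssh2
Mar 30 03:05:00 web1 sshd[4300]: Failed password for invalid user test from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse(line, year):
    """Split one syslog line into timestamp, host, process and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def investigate(log_text, start, end, year=2022):
    """Reduce the log to the suspected incident window (ISO timestamps), then
    summarize: failed logins per source, successful logins, privileged commands,
    and the sources that failed repeatedly before succeeding."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    events = [e for e in (parse(l, year) for l in log_text.splitlines())
              if e and lo <= e["ts"] <= hi]
    failed, accepted, commands = Counter(), [], []
    for e in events:
        m = AUTH_RE.search(e["msg"])
        if m:
            if m["result"] == "Failed":
                failed[m["ip"]] += 1
            else:
                accepted.append({"at": e["ts"].strftime("%H:%M:%S"), "user": m["user"],
                                 "ip": m["ip"], "method": m["method"]})
            continue
        s = SUDO_RE.match(e["msg"])
        if s:
            commands.append({"at": e["ts"].strftime("%H:%M:%S"), "user": s["user"], "cmd": s["cmd"]})
    # Password guessing followed by a success from the same source is the
    # strongest lead for "who" and "how"; the sudo entries show "what since".
    suspects = sorted({a["ip"] for a in accepted if failed[a["ip"]] >= 3})
    return {"events": len(events), "failed_by_ip": dict(failed),
            "accepted": accepted, "commands": commands, "suspects": suspects}


if __name__ == "__main__":
    report = investigate(SAMPLE_LOG, "2022-03-30 02:00:00", "2022-03-30 03:00:00")
    for key, value in report.items():
        print(f"{key}: {value}")
```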
      • Oluwaseun Soyomokun says

        April 5, 2022 at 9:19 am

        Mohammed, I agree with your point. Observation and analysis would be expected of a security analyst in order to understand the approach of a good analysis of an attack, and to have a clearer, repeatable process for identifying common security vulnerabilities and weaknesses in their security posture which may be exploitable and used by attackers. The goal will be to have a process that examines how the attackers conduct themselves; a proper understanding of how an attack can be analyzed comes from understanding the intrusion kill chain.

  8. Jason Burwell says

    April 3, 2022 at 7:35 pm

    How much should a business expect to spend on a good business continuity plan?

    • Miray Bolukbasi says

      April 4, 2022 at 11:58 am

      I believe this question has lots of dependent elements based on the organization. What you are trying to protect and how much of an impact the incident would have are important questions to ask while deciding on the BCP budget.

      I remember the average organization budget for BCP as 6% of the annual IT budget, but again it is important that an organization goes through the contingency plan development to decide the risk and protection level they would like to have.

    • Oluwaseun Soyomokun says

      April 5, 2022 at 9:39 am

      Good question here, and Miray has a strong point. I think it’s important for businesses and organizations to evaluate their IT assets, employees and resources that need to be protected in their business continuity planning.

    • Alexander William Knoll says

      April 5, 2022 at 9:29 pm

      This all really depends on the size of the business, as well as the type of business. Some organizations may not be prone to as many risks as others, and thus do not have to put as many resources into a strong BCP. There’s really no set dollar amount to determine a “good” business continuity plan.

  9. Michael Duffy says

    April 3, 2022 at 10:58 pm

    What are some key differences between a NIDS and a HIDS?

    • Mohammed Syed says

      April 3, 2022 at 11:39 pm

      The difference between NIDS and HIDS: a network-based intrusion detection system helps to detect malicious traffic on a network, while a host intrusion detection system helps to investigate specific host-based actions.

    • Shubham Patil says

      April 5, 2022 at 10:41 pm

      HIDS examine specific host-based actions, such as what applications are being used, what files are being accessed and what information resides in the kernel logs. NIDS analyze the flow of information between computers, i.e., network traffic. They essentially “sniff” the network for suspicious behavior.

  10. Mohammed Syed says

    April 3, 2022 at 11:42 pm

    What is blackholing, and which tool is best for incident response?

    • Elizabeth Gutierrez says

      April 4, 2022 at 9:10 pm

      Hi Mohammed,
      Blackholing can be used in an effort to contain or stop the damage of an attack. This approach works by dropping all future packets from the suspected attacker’s IP address. However, there are downsides to this step considering attackers typically have access to multiple different IP addresses and can quickly change their plan of action, making their next attempt more difficult to detect. Moreover, I found the logging of data collection to be beneficial because it captures discrete activities, such as the arrival of a packet or an attempt to log in. Consequently, it is the duty of the IDS administrator to analyze the raw data logged to respond to the incident correctly.

  11. Amelia Safirstein says

    April 3, 2022 at 11:49 pm

    What are the benefits of building a disaster recovery plan before any disasters occur?

    • Miray Bolukbasi says

      April 4, 2022 at 11:55 am

      It helps reduce downtime because you already have a plan or strategy to handle incidents, and it helps financially as you were prepared beforehand and are not looking for last-second help. Most importantly, it helps with reputation, as you can handle the situation before it gets to the rest of the world.

      • Oluwaseun Soyomokun says

        April 5, 2022 at 9:53 am

        It’s essential for minimizing potential damage and reducing interruptions in the aftermath of a disaster, and also for a quick recovery time or avoiding delays in getting things back up and running. It helps improve security readiness and business reputation.

        • Ryan Trapp says

          April 5, 2022 at 12:04 pm

          Hi Oluwaseun,

          You’re exactly right. The only way to minimize the potential damage of a disaster is to plan ahead of time. The purpose of the recovery plan is that it is done before any disasters are present. If there is no plan in place then it will be a disorganized and costly response, and with no plan it is highly likely mistakes will be made.

  12. Joshua Moses says

    April 3, 2022 at 11:58 pm

    A topic that I was already familiar with prior to reading this chapter was Business Continuity Planning. I learned a little bit about it from studying CompTIA’s certifications.

    Was there anything you were already familiar with before you read about it? If so, did this chapter help you capitalize on the information you already knew?

    • Bryan Garrahan says

      April 5, 2022 at 7:46 pm

      I personally haven’t had much work experience related to business continuity. However, from my experience preparing for ISACA’s CISA exam there was a huge emphasis on preservation of human life. I was a bit surprised this component of business continuity planning wasn’t mentioned within the chapter.

      • Joshua Moses says

        April 5, 2022 at 11:30 pm

        Hello Bryan,

        That sounds very interesting, as human life is indeed invaluable. I would definitely be interested in learning more about this topic within the topic of business continuity. I am sure that the information needed to pass the CISA exam is very insightful. I will have to take a look at the material and gain some knowledge on that topic. Thanks a lot for your reply to my question!

  13. Hang Nu Song Nguyen says

    April 4, 2022 at 12:03 am

    How is BIA done accurately and effectively?

    • Bryan Garrahan says

      April 5, 2022 at 7:40 pm

      In order to facilitate a useful BIA it’s important to understand your environment in its entirety. It would be helpful if you worked for an organization that inventories all of its assets associated with all business processes. However, even if these items can be leveraged, it’s important for the lead facilitating the BIA to confirm the existence of these assets as well as identify any potential new ones to ensure its completeness and accuracy. From here, business processes can be prioritized in terms of recovery, and the business can gain comfort that all assets are accounted for and can be brought back online to ensure operations can and will resume.

    • Shubham Patil says

      April 5, 2022 at 10:40 pm

      A business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers the information needed to develop recovery strategies. Potential loss scenarios should be identified during a risk assessment.

      Organizations must continually adjust BCP plans as the business evolves. The first step is to perform a BIA, which identifies key business processes and application interdependencies, while determining the financial impact if any operational function goes down. It’s important to remember that a BIA isn’t a one-off activity. Conducted regularly, a BIA will address any change, including the addition of critical applications, switching vendors, consolidating facilities and more. Only by regularly conducting BIAs can organizations maintain resiliency.

  14. Corey Arana says

    April 4, 2022 at 10:16 am

    What is the biggest incident or disaster of our time and why?

    • Elizabeth Gutierrez says

      April 4, 2022 at 10:29 pm

      Hi Corey,
      As the largest and third strongest hurricane ever recorded to make landfall in the U.S., I would argue that Hurricane Katrina was one of the most destructive natural disasters of our time. Peaking at a Category 5, with winds up to 175 mph, Katrina devastated a number of cities, claiming the lives of approximately two thousand people, displacing hundreds of thousands of families, and causing over $160 billion in damage. The flooding, specifically, was caused largely as a result of fatal engineering flaws in the flood protection system (levees) around the city of New Orleans, precipitating most of the loss of lives. Many businesses collapsed because they were poorly prepared for the hurricanes. The failures of Katrina include the individual failures of government officials who failed to coordinate a national response to a truly catastrophic event.

  15. Ryan Trapp says

    April 4, 2022 at 11:29 am

    How should a small company craft a BCP that is economical enough for their smaller budgets?

    • Yangyuan Lin says

      April 5, 2022 at 9:38 am

      Small companies have limited or no excess cash to invest in business continuity plans. Therefore, they need to be more aware of risks and mitigate them when customizing the BCP. They can talk to insurance companies and get discounts. BCP is important to business, so small businesses can check other budgets to see if they can be reduced to get more BCP budget.

      • Amelia Safirstein says

        April 5, 2022 at 11:15 am

        Smaller companies can consider using cloud providers to limit the costs associated with IT continuity. Business continuity can be greatly enhanced through documentation and regular training. Depending on the expertise and pay rate of employees, it may be more economical to prepare the BCP internally or to contract outside assistance.

        • Ryan Trapp says

          April 5, 2022 at 12:00 pm

          Hi Amelia,

          That’s a great point about utilizing cloud providers to limit the cost. Smaller companies will have smaller IT departments and security personnel, which means fewer people able to prepare the BCP. Acquiring outside assistance is a great option, if it can be afforded.

  16. Miray Bolukbasi says

    April 4, 2022 at 11:51 am

    Why do we care about the number of false alarms we receive? (if they don’t have as high an impact as major incidents or disasters)

    • Elizabeth Gutierrez says

      April 4, 2022 at 9:14 pm

      Hi Miray,
      It is not uncommon for intrusion detection systems to flag legitimate activities as suspicious, resulting in false alarms. Based on the reading, false alarms can become problematic as they waste a great deal of scarce and expensive security time. Not to mention, if they happen too frequently, this may dull readiness to investigate each potential incident and allow real incidents to go unnoticed.

      • Amelia Safirstein says

        April 5, 2022 at 11:00 am

        Great point, Elizabeth. The 2013 Target breach is a great example of this. The security operations team actually received alerts about the breach but they had been inundated with so many false positives that the alert was ignored.

    • Ryan Trapp says

      April 5, 2022 at 11:54 am

      Miray,

      We want to limit the number of false alarms we receive because it reduces the risk that a legitimate threat may sneak through the logs. Investigating each alarm requires resources and time to look into. Limiting the number of false alarms makes it so the system is operating as efficiently as possible and there are no incorrect alerts that are being investigated.

    • Michael Duffy says

      April 5, 2022 at 11:12 pm

      Hi Miray,

      As the volume of false alarms increases it becomes much harder to spot actual alarms with high impact. From a networking perspective, it would also mean that your IDS/IDPS is not tuned for the network properly and can make analysis/forensics much more difficult during and after the attack.

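An added worked example (not from the course or the textbook) putting numbers on the point made in this thread, that false alarms consume analyst time and bury the real ones, and on Michael's point that this is a tuning problem: a constructed IDS alert feed is measured raw and then after two tuning rules (suppress expected signatures from an inventoried scanner, fold repeats of the same alert into one ticket). The alerts, addresses, signature names and the "benign" ground-truth label are all constructed; the scanner inventory is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: int           # seconds since the start of the shift (constructed)
    signature: str
    src: str
    dst: str
    benign: bool      # ground truth from a later review; used only to measure


# Constructed IDS output: an authorized vulnerability scanner fires a signature
# every 5 s, a monitoring probe trips another every minute, and two real
# findings are buried in the noise.
ALERTS = (
    [Alert(t, "ET SCAN Nmap", "10.0.5.20", f"10.0.1.{t % 40}", True) for t in range(0, 300, 5)]
    + [Alert(t, "HTTP Long URI", "10.0.9.3", "10.0.1.7", True) for t in range(0, 300, 60)]
    + [Alert(120, "Malware C2 Beacon", "10.0.1.33", "203.0.113.45", False),
       Alert(250, "SQL Injection Attempt", "198.51.100.7", "10.0.1.7", False)]
)

# Tuning inputs (assumed inventory): sources expected to trigger given signatures.
AUTHORIZED_SCANNERS = {"10.0.5.20": {"ET SCAN Nmap"}}
AGGREGATE_WINDOW = 300  # repeats of (signature, src) within this many seconds share a ticket


def tuned_queue(alerts, authorized=AUTHORIZED_SCANNERS, window=AGGREGATE_WINDOW):
    """Apply the two tuning rules and return the alerts an analyst would see."""
    opened = {}  # (signature, src) -> ts when a ticket was opened
    queue = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.signature in authorized.get(a.src, set()):
            continue  # expected behaviour from an inventoried source
        key = (a.signature, a.src)
        if key in opened and a.ts - opened[key] < window:
            continue  # same thing already in the queue; fold it in
        opened[key] = a.ts
        queue.append(a)
    return queue


def metrics(queue, all_alerts):
    """Analyst load of a queue, and whether every real incident is still visible."""
    real = {(a.signature, a.src) for a in all_alerts if not a.benign}
    visible = {(a.signature, a.src) for a in queue if not a.benign}
    false_alarms = sum(1 for a in queue if a.benign)
    true_alerts = len(queue) - false_alarms
    return {
        "tickets": len(queue),
        "false_alarms": false_alarms,
        "real_incidents_visible": len(visible),
        "real_incidents_total": len(real),
        "precision": round(true_alerts / len(queue), 3) if queue else 0.0,
    }


if __name__ == "__main__":
    print("raw  :", metrics(list(ALERTS), ALERTS))
    print("tuned:", metrics(tuned_queue(ALERTS), ALERTS))
```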
  17. Alexander William Knoll says

    April 5, 2022 at 9:04 pm

    Why don’t many organizations utilize honeypots? In my opinion they seem like a fairly viable IDS.

    • Shubham Patil says

      April 5, 2022 at 10:38 pm

      Alexander,

      I think honeypots can introduce risk to your environment. By risk, I mean that a honeypot, once attacked, can be used to attack, infiltrate, or harm other systems or organizations. Different honeypots have different levels of risk. Some introduce very little risk, while others give the attacker entire platforms from which to launch new attacks. The simpler the honeypot, the less the risk. For example, a honeypot that merely emulates a few services is difficult to compromise and use to attack other systems. In contrast, a honeypot that creates a jail gives an attacker an actual operating system with which to interact.

      An attacker might be able to break out of such a cage and then use the honeypot to launch passive or active attacks against other systems or organizations. Risk is variable, depending on how one builds and deploys the honeypot.
