Event
Any observable occurrence in a network or system.
Incident
An event that actually or potentially jeopardizes the C-I-A (confidentiality, integrity, availability) of an information system or the information the system processes, stores or transmits.
Intrusion
A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization.
Breach
The loss of control, compromise, unauthorized disclosure or acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose.
Exploit
The specific attack.
Threat
Any circumstance or event with the potential to adversely impact national or organizational operations, assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information and/or denial of service.
Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.
Zero Day
A previously unknown system vulnerability with the potential for exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.
Preparation
Since incidents will happen and adverse events will affect the business mission and objectives, the organization needs a policy and a response plan that will lead it through the crisis. For severe incidents, some organizations define this as "Crisis Management".
Protect life, health and safety
Any decision an incident responder makes should prioritize safety.
Reduction of impact
An IR process aims to reduce impact so that the organization can prevent disruption or resume operations as soon as possible.
Preparation, Detection and Analysis, Containment, Eradication and Recovery, Post-incident Activity
Components of an IR Plan
Preparation
• Develop a policy approved by management.
• Identify critical data and systems, single points of failure.
• Train staff on incident response.
• Implement an incident response team.
• Practice incident identification (first response).
• Identify roles and responsibilities.
• Plan the coordination of communication between stakeholders.
• Consider the possibility that a primary method of communication may not be available.
Detection and Analysis
• Monitor all possible attack vectors.
• Analyze the incident using known data and threat intelligence.
• Prioritize incident response.
• Standardize incident documentation.
Containment
• Gather evidence.
• Choose an appropriate containment strategy.
• Identify the attacker.
• Isolate the attack.
Post-Incident Activity
• Identify evidence that may need to be retained.
• Document lessons learned.
Incident Response Team
Should be a cross-functional group of individuals representing the management, technical and functional areas of responsibility most directly impacted by a security incident. They should include:
• Representative(s) of senior management
• Information security professionals
• Legal representatives
• Public affairs/communications representatives
• Engineering representatives (system and network)
Security Operations Center
SOC
A Security Operations Center (SOC) is a team composed of security analysts who triage alerts and identify potential incidents, which are then passed to the Incident Response Team.
IR Team
Assists with investigating the incident. Their primary responsibilities are:
• Determine the scope of damage caused by the incident.
• Identify whether any confidential information was compromised.
• Implement any necessary recovery procedures to restore security and recover from the related damage.
• Supervise the implementation of any additional security measures to improve security and prevent recurrence.
business continuity plan
BCP
A business continuity plan (BCP) is the proactive development of procedures to restore business operations after a disaster or other significant disruption to the organization. It needs to sustain business operations while recovering from a significant disruption.
Communication is a key part of the BCP; it should have multiple methods available in case of disruption of power, network or any other primary communications.
Disaster recovery plan
DRP
A disaster recovery plan (DRP) guides the actions of emergency response personnel until the end goal is reached, which is to see the business restored to its full last-known reliable operations.
Business continuity planning is about maintaining critical business functions, while disaster recovery planning is about restoring IT and communications back to full operations after a disruption.