Section 1: Cyber Incident Response Plan

Questions and Answers

What is the first step in developing a Cyber Incident Response Plan (IRP)?

  • Outlining Communication Procedures
  • Establishing Roles and Responsibilities (correct)
  • Creating Backup Communication Methods
  • Compiling Incident Information

Which component is NOT part of the IR team during an incident?

  • Technical Personnel
  • Marketing Manager (correct)
  • Chief Information Security Officer
  • Legal Counsel

What should be established to ensure communication during an incident?

  • Backup communication methods (correct)
  • Use of personal devices for communication
  • Strict protocols to avoid communication
  • Regular team meetings before an incident

In the context of a cyber IRP, which action is critical in addressing public relations?

Handling reporting of the incident to the media (B)

Which of the following is a crucial step when compiling incident information?

Informing stakeholders who may be affected (D)

What is the primary purpose of conducting a cyber risk assessment?

To provide executives with needed information for risk response (B)

Which of the following is NOT a benefit of conducting regular risk assessments?

Modification of business missions to increase profitability (C)

Which method of risk measurement is characterized by subjective evaluations of probability and impact?

Qualitative Assessment (D)

What is a key outcome of identifying risks during a cyber risk assessment?

Insight into improving organizational processes and infrastructure (B)

Which of the following statements correctly describes a quantitative assessment?

It utilizes numerical data to assess risk levels and costs (C)

What is one of the main phases of the risk assessment process?

Gathering information about potential threats (D)

How can organizations use the findings from risk assessments?

To make informed decisions about risk management strategies (B)

Why is the human factor considered a weak link in organizational cybersecurity?

Humans tend to make errors, increasing the risk of cyber threats. (A)

What approach should organizations take when implementing cybersecurity training for employees?

A tailored approach relevant to each employee's role. (A)

Which of the following is a crucial element of effective employee training in cybersecurity?

Continuous updates and relevant training sessions. (C)

What type of training sessions are suggested for keeping employees aware of cybersecurity threats?

Both classroom learning and practical phishing drills. (D)

What specific knowledge should employees acquire during cybersecurity training?

The role and responsibility in a cyber-smart environment. (D)

Which of the following best describes the consequence of inadequate cybersecurity training for employees?

The organization may face increased vulnerability to attacks. (B)

What is an essential consideration for organizations when organizing cybersecurity training?

Ensuring the training is relevant and ongoing. (A)

What should employees be particularly vigilant about through cybersecurity training?

The different types of cyber-attacks they may encounter. (C)

Why is it important for organizations to communicate effectively about cyber incidents?

To ensure collective responsibility and awareness. (C)

What is a potential consequence of not having up-to-date patches on a web server?

Vulnerability to control by attackers (A)

Which remediation step is suggested for inadequate input validation vulnerabilities?

Updating the application to include input validation (C)

What critical aspect should an incident response team examine during the lessons learned stage?

Areas for improving response effectiveness (C)

Why might personnel fail to recognize a cyber incident promptly?

Lack of sufficient training and expertise (D)

What should an incident response team do to protect evidence during a cyber incident?

Isolate and secure the evidence effectively (A)

In the context of incident response planning, what is the primary goal of developing an incident response plan (IRP)?

To prepare the organization for potential cyber-attacks (D)

What possible recommendation might follow an incident review that indicates prolonged containment efforts?

Advance training programs for response personnel (C)

What might signify that a database is poorly secured during an attack?

The database is located on the web server itself (D)

What should be included in the report prepared by the incident response team after an incident review?

Findings, recommendations, and changes to procedures (B)

What is a common reason for the corruption of evidence during an incident response?

Inadequate recognition of the need to protect evidence (D)

What is the maximum fine for non-compliance with the Personal Data Protection Act?

SGD 1 million (B)

Which of the following is NOT one of the key obligations regarding personal data protection?

Providing data to third parties without consent (C)

What could be a consequence of a data breach besides financial penalties?

Loss of reputation (D)

Which of the following organizations is recommended to familiarize themselves with personal data protection laws?

Organizations that collect personal data (B)

Which of these measures can organizations take to remain compliant with personal data laws?

Regularly refer to important legal websites (A)

What type of personal data is covered under the Personal Data Protection Act?

Any information that can identify an individual when combined (B)

What did the SingHealth hacking incident demonstrate about data protection?

Data breaches can lead to severe financial repercussions (D)

What type of actions can regulators impose for violation of personal data regulations?

Financial fines and penalties (B)

Which is a recommended best practice for organizations to maintain compliance?

Conduct regular security assessments (A)

Which statement best reflects the impact of non-compliance with personal data obligations?

It can lead to a combination of legal, reputational, and financial consequences (D)

Flashcards

Cyber Risk Assessment

A systematic process that helps organizations understand and prioritize their cybersecurity risks, enabling them to make informed decisions about how to protect their assets.

Risk Assessment

A process that involves identifying and evaluating the potential risks and threats that could impact an organization's ability to achieve its objectives.

Four Phases of Risk Assessment

The four main phases of a risk assessment: Identifying assets, analyzing threats, evaluating vulnerabilities, and determining risks.

Quantitative Risk Assessment

Uses cost and asset values to calculate risk using numbers. Helps determine the cost of protecting assets.

Qualitative Risk Assessment

Categorizes risks based on their probability and impact, using subjective assessment. Can be less accurate than quantitative assessments.

Benefits of Risk Assessments

Regularly conducted assessments help organizations understand existing and emerging threats to their operations and data, enabling proactive protection.

Measuring Risk

The process of using various methods to measure the likelihood of risks and their potential impact.

Why are employees a weak link in cybersecurity?

The people who operate a company's services and operations are crucial to its success, but they are also a potential vulnerability due to their susceptibility to cyberattacks.

What makes employee training effective?

Effective employee training should be tailored to each individual's role and regularly updated to cover new threats and best practices.

What are some of the threats that employees should be trained on?

Training should help employees recognize and protect against cyber threats, including phishing attacks, malware, and social engineering.

Why is employee reporting essential?

Training should include methods for employees to identify and report suspicious activity, which can help prevent larger breaches.

What communication skills should employees learn?

Training should teach employees how to communicate effectively about cyber incidents in a way that minimizes risk and ensures appropriate action is taken.

How does training foster a 'cyber-smart' environment?

Training should empower employees to actively participate in cybersecurity by promoting a culture of awareness and vigilance.

Why is consistent training essential?

Regularly updating training ensures employees stay up-to-date on emerging threats and best practices.

What are some ways to deliver cybersecurity training?

Cybersecurity training can take many forms, including online modules, interactive exercises, and simulations to mimic real-world scenarios.

How do phishing drills help with cybersecurity?

Phishing drills allow employees to practice avoiding deceptive emails and reporting suspicious activity.

What is personal data?

Any information that can be used to identify a specific person.

What is the Personal Data Protection Act?

An act that requires organisations to comply with specific rules when collecting, using, and disclosing personal data.

How many obligations are there under the Personal Data Protection Act?

Organisations must comply with nine key obligations outlined in the Act.

What is one of the key obligations under the Personal Data Protection Act?

One of the key obligations is to safeguard personal data from unauthorised access.

What are the consequences of non-compliance with the Personal Data Protection Act?

If an organisation fails to comply with the Personal Data Protection Act, they can face significant fines.

What example highlights the consequences of a data breach?

The SingHealth hacking incident resulted in a combined penalty of SGD 1 million for SingHealth and their vendor.

What is the importance of staying updated on the Personal Data Protection Act?

Organisations should stay informed about the latest regulations and guidelines related to data protection.

Who are the regulatory bodies responsible for the Personal Data Protection Act?

The Cybersecurity Agency of Singapore and the Personal Data Protection Commission are the regulatory bodies.

What are the potential consequences of a data breach beyond fines?

Organizations may face consequences such as reputation damage, loss of trust, customer churn, financial loss, and remediation costs.

How can organisations protect themselves from data breaches?

By implementing robust security measures and adhering to industry best practices, organizations can minimize their risk of data breaches and comply with regulations.

Incident Response Team (IRT)

A team of professionals responsible for coordinating and responding to cyber incidents. This team typically includes individuals from legal, IT security, technical support, human resources, and public relations.

Developing a Cyber Incident Response Plan (IRP)

Creating a comprehensive plan that outlines the steps to be taken in response to a cyber incident. This includes identifying roles and responsibilities, communication protocols, and other critical components.

Establishing Roles and Responsibilities in an IRP

The first step in developing an IRP involves clearly assigning roles and responsibilities to individuals or teams within the organization. This ensures that everyone knows their role in the event of an incident.

Outlining Communication Procedures in an IRP

A crucial aspect of an effective IRP is outlining clear communication procedures for the incident response team. This includes defining the communication channels, meeting locations, and backup methods.

Compiling Incident Information in an IRP

Gathering and documenting all relevant information related to the cyber incident. This may include details about the attack, affected systems, and potential damage.

Input Validation

A method used to prevent attackers from exploiting vulnerabilities in web applications, such as SQL injection attacks.

Cybersecurity Risk Assessment

A systematic process for identifying and evaluating risks associated with cybersecurity, enabling organizations to prioritize mitigation efforts.

Patch Management

A strategy to identify and close security gaps in software, like outdated versions or missing updates.

Incident Response Plan (IRP)

A program that details how an organization responds to security incidents, ensuring a timely and effective response.

Lessons Learned Review

The process of examining an incident and response to identify areas for improvement and avoid repeating mistakes.

Database Relocation

Relocating critical databases to a protected environment, behind an additional firewall, to enhance security.

Risk Measurement

A security technique that involves assessing the likelihood and impact of risks, using qualitative or quantitative methods.

Evidence Preservation

A critical component of cybersecurity response involving protecting evidence from being altered or destroyed during the incident response process.

Study Notes

Best Practices in Cyber Security

  • The cybersecurity landscape in Singapore is covered in a report published by the Cyber Security Agency.
  • Key cyber threats in 2020 included website defacements (495), ransomware (89), phishing (47,000), malware (botnet drones 6,600), and cybercrime (16,117).
  • The COVID-19 pandemic sparked a global surge in cybercrime in 2020.
  • More than 1,500 SingPass accounts were cracked, possibly exposing user information.

Cybersecurity Landscape in Singapore

  • The Cyber Security Agency has published the Singapore Cyber Landscape 2018 report, which outlines key cyber threats.
  • Phishing attempts reached 47,000 with a Singapore link.
  • Ransomware cases increased by 154% in 2020 compared to 2019.
  • Cybercrime accounted for 43% of overall crime in 2020.
  • Website defacements decreased by 43% from 2019.
  • 6,600 botnet drones were detected daily on average.
  • The entire vaccine value chain was targeted, including research, production, regulation and distribution.
  • Several state-sponsored APT groups targeted companies involved in COVID-19 vaccine development.
  • The European Medicines Agency (EMA) was breached.

SolarWinds Supply-Chain Attack

  • Hackers targeted victims through the trusted vendor SolarWinds.
  • 18,000 organizations downloaded a tainted update of SolarWinds.
  • Malware named Sunburst was injected.

Cyber Hygiene Habits

  • Cybersecurity is everyone's responsibility.
  • Employees should protect information assets from unauthorized access and modifications.
  • Cyber hygiene habits help in deterring potential threats.

Risk Assessment

  • A cyber risk assessment is the first step in the risk management process.
  • This involves identifying potential risks and threats to an organization.
  • Risk management helps organizations deploy controls in a cost-effective manner.

Security Processes and Technologies

  • Identification, authentication, authorization, auditing, and accounting are crucial security controls.
  • Mechanisms like passwords, biometrics, and tokens are used for authentication.
  • Firewalls filter network traffic, preventing malicious activity.
  • Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are crucial for detecting and mitigating potential threats.

Regulatory Developments on Cybersecurity

  • Singapore has several legislative measures for cybersecurity: Computer Misuse Act, Cybersecurity Act, and Personal Data Protection Act.
  • Hacking and unauthorized access are offences under the Computer Misuse Act.
  • Singapore authorities like SingCERT provide alerts, advisories and patches for vulnerable software.
  • Fines of up to SGD 100,000 or jail time can result from non-compliance with regulations.

Incident Preparedness and Response

  • Cyber security incidents can cause confidentiality, integrity, and availability issues.
  • Incident response management plans must contain phases including detection, response, mitigation and reporting.
  • Incident response is crucial to minimize the impact of cyber security incidents.
  • IT environments need methods for identifying threats like firewalls, antivirus systems and user reports.
  • Response steps include investigating the incident, assessing the damage, and collecting evidence.
  • Post-incident measures, such as patching security flaws and updating security protocols, are critical to prevent similar events.
