Best Practices in Cyber Security PDF
NUS Faculty of Law
2020
Summary
This document provides best practices in cybersecurity, focusing on the cybersecurity landscape in Singapore. It covers topics such as cyber culture, cyber hygiene, the role of the Chief Information Security Officer (CISO), risk assessment, employee protection, and incident preparedness.
NICF - Cybersecurity Awareness Programme (SF) Learner's Guide
SECTION 1: Notes

BEST PRACTICES IN CYBER SECURITY

In this section, you will learn the following:
- Cybersecurity landscape in Singapore
- Cyber culture and cyber hygiene in an organization
- Role of the Chief Information Security Officer (CISO)
- Risk assessment
- Employee protection and education
- Security technologies
- Regulatory developments on cybersecurity
- Incident preparedness and response

Copyright © 2020 NTUC LearningHub Pte Ltd. © Cybint Solutions. All rights reserved. Page 8 of 126, LHUB_ver1.1

CYBERSECURITY LANDSCAPE IN SINGAPORE

The Cyber Security Agency of Singapore's Singapore Cyber Landscape 2018 report gives the following figures:
- Phishing: 47,000
- Ransomware: 89
- Website defacements: 495
- Malware (botnet drones): 6,600
- Cybercrime: 16,117

Major cybersecurity incidents and security breaches:

The cyber repercussions of the COVID-19 pandemic

The COVID-19 pandemic sparked a global surge in cybercrime in 2020, as more businesses shifted their activities online because of social distancing requirements in the physical world. In Singapore, 384 COVID-19-related scams were reported in 2020, and more than 1,500 SingPass accounts had their credentials cracked, potentially exposing sensitive personal information such as addresses and salaries.

Vaccine-related cyber-attacks

The entire vaccine value chain, including research, production, regulation and distribution, was targeted. In November 2020, Microsoft reported that several state-sponsored APT groups had targeted seven companies directly involved in COVID-19 vaccine research and development for the purpose of data theft.
At around the same time, Europe's drug regulator, the European Medicines Agency, was breached by attackers who "unlawfully accessed" documents relating to Pfizer and BioNTech's COVID-19 vaccine.

SolarWinds supply-chain attack

Towards the end of 2020, a massive supply-chain attack was uncovered in which attackers reached their victims through a trusted vendor: the US-based company SolarWinds, a dominant provider of network monitoring software to corporations and government agencies around the world. SolarWinds products were used by numerous Fortune 500 corporations and government agencies, including the US Department of Homeland Security, the US Department of State, Cisco, Microsoft and Intel. An estimated 18,000 organisations downloaded the tainted software update and were exposed to the injected malware, which researchers named Sunburst. The update arrived through the vendor's normal distribution channel, so the trust placed in the vendor became the attacker's entry point; that is what makes supply-chain attacks so hard to stop at the victim's perimeter.

Creating a Cyber-Smart Culture

Because of the pandemic, more and more individuals and businesses are moving online, enlarging the already large attack surface that attackers worldwide can exploit. This highlights the importance of knowing the common cyber-attacks and how not to fall victim to them.

Making people aware of the organization's policies and procedures therefore helps to protect information. Through a cyber security awareness programme, employees can be equipped with the knowledge to identify and deter potential threat actors, and come to accept and commit to the idea that "cybersecurity is everyone's responsibility". Practising basic cyber hygiene strengthens the weakest link.

What is Basic Cyber Hygiene?
Cyber hygiene is a set of practices for appropriately protecting and maintaining IT systems and devices and for implementing cyber security best practices, as shown in the figure below.

Protecting systems and information requires implementing best practices, and that requires the organization to invest in them. There is therefore a balance to strike between how much security the organization should have and the benefits that the controls bring. Risk management, comprising risk identification, analysis, evaluation and treatment, helps an organization deploy the necessary controls in a cost-effective manner.

Cyber Hygiene Habits

It is important for everyone who accesses the organization's network and information, from the intern to the CEO, to think and act securely. Information must remain confidential, be modified only by authorized personnel, and be available to authorized personnel when they need it. These are the three principles of cyber security: confidentiality (access by authorized personnel only), integrity (modification by authorized personnel only) and availability (accessible to authorized personnel when needed). Poor cyber hygiene habits may result in sensitive information being disclosed, altered or destroyed, with an impact on the business.

Good cyber hygiene can be built through the following habits:

1. Define a controlled process for software installation by end users.
2. Teach employees good cyber behaviour: how to manage their passwords, how to identify phishing attempts, and which devices may be connected to the network.
3. Make a deliberate effort to find vulnerable applications that are in use and disable them.
4. Keep an inventory of the hardware and software on the company network.
5. Back up your data. Consider a secure cloud backup service or dedicated, secured server space, and test that the backups can actually be restored.
6. Patch all applications promptly and regularly. Unpatched systems are one of the biggest risk factors in attacks.
7. Use complex passwords.
8. Limit the number of users with administrative privileges.
9. Upgrade aging infrastructure and systems.
10. Always use a firewall.
11. Keep anti-virus definitions up to date on every device on the network.

RISK ASSESSMENT

What is a Risk Assessment?

A cyber risk assessment is the first step in the risk management process and a key component of an organization's risk management programme. To identify the potential risks and threats facing the company, current business operations and assets are evaluated to determine which areas need priority in resource allocation and security. This can be done internally or by bringing in a third party to evaluate the risks posed to the company and its assets.

The purpose of a cyber risk assessment is to give executives the information they need to decide on appropriate responses to the identified risks, and to show how risk assessments complement the risk management programme. Through risk assessments, executives identify the risks common to the organization's core missions, business functions, processes and supporting infrastructure services.

The Four Main Phases in the Risk Assessment Process: (figure in the original guide)

Benefits of Risk Assessments

Regular risk assessments let an organization determine existing and emerging risks and threats to its core business missions and functions. They can support executive decision-making and organizational activities in a variety of ways.
Some of these benefits include, but are not limited to:
- Development of an information security architecture.
- Defining the business operations and services that rely on the functionality of information systems and technology.
- Modification of business missions and functions to protect sensitive data until proper security controls are implemented.
- Implementation of critical and efficient security solutions.
- Continuous operation and maintenance of security solutions.

Measuring Risk

To identify which areas of the business are the most vulnerable and most at risk of attack, we evaluate the value of the data that is crucial to us. Two calculation methods are generally used to measure the risk to, and importance of, an asset:

Quantitative assessment
- Uses cost and asset values to calculate risk as a number.
- Can be used to calculate how much it may cost to protect assets.

Qualitative assessment
- Categorizes risks by probability and impact (for example high, medium and low).
- Subjective, so less precise than a quantitative assessment.

PRACTICAL TECHNIQUES FOR EMPLOYEE PROTECTION AND EDUCATION

The Need for Cybersecurity Awareness and Employee Training

One of the most important strategies for productive organizational cybersecurity is effective training for employees. With the "human factor" being one of the weakest links in an organization's cybersecurity, it is crucial to provide educational training to employees across the entire company. The people who drive the business's operations and services are critical to the company's success.
However, if employees are not well prepared for the new threats in the evolving digital environment, they cannot be expected to defend against them properly.

Effective Employee Training

When implementing training programmes in a company, it is important to understand that a "one and done" or "one size fits all" approach does not work. Training should be focused and relevant to each employee's role and responsibilities. Employees should be vigilant against the various attacks, take precautions, and protect the organization's data and systems. Because cyber-crime and attack methods evolve rapidly, employees need to be kept up to date and aware of current attacks, so the organization should provide continuous training. Training should include classroom and e-learning sessions as well as phishing drills.

Topics to cover in update sessions include:
- The various threats employees are facing.
- Recent cyber-attacks on businesses.
- The role employees play in a "cyber-smart" business environment.
- Tools and techniques to identify and prevent cyber-attacks.
- Proper communication surrounding cyber incidents.

SECURITY PROCESSES AND TECHNOLOGIES

Identification, authentication, authorization, auditing and accounting are the controls that protect access to business assets and information.
The access control phases are:
- Identification: claiming an identity when attempting to access a system.
- Authentication: proving that you are that identity.
- Authorization: defining what the authenticated identity is permitted to do.
- Auditing: recording a log of events and activities.
- Accounting: reviewing the logs to check for violations.

Authentication Mechanisms

Each authentication factor belongs to one of three types:
- Something you know: passwords, PINs, passphrases.
- Something you are: biometrics such as fingerprints or voice patterns.
- Something you have: tokens, identity badges, physical keys, a driver's licence.

Any one of these on its own is single-factor authentication. Two-factor (or multi-factor) authentication combines factors of different types, for example a password plus a token; a password plus a PIN is still only one factor, because both are things you know. The more factors required, the harder it is for unauthorised parties to get in, because they need the token or the biometric as well as the password. Ask yourself: would you be happy with just an ID and password when you access your bank application from home over the Internet?

Firewalls

Firewalls are essential tools for managing and controlling network traffic. A firewall is a network device that filters incoming (from the Internet) and outgoing (to the Internet) traffic based on a defined set of rules, also called a filter or an access control list (ACL). A firewall is one of the tools that prevent malicious traffic from the Internet from entering the organisation's network. It can also block traffic from one internal segment to another, for example to stop an attacker on a compromised laptop in one segment from reaching a server or laptop in another segment.

However, a firewall cannot stop malicious traffic that satisfies its rules: an attack delivered over an allowed port, such as a web request carrying a SQL injection payload, passes straight through. For that we need an Intrusion Detection System (IDS) or an Intrusion Prevention System (IPS).

Intrusion Detection Systems (IDS)

An intrusion detection system (IDS) inspects logs and real-time traffic to detect intrusion attempts and system failures.
An IDS is effective at detecting Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. It alerts administrators when someone or something is trying to compromise an information system through malicious activity such as a DDoS attack or a security policy violation.

The IDS examines logs and real-time traffic and detects malicious behaviour using two techniques: signature-based and behaviour-based detection.

Signature-based detection, also called knowledge-based or pattern-matching detection, keeps a database of attack signatures. Real-time traffic is matched against the database, and if the IDS finds a match it raises an alert. The drawback is that it is effective only against known attack methods, so the signature database must be updated regularly with new attack signatures.

Behaviour-based detection, also called anomaly, statistical or heuristic-based detection, compares logs and real-time traffic against a baseline of normal activity to detect abnormal behaviour. A behaviour-based IDS uses the baseline, activity statistics and heuristic evaluation to compare current activity with past activity and spot potentially malicious activity. Anomaly analysis can recognise and react to a sudden increase in traffic volume or activity, multiple failed login attempts, logons or program activity outside normal working hours, or a sudden increase in error messages, any of which could indicate an attack that a knowledge-based system would not recognise. A behaviour-based IDS is sometimes described as an expert system because it can learn and make assumptions about events. Its drawback is that it often raises a high number of false alarms.

A plain IDS detects an attack and alerts the administrators without taking any action itself.
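The firewall passage and the IDS passage above describe the same pipeline from two ends: an ACL decides which packets get in, and the IDS inspects what the ACL let through, catching the attacks that satisfied the rules. The Python script below puts both together; it is an illustration added to these notes, not code from the NTUC LearningHub guide or from any firewall or IDS product. The rule set, the packets and the baseline counts are constructed for the example, and the signature list is deliberately tiny rather than a real ruleset.

```python
import re
import statistics
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed firewall rule set: (action, source network, destination network,
# destination port or None for any port). First match wins; a packet that
# matches no rule is dropped (default deny).
RULES = [
    ("allow", "0.0.0.0/0",   "10.0.0.8/32", 80),    # Internet -> public web server
    ("allow", "10.0.0.0/24", "10.0.0.0/24", 22),    # admin SSH within the office LAN
    ("deny",  "10.0.0.0/24", "10.0.1.0/24", None),  # office LAN may not reach the DB segment
]

# Known-bad patterns for signature-based detection (deliberately small).
SIGNATURES = {
    "sql_injection": re.compile(r"(?i)\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1"),
    "path_traversal": re.compile(r"\.\./"),
}

# Packets per source observed during a quiet baseline window (constructed numbers).
BASELINE_PACKETS_PER_SOURCE = [3, 5, 4, 6, 2, 4, 5, 3]

# Constructed packets: one normal request, one SQL injection over the allowed
# web port, two packets the firewall should drop, and a flood from a single
# source that no signature describes.
PACKETS = [
    {"src": "198.51.100.7", "dst": "10.0.0.8", "dport": 80,
     "payload": "GET /search?q=shoes HTTP/1.1"},
    {"src": "203.0.113.9", "dst": "10.0.0.8", "dport": 80,
     "payload": "GET /search?q=1' UNION SELECT username,password FROM users-- HTTP/1.1"},
    {"src": "203.0.113.9", "dst": "10.0.0.8", "dport": 22, "payload": ""},
    {"src": "10.0.0.5", "dst": "10.0.1.20", "dport": 5432, "payload": ""},
] + [
    {"src": "203.0.113.50", "dst": "10.0.0.8", "dport": 80, "payload": "GET / HTTP/1.1"}
    for _ in range(40)
]


def firewall_decision(src, dst, dport):
    """Return 'allow' or 'deny' for a packet by walking the ACL top to bottom."""
    for action, src_net, dst_net, port in RULES:
        if (ip_address(src) in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net)
                and (port is None or port == dport)):
            return action
    return "deny"  # default deny: nothing matched


def signature_alerts(packets):
    """Knowledge-based detection: alert on any payload matching a known signature."""
    return [(name, p["src"]) for p in packets
            for name, pat in SIGNATURES.items() if pat.search(p["payload"])]


def volume_threshold(baseline_counts, k=3.0):
    """Behaviour-based detection: a source is abnormal above mean + k*stdev of the baseline."""
    return statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)


def anomaly_alerts(packets, baseline_counts):
    """Alert on sources whose packet count exceeds the threshold learned from the baseline."""
    limit = volume_threshold(baseline_counts)
    per_source = Counter(p["src"] for p in packets)
    return [("traffic_spike", src) for src, n in per_source.items() if n > limit]


def run_pipeline(packets, baseline_counts):
    """Firewall first, then IDS inspection of only the traffic the firewall let through."""
    allowed = [p for p in packets
               if firewall_decision(p["src"], p["dst"], p["dport"]) == "allow"]
    alerts = signature_alerts(allowed) + anomaly_alerts(allowed, baseline_counts)
    return allowed, alerts


if __name__ == "__main__":
    allowed, alerts = run_pipeline(PACKETS, BASELINE_PACKETS_PER_SOURCE)
    print(f"{len(PACKETS)} packets in, {len(allowed)} passed the firewall")
    for name, src in alerts:
        print(f"IDS alert: {name} from {src}")
```

The two dropped packets (SSH from the Internet, and office LAN to the database segment) never reach the IDS. The injection request is on port 80 and is perfectly legal as far as the ACL is concerned; only the signature catches it. The flood from 203.0.113.50 matches no signature and is caught only by the behaviour-based rule, whose threshold here works out to roughly 7.7 packets per source. That same threshold would also flag a legitimate client that happened to send nine packets, which is the false-alarm trade-off the text describes; a production IDS uses rates per time window and richer statistics rather than a single count.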
Alerting without intervening is a passive response. An IDS that detects an attack and then acts to terminate the session gives an active response; such a system is called an Intrusion Prevention System (IPS).

Intrusion Prevention Systems (IPS)

An Intrusion Prevention System (IPS) is an active IDS that attempts to detect and block attacks before they reach the target systems. The IPS is placed in line with the traffic, which means all traffic must pass through it; the trade-off for being able to stop attacks rather than just report them is that an IPS failure or a false positive can block legitimate traffic. The IPS uses knowledge-based and/or behaviour-based detection.

Logging Overview

To verify that systems and applications are accessed and modified only by authorized parties, all activity must first be logged. Servers and applications should record user and system activities such as:
- Normal activity
- Error conditions
- Configuration changes
- Policy changes
- User access to assets
- Incident alerts
- Unauthorized use of resources
- Non-privileged access to files
- User behaviour patterns
- Clearing of sensitive data
- Access to audit trails

These activities are recorded in the following kinds of log:
- Security logs: record access to resources such as files and folders, including account logon, account management, directory service access, logon, object access (for example file access), policy change and privilege use events.
- System logs: record system events such as system start and stop, heartbeat and run-time error events from running applications, and application installations.
- Application logs: applications running on servers or end-user devices generate records such as access to specific data objects, for example tables or views.
- Firewall logs: critical for security analysis, because they contain a trail of almost all traffic flowing into and out of the network, including source and destination IP addresses and port numbers.
- IPS logs: record the top attacks and intrusions and the attackers' IP addresses.
- Anti-virus (AV) logs: record devices infected with malware, and devices where malware was detected and cleaned.
- Proxy logs: record the sites visited by users and the time spent on them, requests made by users and applications on the local network, and application or service requests made over the Internet, such as application updates.
- Change logs: record change requests, approvals and the actual changes made to a system.
- Router, switch and load balancer logs: provide critical data about traffic flows, including destinations visited by internal users, sources of external traffic, traffic volumes and protocols used.
- Endpoint logs: desktops, laptops, smartphones, servers and workstations send events and status information.
- Syslog: consolidates events from the above devices and systems in a centralized location, processes large amounts of data, filters it and generates alerts for administrators.

These logs should be protected from unauthorized access and modification, and the events should be forwarded to a central system such as a syslog server, so that an attacker who compromises a host cannot quietly erase the evidence held on it.

Syslog

The syslog server receives raw logs from the sources listed above, identifies their structure or schema, and processes them into a consistent, standardized data source for analysis. Syslog processing comprises the following:
- Log parsing: converts logs from end devices into a structured format.
- Log normalization and categorization: merges events and adds meaning to them, identifying log data related to system events, authentication, local and remote operations, and so on.
- Log indexing: creates an index of common attributes across all log data to speed up searching for events and analysis.
- Log storage: stores the events.

Monitoring and Investigation using Syslog

Syslog helps to identify problems and patterns in production systems. Monitoring involves scanning log files, searching for patterns, rules or inferred behaviour that indicate important events, and triggering an alert to operations or security staff. Analysing these logs is the most common way to identify anomalous or suspicious events that might represent a security incident.

Log monitoring can help identify problems before users experience them. It can uncover suspicious behaviour that might represent an attack on organizational systems. It can also record the baseline behaviour of devices, systems or users, so that anomalies requiring investigation can be identified.

These logs provide a record of system activity and can be used to reconstruct the activity leading up to and during a security event. They provide a before-and-after picture of the state of resources, systems and applications, which is necessary for incident investigation. Syslog allows events to be traced in forward and reverse order, which helps in tracking down problems, performance issues, attacks, intrusions, security breaches, coding errors and policy violations. For this record to be trustworthy, the logs must be protected from unauthorized access and modification.
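As an added illustration of the parsing, normalization, indexing and storage steps described above, the Python script below processes a handful of constructed RFC 3164 (BSD syslog) lines end to end. It is example code written for these notes, not taken from the guide or from any syslog implementation. The hostnames and messages are invented, the category names and the hash-chained storage are design choices made for the example, and the facility and severity tables are the standard syslog ones.

```python
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample lines in BSD syslog (RFC 3164) format, as a collector would
# receive them over the network; not from a real host.
RAW_LINES = [
    "<38>Nov 16 09:02:11 web01 sshd[2112]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "<38>Nov 16 09:02:40 web01 sshd[2112]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "<30>Nov 16 09:03:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.8 PROTO=TCP DPT=3389",
    "<14>Nov 16 09:03:15 web01 systemd[1]: Started Daily apt upgrade and clean activities.",
    "<85>Nov 16 09:04:02 web01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "this line is not syslog at all",
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "   # BSD timestamp
    r"(?P<host>\S+) "
    r"(?P<app>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "              # app[pid]:
    r"(?P<msg>.*)$")
IP_RE = re.compile(r"(?:from |SRC=)(\d{1,3}(?:\.\d{1,3}){3})")


def categorize(rec):
    """Normalization step: attach a category that analysts can query on (names chosen for the example)."""
    if rec["app"] == "sudo":
        return "privilege_use"
    if rec["app"] in ("sshd", "login") or rec["facility"] in ("auth", "authpriv"):
        return "authentication"
    if rec["app"] == "kernel" and ("DROP" in rec["msg"] or "REJECT" in rec["msg"]):
        return "network_block"
    return "system"


def normalize(line):
    """Parsing step: turn one raw line into a structured record; keep unparsable input rather than drop it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"parse_error": True, "raw": line}
    pri = int(m["pri"])
    rec = {"timestamp": m["ts"], "host": m["host"], "app": m["app"],
           "pid": int(m["pid"]) if m["pid"] else None,
           "facility": FACILITIES[pri // 8] if pri // 8 < len(FACILITIES) else "unknown",
           "severity": SEVERITIES[pri % 8], "msg": m["msg"]}
    rec["category"] = categorize(rec)
    ip = IP_RE.search(rec["msg"])
    rec["src_ip"] = ip.group(1) if ip else None
    return rec


def build_index(records, fields=("host", "category", "severity", "src_ip")):
    """Indexing step: map (field, value) to the positions of the records carrying it."""
    index = defaultdict(set)
    for pos, rec in enumerate(records):
        for field in fields:
            if rec.get(field) is not None:
                index[(field, rec[field])].add(pos)
    return index


def query(index, **criteria):
    """AND-query over indexed fields, e.g. query(idx, host="web01", category="authentication")."""
    hits = [index.get((f, v), set()) for f, v in criteria.items()]
    return sorted(set.intersection(*hits)) if hits else []


def chain_records(records, genesis="0" * 64):
    """Storage step: hash-chain the records so that editing or deleting one is detectable."""
    stored, prev = [], genesis
    for rec in records:
        digest = hashlib.sha256((prev + json.dumps(rec, sort_keys=True)).encode()).hexdigest()
        stored.append({"prev": prev, "hash": digest, "record": rec})
        prev = digest
    return stored


def verify_chain(stored, genesis="0" * 64):
    """Return the position of the first broken link, or None if the chain is intact."""
    prev = genesis
    for pos, entry in enumerate(stored):
        expected = hashlib.sha256((prev + json.dumps(entry["record"], sort_keys=True)).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return pos
        prev = entry["hash"]
    return None
```

Running `normalize` over `RAW_LINES` turns `<38>` into facility `auth`, severity `info`, and the sudo line (`<85>`) into facility `authpriv`, severity `notice`, with the source address lifted out of the message text into its own field; the line that is not syslog is kept as a `parse_error` record instead of being silently dropped, because unexpected input is itself worth seeing. `query(index, host="web01", category="authentication")` then answers without rescanning every record. The hash chain makes any edit to, or deletion of, a stored record show up in `verify_chain`, with one caveat: truncating the newest entries is only detectable if the latest hash is also kept somewhere the attacker cannot reach, such as a second collector, which is the practical form of the text's requirement that logs be protected from modification.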
The Singapore Computer Emergency Response Team (SingCERT) facilitates the detection, resolution and prevention of cybersecurity incidents for the Singapore constituency. SingCERT broadcasts timely alerts, advisories and security patches that highlight security vulnerabilities in software and hardware products, and provides updates on the latest cyber threat trends.

REGULATORY DEVELOPMENTS ON CYBERSECURITY

Compliance

In Singapore, several pieces of legislation govern cybersecurity:
- Computer Misuse Act
- Cybersecurity Act
- Personal Data Protection Act

Computer Misuse Act

Hacking (unauthorised access) is an offence under the Computer Misuse Act. Under the Act, any person who knowingly causes a computer to perform any function for the purpose of securing access without authority to any program or data held in any computer is guilty of an offence. Penalty: a fine not exceeding SGD 5,000, imprisonment for a term not exceeding two years, or both.

What about possession or use of hardware, software or other tools used to commit cybercrime? Under the Computer Misuse Act, such possession is also an offence where a person obtains or retains such items with the intent to use them to commit or facilitate an offence. It is likewise an offence to secure unauthorised access to any computer program or data with the intent to commit an offence involving property, fraud or dishonesty, for example identity theft or identity fraud. Note that this makes written authorisation from the system owner essential before any penetration testing.

Cybersecurity Act

An Act to protect the computer systems that deliver essential services in Singapore.
Under the Act, essential services include services relating to:
- Energy
- Info-communications
- Water
- Healthcare
- Banking and finance
- Security and emergency services
- Aviation
- Land transport
- Maritime
- Functioning of Government
- Media

The obligations of organisations that control the computer systems running these essential services are wide-ranging, and non-compliance can result in a penalty of up to SGD 100,000 or a jail term of not more than 2 years.

Personal Data Protection Act

The Act requires organisations that collect, use and disclose individuals' personal data to comply with certain obligations, and non-compliance can result in heavy fines. Personal data is any information that, on its own or put together with other information, allows a person to be identified. Any organisation that collects, uses or discloses the personal data of individuals, whether employees or customers, must comply with the 9 key obligations. One of these is to protect the personal data in its custody from unauthorised access. Non-compliance that results in a breach of personal data can attract a fine of up to SGD 1 million. The SingHealth hacking incident resulted in a combined penalty of SGD 1 million imposed on SingHealth and its vendor, IHiS.

Organisations should familiarise themselves with the above laws to avoid heavy penalties and fines.
Keeping up to date with these laws can be done by regularly referring to:
- the websites of the regulatory bodies, i.e. the Cyber Security Agency of Singapore and the Personal Data Protection Commission; and
- Singapore Statutes Online.

Regulators may impose fines if regulations are violated or data is breached. Besides fines, organisations may suffer loss of reputation, loss of integrity, loss of customers, loss of revenue, and the cost of remediating and recovering from an attack. By keeping systems secure and upholding best practices, a company can comply with regulations and standards.

INCIDENT PREPAREDNESS AND RESPONSE

Respond

The primary goal of any security programme is to prevent security incidents. However, it is no longer a question of whether an incident will happen but when. An organization must therefore be prepared and able to respond, limiting or containing the incident in a timely manner without disrupting the organization's objectives. The primary goal of incident response is to minimize the impact on the organization.

A cyber security incident is any event that has a negative impact on the confidentiality, integrity or availability of an organization's assets. The organization should therefore have an incident response management plan covering the preparation of processes and procedures, their implementation and their maintenance. The intent is to ensure an effective response once a cyber incident is detected. Incident response management is handled in the phases described below.

1. Detection

IT environments should have multiple methods of detecting potential incidents.
The methods used to detect incidents include:
- Firewalls, proxies, and intrusion detection and prevention systems
- Anti-malware systems
- End users reporting irregular activity

On receiving an alert about a potential incident, the security team investigates the event, confirms that it is a security incident, and moves to the Response phase.

2. Response

The response varies with the severity of the incident. The organization activates its Computer Security Incident Response Team (CSIRT), which assists with the investigation, assesses the damage, collects the evidence, reports the incident and recovers systems. The quicker an organization can respond to an incident, the better its chance of limiting the damage. It is important to protect all data collected during the investigation.

3. Mitigation

The next step is to contain the incident and stop it from spreading. One of the primary goals of effective incident response is to limit the effect or scope of an incident.

4. Reporting

Reporting means reporting the incident within the organization and to individuals outside it. Who to report to, and how quickly, depends on the severity and sensitivity of the incident. For example, even a minor malware infection on the CEO's laptop needs to be reported, as the laptop may contain confidential information. Senior management must be notified of security breaches within the time frame specified in the incident response plan. For example, the WannaCry ransomware attack in 2017 infected more than 230,000 computers in more than 150 countries within a single day, and reportedly infected parts of the United Kingdom's National Health Service, forcing some medical services to run on an emergency-only basis. The CSIRT investigated and reported to its supervisors, and the report reached the CEO on the same day as the attack.
Organizations also have a legal requirement to report some incidents outside the organization, for example to the PDPC for data breaches and to the CSA for critical sector security incidents.

5. Recovery

After the investigators have collected all the appropriate evidence from a system, the next step is to recover the system, returning it to a fully functioning state. This can range from a reboot for a minor incident to rebuilding the system for a major one. When a system is rebuilt from scratch, it is important to ensure that it is configured properly and is at least as secure as it was before the incident.

6. Remediation

In this phase, personnel examine the incident to identify what caused it and recommend measures to prevent it from happening again. This is called root cause analysis. A root cause analysis examines the incident to determine what allowed it to happen. For example, if attackers successfully accessed a database through a website, personnel would examine all the elements involved to determine what allowed the attackers to succeed. If the root cause analysis identifies a vulnerability that can be mitigated, this stage recommends a change. Perhaps the web server did not have up-to-date patches, allowing the attackers to gain control of it; remediation might include implementing a patch management programme. Perhaps the web application was not using adequate input validation, allowing a successful SQL injection attack; remediation would involve updating the application to validate its input and to pass user-supplied values to the database as query parameters rather than building SQL text from them. Or perhaps the database sits on the web server instead of on a back-end database server; remediation might include moving the database to a server behind an additional firewall.
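The SQL injection root cause in the remediation example above can be shown concretely. The Python snippet below is an added example for these notes, not code from the guide: it uses an in-memory SQLite database with two constructed users and a placeholder password-hash column. The vulnerable function builds SQL text from the request value, which is what lets `x' OR '1'='1` return every row; the remediated functions apply input validation, which the text recommends, together with parameter binding, the standard complementary fix that keeps a value from ever being interpreted as SQL.

```python
import re
import sqlite3

# Constructed user table for the example; the "hashes" are placeholder strings.
SAMPLE_USERS = [
    ("alice", "hash-of-alice-pw", "user"),
    ("admin", "hash-of-admin-pw", "admin"),
]
USERNAME_RE = re.compile(r"[a-z0-9_.-]{1,32}")


def make_db():
    """In-memory SQLite database standing in for the back-end database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the raw request value is spliced into the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '%s' ORDER BY username" % username
    return conn.execute(sql).fetchall()


def is_valid_username(username):
    """Input validation: accept only the characters a username may legitimately contain."""
    return bool(USERNAME_RE.fullmatch(username))


def find_user_parameterized(conn, username):
    """Parameter binding: the value travels separately from the SQL and can never become SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? ORDER BY username",
        (username,)).fetchall()


def find_user_safe(conn, username):
    """Remediated lookup: validate first, then bind. Bad input is rejected, not guessed at."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return find_user_parameterized(conn, username)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))        # every user comes back
    print("parameterized:", find_user_parameterized(conn, payload))  # no such user: []
    try:
        find_user_safe(conn, payload)
    except ValueError as exc:
        print("safe:", exc)
```

With the payload, the vulnerable query becomes `... WHERE username = 'x' OR '1'='1' ...`, a condition that is true for every row. The parameterized query is sent with the payload as a bound value, so the database looks for a user literally named `x' OR '1'='1` and finds none. Validation on top of that turns the attempt into a visible error that can be logged and alerted on, which ties back to the detection and reporting phases.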
7. Lessons learnt

During the lessons-learned stage, personnel examine the incident and the response to see whether there are lessons to be learned. The incident response team takes part in this stage, along with other employees who are knowledgeable about the incident. In examining the response, personnel look for any area where the response could be improved. For example, if it took a long time for the response team to contain the incident, the examination tries to determine why. It might be that personnel lacked adequate training and did not have the knowledge and expertise to respond effectively. They may not have recognized the incident when they received the first notification, allowing the attack to continue longer than necessary. The incident response team may not have recognized the need to protect evidence and may have inadvertently corrupted it during the response. The incident response team prepares a report on the lessons-learned review, including findings and recommendations such as changes to procedures, additional controls and changes to policies. Management decides which recommendations to implement.

Incident Response Planning

Developing an incident response plan (IRP) is a key part of preparing the organization for a cyber-attack or data breach. An IRP gives the company the guidelines, techniques and procedures for responding in the event of a cyber incident. Developing a cyber IRP is similar to creating a disaster recovery or business continuity plan, but focused on a specified area of risk. Setting up a cyber IRP involves several components, but it need not be a tedious process and can be fairly simple once we understand the steps we need to take.
Step 1: Establishing Roles and Responsibilities
- Designate leaders to take charge in the event of an incident.
- Prepare a response team of professionals from various specialties. The IR team could include:
  - Legal counsel
  - Chief Information Security Officer / Chief Information Officer
  - Technical personnel (network and security infrastructure)
  - Human resources
  - Public relations
- Assign backup roles in case a team member is unavailable during an incident.
- Outline the individual role of each member of the team.

Step 2: Outlining Communication Procedures

How the team will communicate during an incident:
- Where the team meets to coordinate the response.
- Whether it is safe to communicate over company systems, networks and email (if the attacker is inside those systems, they may be reading the response).
- Backup communication and coordination methods in case the attack causes major service disruption.
- Which law enforcement or government agencies to contact in the case of a major incident involving sensitive personal information.
- How to contact stakeholders who may be affected by the breach.
- How public relations should handle reporting the incident.
- How incident information will be shared with the cybersecurity community to raise awareness.

Step 3: Compiling Incident Information

Draft incident reports containing highly detailed information about the incident:
- When the incident occurred.
- What caused the incident.
- Who led the incident response team, for accountability.
- How the team responded.
- Whether the response complied with the pre-established procedures.

Step 4: Simplify the Action Checklist

Create a prioritized list of actions to be completed immediately:
- Take potentially compromised systems offline.
- Conduct an initial incident interview with the first responders to gain critical knowledge of the incident.
- Get digital forensic analysts on site to take forensically sound copies of any affected critical systems and information before they are altered.
- Establish response actions for the following days.

Step 5: Test, Review, and Update
- Test the IRP regularly, at least once a year, and possibly two to three times a year for larger companies.
- After the test, record and review any failures in the plan and note any areas that could be improved.
- Update the IRP based on the reviews conducted after the test.

Quiz (done on PollEV)

1. Which of the following are NOT security controls to protect access to business assets and information?
- Authorization