Chapter 19 - 01 - Understand Incident Response Concepts_ocred_fax_ocred.pdf
Document Details
Uploaded by barrejamesteacher
null
EC-Council
Tags
Related
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 01_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 02_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 03_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 04_ocred_fax_ocred.pdf
- Chapter 19 - 03 - Describe Incident Handling and Response Process - 05_ocred_fax_ocred.pdf
- Chapter 14 - Monitoring and Incident Response.pdf
Full Transcript
Certified Cybersecurity Technician Exam 212-82 Incident Response Module Flow @ @ \> 1...
Certified Cybersecurity Technician Exam 212-82 Incident Response Module Flow @ @ \> 1 1 >> Understand Understand Incident Incident Response Concepts Response Concepts @ 2 )> Understand the Role of First Responder in Incident Response 3 > Describe Incident Handling and Response Process cll. All Rights Reserved. Reproduct Understand Incident Response Concepts Understanding the concept of incident response (IR) will help handle security breaches effectively and minimize the damages from a cybersecurity attack. The objective of this section is to help you understand the approach, goals, and advantages of IR. It will highlight the roles and responsibilities of an incident handling and response team. Module 19 Page 2112 Certified Cybersecurity Technician Copyright © by EG-Council EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Incident Response Incident response (IR) is the process of taking organized 0660006 and careful steps when reacting to a security incident 060 It involves a sequence of steps that begin with first identifying and reporting an incident IR processes differ from organization to organization according to their business and operating environment The Incident Handling and Response Team is a group of specialized people who collectively respond, remediate, @© mitigate, recover, and communicate the impact of incidents involving computer security breaches The IH&R team works on an incident response plan when 0 dealing with a security incident Incident Response Incident response (IR) is the process of taking organized and careful steps when reacting to a security incident. It involves a sequence of steps that begin with first identifying and reporting an incident. IR is a systematic approach that is adopted to handle security incidents with minimal damage, recovery time, and costs. In the process of responding to an incident, information such as the vulnerability of the network that caused the attack to occur, who initiated the attack, and the kind of devices and files that are affected are known. IR processes differ from organization to organization according to their business and operating environment. The incident handling and response team is a group of specialized people who collectively respond, remediate, mitigate, recover, and communicate the impact of incidents involving computer security breaches. The IH&R team works on an incident response plan when dealing with a security incident. Goals of IR = To detect if an incident occurred and if it is an actual security incident or a false positive ®=* To maintain or restore Business Continuity *= To reduce the impact of an incident = To analyze the cause of an incident = To prevent future attacks or incidents = To improve security and incident response = To prosecute illegal activity Module 19 Page 2113 Certified Cybersecurity Technician Copyright © by EG-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Advantages of IR Equips the organization with safe procedures to be followed when an incident occurs Saves time and effort, which is otherwise wasted when fixing an encountered incident Helps the organization learn from past experiences and recover from losses more quickly The skills and technologies required to tackle an incident are determined in advance. Saves the organization from legal consequences arising from a severe incident Helps determine similar patterns across incidents and handle them more efficiently Module 19 Page 2114 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response Roles and Responsibilities of IH&R Team Depending on the organization, an in-house or an external IH&R team holds different titles, roles, and responsibilities for an incident response O Anindividual or group of individuals from the management with leadership and decision-making Management authority Information QO Anindividual from the information security team who has experience in discovering and Security Team containing incidents QO An individual who is aware of the information system and network areas. They may be system or network administrators Physical A - - - e Security Staff Q Anindividual who is responsible for physical security and identifying the extent of any damage Attorney QO An individual responsible for providing legal advice Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibite Roles and Responsibilities of IH&R Team (Cont’d) Representative An individual responsible for handling employee issues for an employee involved in an incident PR Specialist { An individual responsible for conveying company details after an incident Einancial I An individual who assesses the financial loss to a company from an incident Auditor An individual responsible for all actions of the IR Team and IR Function. They may be an executive-level AR e I employee such as a CISO, or another corporate representative IR Manager I An individual who receives the initial IR alerts and leads the IH&R team in all IR activities IR Assessment A group of individuals who make decisions on the classifications and the severity of the incident identified. Team The team comprises representatives from IT, Security, Application, Support, and other business areas An individual responsible for the remediation and resolution of the incident that occurred. They IR Custoc - I include technical experts and application support representatives. cil. All Rights Reserved. Reprod Roles and Responsibilities of IH&R Team The IH&R team is a group of specialized people who collectively respond to, investigate, remediate, mitigate, and communicate the impact of incidents involving computer security breaches. The IH&R team plays a very important role in the organization. However, maintaining such a team separately can involve huge costs and other resources. Therefore, organizations generally use their current employees who are experts in their fields to constitute the IH&R team in addition to a few dedicated members. Module 19 Page 2115 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response The IH&R team can include persons including network and system administrators, managers, stakeholders, employees, and security operations center analysts. Typical roles and responsibilities of IH&R team members may vary based on the organization’s IR activities. Management: In an organization, the management includes the top-most authoritative decision makers. It may include a single entity or a group of entities who make decisions when an incident occurs. The management should be the first entity to learn about an incident. They decide the steps to be taken after the occurrence of an incident is confirmed. Information Security Team: The team consists of a group of individuals who possess the skills to detect and analyze security incidents. They can easily identify the nature, category, and scope of the incident. IT Staff: IT Staff comprises the individuals who are either system or network administrators. They detect the incident by analyzing network traffic, system logs, and service packages and patches, among others, and report it to the management or the IH&R team. They execute the first response step to avoid further damage. Physical Security Staff: Physical security staff contribute to the handling of and response to physical security incidents. They can also be the first responders to a physical security incident. They actively report the occurrence of a physical security incident such as fire, theft, damage, and unauthorized access to the management. Attorney: The attorney is a legal advisor for the organization. Attorneys play a major role in ensuring that any evidence collected is admissible in a court of law. They can also help an organization recover from a financial loss due to an incident. HR Representative: An internal employee may be involved in a security incident. In these situations, Human Resources (HR) becomes involved when the IH&R team detects that an internal employee is involved in the security incident. HR provides the IH&R team with the best possible solution for dealing with any employee involved in an incident. PR Specialist The Public Relations (PR) department serves as a primary contact for the media and informs the media about an event. They update the website information, monitor media coverage, and are responsible for stakeholder communication, including to the following: o Board o Foundation personnel o Donors o Suppliers/vendors Module 19 Page 2116 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Incident Response * Financial Auditor Financial Auditors are individuals who assess the financial loss of the organization after an incident. The auditor is responsible for accounting for all losses that occurred as a result of the incident. The auditor is responsible for reporting the financial imbalance in the organization’s account. = |R Officer The IR Officer is an individual who oversees all IR activities in an organization. IR officers are executive employees who are responsible for how the IH&R team functions. Every action taken by the IH&R team is reported back to the IR Officer who further reports to the management of the organization. = IR Manager The IR Manager must be a technical expert who understands security and incident management. The IR Manager focuses on the incident and analyzes how to handle it from a management and a technical point of view. They are responsible for the actions performed by the incident analysts and reporting the information to the IR Officer. = |R Assessment Team The IR Assessment Team comprises individuals who prioritize the occurrence of an incident based on the amount of loss it caused to the organization. The team comprises individuals from various domains such as IT, security, application support, and other business areas. * |R Custodians IR Custodians are either technical experts or application support representatives. They play an important role when an application incident occurs. To respond to the incident, IR Custodians create an action framework that is further shared with the management. Module 19 Page 2117 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.
