Certified Cybersecurity Technician Incident Response PDF

Summary

This document describes the preparation phase of incident handling and response for certified cybersecurity technicians. It focuses on establishing an incident response process, assessing assets, security policies, and other crucial elements. The preparation step involves defining the mission, vision, scope, and obtaining management approvals.

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Incident Response

Step 1: Preparation for Incident Handling and Response

[Slide: process-flow diagram of the IH&R preparation phase; the same diagram is reproduced as Figure 19.2 below.]

Preparation is the first and most important phase in the incident handling process; it enables an organization to establish an efficient IR process. In this stage, the organization will assess its assets, organizational structure, security policies, services, requirements for incident procedures, and other crucial elements of incident handling.
Crucially, this stage enables organizations to take precautionary measures before an incident occurs; thus, the success of an IR process depends on the preparation phase. In this stage, the organization will define the mission, vision, and scope of IH&R; obtain management approvals and funding; develop and implement security policies; build an IR team (a team of experts capable of handling any computer security incidents); gather systems, hardware, and software tools required for IR; prioritize assets and services; and create a plan for smooth communication during the incident. Preparation is the readiness to respond prior to the actual occurrence of an incident event.

Requirements for preparation include the following:

- Establishing a reasonable group of defenses/controls depending on the threats posed to the following:
  o Open systems that are vulnerable to attacks
  o Secured systems with no IR
  o Systems dealing with incidents that are to be secured
- Developing a group of methods to deal with incidents:
  o Measures to be considered in different situations by the staff

Module 19 Page 2132 Certified Cybersecurity Technician Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

  o Contact information
  o Keeping information from other neighboring organizations
  o Assigning people to participate in the IR effort
  o Determining risk levels and limits
- Acquiring resources and people to solve problems: Monetary resources are required for hardware, software, training, and special equipment for analysis and forensics. Examples of resources include PDAs, safe vaults, Intrusion Detection System (IDS) software, and database server software.
- Developing an infrastructure that supports IR: The overall business strategy should be developed to incorporate mechanisms into processes in order to respond to incidents.
  o A line of authority and management should be in place.
  o Defenses/controls specifically matching the resources of the network must be chosen.
  o IR procedures must be followed effectively.
  o Resources should be provided with proper finances.
  o Contact details should be maintained.
  o Evidence of IRs is to be stored.
  o Legal issues should be appropriately addressed.

System administrators are responsible for the preparation stage. Their responsibilities include the following:

- Ensuring password policies
- Disabling default accounts
- Configuring appropriate security mechanisms
- Executing and enabling system logging and auditing
- Patch management
- Ensuring proper backups
- Ensuring the integrity of file systems
- Identifying abnormal behavior in the system

[Figure 19.2: IH&R preparation phase—process flow. The flowchart starts at the decision "Established IR processes?". Its NO branch contains the nodes: Determine the need for incident handling and response (IR) processes; Define IR vision and mission; Evaluate the current security posture; Obtain management approval and funding; Develop IR plan, policies, and procedures; Define incident response criteria; Harden information system security; Create IRT and organize resources. Its YES branch contains the nodes: Evaluate current IR processes; Determine the need for change in IR processes; the decision "Additional controls required?"; Determine changes in IR processes; Obtain management approvals and funding; Update the existing IR processes. Both branches end at Implement IR plan.]
Incident Response Plan

[Slide: the IR plan determines the future course of action for establishing, managing, and strengthening incident response capabilities, followed by the list of what an IR plan should do, given in full below.]

The IH&R team creates an incident response plan (IRP) before handling and responding to incidents. An IRP is a set of guidelines that are required when responding to an incident in a dedicated and formal manner. The IR plan determines the future course of action for establishing, managing, and strengthening incident response capabilities. The plan contains the elements required for executing the IR effectively. These plans include response instructions for any detected incidents. The IRP includes company requirements such as size, structure, and functions. The plan identifies the resources required for managing the incidents.

- The IR plan should:
  o Address the mission and vision statements
  o Meet the goals of the incident response initiative
  o Comply with the statement of senior management approval
  o Include strategies to achieve set goals and timelines
  o Have an organized approach to incident response
  o Identify incident response key performance indicators that the organization can use for future reference
  o Provide a statement of interoperability
  o Add value to other organizational processes
  o Make efficient use of all the resources
  o Strengthen the organization's security
- An IRP should include the following:
  o Aim of the IRP
  o Objectives and approaches
  o Methodology of the IR
  o Standards to assess IR efficiency
  o Observing the current status of IR
- Components of an IRP:
  o Name and contact information of the IH&R team
  o System details such as data flow diagrams and network diagrams of the incident
  o The complete process required while recording and handling an incident
  o Report security incidents to the Information Security and Policy (ISP), who appoints a security analyst to handle the incident
  o Respond to the incident in a timely manner
