INFORMATION ASSURANCE & SECURITY MODULE 2

Learning Objectives
- Understand the steps involved in an Incident Response Plan (IRP) and the roles and responsibilities of the incident response team.
- Evaluate different incident management frameworks.
- Apply incident management frameworks to real-world scenarios to effectively manage and mitigate security incidents.
- Distinguish Disaster Recovery Planning (DRP) from Business Continuity Planning (BCP), including their respective goals and components.
- Develop a basic Disaster Recovery Plan and Business Continuity Plan.
- Outline strategies for maintaining business operations during and after a disaster.

What is Operational Security?
Operational security (OPSEC) is a security and risk management process that prevents sensitive information from getting into the wrong hands. Another meaning of OPSEC is a process that identifies seemingly innocuous actions that could inadvertently reveal critical or sensitive data to a cyber criminal.

How Did OPSEC Come Into the Picture?
OPSEC first came about through a U.S. military team called Purple Dragon in the Vietnam War. The counterintelligence team realized that its adversaries could anticipate the U.S.’s strategies and tactics without managing to decrypt their communications or having intelligence assets to steal their data. They concluded that the U.S. military forces were actually revealing information to their enemy. Purple Dragon coined the first OPSEC definition, which was: “The ability to keep knowledge of our strengths and weaknesses away from hostile forces.”

Why is OPSEC Important?
OPSEC is important because it encourages organizations to closely assess the security risks they face and spot potential vulnerabilities that a typical data security approach may not. OPSEC enables IT and security teams to fine-tune their technical and non-technical processes while reducing their cyber risk and safeguarding them against malware-based attacks.
Incident Response and Management
Incident management and response are crucial elements of any cybersecurity program. Every incident provides lessons and opportunities for improvement, and higher education leaders should never assume that similar incidents won't happen again.

Security Incident Lifecycle
The first and most important step in the incident response lifecycle is preparation. Preparation ahead of an incident is what will allow you to respond more quickly and effectively in the midst of chaos. Preparation takes different forms as it affects different aspects of the cycle, so let’s use a common taxonomy (people, process, and technology), keeping in mind that they are interrelated.

What qualifies as an incident?

Threat Detection and Real Time Monitoring
Cybercrime is one of the biggest issues facing today's intensely digital, data-driven society. Digital threats like identity theft and data breaches have been threatening to rip apart the world as we know it for the last several years. What's even more terrifying is that it's still on the rise. Q3 of 2021 alone saw more data breaches than all of 2020 combined.

What Is Real Time Threat Detection?
Real-time threat detection refers to the ability of a cybersecurity system to identify and respond to potential security threats as they happen. This proactive approach is vital in preventing attacks before they can cause significant damage, ensuring that threats are detected and mitigated in the shortest possible time frame.

How Real Time Threat Detection Works
There are many different kinds of threat detection, which means there are many different ways that security tools can detect threats.

User and Attack Behavior Analytics - focus on identifying and responding to threats based on the behavior of users and attackers within an organization's network. These analytics use advanced algorithms, machine learning, and data analysis techniques to detect abnormal activities that could indicate potential security threats.
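As an added illustration of the behavior analytics described above (example code written for this page, not from the module or any product), the following Python learns a per-user baseline from constructed login records and flags successful logins that fall outside it, plus a burst of failed logins that resembles attacker behavior. The log format, user name, countries and thresholds are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real data): timestamp, user, result, source country.
# The first four lines are alice's normal working pattern; the rest is the day under review.
LOG = """\
2024-03-01T08:55:00 alice success DE
2024-03-02T09:03:00 alice success DE
2024-03-03T08:47:00 alice success DE
2024-03-04T09:10:00 alice success DE
2024-03-05T03:12:00 alice success BR
2024-03-05T03:12:05 alice failure RU
2024-03-05T03:12:07 alice failure RU
2024-03-05T03:12:09 alice failure RU
2024-03-05T03:12:11 alice failure RU
2024-03-05T03:12:13 alice failure RU
"""

def parse(log):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, result, country = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country})
    return events

def build_baseline(events):
    """Per-user profile learned from successful logins: countries and hours seen."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            profile[e["user"]]["countries"].add(e["country"])
            profile[e["user"]]["hours"].add(e["ts"].hour)
    return profile

def detect(events, baseline, burst_n=5, burst_window=timedelta(seconds=30)):
    """User behaviour: successes outside the learned profile. Attack behaviour: failure bursts."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the sliding window
    for e in events:
        p = baseline.get(e["user"])
        if e["result"] == "success" and p is not None:
            if e["country"] not in p["countries"]:
                alerts.append((e["ts"], e["user"], "login from unseen country " + e["country"]))
            if e["ts"].hour not in p["hours"]:
                alerts.append((e["ts"], e["user"], f"login at unusual hour {e['ts'].hour:02d}"))
        elif e["result"] == "failure":
            window = recent_failures[e["user"]]
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= burst_window]
            if len(window) == burst_n:
                alerts.append((e["ts"], e["user"], f"{burst_n} failures within {burst_window}"))
    return alerts

if __name__ == "__main__":
    events = parse(LOG)
    for ts, user, reason in detect(events, build_baseline(events[:4])):
        print(ts, user, reason)
```

Running it prints three alerts for the review day: a login from an unseen country, a login at an unusual hour, and the failed-login burst.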
Create Intruder Traps - Some things are just too good to pass up. Security teams understand this tendency, so they'll create scenarios that are too appealing for cybercriminals to pass up. These are called intruder traps.

Hunting Threats - Real time threat detection doesn't simply sit around and wait for cybersecurity threats. It can also proactively seek out security risks it might not know about yet.

Benefits Of Real Time Threat Detection
Eliminates Unnecessary Work - Removes the need for your IT team or cybersecurity firm to manually monitor or scan your network for cybersecurity risks. This has numerous benefits for you and your organization.
Catches Unknown Risks
Monitors ALL Network Activity - The generic image of automated security tools is of a pop-up warning you against some sort of questionable software you've downloaded from the internet.
Protects Against AI - Some of these AIs and bots can be amazingly sophisticated. They can monitor the behavior of verified users and modify their text or tone to match existing users. They can even get around many common bot detection solutions such as CAPTCHA or reCAPTCHA.
Monitors EVERY Network Interaction - In some circumstances, where security is of the utmost importance, you need to examine every network interaction. This includes users with authorized logins. This can sometimes account for millions of accounts making who knows how many requests on a network.

Incident Triage and Prioritization
Incident triage is the step where you evaluate an incident and decide how to tackle it. You might start this stage when you receive a complaint or report, or immediately after an incident (such as a security breach or workplace injury). Triaging is a key aspect of incident response. Without it, you could add legal trouble to an already stressful situation. For instance, if you don’t notify customers of a data breach within the timeframe set out in your local regulations, you could be hit with a fine.
Collect Reports
Step one of incident triage is collecting the complaints or reports. To streamline your triaging process, design your reporting system to be as thorough as possible. The form should include spots for the involved parties, date(s) of the incident(s), the nature of the incident, and a free-text box for details.

Determine Seriousness
Next, you must analyze the incident and decide how serious it is. The higher the level of seriousness, the faster and more sensitively it should be dealt with.

Gauge Legal Consequences
While it’s a separate step from determining seriousness, gauging the report’s potential legal consequences helps you identify what stage the incident is in and how quickly you need to address it.

Choose an Investigator
Next, choose an investigator or team to tackle the allegations. Fox says that the seriousness of the incident, as well as its potential consequences for the involved parties and your organization, should determine whether you handle the case internally or with external help.

Make a Timeline
Finally, create a timeline for addressing the incident. This doesn’t have to be a full investigation timeline, but it should include the order of next steps and rough deadlines for each one. It might sound like the simplest step, but shifting your schedule around during incident triage takes a lot of thoughtful work. That’s why it’s essential that not just any team member completes the task.

Disaster Recovery and Business Continuity Planning
Disaster recovery and business continuity are tightly related. In the 1970s, organizations started preparing Disaster Recovery (DR) plans, which were mainly focused on natural disasters. In the 1980s and onwards, the focus shifted to a more holistic view, named Business Continuity (BC).

What is a Business Continuity Plan?
A business continuity plan details how a business will continue operating and serving its customers, even in the face of a dramatic event like a natural disaster, major IT failure, or a cyberattack. The end goal is to preserve a company’s financial viability, market position, reputation, and customers, even in the face of a crisis. Business continuity planning covers every aspect of the business, including:
- Business processes—how can a process continue working even if critical equipment or supplies are missing?
- Human resources—how can critical staff continue performing their work if, for example, workstations are destroyed or there is no Internet connection?
- Business partners and suppliers—how can suppliers continue their work with the company if, for example, lines of communication or road transport are unavailable?

7 Chapters of a Business Continuity Plan
A typical business continuity plan contains the following sections:
1. Goals of the plan—should quantify which parts of the business are considered critical and how smoothly they should be able to operate during a crisis.
2. Budget—resources allocated to business continuity planning and preparation.
3. Personnel—who is responsible for maintaining the business continuity program and executing practical steps during a crisis; which other stakeholders exist—senior management, legal, PR, customers, partners, etc.—and how they should be involved or notified.
4. Business Impact Analysis—a holistic review of critical business processes, their weak points, and how they are likely to be affected by different types of disasters.
5. Proactive strategies—processes that should be carried out on a regular basis to prevent or more easily overcome disasters.
6. Immediate reactive strategies—what the organization should do at the moment disaster strikes to continue operations. This will typically include temporary measures, for example, delivering electricity using a portable generator while power is out.
7. Long-term reactive strategies—what the organization should do on “day two”, after the disaster has ended, to fully recover and rebuild systems to their original state.

What is a Disaster Recovery Plan?
A disaster recovery (DR) plan is a document that helps an organization react to a disaster, take action to prevent damages, and quickly recover operations. IT disaster recovery is a subset of disaster recovery which focuses on the IT aspects of DR, such as minimizing downtime of servers, databases and employee workstations, and bringing critical systems back online. An IT disaster recovery plan enumerates the tools and procedures to make this happen.

7 Chapters of an IT Disaster Recovery Plan
Here is the typical structure of a DR plan:
1. Goals – what the organization aims to achieve in a disaster, including the Recovery Time Objective (RTO), the maximum downtime allowed for each critical system, and the Recovery Point Objective (RPO), the maximum amount of acceptable data loss.
2. Personnel – who is responsible for executing the DR plan.
3. IT inventory – a list of hardware and software assets, their criticality, and whether they are leased, owned or used as a service.
4. Backup procedures – how and where (exactly on which devices and in which folders) each data resource is backed up, and how to recover from backup.
5. Disaster recovery procedures – emergency response to limit damages, last-minute backups, mitigation and eradication (for cybersecurity threats).
6. Disaster recovery sites – a robust DR plan includes a hot disaster recovery site: an alternative data center in a remote location that has all critical systems, with data replicated or frequently backed up to it. Operations can be switched over to the hot site when disaster strikes.
7. Restoration – procedures for recovering from complete systems loss to full operations.

Basic Steps to Creating Your IT Disaster Recovery Plan
Building a disaster recovery plan is not as simple as writing a document.
You need to do careful research to understand the needs of your organization and the risks it faces. You also need to carefully coordinate the plan with all stakeholders, test it to make sure it works, and continuously update it to make sure it stays relevant. Follow these steps to create a working disaster recovery plan:
1. Map out your assets – identify what you need to protect, including network equipment, hardware, software, cloud services, and most importantly, your critical data. For each item note its physical or virtual location, relation to other assets, vendor and version, networking parameters, etc.
2. Identify criticality and context – understand how your assets are used and their importance to the business. Classify assets into high impact, medium impact and low impact, by identifying how likely they are to disrupt business operations.
3. Risk assessment – identify which threats are likely to face the business as a whole and specific assets. Interview the staff who work on critical systems and ask them what the most likely causes of service interruption are.
4. Define recovery objectives – consult with senior management and operations staff to understand what the impact of an interruption to each critical system would be for one minute, one hour, one day, or more. Use this information to define your RTO and RPO.
5. Select disaster recovery setup and tooling – using your knowledge of the assets to be protected, the risks, and the required RTO/RPO, envision your final disaster recovery setup. Will you have a hot DR site? Where will it be located, and will it be cloud-based or self-hosted? Which backups or replicas will you maintain? Where will they be located? Select the software or hardware, cloud services or partners that can help you achieve the required setup.
6. Budgeting – as important as disaster recovery is to your business, you will have a limited budget. Present several options to management, each with a progressively higher price tag but better RTO/RPO and/or support for more critical services. Allow them to decide on the right balance between risk and investment in DR technology.
7. Approval – put together an agreed draft of your DR plan based on feedback from management and get final sign-off on the plan.
8. Communicate the plan – circulate your document to the disaster recovery team, to senior management, and to anyone else who will be involved with or affected by DR procedures.
9. Test and review – test the plan by conducting a realistic disaster drill and seeing if and how staff act according to the plan. Learn from the test and modify the plan and procedures accordingly. You should periodically review the plan – at least every six months – to ensure it is still relevant and reflects the current organizational structure and IT setup.

Business Continuity vs. Disaster Recovery Plan
The terms business continuity plan and disaster recovery plan are sometimes used interchangeably.

Business Continuity Plan | IT Disaster Recovery Plan
Aimed at ensuring business operations continue during and after a crisis, to preserve financial stability and reputation | Aimed at ensuring minimal damage to IT assets in a disaster and speedy, complete recovery
Inventory of all critical business assets—staff, suppliers, vehicles, buildings, etc. | Inventory of IT assets—network equipment, servers, endpoints, etc.
Business Impact Analysis of all threats affecting business operations | Analysis of threats affecting IT infrastructure
Includes an ongoing proactive component to prevent and prepare for disaster | Only focused on reactive measures in case disaster happens

Group Activity
You are the newly appointed IT Security Manager at a mid-sized company. Recently, the company has faced several cybersecurity incidents, including a ransomware attack that encrypted critical data. The company is now focused on enhancing its Operational Security and incident response capabilities.

Tasks:
1. Incident Response Plan: Develop a basic Incident Response Plan (IRP) for your company. Your plan should include:
   - Key steps to be taken when a security incident occurs.
   - The roles and responsibilities of team members during an incident.
   - A communication strategy for internal and external stakeholders.
2. Real-Time Threat Detection Implementation: Propose a strategy for implementing real-time threat detection in your company's IT infrastructure. Explain:
   - The types of tools or technologies you would recommend.
   - How User and Attack Behavior Analytics could be integrated into the system.
   - The expected benefits of adopting real-time threat detection.
3. Business Continuity vs. Disaster Recovery: Create a comparison chart that outlines the differences between Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP). Include at least three key differences and provide examples of scenarios where each plan would be critical.
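The DR procedure above defines RTO and RPO targets per critical system (step 4) and then checks them in a realistic drill (step 9). As an added example that is not part of this module, the following Python scores constructed drill results against such targets, treating a system that never came back, or had no usable backup, as a miss; all system names, times and targets are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class Target:
    system: str
    rto: timedelta  # maximum tolerated downtime (Recovery Time Objective)
    rpo: timedelta  # maximum tolerated data loss (Recovery Point Objective)

@dataclass
class DrillResult:
    system: str
    outage_start: datetime
    service_restored: Optional[datetime]  # None if the system never came back during the drill
    backups_completed: List[datetime]     # completion times of successful backups

def achieved_rpo(r: DrillResult) -> Optional[timedelta]:
    """Data loss = gap between the newest backup finished before the outage and the outage.
    None means no usable backup existed, i.e. the loss is unbounded."""
    usable = [b for b in r.backups_completed if b <= r.outage_start]
    return r.outage_start - max(usable) if usable else None

def achieved_rto(r: DrillResult) -> Optional[timedelta]:
    """Downtime actually observed in the drill; None if recovery never completed."""
    return None if r.service_restored is None else r.service_restored - r.outage_start

def evaluate_drill(targets, results):
    """Map each system to (rto_met, rpo_met); unexercised systems and missing restores/backups are misses."""
    by_system = {r.system: r for r in results}
    report = {}
    for t in targets:
        r = by_system.get(t.system)
        rto = achieved_rto(r) if r else None
        rpo = achieved_rpo(r) if r else None
        report[t.system] = (rto is not None and rto <= t.rto, rpo is not None and rpo <= t.rpo)
    return report

# Constructed drill data for illustration (not from the module).
T0 = datetime(2024, 3, 1, 9, 0)  # simulated outage start
TARGETS = [
    Target("payments-db", rto=timedelta(hours=1), rpo=timedelta(minutes=15)),
    Target("hr-portal", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
]
RESULTS = [
    # Hourly backups: newest is 45 min old, so the 15 min RPO is missed; restored in 50 min meets RTO.
    DrillResult("payments-db", T0, T0 + timedelta(minutes=50),
                [T0 - timedelta(hours=1, minutes=45), T0 - timedelta(minutes=45)]),
    # Nightly backup 10 h old and a 3 h restore both fall inside the targets.
    DrillResult("hr-portal", T0, T0 + timedelta(hours=3), [T0 - timedelta(hours=10)]),
]

if __name__ == "__main__":
    for system, (rto_ok, rpo_ok) in evaluate_drill(TARGETS, RESULTS).items():
        print(f"{system}: RTO {'met' if rto_ok else 'MISSED'}, RPO {'met' if rpo_ok else 'MISSED'}")
```

The payments database meets its RTO but misses its RPO, which is exactly the kind of finding that sends you back to step 5 to shorten the backup interval before the next review.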