CC Domain 2

Domain 2: Incident Response, Business Continuity and Disaster Recovery Concepts

Domain 2 Agenda
Module 1: Incident Response
Module 2: Business Continuity
Module 3: Disaster Recovery
Module 4: Summary

Module 1: Incident Response Concepts

Key terms: Breach, Event, Incident, Exploit, Intrusion, Threat, Vulnerability, Zero Day

Breach
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence.

Event
Any observable occurrence in a network or system.

Incident
An event that potentially affects the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.

Exploit
A particular attack. It is named this way because these attacks exploit system vulnerabilities.

Intrusion
A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization.

Threat
Any circumstance or event with the potential to adversely impact organizational operations.

Vulnerability
Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

Zero Day
A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.

The Goal of Incident Response
• Every organization must be prepared for incidents.
• The priority of any incident response is to protect life, health and safety. When any decision related to priorities is to be made, always choose safety first.
• The incident response process is aimed at reducing the impact of an incident so the organization can resume the interrupted operations as soon as possible.

Incident Response Plan Components

Preparation
• Develop a policy approved by management.
• Identify critical data and systems, and single points of failure (assets with only one layer of protection).
• Implement an incident response team.
• Train staff on incident response.
• Identify roles and responsibilities.
• Practice incident identification (first response).
• Plan the coordination of communication between stakeholders.

Detection and Analysis
• Monitor all possible attack vectors (an attack vector is the path an attacker takes to exploit a vulnerability; in other words, how the attack was carried out).
• Analyze the incident using known data and threat intelligence.
• Prioritize incident response.
• Standardize incident documentation (so everyone knows what needs to be done).

Containment
• Gather evidence (preserving its integrity).
• Choose an appropriate containment strategy.
• Identify the attacker.
• Isolate the attack.

Additional documents to be used during this stage:

⦿ Chain of Custody: the documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of materials, including physical or electronic evidence.
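
Evidence gathering and the chain of custody described above, as an added example that is not part of the course material: a tamper-evident chain-of-custody record that hashes the evidence at acquisition, links each custody entry to the previous one, and flags altered evidence, edited log entries and unrecorded handovers. The party names and the evidence bytes are constructed samples.

```python
"""Chain-of-custody record with integrity checks. Added example, not part of the
course material; the parties and evidence bytes used are constructed samples."""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    timestamp: str
    action: str            # acquired / transferred / analyzed / disposed
    from_party: str
    to_party: str
    evidence_hash: str     # hash of the evidence as handed over at this step
    prev_entry_hash: str   # hash of the previous entry: a tamper-evident link

def entry_hash(entry: CustodyEntry) -> str:
    return sha256_hex(json.dumps(asdict(entry), sort_keys=True).encode())

@dataclass
class EvidenceRecord:
    evidence_id: str
    acquisition_hash: str  # reference hash taken when the evidence was collected
    entries: list = field(default_factory=list)

    def append(self, action: str, from_party: str, to_party: str, data: bytes) -> None:
        prev = entry_hash(self.entries[-1]) if self.entries else "0" * 64
        now = datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(now, action, from_party, to_party, sha256_hex(data), prev))

def acquire(evidence_id: str, data: bytes, collector: str) -> EvidenceRecord:
    rec = EvidenceRecord(evidence_id, sha256_hex(data))
    rec.append("acquired", "scene", collector, data)
    return rec

def transfer(rec: EvidenceRecord, from_party: str, to_party: str, data: bytes) -> None:
    rec.append("transferred", from_party, to_party, data)

def verify(rec: EvidenceRecord) -> list:
    """Return the problems found; an empty list means the chain is intact."""
    problems = []
    for i, e in enumerate(rec.entries):
        if e.evidence_hash != rec.acquisition_hash:        # evidence altered
            problems.append(f"entry {i}: evidence hash differs from acquisition hash")
        if e.prev_entry_hash != (entry_hash(rec.entries[i - 1]) if i else "0" * 64):
            problems.append(f"entry {i}: custody log link broken")  # log edited
        if i and rec.entries[i - 1].to_party != e.from_party:    # unrecorded handover
            problems.append(f"entry {i}: handover gap ({rec.entries[i - 1].to_party} -> {e.from_party})")
    return problems
```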

Post-Incident Activity
• Identify evidence that may need to be retained (e.g., for legal purposes).
• Document lessons learned.
• Repeat the cycle.

Incident Response Team
A typical incident response team is a cross-functional group of individuals who represent the management, technical and functional areas of responsibility most directly impacted by a security incident. Potential team members include the following:

• Representative(s) of senior management
• Information security professionals
• Legal representatives
• Public affairs/communications representatives
• Engineering representatives (system and network)

These teams are commonly known as computer incident
response teams (CIRTs) or computer security incident response
teams (CSIRTs). When an incident occurs, the response team
has four primary responsibilities:
• Determine the amount and scope of damage caused by the incident.
• Determine whether any confidential information was compromised during the
incident.
• Implement any necessary recovery procedures to restore security and recover from
incident-related damage.
• Supervise the implementation of any additional security measures necessary to
improve security and prevent recurrence of the incident.

Module 2: Business Continuity

The Importance of Business Continuity
Sustain business operations while recovering from a significant disruption.

(Slide illustration: natural disaster)

Business Continuity Plan (BCP)
Business continuity planning (BCP) is the proactive development of procedures to restore business operations after a disaster or other significant disruption to the organization.

Members from across the organization should participate in creating the BCP to ensure all systems, processes and operations are accounted for in the plan.

Key parts of Business Continuity:
1. Communication – multiple contact methodologies and backup numbers (phone tree).
2. Procedures and checklists – know exactly who is responsible for which action (the “RED BOOK”, kept in multiple copies).
3. Management must be included to activate the business continuity plan (how and when to enact the plan).
4. Critical contact numbers for the supply chain, as well as law enforcement and other sites outside of the facility.

Business Impact Analysis (BIA)
An analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Module 3: Disaster Recovery

Disaster Recovery
The activities necessary to restore IT and communications services to an organization during and after an outage, disruption or disturbance of any kind or scale.

Disaster Recovery Plan (DRP)
Policies, procedures and processes related to recovering critical business functions, technologies, systems and applications after the organization experiences a disaster.

Goal: to see the business restored to its full last-known reliable operations.

Disaster Recovery vs Business Continuity

⦿ Business Continuity planning is about maintaining critical business functions.
⦿ Disaster Recovery planning is about restoring IT and communications back to full operations after a disruption.

Components of a Disaster Recovery Plan
1. Executive summary providing a high-level overview of the plan
2. Department-specific plans
3. Technical guides for IT personnel responsible for implementing and maintaining critical backup systems
4. Full copies of the plan for critical disaster recovery team members
5. Checklists for:
   - Recovery team: to help guide their actions during the chaotic atmosphere of a disaster
   - IT personnel: technical guides helping them get the alternate sites up and running
   - Managers and public relations personnel: simple-to-follow, high-level documents to help them communicate the issue accurately

A disaster is when an organization’s critical business function(s) cannot be performed at an acceptable level within a predetermined period following a disruption.

Module 4: Summary and Questions

Quiz: Domain 2 Review Questions

Q1. What is the first stage within the Incident Response Plan?
A. Detection and Analysis
B. Containment, Eradication and Recovery
C. Preparation
D. Post-Incident Activity

Q2. The goal of an Incident Response Plan is to:
A. Organizations to be prepared for incidents
B. Protect life, health and safety
C. Reducing the impact of an incident
D. Organization can resume the interrupted operations as soon as possible

Q3. All the below are parts of the Incident Response preparation phase, except:
A. Train staff on incident response
B. Identify roles and responsibilities
C. Develop an approved policy
D. Monitor all possible attack vectors

Q4. Which of the below is the best team to speak with the government about a breach that affected citizens’ personal information?
A. CISO office
B. Senior Management
C. Security Manager
D. Legal office

Q5. Which of the below is concerned with restoring IT and communications back to full operations after a disruption?
A. Business Continuity Plan
B. Disaster Recovery Plan
C. Incident Response Plan
D. A+B

Q6. A Business Continuity Plan must be tested (select 2):
❑ Annually
❑ Every 6 months
❑ After any significant change
❑ At predefined intervals

Q7. Which of the following defines the amount of data a company is willing to lose (can afford to lose) during disasters?
A. Recovery Time Objective (RTO)
B. Recovery Point Objective (RPO)
C. Backups
D. Risk avoidance

Q7. ________ must be able to detect incidents, but only ________ can activate the business continuity plan.
A. Senior management, Security Manager
B. IR Team, Senior Management
C. Senior Management, IT Team
D. All employees, Senior Management

Q8. Members from across the organization should participate in creating the Business Continuity Plan (BCP).
A. True
B. False

Q9. Senior Management will have technical guides helping them get the alternate sites up and running.
A. True
B. False

Q10. Critical business processes and information systems can be best prioritized using:
A. Business Impact Analysis (BIA)
B. Business Continuity Plan (BCP)
C. Disaster Recovery Plan (DRP)
D. Recovery Point Objective (RPO)