In week 7, analyze the impact that business continuity planning has on risk management - Writeedu

In week 7, analyze the impact that business continuity planning has on risk management. You must use at least one scholarly resource. Every discussion posting must be properly APA formatted.

500 words

CHAPTER 15

Mitigating Risk with a Computer Incident Response Team Plan

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.

Learning Objective(s) and Key Concepts

Perform business continuity, disaster, and incident response planning.

Definition of a computer incident response team (CIRT) plan

Purpose of a CIRT plan

Elements of a CIRT plan

How a CIRT plan can mitigate an organization’s risk

Best practices for implementing a CIRT plan

Computer Security Incident

A violation or imminent threat of a violation of a security policy or security practice

Examples

Denial of service (DoS) attack

Malicious code

Unauthorized access

Inappropriate usage

Multiple component

What Is a Computer Incident Response Team Plan?

Computer incident response team (CIRT)

A group of people who respond to incidents

A CIRT plan

Formal document that outlines an organization’s response to computer incidents

Formally defines a security incident

May designate the CIRT team

Purpose of a CIRT Plan

Helps organizations identify and prepare for computer incidents

Applies critical thinking to solve potential problems

Helps develop best responses to reduce damage

Outlines the purpose of the response effort

The five Ws: what, where, who, when, and why

Growth of Incidents

1988 – one incident was news

2003 – 137,529 incidents

Today – off the charts

Elements of a CIRT Plan

CIRT members

IT staff and security professionals who understand risks and threats posed to networks and systems

Roles, responsibilities, and accountabilities

CIRT policies

Incident handling process

Communication escalation procedures

Incident handling procedures

CIRT Members

Team leader

Information security members

Network administrators

Physical security personnel

Legal

Human resources (HR)

Communications

Responsibilities

Developing incident response procedures

Investigating incidents

Determining the cause of incidents

Recommending controls to prevent future incidents

Protecting collected evidence

Using a chain of custody

Accountabilities

Accountable to the organization to provide a proactive response to any incident

Expected to minimize the impact of any incident

Expected to keep up to date on security threats and possible responses

Dedication on the part of each team member

CIRT Policies

May be simple statements or contained in appendixes at the end of the plan

Provide the team with guidance in the midst of an incident

Primary policy to consider: whether or not CIRT members can attack back

Best practice is not to escalate an attack into a two-sided conflict

Leave retribution to law enforcement.

Other policies may be related to:

Evidence

Communications

Safety

Incident Handling Process

Four phases defined by NIST SP 800-61

Handling DoS Attack Incidents

DoS attacks attempt to prevent a system or network from providing a service by overwhelming it and consuming its resources.

Indications that a DoS attack is occurring:

User reports of system unavailability

Intrusion detection system (IDS) alerts on the attack

Increased resource usage on the attacked system

Increased traffic through the firewall to the attacked system

Unexplained connection losses

Unexplained system crashes

Suspected attack can be confirmed by reviewing available logs
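To put the last point into practice, here is an added example (not from the textbook) that confirms a suspected DoS from firewall log lines: it counts connections per second to each destination, flags seconds that reach a multiple of the normal baseline, and counts how many distinct sources were involved, which tells the CIRT whether a source-IP filter is workable or the attack is distributed. The log format, addresses and baseline are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log format (assumed, not from the chapter):
# HH:MM:SS <source IP> <destination IP>:<port> ALLOW|DENY
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+):(\d+) (ALLOW|DENY)$")

# Constructed sample: normal traffic is about one connection per second...
NORMAL = [
    "12:00:00 192.0.2.44 203.0.113.10:443 ALLOW",
    "12:00:01 192.0.2.45 203.0.113.10:443 ALLOW",
    "12:00:02 192.0.2.44 203.0.113.10:443 ALLOW",
]
# ...then in 12:00:03 and 12:00:04 eight different hosts each hit the web server
BURST = [f"12:00:0{s} 198.51.100.{h} 203.0.113.10:443 ALLOW"
         for s in (3, 4) for h in range(1, 9)]
SAMPLE_LOG = "\n".join(NORMAL + BURST)

def parse(log_text):
    """Yield (second, src, dst) from well-formed lines; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def confirm_dos(log_text, baseline_per_sec, factor=5):
    """Flag destinations whose per-second connection count reaches factor x the
    normal baseline. Returns {dst: {peak_per_sec, sources, filter_hint}}."""
    hits = defaultdict(lambda: defaultdict(int))   # dst -> second -> connections
    srcs = defaultdict(lambda: defaultdict(set))   # dst -> second -> source IPs
    for sec, src, dst in parse(log_text):
        hits[dst][sec] += 1
        srcs[dst][sec].add(src)
    threshold = baseline_per_sec * factor
    findings = {}
    for dst, by_sec in hits.items():
        hot = [s for s, n in by_sec.items() if n >= threshold]
        if not hot:
            continue
        sources = set().union(*(srcs[dst][s] for s in hot))
        findings[dst] = {
            "peak_per_sec": max(by_sec[s] for s in hot),
            "sources": len(sources),
            # A few sources can be filtered by IP at the router or firewall;
            # many sources (a botnet) call for port/protocol filters or the ISP.
            "filter_hint": "source IP" if len(sources) <= 3 else "port/protocol or ISP",
        }
    return findings
```

Running `confirm_dos(SAMPLE_LOG, baseline_per_sec=1)` reports the web server with a peak of 8 connections per second from 8 distinct sources, so a per-IP filter alone would not be a practical containment step.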

Handling DoS Attack Incidents (Cont.)

Distributed denial of service (DDoS) attack from a botnet

What are the implications on the attacked server?

Handling Malware Incidents

Primary protection is antivirus software

Secondary protection is to train and educate users

Create checklists that identify what users should do if their systems are infected

If malware infects an email server, isolate the server

Configure web browsers and email readers to prevent the execution of malicious mobile code

Viruses

Worms

Mobile code

Trojan horses

Handling Unauthorized Access Incidents

Examples:

Viewing or copying sensitive data without authorization

Using social engineering

Guessing or cracking passwords and logging on with these credentials

Running a packet sniffer, such as Wireshark, to capture data transmitted on the network

Hardening steps:

Reducing the attack surface

Keeping systems up to date

Enabling firewalls

Enabling IDSs

Handling Inappropriate Usage Incidents

Examples:

Spamming coworkers

Accessing websites that are prohibited

Circumventing security policies

Using file sharing or P2P programs

Sending files with sensitive data outside the organization

Launching attacks from within the organization against other computers

Means of prevention:

Security policies and acceptable use policies (AUPs)

Alerts

Log reviews

Reports by other users

Data loss prevention (DLP) software

Handling Multiple Component Incidents

A multiple component incident is a single incident that includes two or more other incidents, which are related to each other but not always immediately apparent as such

Steps to take:

Identify the root cause of an incident.

Remove the root cause, if possible.

Example:

Incident 1: A user opens a malicious email attachment, which infects the system.

Incident 2: The malware releases a worm that infects other computers on the network.

Incident 3: The malware contacts a server, which forms a botnet. Infected systems on the network find other systems to infect.

Communication Escalation Procedures

Escalation

When someone determines an event is an incident and declares it

One of the first steps is to recall one or more CIRT members

If the incident is worse than expected:

CIRT member can escalate the response

Organization can activate the full CIRT

If ordinary communications are hampered:

CIRT members can be issued push-to-talk phones or walkie-talkies

A war room can be set up for face-to-face communications

Incident Handling Procedures

Calculating the impact and priority

Using a generic checklist

Handling DoS attack incidents

Handling malware incidents

Handling unauthorized access incidents

Handling inappropriate usage incidents

Calculating the Impact and Priority (Example)

Current effect rating

Minimal because the attack is currently affecting only one web server in the web farm. Score of 10. This rating will be used for 25 percent, or one-quarter, of the overall impact score (10 × .25 = 2.5).

Projected effect rating

Medium because the attack has the potential to spread to more web servers in the web farm. Score of 50. This rating will be used for 25 percent, or one-quarter, of the overall impact score (50 × .25 = 12.5).

Criticality rating

Medium because the web server does affect a mission-critical system in a single location. Score of 50. This rating will be used for 50 percent, or one-half, of the overall impact score (50 × .50 = 25).

Calculating the Impact and Priority (Example) (Cont.)

The following formula can then be used to determine the impact:

(Current effect rating × .25) + (Projected effect rating × .25) + (Criticality rating × .50)

(10 × .25) + (50 × .25) + (50 × .50)

2.5 + 12.5 + 25

Incident impact score = 40
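The same formula as an added Python example (not from the textbook), generalized to rank a queue of incidents by impact score so the CIRT can decide priority; the weights and the web-farm ratings are the slide's, while the second and third incidents are constructed for comparison.

```python
from dataclasses import dataclass

# Weights from the chapter's formula: current 25%, projected 25%, criticality 50%
WEIGHTS = {"current": 0.25, "projected": 0.25, "criticality": 0.50}
# Rating scores used on the slides (Minimal = 10, Medium = 50)
MINIMAL, MEDIUM = 10, 50


@dataclass
class Incident:
    name: str
    current: int      # current effect rating, 0-100
    projected: int    # projected effect rating, 0-100
    criticality: int  # criticality rating, 0-100


def impact_score(inc):
    """(Current effect x .25) + (Projected effect x .25) + (Criticality x .50)"""
    # Guard against a mis-edited weight table: the three shares must total 100 percent
    if abs(sum(WEIGHTS.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")
    for v in (inc.current, inc.projected, inc.criticality):
        if not 0 <= v <= 100:
            raise ValueError(f"rating out of range: {v}")
    return (inc.current * WEIGHTS["current"]
            + inc.projected * WEIGHTS["projected"]
            + inc.criticality * WEIGHTS["criticality"])


def prioritize(incidents):
    """Highest impact first; sorted() is stable, so equal scores keep reporting order."""
    return sorted(incidents, key=impact_score, reverse=True)


# The slide's web-farm example: Minimal current, Medium projected, Medium criticality
WEB_FARM = Incident("DoS on one web server in the farm", MINIMAL, MEDIUM, MEDIUM)

# Two constructed incidents (not from the slides) to show the ranking
QUEUE = [
    WEB_FARM,
    Incident("phishing mail opened by one HR user", MEDIUM, MEDIUM, MINIMAL),
    Incident("worm spreading from the file server", MEDIUM, 100, 100),
]

if __name__ == "__main__":
    for inc in prioritize(QUEUE):
        print(f"{impact_score(inc):5.1f}  {inc.name}")
```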

Using a Generic Checklist

Verify that an incident has occurred

Determine the type of incident

Determine the impact or potential impact of the incident

Report the incident

Acquire any available evidence on the incident

Contain the incident

Eradicate the incident

Recover from the incident

Document the incident

Handling DoS Attack Incidents

Containment

Add filters at routers or firewalls to block the traffic based on the IP address, port, or protocol used in the attack

Recovery

Repair and test the affected system

Contact the Internet service provider (ISP)

Eradication

Identify vulnerabilities and take steps to mitigate them

Handling Malware Incidents

Containment

Identify infected systems

Disconnect them from the network

Eradication

Run full scans on systems

Determine why antivirus software didn’t detect the malware

Remove all elements of the malware from the system

Disinfect, quarantine, or delete infected files

Recovery

Replace deleted or quarantined files needed for system operation

Verify the system is no longer infected

Run another full scan before returning the system to operation

Handling Unauthorized Access Incidents

Containment

Identify and isolate the attacked system from the network

Block all traffic at the firewall; log attempts to connect

Disable the internal account (if it is the source) and verify least privilege

Eradication

Identify weaknesses that allowed the attack to succeed

Verify system hardening

Disable/delete additional accounts created during the attack

Resolve vulnerabilities

Recovery

Reconnect, verify, and test systems

Consider adding monitoring, such as an IDS

Handling Inappropriate Usage Incidents

Containment

Disable the user’s account until management takes action

Eradication

Require specific user training before access is returned

Document the activity in the employee’s record

Recovery

Enable the account after appropriate action has been completed

How Does a CIRT Plan Mitigate an Organization’s Risk?

Quick and focused response to incidents

Clearly defined roles and responsibilities

Enhanced understanding of needed skills

Enhanced ability to respond to threats and attacks

Best Practices for Implementing a CIRT Plan

Define a computer security incident

Include policies in CIRT plan to guide members

Provide training

Develop CIRT checklists

Subscribe to security notifications

Summary

Definition of a computer incident response team (CIRT) plan

Purpose of a CIRT plan

Elements of a CIRT plan

How a CIRT plan can mitigate an organization’s risk

Best practices for implementing a CIRT plan

10/11/2020
