Cybersecurity for Beginners
Incident Management Best Practices
Volume 2
Mike Miller
Copyright
All rights reserved. No part of this book may be reproduced in any form or by any electronic, print or mechanical means, including information storage and retrieval systems, without permission in writing from the publisher.
Copyright 2020 Mike Miller
Disclaimer
This book is produced with the goal of providing information that is as accurate and reliable as possible. Professionals should be consulted as needed before undertaking any of the actions endorsed herein. Under no circumstances will any legal responsibility or blame be held against the publisher for any reparation, damages, or monetary loss due to the information herein, either directly or indirectly. This declaration is deemed fair and valid by both the American Bar Association and the Committee of Publishers Association and is legally binding throughout the United States. The information in the following pages is considered to be a truthful and accurate account of facts, and as such any inattention, use or misuse of the information in question by the reader will render any resulting actions solely under their purview.
Introduction
In this book, we're going to look at incident management, which includes incident handling and incident response. In the following chapters we're going to learn how to define an incident, how an organization may classify an incident, and how incident management policies, procedures, and plans fit together. All of these contribute to the business developing an incident response strategy. Here's what we're going to cover in this first part of the book. We're going to define incidents: you'll get the textbook definitions, but you'll also learn how an organization should define incidents within its own context and environment. We'll talk about the fundamentals of incident management, the concepts that help you develop and maintain an incident management program. You'll learn how to define and classify incidents using different criteria such as impact, severity, and cause (man-made, natural, accidental, and so on). Lastly, you'll learn about incident management policies and plans, and why you can only have a good incident management program if you have effective policies and well-written incident response plans.
Chapter 1 How to define Incidents
First of all, let's talk about what incidents are. What's an incident? An incident is a negative event. And what's an event? An event is anything that can be observed. A negative event is one that impacts the organization, its systems or its data in a bad way. Incident management is how well the organization manages unexpected negative events. The goals of incident management are to reduce the impact to the organization, its data, and its systems, and to restore normal business operations as quickly as possible. Incident response is a subset of incident management: it is the organization's capabilities, resources, people, processes, and procedures, everything the organization can throw at an adverse event in order to react to it. An adverse event could be a cyber attack, a tornado, an insider threat, or an insider accident. Let's talk about the difference between natural events and human-created incidents. A natural event is an environmental incident such as a tornado, hurricane, earthquake or wildfire. These are difficult to predict and on occasion very difficult to guard against. Then you have human-created, or man-made, incidents: hacking attacks, terrorism, arson, or accidents that occur in the workplace. You can classify an incident in one of these two ways, or by other criteria, which we will see later in the book when we talk about defining and classifying incidents.
Chapter 2 Basic concepts of Incident Management
Let's talk about some fundamentals of incident management that you need to know in order to have a good incident management program. First of all, what are the goals of incident management? They're simple. We want to identify incidents as quickly as possible. We want to determine what they're all about and gather enough information about them to know how to respond. We want to determine their severity and classify them. We want to respond quickly and effectively so we can contain the damage. Above all, we want to keep the business going, bring it back to normal operations, and prevent future incidents where possible. A related goal is to implement the controls and countermeasures needed to decrease the risk of similar incidents happening again. As part of incident management, there are things we need to do before an incident occurs. We need to develop our incident response plan, policy, procedures and strategy. We need to decide how we're going to classify incidents in terms of impact and severity. We need to get our people together, appoint them to the team, and train them well. Another thing we have to do early on is establish a chain of command in our notification and alert procedures, because when an incident happens we have to be able to alert and notify the right people up the chain.
We've talked about incident management and how it falls under risk, but let's look at that more closely. Incident management is a subset of risk management. It reduces risk to a degree, because we quickly contain the damage from an incident, and it is also how we respond to risk once it materializes, because a live incident is a risk to the organization that has become real. In risk terms we talk about a threat exercising a vulnerability, the likelihood of that happening, and the impact that results. A threat exercising a vulnerability is our negative event, our incident. That is how incident management connects back to risk. One way to find out which incidents may happen to us is threat modelling: analyse our vulnerabilities to see which threats could exploit them. This helps us discover which incidents could occur and how severe they might be in terms of impact to the organization. People often mistakenly think that incident management only involves the IT department or the security department, and that's not true. Incident management involves just about every department in the company: IT, but also HR, legal, any public relations or media relations department, and so on. Each contributes to a different aspect of the response. HR is involved when the actor is an internal employee, whether malicious or careless. The legal department ensures we're acting legally, ethically, with due diligence and due care, and in a way that reduces liability. The public relations department communicates the right information to the media at the right time. Other parts of the organization matter as well, such as the insurance and risk programs, because at the end of the incident they help take care of the costs.
Compliance programs are significant because many compliance regimes require you to have an incident management program. Privacy is another aspect we may have to deal with when we respond to an incident, because customer data or personal data might be compromised, so we have to know how to react to that in terms of privacy obligations.
Let's talk about an incident management system. You don't just walk around and write all this on sticky notes. You need an incident management system to help you collect data, sort it, route it to the right people, analyse it, and so on. With such a system you can record every aspect of an incident, capture all the data, and keep it in one centralized location, and you can use it to analyse the incident. It can take input from a wide variety of sources, including network intrusion detection systems, host-based intrusion detection systems, and security information and event management (SIEM) systems. You can also pull in log files and other data sources, and collect all of this in your incident management system so that you have a comprehensive set of data to analyse. In incident management, how do we know we're doing a good job? A well-designed incident management program deals with unexpected events very well. We need to detect and identify incidents as quickly as possible. We must have well-established procedures in our incident response plan that have been defined and practiced. We have to carefully pick and choose the members of the incident response team, and train them well for the incidents we are likely to face. We also want incident management to be cost effective, with a response that is proportionate to the incident. We need to regularly test our incident response capabilities; we've talked about exercises and tests before. Moreover, a well-designed incident management program lets us collect metrics to measure how well we're doing and analyse that data. It also lets us look at an incident and all the lessons learned, find out what the root cause was, and work out how to prevent that incident from happening again.
We use these lessons learned to prevent further incidents and also to increase how well we respond to incidents because we're going to learn a lot during any incident about what we should and shouldn't be doing.
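To make the ideas in this chapter concrete, here is an added example (not code from the book) of the core of a small incident management system: it ingests alerts from three different feeds (a NIDS, a HIDS and plain syslog), normalizes them to one record shape, correlates them into incidents per host, classifies severity, picks who to notify up the chain, and computes time-to-detect and time-to-contain metrics. All sample lines, the asset inventory, the rule ids, the severity scales, the 15-minute correlation window and the escalation chain are constructed assumptions; a real deployment would take these from its own tools and policy.

```python
"""Added example: minimal incident management pipeline (normalize, correlate,
classify, escalate, measure). Feed formats and thresholds are assumptions."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

PAGE_THRESHOLD = 7   # assumed: events at or above this severity page the SOC
YEAR = 2024          # assumed: BSD syslog timestamps carry no year
# Constructed asset inventory: the NIDS only knows IPs, other feeds know host names.
ASSETS = {"10.0.0.7": "web01", "10.0.0.12": "db01"}


@dataclass
class Event:
    ts: datetime
    source: str      # "nids", "hids" or "syslog"
    host: str
    severity: int    # 1 (low) .. 10 (critical), normalized across feeds
    msg: str


def iso_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# One parser per feed; each produces the same normalized Event shape.
NIDS_RE = re.compile(   # constructed Snort-like fast alert, sid in the local-rule range
    r"^(?P<ts>\S+Z) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d)\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
HIDS_RE = re.compile(   # constructed key=value HIDS alert, OSSEC-like 0..15 level
    r'^(?P<ts>\S+Z) hids host=(?P<host>\S+) level=(?P<level>\d+) rule=\d+ msg="(?P<msg>[^"]*)"$')
SYSLOG_RE = re.compile(  # BSD syslog: "Apr 12 10:01:30 host proc[pid]: message"
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*)$")
SYSLOG_SCORES = [("Accepted password", 4), ("Failed password", 2)]  # assumed keyword scores


def parse_line(line: str) -> Optional[Event]:
    """Normalize one raw line from any feed; None if no parser matches."""
    if m := NIDS_RE.match(line):
        sev = {"1": 9, "2": 6, "3": 3}[m["prio"]]          # Snort priority 1 is most severe
        host = ASSETS.get(m["dst"]) or ASSETS.get(m["src"]) or m["dst"]  # pick our asset
        return Event(iso_ts(m["ts"]), "nids", host, sev, f'{m["msg"]} (peer {m["src"]})')
    if m := HIDS_RE.match(line):
        sev = max(1, min(10, round(int(m["level"]) * 10 / 15)))  # rescale 0..15 to 1..10
        return Event(iso_ts(m["ts"]), "hids", m["host"], sev, m["msg"])
    if m := SYSLOG_RE.match(line):
        ts = datetime.strptime(f'{YEAR} {m["ts"]}', "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        sev = next((s for kw, s in SYSLOG_SCORES if kw in m["msg"]), 1)
        return Event(ts, "syslog", m["host"], sev, m["msg"])
    return None


@dataclass
class Incident:
    host: str
    events: list = field(default_factory=list)

    @property
    def opened_at(self) -> datetime:          # first observed activity
        return self.events[0].ts

    @property
    def max_severity(self) -> int:
        return max(e.severity for e in self.events)

    @property
    def detected_at(self) -> Optional[datetime]:  # first event that pages someone
        return next((e.ts for e in self.events if e.severity >= PAGE_THRESHOLD), None)


def correlate(events, window=timedelta(minutes=15)):
    """Group events per host in time order; a gap longer than `window` opens a new incident."""
    incidents, open_by_host = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        inc = open_by_host.get(e.host)
        if inc is None or e.ts - inc.events[-1].ts > window:
            inc = Incident(e.host)
            incidents.append(inc)
            open_by_host[e.host] = inc
        inc.events.append(e)
    return incidents


def classify(inc: Incident) -> str:
    s = inc.max_severity
    return "Critical" if s >= 9 else "High" if s >= 7 else "Medium" if s >= 4 else "Low"


# Assumed chain of command: each level notifies everyone below it plus more roles.
ESCALATION = {
    "Low": ["soc-analyst"],
    "Medium": ["soc-analyst", "ir-lead"],
    "High": ["soc-analyst", "ir-lead", "it-ops", "ciso"],
    "Critical": ["soc-analyst", "ir-lead", "it-ops", "ciso", "legal", "hr", "pr"],
}


def metrics(inc: Incident, contained_at: datetime) -> dict:
    """Seconds from first activity to detection, and from detection to containment."""
    det = inc.detected_at
    return {
        "time_to_detect_s": None if det is None else int((det - inc.opened_at).total_seconds()),
        "time_to_contain_s": None if det is None else int((contained_at - det).total_seconds()),
    }


def run_pipeline(lines):
    return correlate(e for e in map(parse_line, lines) if e is not None)


SAMPLE_LINES = [  # constructed feed: three lines about web01, one about db01, one junk line
    "Apr 12 10:01:30 web01 sshd[2211]: Accepted password for deploy from 203.0.113.5 port 40022 ssh2",
    '2024-04-12T10:03:40Z hids host=web01 level=12 rule=5402 msg="user backdoor added to sudoers"',
    "2024-04-12T10:05:02Z [**] [1:1000001:1] LOCAL outbound reverse shell [**] [Priority: 1] {TCP} 10.0.0.7:51532 -> 203.0.113.5:4444",
    "Apr 12 10:40:00 db01 sshd[3100]: Failed password for root from 198.51.100.9 port 5555 ssh2",
    "this line matches no parser and is dropped",
]

if __name__ == "__main__":
    for inc in run_pipeline(SAMPLE_LINES):
        level = classify(inc)
        print(inc.host, level, "notify:", ESCALATION[level])
        print("   ", metrics(inc, iso_ts("2024-04-12T10:25:00Z")))
```

Run as a script, the web01 events collapse into one Critical incident (the sudoers change is the first event that crosses the paging threshold, so time-to-detect is measured from the earlier login to that alert), while the single failed root login on db01 becomes a separate Low incident that never paged anyone, so its detection metrics are undefined rather than silently zero. The point is the shape, not the numbers: one normalized record, one correlation rule, one severity scale and one escalation table are what let metrics be compared across incidents and across tools.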