ISACA CISM – Domain 04 – Information Security Incident Management Part 1

April 13, 2023

1. Lesson 1: Incident Management Overview Part 1

Now in this domain, we’re going to take a look at information security incident management. And what we’re going to do is talk a lot about the different parts of incident management. First, as an overview: what it is, its organization, the resources you’ll need, the objectives of having it, and ways of measuring it through metrics and indicators. Then we’re going to talk about defining the incident management procedures. We’ll also take a look at defining things like the current state of the incident response capability, how to develop an incident response plan, how that incorporates with your business continuity and disaster recovery procedures, and talk about ways of testing both the BCP and the DRP, as well as executing the response and recovery plans. And then finally we’ll wrap it up with post-incident activities and investigation.

2. Incident Management Overview Part 2

So, as an overview, we can think of incident management as a way of having a response to your risk management. We’re going to get into more detail and talk about risk management in more depth. But the idea is that as we are conducting the risk management and we’re trying to prioritize, we’re trying to figure out what vulnerabilities could be exploited and what kind of losses we could have. We have to come up with this plan of how we’re going to take care of those items, but also know that we need to have a team that is going to respond to those particular incidents. So that’s kind of the idea. It’s more or less the emergency operations part of your risk management.

And again, it could be something that you institute even because it’s outside of what you saw in the risk management. It could be that we need to have a team that’s ready to respond to something that might have been unintended or maybe unanticipated as far as the different types of attacks. And now remember, when we talk about attacks all throughout this domain, the attacks are going to come in many different forms. Not just hackers, as some of you might think; it could be environmental attacks, it could be issues with the power grid, it could be man-made, it could be natural disasters. All of these different types of risks are going to be what we kind of call attacks as we go through.

And the idea of this team that we’re going to talk about, how to put it together, how to plan it and how to put it together, that’s the overview. What we’re going to do is try to find a way to, number one, know how to notify this team, besides putting it together, and have a response plan in place. Because what we want to do is lower the amount of loss that could occur from whatever this attack or incident is going to be. And that’s again the big thing of what we’re looking for. In fact, some of the types of attacks that I didn’t even mention could be things like theft of information, it could be accidents. I mean, it could be as simple as this: one time I was teaching a class, and I told a story while we were talking about planning for power outages. And no sooner had I said that than the power went out to the building, because somebody hit a pole that had a transformer and the power was gone.

So again, our goal is to be able to understand how to plan for these contingencies and how to have a team that is ready to respond, so that we can not only minimize loss and minimize downtime, but also get to a recovery point as quickly as possible. We’re going to talk about times where our plan might say we have a maximum tolerable downtime. The idea might be that for some companies, if, let’s say, your database of customers was down for a week, would you still be in business? Probably not. That’s a long time for your customers to not be able to work with your company. So we’re going to talk about all of those things as we put this together. And as an overview, I’m kind of trying to give you this big picture of what we want to be more detailed about and how to go about putting this together.

3. Incident Management Overview Part 3

So hopefully I’ve pretty well described what the purpose of incident management is. We actually can call it incident management and response, because really that is what we’re putting this together for, isn’t it? How to respond to some type of incident or attack, or whatever you want to throw into that as a word or a synonym for incident. And of course what we’re trying to do is a couple of things. And again, remember, this is an overview. One of the things we have to do is know how to identify when an incident has occurred. I mean, if we don’t know how to identify it, how do we know to respond? And that’s a big deal, because it could be the help desk that might be taking a routine call, or what they think is a routine call, and realizing that they’re trying to help troubleshoot some sort of desktop problem or network connectivity problem.

But do they know how to ask the right questions? Do they know what the indicators are that could help them identify it and say, hey, this is an actual incident, a security incident? And by the way, that’s really what most of what we’re talking about is: security incidents. Again, security does not mean just hacking. That’s just one aspect of a security incident. So the help desk, again as an example, needs to know how to identify. Well, what about users? Even regular users should be able to know. And so there’s a lot we have to go through to adequately help everybody, as a part of this team, to be able to identify. And then once identified, the next question is how do they respond? Well, we’re going to hope that what they’re going to do is get to an incident response team.

An IRT that they can contact, so that the team can then respond and figure out how to take care of, as I said before, reducing the losses and trying to get to a point of restoration, containment and everything else that we’re going to talk about. Now remember, it’s hard for you to plan for every contingency, but nonetheless, we have to know how to identify when there is a problem and how to respond, whether it’s unexpected or expected or disruptive. Like, again, severe weather, earthquakes, fires; all of those can become things that we can think of as disruptive events. And again, the goal, or at least the objective, as it says, is that we want to control that impact. That’s the big deal right there. We want to reduce, right, lower the losses, right? We want to lower the downtime. We want to increase how quickly we can recover and resume business.

And so that’s a lot of what we’re trying to do: get back to these acceptable levels all the way through there. Now, when I talk about these different types of incidents or attacks, and I know I’ve said this, but I think if I just write it down here we can make sure that we’re all on the same page: they could be technical in nature. Now, a technical attack, what could that be? Something like a denial of service, maybe? It could be a hacker. It could be a mistake. Somebody deletes the wrong file, just deletes information that shouldn’t have been deleted. So there’s just a lot of parts to this. Like I said, it could be something man-made. That was supposed to be an M. There we go. Man-made. And we’ll take a look at these, as I said, as we go through here. They could be natural. So there’s a lot of different things that we want to cover when we do talk about incident management.

4. Types of Events Part 1

So I suppose a better word than attack might be an event. And as I said, an event is something that could cause a disruption in services, in business; it could be a disruption even towards the personnel that are working for your company. As I said, one of the types of events is technical. Alright? So technical, I guess if you look at a lot of what you see here, means that we might be talking about things that involve software or even the network, something that is dealing with our information systems. Obviously malware, in the form of viruses, worms and the rest of it, could be very dangerous for us. And some attacks could be a denial of service or even a distributed denial of service, depending on how badly somebody wants to take you down.

It could be system intrusions, where again we could talk about the hackers. By the way, remember that the hackers could be from the inside or the outside or both. It could be a disgruntled employee, or the accidental one. That is, I think, a big deal. We have a lot of thoughts about different types of security systems that deal with something like file access. If you think about the idea of file access, what would it take for somebody who has permissions to get into a file, accidentally or purposely, to delete that information? Well, you see, that’s where we want to take these contingencies into play and talk about backups and restores, or talk about how much data we’re willing to lose if we don’t have the appropriate type of backups, which I’m going to put on here.

Besides accidental, purposeful too, because it could be purposeful. I’ve seen a number of stories where employees who maybe were fired start deleting all their files and cost companies millions of dollars. And then of course, look at that: system or process failure. It could be an application, I’ll say an app bug. It could be a piece of hardware that fails. I mean, hard drives do fail, right? Storage area networks can go down, networks can go down, routers and switches and the rest of them causing outages. All of those could be, again, a part of the technical aspect that we want to have some sort of plan for how to respond to. And that’s what we’re really looking at: how we’re going to respond to each of these. And that’s a big part of what we’re looking at when we talk about incident management.

5. Types of Events Part 2

As I was talking about events, of course, some of them could be physical. So physical is a big deal. And there’s a lot of things that I could actually add on to the physical part of this besides what you see listed here. I mean, I consider things like having adequate power, power supply, backup power, what we call the UPS or uninterruptible power supply, as a solution; venting, heating, air conditioning, right. Having the right physical environment for your servers, for your network devices. Because we know if you have too much moisture, too much heat, and the rest of it, things will die. Obviously, theft is a big deal. I know in some of the advanced hacking classes we used to teach the students how to pick locks, to be able to kind of prove that a tumbler lock is not an adequate prevention of theft.

But theft can come in so many different ways as well. It could be, let’s say, theft of a laptop. How many times have we heard about government agents, people from the FBI, having their laptop stolen and not having their data encrypted on those hard drives? And now whoever has that laptop has all of that information. And these are all things we can plan for, right? Because I just gave you a solution we could plan for here, by encrypting the data that’s on those laptops or on those drives or on your backups that you store off site. Social engineering is probably at least 50% of what we would call all of the successful hacks that occur, whether it’s somebody just watching you type in your password, or calling you on the phone and getting your information from you, to use to keep getting more and more data till they get a password or access into a location. Or, of course, natural disasters.

Right now we’re even seeing issues in the Northeast with severe weather. What does that mean to us? Well, that may have an impact on people being able to get to work to make your company successful. Yes, that would be another type of an event, something that we should think about, or whether it’s anything else like storms, hurricanes, and the rest of it. So really what we’re saying is an event, and if I were to dovetail it down to here, an event, and again, remember, we’re talking about incident management and we want to know that we’re planning for as many of these events, what we’ll later call an incident, and knowing how to reduce losses, but it’s anything that can cause a loss. That then is going to be an event, and it should be responded to.

And as I said, it’s going to be difficult to plan for all of the different types of events. But if you live in hurricane country, certainly that’s something I would think we would have an incident management type of response to, that we would have planned for. If you live in a mountainous state in the middle of the country, you probably aren’t going to worry about hurricanes, but you might worry about other types of natural disasters that could come along. So again, these are a part of what we’re trying to deal with when we think about how to put together, basically, the incident management, and to come up with what we’re later going to talk about: the incident response teams and their plan of attack.

6. Goals of Incident Management Part 1

So overall, the goals of incident management, and I think I’ve stated this pretty well, are the type of activities that we’re going to take. Now these are preplanned, right? We preplanned the activities that we’re going to take with the idea, as it says here, of minimizing the possibility of occurrences. Now that is something we can do on some different aspects. Like with theft, we could go to magnetic key cards if we wanted to, or we could put in security guards, or things that we can look at to minimize the possibility of an occurrence. The other part of these activities is that we want to lessen the impact. And again, to talk about lessening the impact, let’s stick with theft. If I chose, again, to encrypt my information, all right, somebody may have stolen an employee’s laptop, maybe the CEO’s laptop.

But knowing that the information is encrypted, and it may take years for them to be able to successfully get that data off of the drive, should hopefully lessen the impact; not the impact of having to recreate the data for the person who lost their laptop, of course. And I would say this is the true goal of what we’re doing with incident management: trying to do both. Minimize the possibility of occurrence, lessen the impact. Now we’re going to talk about how there are some limitations, and that’s a big deal. There are some limitations. Number one, some of the things we do to minimize this type of activity or event from occurring could cost too much money to implement. I just mentioned hiring guards. That’s an add-on to payroll. It might not be a feasible solution. So we have to look at other ways of minimizing it.

But nonetheless, whether we invested in doing the minimization or not, if an incident occurs, we also have to focus with our response team on how to lessen that impact. So all of this is done by planning. And of course now what we have to do is come up with an idea of how we do the planning. One of the big aspects of our planning is going to be these risk and business impact studies: risk analysis, business impact analysis or assessment, that should be done for prioritization. And it can be as easy as this. It could be as easy as just making a chart. And in this chart you could list what the risk is. And let’s say the risk is theft of data. Or let’s say the risk could be somebody performing an exploit against your database server. And then what we can do is look at that with the likelihood of that occurring.

And for theft, maybe we might say the likelihood is just a three out of whatever scale you want to use. Out of five, maybe the exploit could be a four, depending on the type of target. And then of course we want to ask this question: what would be the impact? And now we could put the impact in monetary values. There’s a lot of different charts, but I’m just trying to show this as an example. And if I say the impact of the theft might be a two and the impact of the exploit might be a five, and then if you just do a simple multiplication of the two of them together, so just multiply them together, then theft would be a six and the exploit would be a 20. What does that do? It kind of helps you say, okay, if we’re going to start doing the planning of risk and business impacts, here we are at least able to find a way of doing a prioritization of those.

Now that’s one aspect. There’s another aspect as well, and that is if we really think about impact, because impact is one that we really want to pay attention to. Because again we have to also focus on what’s important, what keeps this company and organization going. And that’s an important aspect of everything that we’re doing. Remember, everything we are planning does have to coincide with what some people call the business goals. I call it the business needs. And to me the business needs are that the business needs to stay in business. I know it sounds redundant, but the idea is if your company makes widgets, we’ve got to figure out how to keep them making widgets. Because if they don’t keep making those widgets then they’re not going to stay in business. And then all of this is kind of moot; there won’t be a place, an organization, for us to support.
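The likelihood-times-impact chart described above, worked out in code. This is an added example, not part of the ISACA course material; the 1-to-5 scale, the risk register entries and the impact tie-break rule are assumptions, and the two scored entries reuse the lecture’s own sample numbers (theft 3 x 2, database exploit 4 x 5).

```python
"""Likelihood x impact risk prioritization, as sketched in the lecture.

Added example, not from the course material. The register below is
constructed; the first two entries reuse the lecture's sample scores.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5  # assumption: both factors are rated 1..5


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (threatens staying in business)

    def __post_init__(self) -> None:
        # Reject entries outside the agreed scale so one mistyped score
        # cannot silently float a risk to the top of the list.
        for label, value in (("likelihood", self.likelihood),
                             ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{self.name}: {label}={value} not in "
                    f"{SCALE_MIN}..{SCALE_MAX}")

    @property
    def score(self) -> int:
        # The chart's "simple multiplication": likelihood * impact.
        return self.likelihood * self.impact


def prioritize(risks: list[Risk]) -> list[tuple[str, int]]:
    """Return (name, score) pairs, highest score first.

    Assumed tie-break: equal scores are ordered by impact, because the
    lecture singles out impact as the factor that decides whether the
    business stays in business.
    """
    ordered = sorted(risks, key=lambda r: (r.score, r.impact), reverse=True)
    return [(r.name, r.score) for r in ordered]


# Constructed register: the lecture's two examples plus a third entry
# that ties the exploit on score (20) but carries a lower impact rating.
REGISTER = [
    Risk("theft of data", likelihood=3, impact=2),
    Risk("exploit against database server", likelihood=4, impact=5),
    Risk("prolonged power outage", likelihood=5, impact=4),
]

if __name__ == "__main__":
    for name, score in prioritize(REGISTER):
        print(f"{score:>3}  {name}")
```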
