CYBERSECURITY SOLUTIONS
WEEK V – LECTURE 9: LEARNING OBJECTIVE
Steps involved in building an incident response
management program that responds to any
cybersecurity incident in an effective and timely manner
Key ingredients of cyber resilience – Business continuity
planning
WEEK IV – LECTURE 8: RECAP
Contingency planning and risk management (part 2)
Cyber security strategic planning
Risk assessment and risk management
SURVEY
Please fill out the survey.
The online questionnaire is accessible through Student Hub. You will find the link to the course evaluations by going
to the My CU Account page, then opening the Academic menu.
WHY IS IT A NECESSITY TO HAVE A CYBERSECURITY INCIDENT RESPONSE
PLAN?
Quicker Mitigation:
An incident response plan enables organizations to respond swiftly, minimizing the impact of cyber incidents
Organized Approach:
It provides a structured and organized approach to managing and responding to cyber threats, ensuring that the right steps
are taken in a coordinated manner
Strengthens Overall Security:
The plan contributes to increased cybersecurity resilience, protecting the organization from potential threats and
vulnerabilities
Builds Trust:
Having a well-defined incident response plan builds trust with stakeholders, demonstrating that the organization is prepared
to handle cyber incidents effectively
Compliance:
It helps organizations comply with regulatory requirements and industry standards that mandate the implementation of
incident response capabilities
Faster Recovery:
The plan reduces the response time and overall cost associated with cyber incidents, facilitating a faster recovery process
Minimizes Damage:
It mitigates the impact of cyber attacks, remediates vulnerabilities, and secures the organization, minimizing the damage
caused by incidents
Utilizes Resources Efficiently:
The plan ensures that manpower, tools, and resources are efficiently utilized to tackle cyber threats and minimize their impact
on operations
Public Consumption:
In the age of social media, cyber incidents can quickly become public matters, making a well-prepared response essential
Inevitability of Cyberattacks:
Security incidents are inevitable, making a proactive incident response plan a necessity to minimize damage and recovery
time
WHAT SHOULD AN INCIDENT RESPONSE PLAN INCLUDE?
A Mission Statement:
Clearly define the purpose and objectives of the incident response plan. Everything starts with policy.
Formal Documentation of Roles and Responsibilities:
Identify and document the specific roles and responsibilities of individuals and teams involved in the incident response
process.
Communication Strategy:
Establish a clear communication plan, including who needs to be informed of a security breach, which communication
channels should be used, and what level of detail should be provided.
Incident Response Procedures:
Develop detailed steps that incident response teams will use to respond to an incident, based on recognized incident
response frameworks.
Clear Guidelines for Informing Stakeholders:
Provide clear guidelines on how to inform operations, senior management, affected parties inside and outside the
organization, law enforcement, and the press.
Training and Job Requirements for Incident Response Roles:
Define the training and job requirements for incident response roles, ensuring that team members are
adequately prepared to fulfill their responsibilities.
Regulatory Compliance Considerations:
Ensure that the plan complies with relevant regulatory requirements and industry standards, such as PCI DSS.
Incident Recovery Team:
Define the group of people assigned to implement the incident response plan, typically members of the IT staff
who collect, preserve, and analyze incident-related data.
Communication Strategy:
Clarify who needs to be informed of a security breach, which communication channels should be used, and what
level of detail should be provided.
DEVELOPING IRP
WHAT ARE THE KEY FACTORS TO BE TAKEN INTO CONSIDERATION WHEN
BUILDING A PLAN?
Risk Assessment:
Conduct a thorough risk assessment to identify potential threats, vulnerabilities, and risks specific to the organization's
environment, assets, and operations.
Regulatory and Legal Requirements:
Consider regulatory obligations, legal requirements, and industry standards relevant to the organization's operations, such as
data protection laws, industry regulations, and contractual obligations.
Business Objectives and Critical Assets:
Align the incident response plan with the organization's business objectives and critical assets to prioritize response efforts
and focus resources on protecting the most valuable and sensitive assets.
Technology and Infrastructure:
Implement technical controls, monitoring tools, and security solutions to detect, prevent, and respond to security incidents
effectively.
Incident Response Team and Training:
Establish an incident response team comprising skilled personnel from IT, security, legal, communications, and
other relevant departments.
Testing and Exercise:
Regularly test and exercise the incident response plan through tabletop exercises, simulations, and drills to
identify gaps, weaknesses, and areas for improvement.
Vendor and Third-Party Relationships:
Consider the organization's relationships with vendors, suppliers, and third-party service providers that may be
involved in incident response activities.
BUILDING IRP STAGES
Preparation:
This phase involves establishing the foundation for an effective incident response, including defining the CSIRT (Computer
Security Incident Response Team) and developing an incident response plan.
Detection and analysis:
During this phase, the focus is on identifying and analyzing security events to determine if they are indeed security incidents.
This involves monitoring, collecting, and analyzing data to detect potential security incidents.
Containment:
Once a security incident has been confirmed, the next step is to contain it to prevent further damage. This may involve
isolating affected systems, restricting user access, or shutting down certain services.
Eradication:
In this phase, the goal is to fully remove the threat and restore affected systems to a secure state. This may involve patching
vulnerabilities, removing malware, or rebuilding systems.
Post-incident activities:
This includes documenting lessons learned, updating the incident response plan, and providing feedback to
improve future response efforts.
NIST INCIDENT RESPONSE
GROUP ACTIVITY
Equifax breach readers’ digest:
The breach occurred after Equifax security officials failed to install a software upgrade that had been recommended
You are hired right after this breach to conduct the IRP. Based on the NIST stages discussed, provide a
summary report for each of the activities in the 5 stages.
Who are the key players involved? What is the responsibility of management during this process?
WHAT ARE THE BEST PRACTICES FOR HANDLING CYBERSECURITY
INCIDENTS?
SANS Institute Incident Handling Process:
Description: Developed by the SANS Institute, this framework outlines a step-by-step process for responding to
cybersecurity incidents effectively.
Stages:
Preparation: Establish incident response policies, procedures, and tools, and train personnel to respond to incidents.
Identification: Detect and classify security incidents based on predefined criteria and indicators of compromise.
Containment: Take immediate action to contain the incident and prevent further damage or unauthorized access.
Eradication: Remove the root cause of the incident from affected systems and restore them to a known good state.
Recovery: Restore affected systems, data, and services to normal operation while minimizing disruption to business
operations.
Lessons Learned: Conduct a post-incident review to identify areas for improvement, update incident response procedures,
and enhance incident handling capabilities.
International Organization for Standardization
ISO/IEC 27035 provides guidelines for the establishment, implementation, maintenance, and continual improvement
of an information security incident management process.
Stages:
Preparation: Develop an incident response plan, establish incident response team roles and responsibilities, and conduct
training and awareness programs.
Detection and Reporting: Implement monitoring and detection mechanisms to identify security incidents, and establish
procedures for reporting incidents internally and externally.
Assessment and Response: Assess the nature and scope of the incident, contain the incident to prevent further damage,
and initiate response actions to mitigate the impact.
Lessons Learned and Improvement: Conduct a post-incident review to analyze the effectiveness of the incident
response process, identify areas for improvement, and implement corrective actions.
HOW DO ORGANIZATIONS MEASURE THEIR INCIDENT MANAGEMENT
MATURITY?
Incident Management Capability Maturity Model (CMM):
This model describes a maturity curve with capability levels such as INITIAL, REPEATABLE, DEFINED, MANAGED, and
OPTIMIZED, providing a framework for organizations to assess and improve their incident management processes
NIST Cybersecurity Framework:
The NIST framework allows organizations to understand their current cybersecurity posture, set goals for improvement, and
establish a plan for reducing cybersecurity risk
Top 10 Incident Management Metrics:
Organizations can also measure incident management maturity by tracking and monitoring key metrics such as incidents over
time, mean time to acknowledge (MTTA), mean time to resolve (MTTR), customer impact, and others
ENISA CSIRT Maturity Assessment Model:
This model applies a three-tiered approach, guaranteeing that the team has a basic level of maturity and providing a
framework for stimulating the development and maturity of incident response teams
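To make the "top 10 metrics" concrete, here is an added Python example (not from the lecture) that computes incidents over time, MTTA, MTTR, customer impact and the unresolved backlog from a small set of constructed incident records; the record format and field names are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Incident:
    id: str
    opened: datetime
    acknowledged: Optional[datetime]  # None if nobody has acknowledged yet
    resolved: Optional[datetime]      # None while the incident is still open
    customers_affected: int


def ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM' timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def parse_incidents(lines: List[str]) -> List[Incident]:
    """Parse 'id, opened, acknowledged, resolved, customers' lines (assumed format)."""
    incidents = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        iid, opened, ack, res, cust = [f.strip() for f in line.split(",")]
        incidents.append(Incident(iid, ts(opened),
                                  ts(ack) if ack else None,
                                  ts(res) if res else None,
                                  int(cust)))
    return incidents


def mean_minutes(deltas: List[timedelta]) -> Optional[float]:
    """Average of a list of durations in minutes; None when there is nothing to average."""
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / 60 / len(deltas)


def mtta(incidents: List[Incident]) -> Optional[float]:
    """Mean time to acknowledge: opened -> acknowledged, over acknowledged incidents."""
    return mean_minutes([i.acknowledged - i.opened for i in incidents if i.acknowledged])


def mttr(incidents: List[Incident]) -> Optional[float]:
    """Mean time to resolve: opened -> resolved, over resolved incidents only."""
    return mean_minutes([i.resolved - i.opened for i in incidents if i.resolved])


def incidents_over_time(incidents: List[Incident]) -> dict:
    """Incident count per month (YYYY-MM), the 'incidents over time' trend metric."""
    return dict(Counter(i.opened.strftime("%Y-%m") for i in incidents))


def customer_impact(incidents: List[Incident]) -> int:
    return sum(i.customers_affected for i in incidents)


def open_backlog(incidents: List[Incident]) -> List[str]:
    return [i.id for i in incidents if i.resolved is None]


# Constructed sample records (not real incident data).
SAMPLE = """
# id, opened, acknowledged, resolved, customers_affected
INC-001, 2024-01-03 09:00, 2024-01-03 09:10, 2024-01-03 13:00, 120
INC-002, 2024-01-20 22:30, 2024-01-20 23:00, 2024-01-21 06:30, 0
INC-003, 2024-02-11 14:15, 2024-02-11 14:20, 2024-02-11 15:15, 15
INC-004, 2024-02-28 08:00, 2024-02-28 08:40, , 400
"""
INCIDENTS = parse_incidents(SAMPLE.splitlines())

if __name__ == "__main__":
    print("incidents/month:", incidents_over_time(INCIDENTS))
    print("MTTA (min):", mtta(INCIDENTS), "MTTR (min):", mttr(INCIDENTS))
    print("customers affected:", customer_impact(INCIDENTS), "open:", open_backlog(INCIDENTS))
```

Note that MTTR is computed over resolved incidents only; a still-open incident such as INC-004 shows up in the backlog instead, so a low MTTR alone does not prove maturity.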
WHAT DOES INCIDENT MANAGEMENT LOOK LIKE IN CYBER RESILIENT
ORGANIZATIONS?
Integrated Incident Response Plan:
Embracing an integrated incident response plan that is underpinned by a business continuity strategy and augmented by
specialized external services to improve the organization's ability to manage and recover from cyber incidents
Effective Incident Response Strategy:
Developing a robust incident response strategy to detect, mitigate, and recover from cyberattacks while minimizing potential
damage
Holistic Approach to Incident Planning:
Taking a holistic approach to incident planning, which involves conducting thorough risk assessments, establishing cross-
functional incident response teams, investing in advanced detection and monitoring solutions, fostering transparent
communication, and embracing a cybersecurity culture
Defending Against Cyber Threats:
Demonstrating the ability to defend against cyber threats, having adequate cybersecurity risk management, and ensuring
business continuity during and after cyber incidents
WHAT IS BUSINESS CONTINUITY?
Maintaining Operations:
Business continuity involves implementing strategies and plans to ensure that critical business
functions and processes can continue operating or be quickly restored in the event of disruptions,
such as natural disasters, cyber attacks, or other unforeseen incidents.
Minimizing Downtime:
Business continuity aims to minimize downtime and disruptions to business operations by identifying
and mitigating potential risks, developing contingency plans, and implementing resilient infrastructure
and processes.
Ensuring Resilience:
Business continuity emphasizes building resilience within an organization by establishing robust
recovery strategies, redundant systems, and alternate facilities or resources to support
uninterrupted business operations during and after disruptive events.
HOW DOES MANAGEMENT PLAN FOR BUSINESS CONTINUITY?
Business Continuity Planning:
Developing proactive and reactive plans to help the organization avoid interruptions to its operations.
Risk Management Processes:
Establishing risk management processes and procedures to prevent operational interruptions and maintain essential
functions during and after unpredictable events and potential threats.
Clear and Comprehensive Guidelines:
Creating clear and comprehensive guidelines for maintaining essential functions during unexpected events, ensuring
that there is no question about how to move forward with business processes.
Defined Levels of Response:
Including different levels of response in the business continuity plan to ensure that the organization can continue to
operate and deliver its products and services during and after a crisis.
Proactive Measures:
Implementing proactive measures designed for the prevention of interruptions to organizational activities, as well as
the identification and implementation of measures to prevent crises and disasters from occurring.
HOW DO THEY ENSURE THAT THE BUSINESS CAN CONTINUE TO OPERATE
DURING A DISRUPTION?
Establishing a Business Continuity Management (BCM) System:
This involves creating a team to manage the various processes and obtaining commitment and support from top
management.
Risk Assessment and Business Impact Analysis (BIA):
Identifying and evaluating the risks or possible disruptions the organization is exposed to, as well as assessing the
potential impact on different business functions.
Identifying Threats:
Identify the types of threat the organization is perceived to be under and start creating scenarios based on those threats.
Developing Strategies and Business Continuity Plan (BCP):
Creating detailed strategies and plans to maintain, recover, and resume critical business functions as quickly as possible.
Readiness Plan:
Regularly testing the BCP, training personnel, and periodically reviewing the plan to ensure its effectiveness and make
improvements as needed.
WHAT IS A BCP?
HOW ARE BUSINESS OBJECTIVES DIFFERENT FROM SECURITY OBJECTIVES?
Business Objective | Security Objective
Focus on strategic goals such as revenue growth, market expansion, and customer satisfaction. | Specifically related to safeguarding the organization's assets, data, and operations from potential threats and risks.
Geared towards driving the overall success and growth of the organization. | Aimed at ensuring the confidentiality, integrity, and availability of the organization's resources and information.
Outward-facing and growth-oriented. | Inward-facing and risk-mitigation-oriented.
HOW CAN WE ENSURE THERE IS AN ALIGNMENT BETWEEN THE TWO?
Integrating Security into Business Continuity Plans:
Seamlessly integrating security measures into the organization's business continuity plans to ensure that critical
business functions are protected during disruptions
Understanding the Business:
Gaining a deep understanding of the organization's mission, vision, and strategic goals to align security objectives with
broader business objectives
Collaborating with Executives and Boards:
Partnering with top executives and boards to ensure that security objectives are in line with the organization's overall
business goals
Speaking the Language of Business:
Learning to communicate security needs in terms that resonate with business leaders, such as risk reduction, cost-
effectiveness, and impact on productivity and service uptime
Measuring and Demonstrating Value:
Developing metrics that directly connect cybersecurity objectives with wider business goals, and demonstrating the
value of security initiatives in terms that are meaningful to the business
BC TABLETOP EXERCISE
GROUP DISCUSSION
Consider an insider threat to a manufacturing company. Address
the following:
The significance of integrating security measures into business
continuity plans.
Strategies for understanding and communicating the alignment between
security and business objectives.
The role of leadership in prioritizing and demonstrating commitment to
security objectives.
WHAT IS THE CURRENT CYBERSECURITY THREAT LANDSCAPE FOR
BUSINESSES FROM EXECUTIVE'S PERSPECTIVE?
Ransomware Epidemic:
Ransomware attacks have reached epidemic proportions, with cybercriminals
targeting organizations of all sizes and industries.
Supply Chain Vulnerabilities:
Supply chain attacks have emerged as a prominent threat, with adversaries
exploiting vulnerabilities in third-party vendors and suppliers to infiltrate the
networks of larger organizations.
Nation-State Cyber Threats:
Nation-state actors continue to pose a serious threat to businesses, engaging in
espionage, intellectual property theft, and cyber warfare activities.
Data Privacy Regulations:
The regulatory landscape for data privacy and protection is evolving rapidly, with stringent
requirements such as the General Data Protection Regulation (GDPR) imposing strict compliance
obligations on businesses.
Financial and Reputational Risk:
Cybersecurity risks extend beyond direct financial impacts and can create existential company risk
or human safety issues if not managed effectively.
Insider Threats:
Insider threats, whether malicious or unintentional, remain a persistent concern for organizations.
Cybersecurity Skills Shortage:
The shortage of skilled cybersecurity professionals exacerbates the challenges faced by businesses in
defending against cyber threats. Recruiting and retaining talent are critical for building effective
cybersecurity defenses.
WHY ARE CYBER INCIDENTS INCREASING AND WHAT IS THEIR IMPACT ON
BUSINESS CONTINUITY?
The increasing frequency and severity of cyber attacks, including ransomware, phishing,
and supply chain attacks, contribute to the rise in cyber incidents.
The shift to remote work and the accelerated digital transformation have expanded
the attack surface, providing cybercriminals with more opportunities to exploit
vulnerabilities.
The growing interconnectedness of devices and systems, such as the Internet of Things
(IoT), has created new entry points for cyber attacks, further increasing the risk
landscape.
The impact of cyber incidents on business continuity includes financial losses from
operational disruption, recovery costs, and potential regulatory fines and legal fees.
Reputation damage resulting from a cyber incident can lead to customer loss, reduced
investor confidence, and long-term brand devaluation.
Data loss or theft can have severe consequences, including non-compliance with data
protection regulations, loss of intellectual property, and compromised sensitive
information.
Operational disruption caused by cyber incidents can lead to productivity losses, supply
chain interruptions, and customer service disruptions, affecting overall business
operations.
Legal and regulatory consequences may arise from data breaches or non-compliance with
privacy laws, leading to lawsuits, penalties, and ongoing legal challenges.
Increased cybersecurity costs are often necessary to remediate vulnerabilities, enhance
security measures, and recover from cyber incidents, impacting overall business expenses.
Cyber incidents can lead to insurance premium increases as insurers adjust rates to
account for higher cyber risk exposure and potential future claims.
IMPACT OF CYBER ON BUSINESSES
WHAT ARE THE COMMON MISTAKES MADE BY BUSINESSES?
Lack of Funding:
Many businesses, especially state, local, tribal, and territorial (SLTT) governments, face challenges due to a lack of funding for
cybersecurity initiatives
Insufficient Cybersecurity Planning:
Some businesses lack comprehensive cybersecurity planning, including disaster recovery and business
continuity planning, leaving them vulnerable to cyber incidents
Underestimating Cybersecurity Risks:
Despite recognizing the need for cybersecurity, many businesses fall short in adequately mitigating the risks associated with
potential threats, leaving them exposed to significant vulnerabilities
Thinking They're Too Small a Target:
Many businesses underestimate their attractiveness as targets for cyber attacks, leading to a lack of preparedness and
vulnerability
WHAT ARE THE SECURITY GAPS?
Human Error:
Human error is a significant cause of cybersecurity breaches, with 95% of breaches attributed to this factor according to IBM
Bad Online Habits:
This includes using the same passwords across multiple accounts, sharing personal details publicly, and logging onto public
wireless networks without protection, making businesses vulnerable to various cyber threats
Configuration Mistakes:
Errors in system configurations, such as leaving default passwords, open services, and unencrypted documents, can lead to
costly security gaps and data breaches
Lack of Regular Testing:
Failing to test disaster recovery and business continuity plans before a disaster occurs can result in unaddressed
shortcomings and inefficiencies in the plans