Data Security Chapter Four Summary
Planning Levels
Strategic planning transforms broad plans into specific, measurable, achievable, and time-bound
objectives for an organization's major divisions or operations. Tactical planning focuses on
short-term undertakings, breaking each goal into incremental objectives with delivery dates
within a year; it covers budgeting, resource allocation, and personnel. Tactical plans include
project plans, budgets, reviews, and reports. CISOs and security managers use tactical plans to
organize, prioritize, and acquire resources for major projects in support of the overall
strategic plan.
Operational planning organizes daily tasks and communication for departments and reflects the
organizational structure. Frequent feedback and communication between teams and management
levels make the planning process more manageable and more likely to succeed.
New accounts, reported attacks, and IDPS notifications indicate a strong likelihood of an
incident. Definite indicators include use of dormant accounts, changes to logs, and reports of
suspected attacks. Administrators must assess each of these events and decide whether the
notification is significant or reflects routine operation. Another definite indicator is the
presence of hacker tools on office computers, where they can be used to scan internal networks
and build attack profiles; installed without proper authorization, such tools should be treated
as threats.
Organizations often have policies prohibiting the installation of such tools without CISO
permission. Notifications from partners, peers, or the hackers themselves can also indicate an
incident. Other incident indicators include loss of availability, integrity, or confidentiality,
violation of policy, and violation of law. Such events can damage an organization's reputation
and potentially lead to disciplinary action.
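As an added illustration (not part of the chapter summary), the following script checks constructed sshd-style login lines against a constructed table of last-known account activity and flags two of the indicators listed above: successful logins to dormant accounts (a definite indicator) and logins to accounts with no recorded history (a possible new account). The account names, dates, log format and 90-day threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: account -> last known legitimate activity (assumed values)
LAST_ACTIVITY = {
    "alice": datetime(2024, 3, 10),
    "bob": datetime(2023, 9, 1),             # idle for months
    "svc_backup": datetime(2024, 3, 11),
    "ex_contractor": datetime(2023, 1, 15),  # should have been disabled long ago
}
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold for "dormant"

# Constructed auth log lines in a simplified sshd-like format
SAMPLE_LOG = """\
2024-03-12T08:01:22 sshd[411]: Accepted password for alice from 10.0.0.5 port 51022
2024-03-12T08:05:47 sshd[412]: Accepted password for bob from 10.0.0.77 port 51100
2024-03-12T08:06:02 sshd[413]: Failed password for root from 203.0.113.9 port 4040
2024-03-12T09:14:31 sshd[418]: Accepted publickey for ex_contractor from 198.51.100.4 port 2222
2024-03-12T09:20:00 sshd[420]: Accepted publickey for svc_backup from 10.0.0.9 port 3333
2024-03-12T09:25:13 sshd[421]: Accepted password for tmp_admin from 10.0.0.50 port 3400
"""

# Only successful logins count for this indicator; failed attempts are a separate signal
LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)


def classify_logins(log_text, last_activity, threshold=DORMANT_AFTER):
    """Return {'dormant': [(user, ts, src, idle_days)], 'unknown': [(user, ts, src)]}.

    'dormant' = successful login to an account idle longer than the threshold.
    'unknown' = successful login to an account with no recorded history (new account?).
    """
    result = {"dormant": [], "unknown": []}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user, src = m["user"], m["src"]
        ts = datetime.fromisoformat(m["ts"])
        last = last_activity.get(user)
        if last is None:
            result["unknown"].append((user, m["ts"], src))
        elif ts - last > threshold:
            result["dormant"].append((user, m["ts"], src, (ts - last).days))
    return result


if __name__ == "__main__":
    for kind, hits in classify_logins(SAMPLE_LOG, LAST_ACTIVITY).items():
        for hit in hits:
            print(kind, *hit)
```

Each hit still needs the significance judgement the summary describes; a service account reactivated by a scheduled job, for instance, may be a routine operation rather than an incident.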
Incident Reaction
Incident reaction involves carrying out a plan to stop, mitigate, and recover from incidents
quickly.
Notification of Key Personnel: An incident is detected by help desks, users, or systems
administrators, and the right people must be notified in the right order. Organizations maintain
an alert roster, which can be sequential (one person calls everyone) or hierarchical (each person
calls a few others). The roster must be maintained and tested for accuracy. Some personnel will
not be part of the scripted notification, and management should be notified early to avoid undue
alarm. If the incident spreads beyond the target organization's resources or is part of a
large-scale assault, the IR planning team must determine who to notify and offer guidance on
additional notification steps.
Documenting an Incident: Documenting an incident or disaster lets the organization learn from
the event, records the actions taken, and serves as a case study. It also helps ensure a proper
response, demonstrates due care, and supports future training sessions.
Incident Containment Strategies: Incident reaction focuses on stopping or containing the
incident's scope or impact. Containment strategies vary with the kind of incident and the damage
caused, so organizations must determine which information and systems are affected before
choosing one. Approaches include severing communication circuits, monitoring, and dynamically
applying filtering rules to limit network access. Ad hoc controls can also be used, for example
to stop an attack that exploits vulnerabilities in SNMP. Such controls include disabling
compromised accounts, reconfiguring firewalls, temporarily disabling specific services or
processes, or taking down e-mail-supporting applications. Containment means isolating the
affected channels, processes, or computers, stopping the losses, and regaining control of the
affected systems. The incident response manager decides how long the interruption lasts.
Incident Recovery: After containment, incident recovery involves identifying the necessary
resources, assessing damage, performing computer forensics, repairing vulnerabilities,
addressing safeguard shortcomings, and restoring systems, data, and services.
Prioritization of Efforts: The aftermath of an incident can be confusing, so recovery
operations should follow the IR plan.
Damage Assessment: Assessing incident damage can take minutes or weeks, depending on the
extent of the damage, and draws on various sources to determine its type, scope, and extent.
Computer forensics involves collecting, documenting, and preserving computer evidence for use in
formal or informal proceedings. Those who examine the damage need special training so that they
are prepared for potential criminal or civil actions.
Recovery: Recovering from an incident involves identifying the vulnerabilities that allowed it,
addressing the safeguards that failed, evaluating monitoring capabilities, restoring data from
backups, restoring services and processes, and continuously monitoring the system to prevent
future incidents. Hackers often boast of their exploits in chat rooms, which draws peers to
attempt similar attacks, so vigilance must be maintained throughout the incident response (IR)
process. Confidence in the organization's communities is restored afterwards: for a minor
incident, issue a memorandum stating that it occurred and assuring that damage was minimal.
Conduct an after-action review (AAR) to update the IR plan and to serve as a training case for
future staff.
Backup Media: The chapter's Technical Details section covers backup management strategies and
media, including DAT, QIC, DLT, CD-ROM, and DVD options, as well as specialized drives.
Online and Cloud Backup: Organizations are adopting cloud-based architectures for improved
performance and resilience and to shift operational risk to key suppliers. This shifts
responsibility for backup and recovery to the service provider, so contracts and audit
requirements must account for the provider's operational capability and security. Cloud
computing comes in three offerings: Software as a Service (SaaS), Platform as a Service (PaaS),
and Infrastructure as a Service (IaaS). Cloud ownership can be public, community, or private,
with public clouds the most common. Security is crucial, and organizations must secure it
through warranties and rigorous service agreements.
Automated Response: New incident response technologies extend traditional systems by enabling
autonomous responses based on preconfigured options. However, legal issues such as tracking
suspects and liability for counterattacks remain unresolved, and security professionals still
need better tools.