Security Policies Discussion Questions
Post 1:
1. Preparation
This phase will be the workhorse of your incident response planning, and in the end, the most crucial phase to protect your business. Part of this phase includes:
Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach. Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan.
Questions to address
Has everyone been trained on security policies?
Have your security policies and incident response plan been approved by appropriate management?
Does the Incident Response Team know their roles and the required notifications to make?
Have all Incident Response Team members participated in mock drills?
2. Identification
This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.
Questions to address
When did the event happen?
How was it discovered?
Who discovered it?
Have any other areas been impacted?
What is the scope of the compromise?
Does it affect operations?
Has the source (point of entry) of the event been discovered?
3. Containment
When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.
Questions to address
What’s been done to contain the breach short term?
What’s been done to contain the breach long term?
Has any discovered malware been quarantined from the rest of the environment?
What sort of backups are in place?
Does your remote access require true multi-factor authentication?
Have all access credentials been reviewed for legitimacy, hardened and changed?
Have you applied all recent security patches and updates?
4. Eradication
Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
Whether you do this yourself or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remains in your systems, you may still be losing valuable data, and your liability could increase.
Questions to address
Have artifacts/malware from the attacker been securely removed?
Has the system been hardened, patched, and updates applied?
Can the system be re-imaged?
5. Recovery
This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
Questions to address
When can systems be returned to production?
Have systems been patched, hardened and tested?
Can the system be restored from a trusted back-up?
How long will the affected systems be monitored and what will you look for when monitoring?
What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/prevention, etc.)
6. Lessons Learned
Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.
Questions to address
What changes need to be made to security?
How should employees be trained differently?
What weakness did the breach exploit?
How will you ensure a similar breach doesn’t happen again?
No one wants to go through a data breach, but it’s essential to plan for one. Prepare for it, know what to do when it happens, and learn all that you can afterward.
Post 2:
An incident response plan should be set up to address a suspected data breach in a series of phases. The preparation phase is about ensuring you have the appropriate response plans and policies. In the identification phase you will work out whether you are dealing with an event or an incident. This is the stage where understanding your environment is critical. You will want to work with the business to limit the damage caused to systems and prevent any further damage from occurring. Once we have a clean system ready to restore, we determine when to bring the system back into production. These lessons will allow you to incorporate additional activities and knowledge back into your incident response.
Effective responses to a security breach:
We need to install patches to resolve viruses and technology flaws.
We need to reset passwords for user accounts that may have been compromised.
We need to disable network access for computers known to be infected by viruses or other malware.
Taking steps to recall or delete information, such as recalling emails or asking unintended recipients to destroy copies.
Identifying who and what has been affected.
Assessing how the data could be used against the victims, for example if the data contains information that could be used for identity theft or other criminal activity.
Actions for each phase:
Preparation
Ensuring your employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach.
Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan.
Detection
Logs should be systematically reviewed to look for anomalous and suspicious user activity.
Containment
This is also a good time to update and patch your systems and review your remote access protocols.
Developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery.
Eradication
Finding and eliminating the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
Scan the systems in a timely manner for any trace of malware.
Recovery
Recertify any component that was compromised as both operational and secure.
Ensure your long-term containment strategy includes returning all systems to production and also locking down user accounts.
Follow-up
Reviewing lessons learned and having a plan for evidence retention.
Training the employees on how to avoid phishing scams.