Incident Response Proposal
Executive summary
Cybersecurity threats So far have grown in terms of complexity and volume. To counter or to stop it entirely is entirely impossible. Systems will always be vulnerable so long as human involvement exists in an information system. Therefore, even the slightest vulnerability can server as an entry point for a possible unanimous attack, which can result in devastating damage to the organization. The proposal research question tries to investigate the importance of having a good incidence response to help organizations to protect their information upon detection of a possible threat. The paper discusses various stages proposed for incidence response and also a well-structured form on how incidence response should take place. The organization has continued to incur huge losses resulting from the data breach, which calls for research on incidence response.
Introduction
Modern society has been highly integrated with information systems. Information systems comprise of social-technical, formal, and organizational systems consisting of technology, structures, people, and all operations carried out for storage and distribution of information. Recently there is increasing dependence on information systems, which raises security concerns as cybersecurity issues continue to emerge. A wide range of information supported within the system, such as individual data, warfare information, and other sensitive information such as health information, needs a high level of privacy. Security on details on these populations calls for protection. The level of complexity in today’s cybersecurity attacks has increased in both complexity and volume, which results in a big challenge for information security personnel to thwart all possible attacks and achieve maximum data protection needed. This research proposal aims to try to investigate all possible ways cyberattacks can be detected and resolved before they compromise sensitive information.
Problem statement
Current information is faced with an unpredictable data breach, which results in considerable losses to the organization. The existing systems also lack the correct approach to deal with cyber-attacks, which leave the most organization with a significant deficit which can hardly be recovered. These issues result from poor planning on how to carry out the incident response. Don't use plagiarised sources.Get your custom essay just from $11/page
Objectives
The main objective of carrying out this research proposal is to demonstrate how good incident response can help organizations recover from any incident or breach of their systems. The research also aims at identifying the key sectors where vulnerability within the system may exist to come up with a hardened approach to cybersecurity mitigation.
Project Constraints
The research is expected to cover weaknesses within the existing systems. The study will be limited to the various personnel within the organization who are directly impacted by the security breach.
Assumptions
The security level for a given information system is not robust enough to withstand potential or existing cyber-attack strategies. There is a possible security breach for any information system within an organization. The security breach, in this case, if from an external source.
Key Terms:
Incident – refers to an event of a security breach.
Vulnerability- It is a weakness in the system entry.
Point of entry- refers to the origin of the breach into the system
Quarantine – refers to disconnecting the affected device from the network
Network – a set of interconnected devices
Compromise – To take control of the slave device data or the entire system data.
Literature Review
As of recent occurrences and those which occur daily, it is clear that computer compromising can take place anytime. It does not depend on which device to attack, and it is a matter of the exact time it will be compromised. The real deal becomes how fast to respond to the attack and prevent any loss and also evade any future compromises (Lavsdes, 2012).
According to Winkler (2011), to return to the attack timely, some set of procedures must, therefore, be put in place and tested thoroughly in case any attack is launched. The incidence response is a process which, before it is implemented, it is vital to know and perceive what led to the compromise. The incidence response process also entails the cyber forensics (Lavsdes, 2012). This deals with identifying, analyzing, and evaluating the achieved evidence stored in digital devices. In this article, we will, therefore, deal with the stages in incidence response and cyber forensics investigation. We will target different systems of different organizations. We will also put in use various open-source tools to make sure the article implements its purpose.
Amoud & Roudies (2017) depict that the defense of cyber assets is done differently across various organizations. In large organizations, the mechanisms put in place to defend the cyber assets differ from those in small ones. In large organizations, a tool such as intruder detection is implemented (Author, 2007). This mechanism keeps track of network activities, and upon discovery of any unauthorized access, it alerts the related personnel. This leads to initiating appropriate actions by the security personnel to investigate and acknowledge the security concern. After accepting the threat, the staff puts efforts to defend the organization’s network assets. The above process can be implemented using automated software. This is mostly done when the organization deals with a large amount of data over its network. This is more reliable than a person taking control of the security concerns once they arise. Also, it is less costly as only a group of personnel can match this automated software. This research mostly involves the factors that affect the efficiency of Cyber Security Incidence Response Teams (csirts). A simulated environment can, therefore, be implemented to monitor how the cybersecurity incidence response team works. Once a follow-up study is done to compare how the Cyber Security Incidence Response Teams take time to respond to various threats, the results show a minute deviation from how a professional CSIRT responds to the risks (Kovacich, 2017).
Related Studies
Gurkok (2017), argues that the most recent and complicated attacks on large organizations such as Google are thrived by different purposes and motivations from different groups. They highlight that the groups’ goal is to attack the weakest points of the organizations using advanced cyber systems. It is due to this that a substantial industry has launched to develop software tools that will govern the network activities (Amoud & Roudies, 2017). This simplifies the detection of any potential attacks. While these software products are essential, their usefulness depends on the Cyber Security Incidence Response Teams to determine alerts, start the responses, and compile the data from the software to know the occurrences of the attacks.
Kauthamy, Ashrafi & Kuilboer (2017), highlight more about Cyber Security Incidence Response Teams. He states that the number of people in the CSIRT differs according to the type of organization. Also, the composition of Cyber Security Incidence Response Teams depends on the number of cyber professionals and the work they can perform, by their expertise (Kauthamy et al., 2017). The work of the Cyber Security Incidence Response Teams is to collect information about a threat and an attack and the evidence concerning the attack. When the information about the risk is spotted, the CSIRT performs a series of activities to counter the threat. The events are enabled by the teams’ understanding of a computer system and the network system. The ability of a particular organization to deal with a threat, therefore, depends mostly on the CSIRT and how they emphasize group work (White, 2018).
Kotenko, Konovalov and Shorov (2014) suggest that gameplay between attackers and defenders is the Cyber Security Incidence Response Team would yield much in terms of detecting attacks and responding onto them. Attackers come with a model to initiate a threat. The defenders would do the opposite. This two-way interaction, when captured, can be utilized by different organizations to help in monitoring these threats and responding to them. Currently, this paper describes a model-based simulation of game theory. However, organizations can implement live attacks. This will make the experience live. Through this game theory, the majority of the threats can be covered.
Incident response plan
To carry the research on cybersecurity incident response, developing a good plan will help address all the fields within the research question. The plan developed has six distinct phases which will help security professionals to detect any cyber-attack or data breach in the system and carry out the necessary action. The plan developed calls for proper training and regular updates concerning data security within the current system. The plan is designed according to the PCI DSS requirement, which includes the following rules for any business:
12.10.2 – ensure the incidence response plan is tested periodically within a year.
12.10.3 – individual employees should be assigned to monitor and respond to incidences on a 24/7 basis (Onwubiko, 2017).
12.10.4 – every staff assigned incident response duties should be adequately trained regularly.
12.10.05 – Alerts should be set for file-integrity, intrusion detection, and intrusion prevention monitoring systems.
12.10.6 – a process for managing and updating incidence response systems should be set to take place in the situation as changes within an organization.
Project Schedule
| Time in weeks | Event | Expected activity |
| Week 1 | Preparation | Funding all necessary tool needed for incident response |
| Week 1 | Identification | Try to identify any security breach by either carrying out a mock test or existing breach |
| Week 3 | Mitigation | Try to come up with counter-mechanism to suppress the incident. |
| Week 4 | Eradication | Try to resolve the issue entirely by ensuring preventive measures are established. |
| Week 5 | Progress analysis | Asses all the goals met so far by setting up a preventive plan to the system |
| Week 6 | Documentation | Hold a meeting with the incident response team and document all the achievements and other implementations to the system |
Proposed Work-break down structure
For active research on incidence response, this research proposal adopts the analogous approach by assessing the existing procedures set to deal with incidence response. To design an effective plan, six main phases need to be implemented. These phases are demonstrated in the chart below based on how they follow each other.
Source (Author)
Preparation
The step builds the critical foundation towards successful incidence response. The preparation business is the workhorse and the most crucial stage towards the protection of any business. The level involves carrying out extensive training to the organization employees on their respective roles and responsibilities in case of cyberattacks. Another activity proposed is developing drill scenarios to imitate for regular evaluation of incidences. The stage also involves ensuring aspects related to incident response such as software, hardware training, and execution resources are funded early enough before the case is reported. The preparation phase will involve address issues such as training all individuals on security concerns and policies. Questions such as whether the plan has been approved by appropriate management will be addressed under the preparation phase. All incidence response personnel should be involved in mock trials to ascertain the robustness of the plan.
Identification phase
At this stage, the organization will try to determine whether there is any breach of their system. Different areas within the organization can be the origin of the breach. At this phase, a brief report about the incidence is given. The report is expected to include the exact time of the event, the source of information about the event, and how it was identified. Other information such as the incident scope, the area affected, and general effects on the current processes are also documented. Then, the team tries to assess the entry point of the breach to carry out proceeding steps.
Containment
In case a breach in the system has been determined, the expected action involves deleting all vulnerable files. However, this research proposal aims to ensure entry points are noted and necessary measures put in place to prevent future similar incidences. Containment involves “breach quarantine” to prevent further spread to the entire business (Winkler, 2011). The steps to be required include; disconnected the breach entry point from the network. The organization is expected to have both long-term and short-term containment methodologies ready (Thompson, 2018). At this stage, developing redundant back-up for the organization’s data is useful in ensuring information is never lost completely. Systems can be returned to normal after the breach. To implement the phase, regular updates to the systems will be required as well as providing a multi-factor authentication for any remote devices.
Eradication
At this phase, all root causes for the breach are eliminated. Removing breach causes may involve updating the systems, hardening authentication features, and also removing all malware safely. The order at this stage should be returned to its normal operations.
Recovery phase – this stage involves restoring the entire system to its normal operations. All the affected systems at this phase should be ready to resume their normal activities. The system should run effectively without fear of a future related breach. All tools for preventing the next attack should be in place to guarantee safety from such violations.
Lesson Learned from the Breach
At this phase, all stakeholders and personnel in the incidence response team should hold a meeting to discuss the various lessons learned from the breach. At this point, proper documentation of the entire offense is carried out. Depending on whether a mock event or a real event is used, analyzing the lesson learned from a given system gives strength for the current system and prevents it from future attacks.
Motivation on Incidence Response
Industries and other organizations continually report on technical, evolving, and also unheard-of-social strategies that facilitate cyberattacks keeping system penetrates from defenders. These techniques are often equipped with capabilities such as fact phased control. Kaspersky’s security organization report shows that the financial stress on data breaches at international level records about $120 000, for medium and small business and $1.23 million for large organizations. The estimated financial losses, according to the Kaspersky report, increases by almost a fifth each year, causing huge injuries to organizations (Kaspersky, 2019). Other losses recorded as a result of a data breach include loss of user trust and vendor reputation, therefore, leading to immeasurable damages to most organizations.
Project Milestone
There is no existing research on incident response hence an excellent opportunity to extract all the underlying information for a robust incident response plan. All related studies indicate huge losses to the companies as a result of a data breach. However, the existing research does not give the best approach to deal with the security breach in the current systems.
Conclusion
A data breach at an organization level is a continuous process. A good strategy should be developed to help identify and suppress the breach in its early stages before it spreads to the entire network. Extensive research on incident response should be done to help organizations to prepare for future threats adequately to thwart any data breach before they cause damage to the system.
References
Amoud, M., & Roudies, O. (2017). Dynamic adaptation and reconfiguration of security in mobile devices. 2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident). doi:10.1109/cyberincident.2017.8054639
Author, N. G. (2007). Cyber Security Assessment Report: Adventium Labs. doi:10.2172/948582
Gurkok, C. (2017). Cyber Forensics and Incidence Response. Computer and Information Security Handbook, 603-628. doi:10.1016/b978-0-12-803843-7.00041-7
Kaspersky: The State of Industrial Cybersecurity. (2019). Network Security, 2019(9), 4. doi:10.1016/s1353-4858(19)30104-7
Kauthamy, K., Ashrafi, N., & Kuilboer, J. (2017). Mobile Devices and Cyber Security – An Exploratory Study on User’s Response to Cyber Security Challenges. Proceedings of the 13th International Conference on Web Information Systems and Technologies. doi:10.5220/0006298803060311
Kotenko, Reznik, & Shorov. (2014). Security protocols verification combining existing approaches and tools. SPIIRAS Proceedings, 0(8), 292. doi:10.15622/sp.8.14
Kovacich, G. (2017). Information Warfare and the Information Systems Security Professional. Information Systems Security, 6(2), 45-55. doi:10.1080/10658989709342535
Lavsdes, D. S. (2012). Cyber Security Objectives. Cyber Security Policy Guidebook, 39-67. doi:10.1002/9781118241530.ch3
Onwubiko, C. (2017). Security operations center: situation awareness, threat intelligence and cybercrime. 2017 International Conference On Cyber Incident Response, Coordination, Containment & Control (Cyber Incident). doi:10.1109/cyberincident.2017.8054636
Thompson, E. C. (2018). The Significance of Incident Response. Cybersecurity Incident Response, 1-10. doi:10.1007/978-1-4842-3870-7_1
White, R. (2018). Recent cases. Notes. Repudiatory breach and the definition of dismissal. Alcan Extrusions v Yates. Industrial Law Journal, 26(3), 252-258. doi:10.1093/ilj/26.3.252
Winkler, V. (. (, 2011). Securing the Cloud: Data Security. Securing the Cloud, 125-151. doi:10.1016/b978-1-59749-592-9.00005-1