Block 4 Part 2 Incident management - Coggle Diagram
Last week you studied security operations, which broadly speaking include many of the proactive steps that can be taken to reduce the number and impact of security incidents. It is important to acknowledge that, regardless of the level of planning and mitigations put in place, incidents will almost certainly still occur. When an incident does arise, an important step an organisation must take is deciding how to respond to and manage the incident. An inadequate response can have significant ramifications for the organisation, such as damage to reputation and loss of customers. A humorous example of responding poorly to an incident is shown in Figure 4.23.
Responding poorly to an incident
A three pane Dilbert cartoon is shown. In the first pane, Dilbert, The Boss and Alice are shown seated at a table. The Boss is saying, “Our customers are complaining because we let hackers get their personal data”. In the second pane an exterior view of the office is shown with The Boss continuing to say, “So we’ve decided to change the name of the company and wear disguises until it all blows over”. In the final pane on the far right The Boss is attaching a fake moustache to his face and is seen passing a bag of fake moustaches to Alice. Whilst doing this he is saying, “Take a moustache from the bag and pass it round”.
This week will start in Section 1 with exploring what is meant by ‘incident management’. A brief overview of the various guidance available on incident management is provided in Section 2, with a particular focus on one widely adopted approach.
1 Defining incident management
It is important to understand what is meant by an ‘incident’. This section will explore this, as well as extending it to the context of incident management. The section will close with a review of the aims of incident management.
A process that spans the entire life cycle of an incident. Typical activities that take place during this process include liaising with incident response teams and external stakeholders, such as senior managers, news media, lawyers and regulatory authorities.
A process that focuses upon detecting, reporting, assessing, responding, dealing with and learning from incidents.
resulting in the potential disclosure of an
Any observable event (malicious or benign), such as a user connecting to a network share, an employee opening a door using a Radio-Frequency Identification (RFID) card, or a website being taken offline.
Something that is of value to an organisation or individual.
1.1 What is an incident?
The concept of an ‘incident’ was first introduced in Block 1 Part 1, where it was defined as: Incident – a security event that potentially compromises an individual or organisation.
An important phrase in this definition is . In any organisation, numerous observable events take place on a routine basis. Examples include a user connecting to a network share, an employee opening a door using a Radio-Frequency Identification (RFID) card, a website being taken offline, a visitor being granted access to a building, a firewall blocking a small-scale port scan from outside the perimeter, and a user’s permissions on a network resource being elevated. While any of these examples could be malicious, they can also be part of normal, benign behaviour. For example, port scans are sometimes performed by an internet service provider as part of their monitoring and are not malicious (although there can sometimes be legal ambiguity with such practices).
It is helpful, therefore, to differentiate events that are benign from those that compromise an individual or organisation. You can think of ‘compromise’ here as meaning ‘having an unplanned and adverse impact on the confidentiality, integrity and availability (CIA) of an individual or organisation’. Note the emphasis on ‘unplanned’. Events that are planned, such as the maintenance of a server that requires a reboot, impact on availability but are not considered an ‘incident’.
A key concept in the CIA Triad, confidentiality is the property that information is only made available or disclosed to authorised individuals, entities or processes.
A key concept in the CIA Triad, integrity is the property of safeguarding the accuracy and completeness of assets against unauthorised access or modification.
A key concept in the CIA Triad, availability is the property of being accessible and usable on demand by an authorised entity.
It is easy to think of incidents as taking place over a short period of time but this isn’t always the case. In early 2020, the outbreak of the COVID-19 pandemic led to a significant and extended impact on many organisations; for example, the UK government requirement that all employees must work from home during lockdowns, where possible. Working from home during the COVID-19 pandemic is discussed in the following case study.
Case study – Working from home under COVID-19
Photograph of an adult woman working from home using a laptop and making a phone call. Two children are shown in the background.
1.2 What is incident management?
An important point to note is that incidents are inevitable in any organisation, regardless of how many mitigating and risk avoidance measures are taken. Rather than aspiring to have no incidents (which is unrealistic), organisations should seek to improve their resilience. In practice, this means organisations need to develop and regularly review policies and procedures designed to minimise the impact of any incidents (you will encounter more on these preparations in Section 2.2).
When they happen, incidents can have an impact in one or more areas. The impact of the WannaCry attack (discussed in Block 1 Part 2) was felt in the areas outlined in Table 4.8 below.
Table 4.8 Example impact areas of the WannaCry incident