----------------------- Page 1-----------------------
Introduction to Cybersecurity
----------------------- Page 2-----------------------
Incident Management
----------------------- Page 3-----------------------
Learning Objectives
By the end of this lesson, you will be able to:
Develop an incident management and response system
Explain the process of digital forensics
Describe business continuity and disaster recovery
----------------------- Page 4-----------------------
Developing an Incident Management and Response System
----------------------- Page 5-----------------------
Incident
It is an adverse event that can cause damage to an organization’s assets,
reputation, or personnel.
----------------------- Page 6-----------------------
Incident Management
The process of developing and maintaining the capability to manage incidents
within an organization.
----------------------- Page 7-----------------------
Incident Response
It is the capability to effectively prepare for and respond to unanticipated events in order to control and limit damage and maintain or restore normal operation.
----------------------- Page 8-----------------------
Incident vs Incident Management
Incident (ITIL 2011): An unplanned interruption to an IT service.
Incident Management: The process that ensures that:
● Normal service operation is restored
● Business impact is minimized
----------------------- Page 9-----------------------
Incident Response Plan
It is a set of instructions to help IT staff detect, respond to, and recover from network security incidents.
These types of plans address issues such as cybersecurity incidents, data loss, and service outages.
Callout: 300 billion passwords exist worldwide in 2020.
----------------------- Page 10-----------------------
Incident Response Plan
• Defines policies, roles, responsibilities, and actions
• Is the operational component of an incident management process
• Details actions, personnel, and activities
• Requires support from senior management
----------------------- Page 11-----------------------
Incident Management Stages
• Detect: identification of incidents
• Respond: who, how, when, why
• Mitigate: determination of the root cause
• Report: occurs at various levels
• Recover: gathering evidence
• Remediate: prevent occurrence of similar incidents
• Learn: adjustments to response strategies
----------------------- Page 12-----------------------
Incident Response Metrics
• Number of incidents
• Dwell time
• Time to contain the incidents
• Time to resolve the incidents
• Number of people affected
• Total cost required to resolve the incident
• Incidents not meeting SLAs
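These metrics can be computed mechanically from incident tickets once each ticket records when the stages were reached. The following is an added example, not from the original slides, that does so over a constructed set of incident records; the field names, the incident data and the SLA thresholds in SLA_CONTAIN_HOURS are assumptions made for illustration. Dwell time is measured here from the attacker's first known activity to detection; containment and resolution are measured from detection.

```python
"""Incident response metrics from a constructed incident log.

Added example (not from the original slides). INCIDENTS is constructed sample
data and SLA_CONTAIN_HOURS is an assumed SLA; both are illustrative only.
"""
from datetime import datetime
from statistics import mean

# Constructed sample incidents (UTC, ISO-8601). Stage timestamps:
#   first_activity: earliest attacker action established by forensics
#   detected:       the SOC opened the incident
#   contained:      the attacker lost access (host isolated, account disabled)
#   resolved:       normal service restored
INCIDENTS = [
    {"id": "INC-1", "severity": "high", "people_affected": 120, "cost_usd": 18000,
     "first_activity": "2024-03-01T02:00:00", "detected": "2024-03-01T08:00:00",
     "contained": "2024-03-01T10:00:00", "resolved": "2024-03-02T08:00:00"},
    {"id": "INC-2", "severity": "medium", "people_affected": 30, "cost_usd": 6000,
     "first_activity": "2024-03-03T00:00:00", "detected": "2024-03-05T00:00:00",
     "contained": "2024-03-06T12:00:00", "resolved": "2024-03-07T00:00:00"},
    {"id": "INC-3", "severity": "low", "people_affected": 0, "cost_usd": 500,
     "first_activity": "2024-03-10T12:00:00", "detected": "2024-03-10T12:00:00",
     "contained": "2024-03-10T13:00:00", "resolved": "2024-03-10T18:00:00"},
]

# Assumed SLA: maximum hours from detection to containment, by severity.
SLA_CONTAIN_HOURS = {"high": 4, "medium": 24, "low": 72}

STAGE_ORDER = ("first_activity", "detected", "contained", "resolved")


def hours_between(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def incident_metrics(inc: dict) -> dict:
    """Per-incident metrics. Records whose stages are out of order are rejected:
    that usually means a timestamp was entered in the wrong time zone, and a
    negative containment time would silently flatter the averages."""
    stamps = [datetime.fromisoformat(inc[k]) for k in STAGE_ORDER]
    if stamps != sorted(stamps):
        raise ValueError(f"{inc['id']}: stage timestamps are not in order")
    contain_h = hours_between(inc["detected"], inc["contained"])
    return {
        "id": inc["id"],
        "dwell_hours": hours_between(inc["first_activity"], inc["detected"]),
        "contain_hours": contain_h,
        "resolve_hours": hours_between(inc["detected"], inc["resolved"]),
        "sla_met": contain_h <= SLA_CONTAIN_HOURS[inc["severity"]],
    }


def summarize(incidents: list) -> dict:
    """Programme-level view: the numbers a response lead reports upward."""
    rows = [incident_metrics(i) for i in incidents]
    return {
        "incident_count": len(rows),
        "mean_dwell_hours": mean(r["dwell_hours"] for r in rows),
        "mean_contain_hours": mean(r["contain_hours"] for r in rows),
        "mean_resolve_hours": mean(r["resolve_hours"] for r in rows),
        "people_affected": sum(i["people_affected"] for i in incidents),
        "total_cost_usd": sum(i["cost_usd"] for i in incidents),
        "sla_missed": [r["id"] for r in rows if not r["sla_met"]],
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

Averages hide outliers: INC-2 alone carries a two-day dwell time and the only SLA miss, so a report should list the misses by ticket alongside the means, as summarize() does.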
----------------------- Page 13-----------------------
Incident Management Team (IMT)
Team training prepares a group of individuals to function together as an
Incident Management Team or IMT.
----------------------- Page 14-----------------------
Incident Management Team (IMT)
Training programs for the IMT
• Induction to the IMT
• Formal training
• On-the-job training
• Mentoring teams
----------------------- Page 15-----------------------
Gap Analysis
Assesses the difference between where a capability stands today and where it needs to be (for example, the organization's current incident management process versus the process its policy requires).
Current state
Desired state
Gap analysis provides information on the actions required to close the gap.
----------------------- Page 16-----------------------
Gap Analysis
Compare the current state with the desired state to identify:
• Processes that need to be improved
• Resources needed to achieve the objectives
----------------------- Page 17-----------------------
Digital Forensics
----------------------- Page 18-----------------------
Digital Forensics
Digital forensics is the process of revealing and interpreting electronic data: it recovers and investigates the information found in digital devices.
----------------------- Page 19-----------------------
Goal of Digital Forensics
Examine digital media to identify, analyze, preserve, recover, and
present facts and opinions about digital information.
----------------------- Page 20-----------------------
Forensics Investigation Process
Identification → Preservation → Collection → Examination → Analysis → Presentation → Decision
Goal: Preserve any evidence in its most original form while performing a structured investigation.
----------------------- Page 21-----------------------
Forensic Process Best Practices
• Ask the investigator to work only on the secondary image
• Store the primary image in a library
• Timestamp evidence to show when it was collected
• Capture deleted files, slack space, and unallocated clusters through the original image
• Ensure the destination is sanitized before collecting the images
----------------------- Page 22-----------------------
Forensics Investigative Assessment Types
Four assessment types: network analysis, media analysis, software analysis, and hardware/embedded device review.
Network analysis:
• Traffic analysis
• Log analysis
• Path tracing
----------------------- Page 23-----------------------
Forensics Investigative Assessment Types
Media analysis:
• Disk imaging
• Timeline analysis
• Registry analysis
• Volume shadow analysis
----------------------- Page 24-----------------------
Forensics Investigative Assessment Types
Software analysis:
• Reverse engineering
• Malicious code review
• Exploit review
----------------------- Page 25-----------------------
Forensics Investigative Assessment Types
Hardware/Embedded device review:
• Dedicated appliance attack points
• Dedicated memory inspections
• Firmware
----------------------- Page 26-----------------------
Digital Evidence
It is defined as information and data of value to an investigation that is stored, received, or transmitted by an electronic device.
----------------------- Page 27-----------------------
Digital Evidence
• Stored and transmitted in binary form
• Associated with electronic crime
• Commonly found in digital devices
• Used to prosecute crimes
----------------------- Page 28-----------------------
Digital Evidence: Admissible in Court
The evidence should be: relevant, complete, sufficient, and reliable.
----------------------- Page 29-----------------------
Evidence Life Cycle
• Collection and identification
• Storage, preservation, and transportation
• Presentation in court
• Return of evidence to owner
----------------------- Page 30-----------------------
Chain of Custody
It is the chronological documentation of who handled a piece of evidence, and how, from the moment it is gathered at the crime scene until it is presented or returned.
----------------------- Page 31-----------------------
Chain of Custody
• It is a history that shows how the evidence was collected, analyzed, transported, and preserved
• It should follow the evidence through its entire life cycle
• The copies created should be independently verified and tamperproof
• The evidence must be labeled with information on who secured and validated it
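The forensic best practices from the earlier slides (work only on a verified secondary image, keep the primary in the library, sanitize the destination, capture unallocated space) and the chain-of-custody rules above can be exercised together in code. The following is an added example, not from the original slides, that images a constructed in-memory stand-in for a disk, verifies the working copy by hash, and keeps a custody log in which every entry carries the hash of the previous one; the device bytes, the examiner name, and the CustodyLog class and helper names are assumptions made for illustration.

```python
"""Imaging, verification and chain of custody on a constructed device.

Added example, not from the original slides. It exercises the forensic best
practices and chain-of-custody rules on an in-memory stand-in for a disk:
DEVICE and STALE_DESTINATION are constructed bytes, and the examiner name,
CustodyLog class and helper names are this example's own.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed "disk". Bytes after the first NUL stand in for deleted data in
# unallocated space: a file-level copy misses it, a bit-for-bit image keeps it.
DEVICE = b"ALLOCATED:invoice.pdf\x00UNALLOCATED:deleted-ssh-key" + b"\x00" * 16

# Constructed reused destination drive still holding a previous case's data.
STALE_DESTINATION = bytearray(b"OLD-CASE-DATA" * 5)

GENESIS = "0" * 64  # prev-hash value carried by the first custody entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sanitize(dest: bytearray) -> bool:
    """Zero-fill the destination media and confirm nothing stale remains."""
    dest[:] = bytes(len(dest))
    return not any(dest)


def acquire_image(device: bytes, dest: bytearray) -> bytes:
    """Bit-for-bit copy of the whole device into a sanitized destination."""
    if any(dest):
        raise RuntimeError("destination not sanitized; refusing to image onto stale data")
    if len(dest) < len(device):
        raise RuntimeError("destination smaller than device; image would be truncated")
    dest[: len(device)] = device
    return bytes(dest[: len(device)])


def working_copy(primary: bytes) -> bytes:
    """Secondary image for the investigator; the primary stays in the library
    untouched. The copy is accepted only if it hashes identically."""
    secondary = bytes(primary)
    if sha256_hex(secondary) != sha256_hex(primary):
        raise RuntimeError("secondary image does not match primary")
    return secondary


class CustodyLog:
    """Chronological custody record. Each entry embeds the hash of the previous
    entry, so editing, inserting or removing an entry later breaks verify()."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def add(self, actor: str, action: str, evidence_sha256: str, when=None) -> dict:
        entry = {
            "seq": len(self.entries),
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "evidence_sha256": evidence_sha256,
            "prev_entry_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for seq, e in enumerate(self.entries):
            if e["seq"] != seq or e["prev_entry_hash"] != prev or self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def run_acquisition(device: bytes = DEVICE, dest: bytearray = None, examiner: str = "examiner-1") -> dict:
    dest = bytearray(STALE_DESTINATION) if dest is None else dest
    log = CustodyLog()
    source_hash = sha256_hex(device)
    log.add(examiner, "hash source device before imaging", source_hash)
    sanitize(dest)
    primary = acquire_image(device, dest)
    log.add(examiner, "acquire primary image into library", sha256_hex(primary))
    secondary = working_copy(primary)
    log.add(examiner, "create verified working copy for analysis", sha256_hex(secondary))
    log.add(examiner, "re-hash source device after imaging", sha256_hex(device))  # shows source unaltered
    return {"source_sha256": source_hash, "primary": primary, "secondary": secondary,
            "unallocated_captured": b"deleted-ssh-key" in primary, "log": log}
```

Hash-chaining the log only makes tampering detectable, not impossible: an examiner who rewrites every later entry can rebuild the chain, so in practice the latest entry hash is also recorded somewhere the examiner cannot edit (a signed timestamp, a write-once log, or a second custodian's copy).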
----------------------- Page 32-----------------------
Business Continuity and Disaster Recovery (BCDR)
----------------------- Page 33-----------------------
Business Continuity Planning and Disaster Recovery
Business continuity planning: having a plan to deal with major disruptions.
Disaster recovery: an organization’s ability to recover from a disaster.
----------------------- Page 34-----------------------
Seven Phases of a Business Continuity Plan
The seven phases of a business continuity plan form a structured arrangement of critical processes that allows business activities to continue after an emergency.
----------------------- Page 35-----------------------
Seven Phases of a Business Continuity Plan
Develop a business continuity plan policy
Conduct a business impact analysis
Establish recovery targets
Develop recovery and continuity strategies and plans
Test recovery and continuity plans and procedures
Train personnel
Update and maintain the plan periodically
----------------------- Page 36-----------------------
Business Impact Analysis
It is a systematic process to determine and evaluate the potential effects of an
interruption to critical business operations.
----------------------- Page 37-----------------------
Disaster Recovery Sites
Inputs that shape the choice of disaster recovery site:
• Acceptable risk
• Risk tolerance
• Key business processes
• Business impact analysis
• Structure and culture
• Critical IT and physical resources
----------------------- Page 38-----------------------
Disaster Recovery Sites
It is a facility that an organization uses to recover and restore its technology
infrastructure and operations.
Its design is driven by two targets: the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO).
----------------------- Page 39-----------------------
Recovery Time Objective
It is the maximum desired length of time allowed between an unexpected failure and the resumption of normal operations.
----------------------- Page 40-----------------------
Recovery Point Objective
It is the maximum tolerable amount of data loss, measured as the time between the last good backup and the onset of the disaster.
----------------------- Page 41-----------------------
Maximum Tolerable Downtime
It is the maximum length of time a business process can be unavailable before the consequences become irreversible; the RTO must be shorter than the MTD.
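The three targets constrain each other, and plan documents often get the relationships wrong: an RPO tighter than the backup interval cannot be met, and an RTO longer than the MTD promises a recovery that arrives after the damage is permanent. The following added example, not from the original slides, checks a constructed disaster recovery plan for both inconsistencies and then measures a constructed outage against the targets; the system names, schedules, targets and timestamps are all assumptions.

```python
"""Recovery target checks: RPO, RTO and MTD on a constructed DR plan.

Added example, not from the original slides. SYSTEMS and the outage
timestamps are constructed. The checks follow from the definitions: the
backup interval bounds the achievable RPO, and the RTO must sit below the
MTD or the plan accepts irreversible harm.
"""
from datetime import datetime

# Constructed plan; all values in hours.
SYSTEMS = {
    "payments-db":   {"backup_interval_h": 1,  "rpo_h": 1,  "rto_h": 4,  "mtd_h": 8},
    "hr-portal":     {"backup_interval_h": 24, "rpo_h": 4,  "rto_h": 24, "mtd_h": 72},
    "intranet-wiki": {"backup_interval_h": 24, "rpo_h": 24, "rto_h": 96, "mtd_h": 72},
}


def plan_findings(name: str, s: dict) -> list:
    """Static checks on the targets themselves, before any outage happens."""
    findings = []
    if s["backup_interval_h"] > s["rpo_h"]:
        findings.append(
            f"{name}: RPO of {s['rpo_h']}h is unachievable with backups every "
            f"{s['backup_interval_h']}h; worst-case loss is {s['backup_interval_h']}h"
        )
    if s["rto_h"] > s["mtd_h"]:
        findings.append(
            f"{name}: RTO of {s['rto_h']}h exceeds MTD of {s['mtd_h']}h; "
            "recovery would finish after irreversible consequences set in"
        )
    return findings


def review_plan(systems: dict) -> list:
    return [f for name, s in systems.items() for f in plan_findings(name, s)]


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def outage_report(name: str, s: dict, last_good_backup: str, failure: str, restored: str) -> dict:
    """Measure an outage against the targets. Data loss is the gap from the
    last good backup to the failure; downtime is the gap from the failure to
    restoration. Note that an outage can meet its RTO and still exceed the
    MTD when the plan itself is inconsistent."""
    data_loss_h = _hours(last_good_backup, failure)
    downtime_h = _hours(failure, restored)
    return {
        "system": name,
        "data_loss_h": data_loss_h,
        "rpo_met": data_loss_h <= s["rpo_h"],
        "downtime_h": downtime_h,
        "rto_met": downtime_h <= s["rto_h"],
        "mtd_exceeded": downtime_h > s["mtd_h"],
    }


if __name__ == "__main__":
    for finding in review_plan(SYSTEMS):
        print("finding:", finding)
    print(outage_report("payments-db", SYSTEMS["payments-db"],
                        "2024-03-01T10:00:00", "2024-03-01T10:45:00", "2024-03-01T13:45:00"))
```

The intranet-wiki entry shows why the static check matters: a 78-hour outage satisfies its 96-hour RTO on paper while already being past the 72-hour MTD.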
----------------------- Page 42-----------------------
Types of Disaster Recovery Sites
• Cold site: space, power, and connectivity only; equipment must be delivered and configured before recovery can begin, so it supports the longest RTOs at the lowest cost
• Warm site: equipment installed and partially configured, with data restored from backups at failover time
• Hot site: fully equipped, configured, and kept close to synchronized with production, so it supports the shortest RTOs and RPOs at the highest cost
----------------------- Page 43-----------------------
Disaster Recovery Testing
It examines each step in the Disaster Recovery Plan.
----------------------- Page 44-----------------------
Types of Disaster Recovery Testing
• Document review
• Walk-through test
• Simulation test
• Parallel test
• Cutover test
----------------------- Page 45-----------------------
Cloud, Virtualization, BYOD, and IOT Security
----------------------- Page 46-----------------------
Virtualization
It is a technology that enables multiple operating systems to run side by side on the same processing hardware. Its benefits include:
• Flexibility
• Performance
• Cost
• Reliability
• Scalability
----------------------- Page 47-----------------------
Virtualization
It adds a software layer between an operating system and underlying computer
hardware.
----------------------- Page 48-----------------------
Virtualization
Pros:
• Efficient use of hardware
• Higher availability and lower cost
Cons:
• The host is a single point of failure for every guest running on it
• Weaker security and privacy than dedicated hardware, since guests share one hypervisor
----------------------- Page 49-----------------------
Hypervisor
It is the software layer that separates computer operating systems and applications from the physical hardware.
----------------------- Page 50-----------------------
Hypervisor
It shares the host machine's resources (memory, network bandwidth, CPU cycles) among the guests to maximize the effective use of computing resources.
----------------------- Page 51-----------------------
Hypervisor
Host-based virtual machine: an instance of a desktop operating system that runs on a centralized server.
Guest virtual machine: a virtual machine that is installed, executed, and hosted on the local physical machine.
----------------------- Page 52-----------------------
Case Study: Hypervisor Attack
Blue Pill: Joanna Rutkowska's 2006 rootkit, software that installs itself as a thin hypervisor beneath the running operating system. The original OS continues as a guest without noticing, while the hypervisor controls the machine under it and intercepts the communication between the guest machine and the host machine.
----------------------- Page 53-----------------------
Cloud Computing
It is the use of remote servers on the internet to store, manage, and process data.
----------------------- Page 54-----------------------
Cloud Computing Characteristics
• On-demand access
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured services
----------------------- Page 55-----------------------
Categorization of Cloud: Service Categories
Cloud computing can be broken down into three main service categories:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
----------------------- Page 56-----------------------
Categorization of Cloud: Deployment Categories
• Public cloud: computing infrastructure that offers cloud services to the general public
• Private cloud
• Hybrid cloud
• Community cloud
----------------------- Page 57-----------------------
Categorization of Cloud: Deployment Categories
Private cloud: a cloud infrastructure dedicated to a single organization.
----------------------- Page 58-----------------------
Categorization of Cloud: Deployment Categories
Hybrid cloud: derived from both public and private clouds.
----------------------- Page 59-----------------------
Categorization of Cloud: Deployment Categories
Community cloud: an infrastructure shared between organizations to share data (for example, government bodies within a country); it may be located on premises or off premises.
----------------------- Page 60-----------------------
Cloud Security Challenges
• Multitenancy
• Privacy
• Multiple jurisdictions
• Virtualization complexity
----------------------- Page 61-----------------------
Bring Your Own Device
It refers to the policy of permitting employees to bring their personal devices to work and use them for work purposes. Related variants:
• BYOT: bring your own technology
• BYOPC: bring your own personal computer
• BYOP: bring your own phone
----------------------- Page 62-----------------------
Bring Your Own Device: Security
Mobile Device Management (MDM): security software used by an IT department to monitor, manage, and secure employees' mobile devices.
----------------------- Page 63-----------------------
Bring Your Own Device: Security
Enterprise Mobility Management (EMM): similar to mobile device management but broader in scope; it manages the organization's entire estate of mobile devices together with the applications and data on them.
----------------------- Page 64-----------------------
IoT (Internet of Things)
Internet of Things (IoT) is the network of devices that connect, interact, and
exchange data.
----------------------- Page 65-----------------------
IoT Security Challenges
• Insufficient testing and updating
• Brute-forcing of weak or default credentials
• IoT malware and ransomware
• Data security and privacy concerns
----------------------- Page 66-----------------------
Key Takeaways
Incident management is a process of developing and maintaining the
capability of managing incidents within an organization.
Digital forensics examines digital media with the aim of
identifying, preserving, recovering, analyzing, and presenting
facts and opinions about digital information.
Business continuity deals with major disruptions, whereas disaster
recovery is an organization’s ability to recover from a disaster
and/or unexpected events and resume operations.