
April 14, 2025 32 mins


Cybersecurity incidents aren't a matter of if, but when. Are you prepared to respond effectively? 

Sean Gerber takes us through the complete incident response lifecycle, breaking down the seven essential phases every security professional must master. From developing comprehensive response plans to conducting effective post-incident analysis, this episode provides actionable guidance for both CISSP candidates and working cybersecurity practitioners.

The stakes couldn't be higher for small and medium-sized businesses, with a staggering 43% of cyber attacks specifically targeting SMBs. Most lack adequate protection due to limited budgets and resources. Sean explores practical solutions including leveraging AI tools to develop baseline response plans, implementing critical security controls like multi-factor authentication, and establishing clear communication protocols for when incidents occur.

What sets this episode apart is Sean's emphasis on the human element of security. "Every employee is a sensor," he reminds us, highlighting how proper training and awareness can transform your workforce into your first line of defense. He balances technical recommendations with strategic insights, including how to approach different types of incidents from ransomware to insider threats.

Whether you're preparing for the CISSP exam or strengthening your organization's security posture, this episode delivers the perfect blend of theoretical knowledge and real-world application. The incident response process outlined here will not only help you pass certification exams but could mean the difference between a minor security event and a catastrophic breach.

Ready to transform how you prepare for and respond to cybersecurity incidents? Listen now and discover why having a tested, comprehensive incident response plan is your best defense against the inevitable attack.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.

(00:20):
Alright, let's get started. Let's go. Good morning, it's Sean Gerber with CISSP Cyber Training and I hope you all are having a beautiful day today. Today is an amazing day. We're going to be talking about the incident response process and some key factors that you need to be aware of as it relates to that. One, for taking the CISSP, and two.

(00:42):
Two, as a cybersecurity professional who is going to be helping save the planet from the evil hacker horde, and that's your ultimate goal, right? So, as you're going to pass the CISSP, you want to be out there to help people and to help companies be successful, and then, financially, you want to gain from that, right? That's all it's all about. Well, we're going to be talking about incident response and

(01:02):
kind of how the plans you should be, some key things you need to be aware of as it relates to the CISSP exam. But before we do, what I'm trying to do is bring in more content, a few articles that have been out there in the news that can help you as a CISSP and as a security professional within your organization. Also know I'm going to be making some changes, obviously,

(01:23):
to CISSP Cyber Training. It is going to stay the same, but I'm going to be launching a new podcast called Reduce Cyber Risk. I actually had used both the Reduce Cyber Risk podcast and the CISSP podcast, kind of one in the same, but I'm going to relaunch the Reduce Cyber Risk podcast to have specifically focused on SMB protection, based on small, medium-sized

(01:43):
businesses and governmental organizations that are small, that need protection from the evil hacker horde, and the ultimate goal is just to kind of help expand that exposure so that people are better prepared for the event that there's going to be a cyber incident. Because guess what? As you all are listening to this, you know it's not a matter of if, it's a matter of when. Okay, so this is an article that came out in Computer World.

(02:06):
Now this was sponsored by Cisco, so obviously it has a Cisco slant to it. But there's some key things as a security professional you need to be aware of that would really help reduce your organization's cybersecurity footprint. Right, and some of the issues they may have. Now, the comment they bring up is about 43% of cyber attacks

(02:26):
are aimed at SMBs. So if you're not familiar with an SMB, it's a small, medium-sized business. So you could have something from a small machine shop of five people up to as many as a medium-sized business, like over a billion in gross sales. So I mean that's a large organization. So you're talking a wide swath of individuals and companies that could be affected by these various attacks, and the reason

(02:49):
these SMBs are, in many cases, attacked more often than some of the larger companies. One is the larger companies can thwart it, but two, the SMBs usually don't have the same kind of budget that a medium or a large company may have. So one of the things that it's recommended is that it's increasing your technology investment, and this IDC is a

(03:11):
company that is similar to Gartner and they go out and they give recommendations on what you should do, and obviously the recommendation is that you need to have security as part of your company's mindset, their culture, and you need to invest more in the security stack that might be available out there for you. Now, as you're considering protecting your organization, one of the things we always talk about here is making sure

(03:32):
you have patches. You have all of the support requests up to date. Everything is in place to help protect your company from the various vulnerabilities that are out there. Now Cisco recommends these four main things that you should do to help deal with emerging threats, and we're just gonna briefly go over them. And we've talked about this in this overall cybersecurity, the CISSP, but one of the things is firewall and DNS

(03:56):
protection. You need to have some level of high-quality firewalls and DNS protection for your organization. Now, they obviously include their Meraki firewalls and Umbrella as their products, but you need to have something out there that's in good quality that you could use within your organization, and these firewalls could be virtual. They could be hardware-based, depending upon your organization

(04:17):
and how it is architected. It will depend a lot about what type of firewalls you want to use. But again, I know these are basic concepts, but it's important to understand that a lot of these things, if you do the basics, you will dramatically reduce the risk to your organization. Obviously, multi-factor authentication. Cisco has Duo that they use.

(04:38):
You can use Ping, any other types of multi-factor authentication that are out there. In many cases, these are very plug and play. They're designed very quickly to be integrated within a small or medium-sized business, so there's lots of opportunity there that you can do this, and it's not super expensive to integrate these type of multi-factor solutions. Another option is single sign-on.

(04:59):
Now, this is which allows you, obviously, your employees to use one set of credentials to log into multiple applications, and then that way, they don't have to remember various passwords. So that's an important part in this overall plan as well. If you have some level of single sign-on and potentially it's even incorporated within your multi-factor stack, that will help reduce the risk of employees having passwords that

(05:22):
they will reuse over and over again, which will then dramatically reduce your risk as well. So Duo, in the case of Cisco, will do all that for you, and I've used Duo in the past. Great product, works awesome, and it may give you what you actually need. Endpoint protection, obviously, when you're dealing with, do you have like a CrowdStrike or do you have a McAfee?

(05:43):
Do you have some sort of endpoint protection on? And then, do you have any VPNs that are allowing access within your environment, any virtual private networks that you have? You want to make sure that you have all of those documented and all of those well protected, I mean, and these are basic things, right? So if you're studying your CISSP, you're going, well, yeah, this is what most people should be doing, and you're right, they

(06:04):
should be doing it, but I see it time and time again that they're not doing it. So, therefore, you, as a person who's studying for your CISSP, need to come to them and provide these kind of tools to help them pass, not probably pass, well, pass the, not the test, but pass the hack that's heading their way. So, but it's up to you to help provide that information for

(06:25):
them. Okay, let's roll into what we're going to be talking about today. Okay, so, as this relates to 7.6.1 of the CISSP, okay, so, as we get started, we're going to be getting into domain 7.6.1-ish, and that's going to cover one through, I think, dot one through dot seven, but we're going to be covering the

(06:46):
incident response process from the ISC squared book on the certified information security professional, and this is chapter 17 of what you would deal with. So, if you're matching this up to what the book would have, you're going to be able to see that chapter 17. These are some of the key concepts you're going to have to know for incident response. So we're going to kind of go through each of these and how

(07:06):
you would deal with it. One, for the test, and then two, how you can transpose that information that you learn into your daily activities. So, first thing, we're going to talk about preparing. So you're going to prepare, and this is the pre-incident phase. You want to make sure that, as you are, before you even go to an organization and you're sitting there going, okay, I'm ready for my incident, you want to have an incident response

(07:28):
plan at least drafted in your mind and then put that on paper, and then from there you can help develop how do you want to deal with the overall incident if it were to happen. Now, one of the things that can be very valuable in this, and I'm a big proponent of use the technology to help you be successful, in the fact of utilize AI to help you,

(07:50):
especially if you're in a new company or you're just getting started. Utilize AI to help you create these various scenarios or these various situations that you have to help you create this best product that you could potentially get, and this comes down to incident response plan creation. I would recommend that you go out and have either Microsoft Copilot, ChatGPT, maybe Bard, create for you an

(08:16):
incident response plan. Now this response plan will gather the information on the internet, put something together, and it will put it in a paper format for you to be able to utilize it. Now it's very generic. It's not going to be enough for you to go, okay, here you go, here's my incident response plan. It's going to force you to, you're going to have to dig into it and add to it, but it's

(08:37):
a great way to give you an outline to help you create a product that you can then put within your organization. Really, you need to have a very comprehensive and detailed incident response plan that includes roles, responsibilities, communication channels and the overall escalation procedures, and this is one that we've talked about in CISSP

(08:59):
Cyber Training, is what is your plan and how are you going to execute on your plan? And then you need to test your plan, and that's one of the key factors, is around training and drills. You do need to conduct regular tabletop exercises with your various teams to test this out. Now, the teams will include when your management, but it'll also include your infrastructure folks, people that are doing

(09:20):
your IT work, your HR people and your PA, PR, you know, your public relations folks or maybe your public affairs type folks, and if you're in a small and medium-sized company, you're probably going, well, that's probably like four people and that might be all you need, but I would also recommend that you have the owner of that organization with you as well. It's important that the owner understands what is going into a

(09:42):
cyber incident and how would that person run from that or run that incident as well. So it's important that you do this and then, as you do these regular tabletops, you want to come up with different scenarios around these. Now, these could be a ransomware type scenario. These could be an insider threat type scenario. When you're talking insider threat, you're going, well,

(10:02):
how would that? Let's talk about a small, medium-sized business. What does that mean? That means maybe you have an engineer, that this engineer is thinking of leaving the company and this engineer wants to take the information that he's created working for this small company and then transpose it to another, take it to another company. You want to be able to, how would you deal with that? How would you deal with all of a sudden your entire hard drive

(10:24):
is gone because somebody copied it? Those are things that you're going to want to go through on a training so that you understand how to respond to them, both one from an internal process, but potentially even from a law enforcement situation. So those are the kind of training and drills you want to go through, and that's how you want to have that prepared in a pre-incident situation so that you're available and ready to

(10:46):
act on it once the situation would occur. You also want to consider what are some tool acquisitions and configuration pieces that you want to put in place prior to this all occurring. Now, this could be a situation where you have forensic type, analysis types of tools in place. Maybe you have a SIEM, which is your security incident event management type of tool that you have in place.

(11:07):
It could be as simple as you have a, maybe a communication process that's available, already purchased, ready to go in the event there's an issue. You may decide, you know what, I'm not going to purchase any of these things, I'm just going to, but I know what tools I'm going to use in the event something bad were to happen. Now, I wouldn't recommend that last one. I actually would recommend purchasing the products as well,

(11:30):
just because it's really hard to test it if you don't actually have it, but you're going to have to dedicate resources to go and do this. But if you integrate these tools, one, you purchase them, two, you test them, and then you test them on a frequent basis, when that situation does occur, you will have the ability to respond to it very, very quickly, much quicker than if

(11:52):
you didn't even, obviously, practice for it. Okay, so now we're going to talk about the detection, more or less the identification phase. So this comes into, you want to ensure that during this piece of this, you have in place all of the necessary tools to be able to detect there's a bad thing happening, just like we talked about with the article about Cisco.

(12:12):
You want to ensure you have firewalls in place. You want to ensure not just that they're enabled, but there's logs that are being generated from these firewalls, that are being sent to various systems and these critical systems. You could have a situation where you have the firewall up. It's maybe your internet front-facing firewall. It's up, it's limiting traffic coming into your company.

(12:32):
But let's say the bad guys or girls get into your environment. Well, if you don't have the logging enabled and it's not going into a SIEM or somebody's not monitoring it, then you may not even understand that you had an issue. When, all of a sudden, everything blows up and you're like, well, I didn't realize we had an issue. Well, yeah, because if nobody's watching the firewalls or nobody's monitoring these systems, you may not ever know.

(12:57):
Now, one thing you may think about as a security professional is it may not be where you buy the tools internally. Maybe you outsource this capability to a third party. I know CrowdStrike is a great example of this. CrowdStrike actually has a managed service provider product that will then, in turn, you can sign up for it and they

(13:18):
will manage and monitor all of your infrastructure and ensure that nothing bad will happen. This is a really good product for small, medium-sized businesses, because they just don't have the money or the resources to be able to buy all this information or buy all this infrastructure. You also want to create alerts for any sort of suspicious activity that may have attempted. Now, what you want to consider, and this is, I recommend,

(13:39):
this is why I'm not a big proponent of certifications, but I am a proponent of taking some of the courseware that goes with the certification. So, as an example, if you have individuals within your organization that maybe study for the Certified Ethical Hacker program, the certification, getting the cert is fine, but understanding the training behind the Certified Ethical

(14:01):
Hacker is really important, because you understand a bit more of how does an attacker look at an organization, and therefore you can put in place some alerts that would trigger in the event that there is a potential issue. And so that's a really important factor, is that if you, you have to understand the mind of the adversary. If you don't understand the mind of the adversary, you, odds

(14:25):
are highly likely that you will not truly be able. They will get around you. They will work around your path. One of the things, I've talked to a couple of friends of mine that are here locally that work for a strong cyber organization and they work on the red team piece of this. They're going against some companies that I've worked with in the past, and one of the comments that I've made to them

(14:46):
is, you know, most times cybersecurity professionals will look at the, they call it the low-hanging fruit, which I actually hate that term. It is stuff that's easy, right. So if you have tools that are telling you that if you fix this problem, it's a high or critical issue, then security professionals go, oh great, let's fix it. High, critical, fixed it, boom, done.

(15:07):
That's great. But what about the medium ones? And if you're an attacker, will an attacker leverage a medium vulnerability? And I will say, yes, they will do that all day long, because they know that they can do that under the wire and you won't even look for them. So I say all of this to basically be understanding the mind of an attacker is a really good thing for putting alerts in your organization to understand if somebody's trying

(15:30):
to gain access to your company, and this could be multiple failed login attempts, it could be account, service accounts that may be used at off times or off hours. All of those things can help be set up to alert for suspicious activities. The other thing is network traffic analysis. You really want to look in for any sort of network traffic that might be occurring that is out of the ordinary.

(15:52):
Do you have unexpected spikes in your network traffic? Are your IDS, your intrusion detection and prevention systems, are they flagging on potential threats, and may look like a false positive, but are they truly a false positive? Are they something that is actually legit? And so, therefore, it's important that you understand the patterns and the behaviors of these systems so that you can

(16:15):
ensure that they're properly being mitigated and monitored. And also, if you do hire out a third party to do some of this for you, it's imperative that you know your network so that you can explain to this third party what may be a false positive and what may not be a false positive. So that's just kind of something to consider. Last thing is behavior analysis, or analytics.

(16:36):
You need to understand the behaviors of your people. Do they have access to sensitive files? Are there compromised accounts that maybe they're leveraging that you didn't? Maybe there's something that's been an account with a contractor that has been dormant for a while and now that's being leveraged? Those behavioral analytics are a key factor in also discovering

(16:59):
if you have a problem. So, again, that's the detection phase. Okay, so let's roll into the response phase. Now, in the response phase, this is how do you respond in the event something were to happen. So let's say you have malware that hits your organization and it hits multiple workstations. How are you going to deal with that? Are you going to isolate it? Are you going to segregate it off?

(17:19):
Are you going to do like, I know someone in another company, when they got hacked, they just started ripping devices out of the wall. Are you going to do that? Probably wouldn't be a good idea, but maybe that's your only choice, maybe that's all you can do. So it's important. How would you isolate these infected machines on the network to prevent further spreading of the malicious software? You're

(17:41):
going to have to figure out how do you contain it. Then, when you're dealing with, how would you respond in the fact of, how would you eradicate it? So if you have a web server that's hosting it and it gets attacked and it has, being the malicious software is all over it, how would you eradicate it off of a web server? And maybe, if you have, that web server is your only front-facing server, that one is your company, everybody sees,

(18:05):
okay, so that would be bad, but it's not the end of the world, but maybe, just maybe, that's the only web server that you have that communicates with the outside world at all. That's it. So if there's any sort of EDI connections, which is your electronic data interchange, any sort of funds that are transferred between your organization and another, and

(18:25):
it's through that one web server, well, what happens? You take it down. What are you going to do now? You can't communicate outbound, you can't transfer funds. It just depends on your organization. That could be a critical piece of system that was within your company that you would have to know about. So you also want to look at how would you, would you reduce the malicious files?

(18:45):
How would you patch for vulnerabilities? And then how would you harden up the security settings for that specific server? Is that server a physical server sitting in a rack somewhere in rack space, or maybe in your own data center? Or is it a virtual server that's sitting in AWS that you can turn around and then maybe blow away and start all over again? I don't know, but that's something you have to consider

(19:06):
and know. How would you eradicate this problem from your organization? Now, the eradication could be multiple steps too. It could be something where you originally just get yourself up and operational, but then you have to go through a very arduous process of removing the software from these various systems. Then the last part of this, from eradication, is how would

(19:27):
you recover in this situation? So like say, for example, you get a denial of service attack and it hits your online web server. How would you bring this back? One, but two, how would you be able to monitor that you're not getting a DDoS attack again in the future? Now, that may require, you can do it at the server itself, but it's a really bad place to do it.

(19:48):
You may have to work with other organizations, like Cloudflare, or you may have to buy another product that does denial of service mitigations for you. So those are things you're going to have to be aware of as it relates to trying to recover from this type of an event. Now step four is the mitigation piece of this. You're gonna have to work, like we talked about, when you're mitigating this problem, a couple different areas.

(20:09):
One, you deal with workarounds, and then two, you deal with isolation. We kind of talked about this with the denial of service attack. How would you work around that denial of service attack? How would you deal with getting your products back or your systems back online? And again, it could be from Cloudflare and they're shunting all the traffic. It could be the fact is that you start out, stand up a whole new internet

(20:30):
presence and you work out of there. You're going to have to figure out what would be your temporary workaround to be able to deal with this situation. If there's a critical vulnerability, how would you patch this and how could you do a temporary patch until a permanent patch is fixed? So let's just say it's a zero day for a specific application and you know there's zero days out there.

(20:52):
You know that the application does not have a patch. How would you mitigate the problem? How would you manage the problem? Is it a front-facing website or is it internal to your organization? You may have to understand, you know what, if this server gets compromised because there's a zero day on it and it's front facing, you may want to take it down. You may not want to leave it up.

(21:13):
You may want to move it into your network and allow a reverse proxy to basically bring data into that specific server and that specific server only. So there's some different scenarios you're going to have to work through to ensure that you don't have the network compromised. You want to isolate that server from other parts to again prevent lateral movement.

(21:33):
So what does that mean? That means that if you have that server, let's say it's on the front, it's a web server and it's available to the internet, but it's got a critical vulnerability that you can't patch immediately. What could you do? These are just some options. You could bring them into your network. You could have a reverse proxy set up so that if anybody wants to gain access to this server, they have to go to a specific

(21:55):
address. That would then in turn put them into your, drop them into your network to gain access to this server. But by doing that you would also then limit that server, nothing else can communicate to that server except to the internet, and that would limit the amount of exposure of someone trying to get into your network where they could do lateral movement within your company.

(22:16):
Now that may be fine for a very short period of time, but in many cases, if it's sitting as a web server in the front on the internet, odds are high you want it to communicate with other things. So sitting it internal to your network and not being able to communicate may defeat the purpose a bit. So you're going to have to just decide, how would you manage that? And so that's where you'll work with your architects to figure

(22:37):
out what is the best course of action around it. Now, when you deal with reporting, what could you do as it relates to dealing with the report? What are some different aspects that you can come into when it comes to reporting? Well, data breach reporting, as you can see, is getting to become a huge factor, especially when it comes to regulations. I am dealing with this all the time.

(22:59):
I see this from both China, I see it from the United States and in Europe as well. There's new regulations that are coming out that are forcing security professionals to be experts in so many things. The NIS2, it's N-I-S-2, out of Europe is a huge factor in new and emerging technologies, and it's putting a lot of restrictions on companies that are putting in this technology

(23:22):
in Europe. You need to be aware of that. Well, if there's an incident that occurs, who are you going to call? Not Ghostbusters. You could call Ghostbusters, but they may not help you a lot, but when it comes to an incident, are you going to call the CEO? You want to have a plan, and this part comes down to part of the beginning, where you have an incident response process to call in the event that there is an incident.

(23:43):
I call the CEO, I call the CIO, I call IT, I call a regulator. Do I deal with a regulator that is in my space? In the United States, you have the Environmental Protection Agency. Is there a regulator you got to talk to with them? Do you have to deal with Department of Homeland Security? China, it's the MIIT. Who do you talk to there?

(24:04):
You're going to have to have all of these various types of responses planned and ready to go. You also need to make sure, though, that, if you do have it, we've mentioned this at CISSP Cyber Training multiple times, just because you have a breach does not mean you need to notify somebody immediately. Now, if they have the notification

(24:24):
requirements, yes, you need to meet whatever the compliance requirements are around breach notification, but we talked about this before. When it comes to breach notification, you need to have some lawyer friends, everybody get in a room and decide what is a breach notification. When will we do a breach notification? Reason is because that term, don't leave that up to just your

(24:50):
interpretation or the lawyer's interpretation of what it is, and have that well defined and understood by all parties. It's an important factor, one of the most important factors, I can tell you, and, as it relates to incident management, have that defined, and you know what it's like. It's like Mike Tyson said. I love this quote. He goes, you have a plan when you go in the ring until you get hit in the face, and then your plan goes out the window and you

(25:12):
have a new plan. Well, that's the same thing with this incident response process. You have a plan until the malware hits you in the face and then you come up with a new plan, but at least you've discussed the plan, so you know what you may or may not do. Actions taken, you need to have their successful phishing attack and the compromises that potentially could happen with employee credentials. You need to understand how the incident was handled and then

(25:34):
how you deal with password resets, user education and so forth. So, again, those are all the things that can happen through a reporting process relating to incident response. You also need to have some sort of lessons learned process that you would go through related to this, which we'll get into next, that's in section seven. But when you're dealing with reporting, having a lessons
next, that's in section seven.
But when you're dealing withreporting, having a lessons

(25:55):
learned plan one dealing withthe regulators and with your
senior leadership, is animportant factor as well.
Step six this is where you'redealing with recovery.
How do you recover from thesituation?
And this comes into do you haveimages that are already built
that you can recover from One?
You need to validate that.
Why it crashed, why you hadthis situation.

(26:17):
Was it because of malicioussoftware?
Was it because of maybe a newhardware update?
Was it due to somebody justhitting star dot, star, delete,
what was it?
You'll need to understand thoseand recover from that.
But do you have a plan torecover with these systems?
Is the recovery something thatis relatively simple to do?
So if you have backup systems,can you just restore from these

(26:41):
backups with a push of a button? Is it to the point where it's just, it's all images and we can restore, not a problem? That is where you want to be. That is the ultimate litmus test: that you don't have to let it worry you about business resiliency, and that you can stay operational no matter what the situation, no matter what the

(27:01):
time, what you may run into. You also need to have a monitoring plan put in place. This would deal around, do you have any sort of... If someone defaces your website, how would you know that someone defaced it? Is that just the fact that someone tells you, or do you have some sort of alerting and monitoring to let you know that that potentially could happen? You always need to make sure that you're monitoring

(27:22):
the site and you're having people tell you that if something seems out of the ordinary or different, that they alert you and let you know as soon as they possibly can. It's important that they communicate all the time and that you, as a security professional, are constantly reaching out to them, trying to get that communication going with them. Last thing is remediation and lessons learned.

(27:44):
So you want to make sure that you have some sort of remediation put in place to deal with any of these issues that may come up, and this comes down to a plan. This is your incident response plan. Part of your incident response plan may not be the fact that, okay, I'm going to respond because it's an incident. Well, what if you just discover that you have systems that are outdated, that need to be patched?

(28:04):
How are you going to respond to that? What is your patch management plan? And then also, do you have any sort of user training that's teaching people how to deal with these risks as well? This comes down to phishing incidents. How would you handle that? Do you have a process in place to teach your employees around phishing incidents and not just, okay, they discover there's an

(28:24):
incident, how do they report the incident? I try to come back to the fact that every employee is a sensor. Every employee is one that will tell you if something does not seem right within your organization. The problem with that, though, is sometimes people will report stuff that isn't necessary because they don't know, and it causes a lot of churn. But I would rather have the churn of someone reporting

(28:47):
something that is not right, that actually was a false positive, than someone that just decides not to report something that was legitimately a phish, and now I have a much bigger problem that I could have had resolved much earlier. And then the last thing, when it deals with the incident response, is your lessons learned. You want to have a plan as it relates to how would you deal

(29:09):
with lessons learned, from your postmortem to policy updates to training enhancements. So what does a postmortem mean? You go through this process when your incident is done. You walk through what happened good, what happened bad, where could we add benefit? Where could we take something away?

(29:30):
And then you make policy updates to this situation so that, when the situation occurs again, you don't make the same mistakes twice. Now, it may be a policy update, it may be the fact that you have a better communication plan with your people, but whatever that is, you make these updates. You make these changes to your organization quickly and

(29:50):
effectively so that the next time the situation occurs, you now can learn from it and move on. And then you make some training enhancements. I would highly recommend that you have some level of training for all of the people involved in the exercise that you're dealing with, this incident, as well as follow-on employees, to tell them, hey, this incident occurred, these are the findings we got out of it.

(30:10):
And here's some specific training specifically for you. Now I will tell you that sharing findings with all your employees may not be the best option. I was just going to kind of couch a little bit of what I said. Sharing the findings with the senior leadership, that's important. Sharing it with all the employees, probably not the best idea. One, you don't want them to know some of the things that

(30:33):
happen, but I would share with your employees that you did do a tabletop exercise, it was successful, and that you had some great learnings that would affect them directly. Just because they need to know that you're doing these things. One, from, I just TNO, I trust no one, but also to the fact that, you know, they need to know that you're doing these things to help protect the data, and it's their responsibility as an employee to highlight any

(30:56):
problems they run into. They, too, should bring that up to leadership and ensure that it's protected. Okay, that's all I have for today on the incident response. This again was 7.6.1. You can get this in chapter 17 of the ISC squared book, and you can go ahead and listen to this while you're reading along, and it will give you some guidance and direction.

(31:17):
All right, I hope you guys have a wonderful, wonderful day and we will catch you all on the flip side. See ya.