What is the OODA Loop?
- “Observe, Orient, Decide, Act”
- Organizations use OODA loop to determine which incident response tools to use.
What tools are in the Observe category of the OODA Loop?
- Intrusion detection systems
- Vulnerability scanners
- Availability monitoring
What are the 4 phases of an incident response plan?
PLEASE DON’T COME PLEASE
1) Planning
2) Detection and analysis
3) Containment, eradication, and recovery
4) Post-incident review
What is a cybersecurity EVENT?
- It is a singular occurrence of a change in a system or network.
- Examples include: network scans and failed login attempts that are stopped before the system is compromised.
- The change in network may come from inside or outside the organization and may result from normal operation, error, or fraud.
- It’s NOT a malicious or evil thing!
What is a cybersecurity INCIDENT?
- It involves a violation of security policies, procedures, or acceptable use policies.
- It has a negative effect on the confidentiality, integrity, or availability of an organization’s data or systems.
- There is MALICIOUS INTENT and EVIL here!
What is a post-incident analysis of a security incident?
It is an analysis that is part of an advisory (consulting) engagement and is done in order to develop recommendations for decision making
What are 3rd party losses?
They are losses suffered by customers and business partners
What is the job of an incident response manager?
- His job is to oversee all incident response team activity.
- This activity includes the detection, analysis, and containment of an incident.
- Communicate incident response requirements to relevant stakeholders
- Test the incident response plan at least annually
- Take corrective action when the incident response plan is not followed
What responsibility does an incident response manager have?
- Communicate incident response requirements to relevant stakeholders
- Declare when an incident has occurred
- Test the incident response plan annually
Why should an incident response plan include the organization’s cybersecurity insurance policy number/info?
- Because an insurance policy transfers the risk of loss to the insurance company in exchange for insurance premiums.
- Cybersecurity insurance covers 1st party losses (costs incurred directly by the organization) and 3rd party losses (liabilities owed to external people).
Which group selects members for the incident handling and incident response teams?
Senior management
What are the 3 staffing models for incident response plans?
- In-house staffed
- Partially outsourced
- Fully outsourced
How can internal and external auditors evaluate if an entity responded to cybersecurity incidents?
They can do so in accordance with a documented incident response plan
What are goals of incident response plans?
To ensure proper reporting
What are some pre-incident services offered by cybersecurity insurance companies?
- Self-assessments
- Online training
- Consultations
- Incident response planning
