by
Naeif Ibrahim
A Capstone Project Submitted to the Faculty of
Utica College
May 2021
Abstract
organization to better address internal and external threats. The project answered the following
incident response plans? How does implementing an incident response plan help organizations
prevent or mitigate internal and external network threats? How should an incident response team
be structured? As technology advances, new cyber threats emerge and are becoming more
complex. Resolving an incident as quickly as possible is important in reducing the damage it
can cause. The problem is that organizations are unprepared to handle incidents properly due to
an inadequate or missing incident response capability. To protect the organization from
incidents, the project discusses structuring an incident response team depending on the size and
resources of the organization. With a cybersecurity policy in place, personnel will understand
their roles and the procedures in place to act immediately when an incident occurs. Organizations
prepares organizations’ personnel to properly deal with network threats. Staff will know how to
isolate and discover the severity of an incident. Then, the staff will contain and eradicate the
underlying causes of the network threat to recover systems and networks. A well-organized
incident response plan is important in protecting sensitive data, assets, customer information,
Table of Contents
Statement of the Problem ................................................................................................................ 1
Growing Concerns with Legislation and Policy ......................................................................... 5
Literature Review............................................................................................................................ 8
Incident Response Team Structure ........................................................................................... 10
Incident Team Experience and Roles ................................................................................... 13
Preparation ................................................................................................................................ 14
Identification ............................................................................................................................. 16
Containment .............................................................................................................................. 17
Investigation .............................................................................................................................. 20
Eradication ................................................................................................................................ 20
Recovery ................................................................................................................................... 21
Post-Incident Activity ............................................................................................................... 21
Discussion of the Findings ............................................................................................................ 23
Cybersecurity Issues and Being Unprepared ............................................................................ 24
Developing an Incident Response Team................................................................................... 26
Recommendations ................................................................................................................. 27
Mitigating Risks with an Incident Response Plan .................................................................... 28
Recommendations ................................................................................................................. 29
Conclusion .................................................................................................................................... 30
References ..................................................................................................................................... 33
Statement of the Problem
The purpose of this research project was to evaluate incident response plans to provide
recommendations for organizations to better address internal and external network threats. The
project intended to answer the following questions: What issues do organizations encounter due
to inadequate or unimplemented incident response plans? How does implementing an incident
response plan help organizations prevent or mitigate internal and external network threats? How
Peer-reviewed scholarly articles, journals, and books were utilized for this research paper.
In addition, the National Institute of Standards and Technology (NIST) framework was utilized
in gathering information on an effective incident response plan. This project will benefit both
organizations and individuals that are interested in incident response plans. Organizations that
utilize the Internet of Things (IoT) to conduct business and other needs will benefit from this
research. As this project explored the effectiveness of an incident response plan to prepare for
incident response. Attacks linked to cybersecurity have not only been more frequent and
complex, but also more destructive and disruptive. New forms of incidents related to security are
frequently emerging. Preventive measures based on the outcome of risk assessments can
minimize the number of incidents, but it is not possible to avoid all incidents. Therefore, an
incident response capability is needed to identify incidents quickly, reducing damage and
et al., 2012).
When information is the primary target, hackers attempt to steal the data. However, the
recent trends suggest that they are seeking to damage data integrity instead of exfiltrating it.
Methods of attack are also developing. Cyber criminals target and attempt to exploit human error
in a system to gain access even when the targeted system has many security
measures in place. This illustrates that humans are the weakest and most frequently targeted
Cyber-attacks, for different reasons, are inevitable from an organizational viewpoint. One
explanation is that companies do not detect all potential exploits and they cannot remove the
human element, the weakest link in the cyber security process. Therefore, to reduce the impact
on their businesses when attacks occur, they need to take not only preventive steps, but also
corrective measures to deal with cyber-attacks in various ways. The goal of incident management
frameworks is to reduce the possible harm from network and human error incidents and to
recover faster from such events (Shinde & Kulkarni, 2021).
A weak incident response plan or no incident response plan can lead to legal
repercussions, loss of sales, brand harm, and loss of consumer confidence. Such issues could call
into question the survival chances of a business following a serious cyber security attack. The
U.S. retail chain Target encountered a serious cyber security attack in 2013. A lack of internal
control and incident response preparation was the principal cause of the attack. The legal
ramifications and compensation from the incident eventually cost $18.5 billion to resolve
The Equifax data breach that occurred in 2017 caused significant harm to their brand.
The event resulted in a breach of the data of 147 million customers of Equifax. The organization
made the mistake of not disclosing the specifics of the data breach with their clients at the right
time due to the lack of incident management planning. This incited customer frustration that led
to a court dispute and a settlement of lawsuits where Equifax ended up paying the individuals
investment advisor, was charged $75,000 by the Securities and Exchange Commission (SEC) for
failing to set up the necessary cybersecurity policies and procedures in advance of a July 2013
breach. After an unknown hacker infiltrated R.T. Jones’ third-party vendor, the
attacker obtained access to sensitive information and compromised the personally identifiable
information (PII) of nearly 100,000 people, including thousands of customers of the company.
The incident left the customers of R.T. Jones exposed to fraud and theft and led to the decision of
the SEC that the firm had broken Rule 30(a) of Regulation S-P under the US Securities Act of 1933.
According to the former Co-Chief of the SEC Enforcement Division’s Asset Management Unit,
Marshall S. Sprung, “Firms must adopt written policies to protect their client’s private
information and they need to anticipate potential cyber security events and have clear procedures
in place rather than waiting to react once a breach occurs” (Reuvid, 2018, sec. 1.3).
In February 2015, Kaspersky Lab and Interpol reported that approximately $1 billion was
stolen over a two-year period from financial institutions globally by a cyber-criminal group made
up of members from China, Ukraine, and Russia. The Moscow-based security company called
the crime crew Carbanak. The criminal case demonstrates that financial institutions are as
susceptible to cyber-attacks as retailers that carry card information or telcos and utilities among
preparedness when it comes to withstanding and recovering from a cyber-attack. The study
found that an overwhelming majority of surveyed entities are still unprepared to react
appropriately to cyber threats, with seventy-seven percent of respondents suggesting that they do
not have a consistently implemented cybersecurity incident response plan throughout their
business. Around fifty-four percent of the organizations surveyed that have a plan in place do not
routinely test their plans, which can make them less equipped to handle effectively the dynamic
processes and collaboration that may take place during an attack. However, studies show that
enterprises that can react rapidly and effectively to contain a cyber incident within thirty days save
over $1 million on the overall cost of a data intrusion on average. The study concluded in 2019
constant (Lalan, 2019).
The study also examined the effect of automation on cyber resilience. Automation refers
to enabling security technologies that augment or replace human intervention in identifying and
containing cyber vulnerabilities or breaches. These technologies are based on machine learning,
artificial intelligence, analytics, and orchestration. Only twenty-three percent of
respondents said they were heavy automation users, while seventy-seven percent said their
companies only use automation moderately, insignificantly, or not at all. Companies that use
automation heavily can prevent, detect, respond to, and contain a cyber incident faster than the
resilience, as companies that have completely implemented security automation have saved $1.5
million on the overall price of a cyber intrusion, compared to organizations that have not
leveraged automation, which incurred a higher total cost of a cyber incident (Lalan, 2019).
companies indicated that their ability to efficiently handle resources and needs was hampered by
a lack of personnel. Survey respondents suggested that they lack the number of staff to
adequately manage and evaluate their incident response plans. Moreover, only thirty percent of
participants reported that cybersecurity staffing is adequate to ensure a high level of cyber
high or high in recruiting and retaining professional cybersecurity staff. Adding to the difficulty
of skills, almost half of the participants (forty-eight percent) stated their company implements
too many different protection methods, increasing organizational uncertainty and decreasing
Cyber-attacks have escalated since 1988, and many cybersecurity problems encountered
since the turn of the century are still troublesome. Although technical capabilities have increased
by leaps and bounds, security mechanisms and protocols struggle to stay current with the rapidly
evolving field. They are often rendered useless quicker than new software and hardware can be
Homeland Security and Government Affairs, which exposed alarming statistics about the government’s
inability to keep security threats under control, was published. The study suggests that
government networks were the victim of 48,000 identified cyberattacks, including thousands
more unsuspected incidents. In addition, only four out of ten cyber breaches are identified by
civilian authorities, and with reporting to the public becoming much worse, most attacks are
unknown to the public, except on rare occasions when hackers publish their attacks. Although
different organizations are vulnerable to these cyber threats, the recurring theme among them is
that the intrusions usually exploit common and fixable vulnerabilities. Out-of-date
Reproduced with permission of copyright owner. Further reproduction prohibited without permission.