
Lesson 2: Hardware and Software 

A. Hardware:

Hardware refers to the physical elements of a computer. This is also sometimes called the machinery or the
equipment of the computer. Examples of hardware in a computer are the keyboard, the monitor, the mouse
and the central processing unit. However, most of a computer's hardware cannot be seen; in other words, it
is not an external element of the computer, but rather an internal one, surrounded by the computer's casing
(tower). A computer's hardware comprises many different parts, but perhaps the most important of
these is the motherboard. The motherboard is made up of even more parts that power and control the
computer.

In contrast to software, hardware is a physical entity. Hardware and software are interdependent: without
software, the hardware of a computer would have no function, and without hardware to perform the tasks
directed by software via the central processing unit, software would be useless.

Hardware is limited to specifically designed tasks that are, taken independently, very
simple. Software implements algorithms (problem solutions) that allow the computer to complete much
more complex tasks.

[Figure: personal computer hardware]

B. Software

Software, commonly known as programs or apps, consists of all the instructions that tell the hardware how
to perform a task. These instructions come from a software developer in the form that will be accepted by
the platform (operating system + CPU) that they are based on. For example, a program that is designed for
the Windows operating system will only work for that specific operating system. Compatibility of software
will vary as the design of the software and the operating system differ. Software that is designed for
Windows XP may experience a compatibility issue when running under Windows 2000 or NT.

Software is capable of performing many tasks, as opposed to hardware, which can only perform the mechanical
tasks it is designed for. Software provides the means for accomplishing many different tasks with
the same basic hardware. Practical computer systems divide software systems into two major classes:

BSTM-II APPLIED BUSINESS TOOLS & TECHNIQUES


Defining Business Tools, bizfluent.com; Kevin Beaver, Principle Logic, LLC, Published: 28 Jun 2019
• System software: Helps run the computer hardware and computer system itself. System software
includes operating systems, device drivers, diagnostic tools and more. System software is almost
always pre-installed on your computer.
• Application software: Allows users to accomplish one or more tasks. It includes word processing,
web browsing and almost any other task for which you might install software. (Some application
software is pre-installed on most computer systems.)

Software is generally created (written) in a high-level programming language, one that is (more or less)
readable by people. These high-level instructions are converted into "machine language" instructions,
represented in binary code, before the hardware can "run the code". When you install software, it is
generally already in this machine language, binary, form.

C. Firmware

Firmware is a very specific, low-level program for the hardware that allows it to accomplish some specific
task. Firmware programs are (relatively) permanent, i.e., difficult or impossible to change. From the higher-
level view of software, firmware is just part of the hardware, although it provides some functionality beyond
that of simple hardware.

Firmware is part of devices (or device components) such as a video card, sound card, disk drive and even the
motherboard. The AMIBIOS image to the right is from a Baby AT Motherboard.

C. Introduction to Computers

Types of Computers

• Supercomputer

Supercomputers are fast because they are actually many computers working together.

Supercomputers were introduced in the 1960s as the world's most advanced computers. These
computers were used for complex calculations such as forecasting weather and quantum physics. Today,
supercomputers are one of a kind; they are fast and very advanced. The term supercomputer is always
evolving, as tomorrow's normal computers are today's supercomputers. As of May 2011, Sunway TaihuLight
is ranked on the TOP500 list as the fastest supercomputer. It consists of 40,960 CPUs, each with 256
processing cores (a quad-core has four). Although it is energy efficient, supercomputers are still
room-sized machines.

• Mainframe

Mainframes are computers in which all the processing is done centrally, and the user terminals are
called "dumb terminals" since they only input and output (and do not process). In modern systems, a PC
or a web app often acts as the dumb terminal.

Mainframes are computers used mainly by large organizations for critical applications, typically bulk
data processing such as a census. Examples: banks, airlines, insurance companies, and colleges. They
support hundreds of users simultaneously.

At SRU, the mainframe handles registration, records, reports, and various Human Resource functions.
You are much more likely to use a mainframe in your professional career (today) than a supercomputer.

Today, mainframes exist as a concept more than as hardware. (NASA unplugs last mainframe.)

D. Server

Servers are similar to mainframes in that they serve many uses with the main difference that, usually,
the users (called clients) do much of their own processing. The server processes are devoted to sharing
files and managing access rights.

A server is a central computer that contains collections of data and programs. Also called a network
server, this system allows all connected users to share and store electronic data and applications. Two
important types of servers are file servers and application servers.

An application server hosts various applications or programs that you can use without having to install
them directly on your system. At SRU, once you have installed the Citrix client interface, the Citrix
server(s) provide access to many applications used across campus. Web apps, like Google Docs, work in
essentially the same way.

A file server manages your files. At SRU, the H: (home drive) and I: (class works) drives show up on any
computer you log into as "network drives". These files are not actually located on your computer's hard
disk, but appear to be so.

A web server is essentially a file server located somewhere in the Internet. You request files (or web
pages) by clicking on a (hyper) link or typing in a URL. The file is displayed by your browser as a web
page. Much of the web has been developed using this client-server model. Example client request for
the SRU home page: http://www.sru.edu/

E. Cloud Computing

Although "the cloud" is not a single computer system, this seems a good place to discuss it.
First, it is worth noting that servers are also often not a single computing system. Our Google
queries are not all sent to a single machine on the Internet, but it appears that way. This is somewhat like cloud
services (in fact Google offers cloud services).

In cloud computing, your PC acts as a client, perhaps with little more hardware and software than is
needed to run an operating system and a web browser. Cloud applications are run on some (unknown)
application server in the Internet and your data is stored on some (unknown) file server in the Internet.

This offers the potential of significant cost savings, especially in business settings where you otherwise
have to have many computers, each with their own hardware and software.

F. Workstation

Workstations are high-end, expensive computers that are made for complex procedures and are
intended for one user at a time. Some of the complex procedures consist of science, math and
engineering calculations and are useful for computer design and manufacturing. Workstations are
sometimes improperly named for marketing reasons. Real workstations are not usually sold in retail.

Perhaps the first computer that might qualify as a "workstation" was the IBM 1620.

In current terminology, a desktop personal computer (or even a terminal) connected to a server,
mainframe, or network is often called a workstation. In addition, the line separating workstations from
personal computers is blurring as PCs become more powerful and workstations become cheaper.

G. Personal Computer or PC

PC is an abbreviation for a Personal Computer; it is also known as a Microcomputer. Its physical
characteristics and low cost are appealing and useful for its users. The capabilities of a personal
computer have changed greatly since the introduction of electronic computers. By the early 1970s,
people in academic or research institutions had the opportunity for single-person use of a computer
system in interactive mode for extended durations, although these systems would still have been too
expensive to be owned by a single individual. The introduction of the microprocessor, a single chip with
all the circuitry that formerly occupied large cabinets, led to the proliferation of personal computers
after about 1975. Early personal computers, generally called microcomputers, were sold often in kit
form and in limited volumes and were of interest mostly to hobbyists and technicians. By the late 1970s,
mass-market pre-assembled computers allowed a wider range of people to use computers, focusing
more on software applications and less on development of the processor hardware. Throughout the
1970s and 1980s, home computers were developed for household use, offering some personal
productivity, programming and games, while somewhat larger and more expensive systems (although
still low-cost compared with mainframes) called workstations were aimed for office and small business
use.

H. Smartphones

Smartphones are hand-held computers. The current generation of smartphones run an amazing array of
applications, making them quite general purpose. Their primary inadequacy at this time is the limited
support for directly connected I/O devices, like a printer. They have a keyboard and touch screen for input, with
only a screen for output. Bluetooth wireless networking (the same you may use for a phone headset)
handles the problem of connecting peripherals, and the Internet, which can be viewed as both an input
and an output device for our purposes, handles more.

The number of mature applications for smartphones is growing rapidly (as is cloud computing). Also, "In
an InformationWeek online survey of 1,139 business technology professionals, 30% of smartphone users
say they use their devices for enterprise connectivity, and 37% either occasionally or frequently leave
their laptops at home in favor of their smartphones."[InformationWeek] In all likelihood, the
smartphone will become the mobile platform for business and personal use in the near future.

I. Other devices

We have talked about the convergence of technologies in computing devices for years. We seem to be
at the cusp of change in 2011, with a plethora of mobile devices, such as the Xoom and the iPad 2 (there
is even a game system that makes phone calls), attempting to tap into the same market as smartphones,
book readers and even laptops. Without the benefit of a crystal ball, I predict that the range of hand-
held devices in the future will mimic the range of laptops and netbooks today. You will choose based on
your primary use and cost, while hoping the company you work for provides you with a high-end device.

J. Microcontroller

Microcontrollers are mini computers that enable the user to store data and do simple commands and
tasks with little or no user interaction with the processor. These single circuit devices have minimal
memory and program length but can be integrated with other processors for more complex
functionality. Many such systems are known as Embedded Systems. Examples of embedded systems
include cell phones and car safety and control systems. Embedded systems are limited to specific tasks,
but are often part of a much more complex system.

Today a personal computer is an all-round device that can be used as a productivity tool, a media
server and a gaming machine. The modular construction of the personal computer allows components
to be easily (at least for desktop units) swapped out when broken or upgraded.

Although occasionally "PC" is used to refer to the family of computers descended from the original IBM-
PC, it is now typically used for any general purpose computing platform available (according to price) for
the home market, including laptops and Apple computers.

I. Cyber-security

Ultimate guide to cyber-security incident response

Learn actionable incident response strategies that your IT and enterprise security teams can use to meet
today's security threats and vulnerabilities more effectively.

Here's why cyber-security incident response is something your entire organization has to care about:
Hackers are likely trying to invade your network, and security vulnerabilities likely make this easier than
you would believe.

Indeed, we have evolved from a time when executive leaders were mostly disconnected from the
information security function to an era where cyber-security is top of mind for many such former
naysayers. And for good reason: There's likely not a day that goes by that your organization isn't under
attack or otherwise exposed to IT-related security risks.

Security threats and vulnerabilities, and the subsequent incidents and breaches that they can lead to,
affect organizations of all kinds. Literally every business, both large and small, across every industry, is a
target for criminal hackers and careless employees alike. The question is: What are you doing about it?

This is where Incident Response (IR) comes into play:

*What is incident response?

Incident response is the process of detecting security events that affect network resources and
information assets and then taking the appropriate steps to evaluate and clean up what has happened.
Cyber-security incident response is critical to today's businesses because, simply put, there is so much to
lose. From the simplest of malware infections to unencrypted laptops that are lost or stolen to
compromised login credentials and database exposures, both the short- and long-term ramifications of
these incidents can have a lasting impact on the business.

*Why do you need it?

Security breaches can require notification, resulting in customer distrust, reputation loss, regulatory
fines, legal fees and cleanup costs. And these can all come at once -- in ways that even the most
financially secure of businesses can have trouble absorbing.

Networks, software and end users can only reach a certain level of resilience. Oversights will occur, and
mistakes will happen. What matters is what you have done, in advance, to minimize the impact of a
security incident on your organization. You can't prevent hackers from existing, but you can be proactive
in prevention and response. That's why having a functional team, the proper technologies and a well-
written incident response plan are essential for being able to respond to such events in a prompt and
professional manner.

An important aspect of understanding incident response is fleshing out the necessary elements in your
security program to differentiate between threats and vulnerabilities:

• Threat: An indication or stimulus, such as a criminal hacker or dishonest employee, that's
looking to exploit a vulnerability for ill-gotten gains.

• Vulnerability: A weakness in a computer system, a business process or people that can be
exploited.

Threats exploit vulnerabilities, which, in turn, create business risk. The potential consequences include
unauthorized access to sensitive information assets, identity theft, systems taken offline, and legal and
compliance violations.

Related terms include the following:

• Breach: An incident where sensitive information, such as intellectual property or customer
records, is exposed.

• Hack (sometimes referred to as an attack): The act of a criminal hacker (or hackers) or a rogue
user doing something such as taking your systems offline, planting or spreading malware, or
stealing information assets.

• Incident: An attack that's successful in draining computing resources, obtaining unauthorized
access, or otherwise putting information assets and related network resources at risk.

• Network (or security) event: A term that lawyers often use to refer to potential security
issues that haven't yet been confirmed or the details of which aren't ready to be released to
outside parties or the public.

Attacks don't always lead to incidents, and incidents don't always lead to breaches. They're all
considered network events and are often played down until the details can be obtained. It all depends
on what took place and what can be determined after the fact.

The purpose of this guide is to give IT and enterprise security teams actionable strategies to meet
today's security threats and vulnerabilities more effectively. This is regardless of whether you have an
existing IR program or you're just getting started. It can also serve to help get business executives on
board with this critical function of a well-run information security program and highlight ways users may
need more security training. You can use this information to improve your incident response
capabilities, share it with executive management to further their understanding and get buy-in on your
security initiatives, and even use it as a basis for your policies and ongoing user security awareness and
training efforts.

• Building an IR team

A good incident response program starts with building a great team. Without the right people, security
policies, processes and tools mean very little. An IR team is made up of a cross-functional group of
people from diverse parts of the business, including IT and security, operations, legal and public
relations. One or more of these roles could -- and should -- be at the executive management level. The
reason for this is to ensure the highest level of decision-making and that the business's best interests are
kept in mind.

*What does an IR team do?

The overall goal of an incident response team should be to detect and respond to security incidents in
order to minimize their impact on the business. Such teams are often referred to as a computer security
incident response team (CSIRT) or a computer emergency response (or readiness) team (CERT). A larger
group of IR professionals are often pulled together into a security operations center (SOC), whose scope
is broader than incident response. The name of your IR team is largely irrelevant because its goals are
the same.

Whatever the name, the IR team should be working to support its role in the overall incident response
plan, which itself should complement the goals of your information security program and overall
business. Team goals might include working on response times and impact minimization, conducting
periodic meetings and performing tabletop exercises. In order for these goals to work, they need to be
very specific, written in the present tense and include steps that must be accomplished along with
deadlines to help with accountability. The following are examples of IR team goals that might be
developed by the team itself or an overarching security committee:

• We develop metrics for analyzing our IR program initiatives that involve monitoring and
alerting, communication among team members, and technology evaluations.

• We update our IR plan document periodically and consistently.

• We create and execute three separate tabletop exercises for IR simulations.

• We engage our security committee and executive management to report on incidents, actions
taken and additional improvements needed for incident response.

The IR team -- or program manager -- would flesh out each of these goals with specific steps needed to
meet each one, along with deadlines so that everyone on the team knows what's expected and what to
aim for.

Another thing to keep in mind with your incident response team goals is to make sure that they are both
reasonable and achievable and, most importantly, that they are being reviewed and followed.
Otherwise, they can become an afterthought and evolve into a liability rather than an asset. It's even
more complicated if, after an incident or confirmed breach, someone finds that documented procedures
were nonexistent or not followed at all.

An essential part of cyber-security incident response is understanding the various team member roles
and responsibilities. After all, what good are goals if you don't have the right people on board, or you
have people working on the team but their expectations are not clear? At a minimum, you should
outline in your IR plan, or elsewhere, specific roles and responsibilities.

• Incident response skills

The IR team should include the following:

• Technical team: IT and security team members.
• Executive sponsor: A senior executive charged with overseeing information security.
• Incident response coordinator: The person responsible for ongoing management of the team
and incidents.
• Media relations coordinator: Your PR representative in charge of interfacing with the news
media and related outlets once a breach occurs.
• Forensic analyst: A forensics expert internal to the company or an outside adviser.
• Outside consultant: A third-party information security or incident response expert.
• Legal counsel: Your corporate attorney or outside law firm that would represent your
organization as needed for incidents and breaches.

Incident response requires a number of skills. At the heart of an IR team is the core group of technical
staff and incident responders who defend an organization against cyber threats. These members are
skilled at security and can execute on tasks such as monitoring the network for vulnerabilities and
breaches and taking the appropriate measures where necessary.

As for incident responders, these team members use data to spot and assess the scope or urgency of
incidents and perform other ongoing IR duties. They may also report on trends, educate the
organization's users and liaise with law enforcement. There are specific questions that can help
organizations better hire these team members.

But technical skills are not all that's required for successful incident response. As noted above, a solid IR
team will need cross-functional members who can execute on nontechnical tasks, such as talking with

the media and responding to legal issues. The actual titles for each of these roles can vary from
organization to organization depending on your existing staff structure, staff expertise and your specific
business needs. The important thing is that you have the right people on board.

In terms of team building, rather than pulling people into your IR team who may not want to be there,
seek out those in the organization who are interested in the topic and are eager to add value to this
critical aspect of security. Each IT and security team member has his or her own interests, and incident
response may not be one of them. Moreover, it's critical to have both technical and nontechnical people
on your IR team. The technical people will know the network environment and can help dig into the
details in system logs, network packet captures, vulnerability scanner reports and the like. Nontechnical
people can help lead the oversight and team communications required to keep everyone in the know,
ask the not-so-obvious questions, and help in the decision-making process so that business interests are
properly represented. You might consider linking to an overall business communication plan that may
exist.

• IR methodology

An incident response plan is a go-to document for when the going gets rough with security issues. It
outlines who, what, when, why and how of addressing security events, incidents, and, once confirmed,
breaches. It's important because the last thing you need to be doing under duress is figuring out how to
respond to these challenges. In fact, when you don't have a documented plan, you'll be reacting. And
when you react, you lose your ability to reason. You're flying by the seat of your pants. You can't think
clearly, and you're quite likely not going to make good decisions. By having a documented IR plan, you
can respond with clarity and direction and avoid letting emotions drive your response efforts.

• Creating an incident response plan

An incident response plan should be developed by the team or IR coordinator in advance and should
contain the components detailed in the chart below.

Incident plan element / Purpose and scope

Overview
    Introduces the plan; details high-level goals, the scope of what's covered and assumptions that
    have been considered.

Outline of roles and responsibilities
    Lists and discusses the duties and expectations of each of the team members.

Detailed list of incidents requiring action
    Outlines the specific threats, exploits and situations that require formal incident response
    actions. The possibilities are endless, but could include denial-of-service attacks, malware
    infections, email phishing and lost or stolen laptops. Note: This is arguably the most
    important part of the incident response plan.

Detection, investigation and containment procedures
    The beginning of the actual incident response procedures that you plan to use; this includes
    directives on tasks such as analyzing the situations, notifying team members, getting
    outside parties involved, securing the network, confirming the incident, gathering evidence and
    reporting on findings.

Eradication steps
    Provides the general steps for cleaning up the incident and may include network traffic and
    system log analysis, forensics review and subsequent vulnerability testing to confirm
    resolution.

The recovery phase
    Details tasks in the recovery phase, such as reinstalling or reimaging hosts, resetting
    passwords, and adjusting firewall rules and related network configurations.

Breach notification
    Outlines the how and when to alert those impacted by a confirmed breach as required by
    contracts or law.

Follow-up tasks
    Discusses additional reports, enhanced documentation and lessons learned that might
    come out of this phase.

Call list (in the appendix)
    Provides contact information for incident response team members and involved outside
    vendors, such as internet service providers and cloud service providers.

Testing scenarios (appendix)
    Outlines specific testing scenarios that have been or will be carried out.

Revision history (appendix)
    Outlines details on plan updates and improvements, including who did it and when it
    was done.

Everyone's plan will look a little different depending on specific needs. However, the essentials covered
by this template are standard and should be included in every organization's plan. There are IR best
practices and other resources available from organizations that you might consider integrating into your
plan.

NIST, US-CERT, ISACA and ISO/IEC all provide frameworks that organizations can use as guidance. For
example, the NIST "Computer Security Incident Handling Guide" includes an incident response
framework in the form of an IR lifecycle -- preparation; detection and analysis; containment, eradication
and recovery; and post-incident activity.

Additional frameworks are available from the SANS Institute, the Institute of Electrical and Electronics
Engineers, the Internet Engineering Task Force and the European Union Agency for Network and
Information Security.

An incident response plan should not be combined with documents on other organizational security
plans and procedures, such as an overview of security policies or disaster recovery and business
continuity plans. Instead, it works best as a stand-alone document that all your incident response team
members know about and have easy access to -- both on the network and in hard-copy form. In addition
to consulting frameworks from the organizations mentioned above, it can help to start with an IR plan
template to guide you in the right direction.

Creating an incident response plan requires the expertise and input of all your incident response team
members. A good way to go about establishing a plan -- or, even, fleshing out your existing one -- is to
divvy up the various parts to the necessary team members. Once everyone has fleshed out their section,
the incident response team can pull it all together into a single document and start working on editing
and forming the final version. Keep in mind that your incident response plan is not unlike any given
security policy; it's a work in progress. So, you want to make sure that it's reviewed periodically and
adjusted appropriately as changes to your network, security and business come about.

To put a fine point on it: Your IR plan needs to be kept current, or it cannot keep your organization safe.

*How, when and why to use IR tools?

If information security is considered a strategic function of the business (and it often is), then incident
response would be a tactical component of the security program. A military concept associated with the
decisions and actions needed for effective incident response -- dubbed the OODA loop -- is a cycle where
you observe, orient, decide and act. The essence of the OODA loop is to use situational awareness and
information to see impactful events, such as security incidents, unfold so you can quickly respond and
gain an advantage toward thwarting the threat. This enables you to minimize the impact of threats on
your business.

The OODA loop can be utilized as an overall approach to incident response and can also help define
which security tools you use in the process. Whether from the functions of prevention, detection or
response, there are numerous incident response tools that can be used in this regard. For example, the
visibility provided by packet analysis, system resource examination and file integrity monitoring are
technologies you can use to fulfill the observe component of the OODA loop. Technologies that use real-
time threat indicators and threat intelligence can provide context on attacks and be used to fulfill the
orient component of the OODA loop. The decide component could be fulfilled by tools that provide
forensic details, including replays of what happened in order to shed light on context and technical
information. This can help you make more informed decisions on what to do -- or what not to do --
during the incident response process. Finally, the act component of the OODA loop can be fulfilled by
activities such as blocking, redirecting or quarantining threats in order to minimize their effects on your
network and information assets.

While cyber-security incident response is a process, technology can automate certain functions to help
minimize the time involved and reduce errors. IR-focused technology vendors provide tools for functions
such as the following:

• NetFlow and traffic analysis;
• vulnerability management;
• security information and event management (SIEM);
• endpoint detection and response (EDR);
• firewall, intrusion prevention and denial-of-service mitigation; and
• forensic analysis.

Most technology products in this space are commercial, so you'll need the budget -- sometimes a big
one -- for both capital and operating expenditures associated with these tools. As an alternative, there
are open source software offerings for most of these areas. You'll have to decide whether open source
can meet your specific business requirements and what level of effort will be involved in doing so. You
must also consider whether the open source software will be around over the long haul after you've
invested so much in establishing your incident response efforts.

Of course, as with any new technical control you put in place, you'll need to make sure you have the
staff and expertise. Having the necessary resources is critical not only in terms of initial design and
implementation, but also with day-to-day administration, troubleshooting and so on.

One final point: Does it make sense to fully integrate the OODA loop with your incident response
efforts? It depends. You might at least consider it as a guideline for your approach to incident response
and customize your methodology according to your needs. Similarly, you can't simply depend on IR tools
to run your entire incident response program. The reality is, the success of the IR function depends on
many factors, such as business culture, security buy-in, network design, budget and people. As with your
incident response plan document, your IR methodology and tools are going to be unique based on your
specific business requirements. If you follow the core OODA steps and use incident response tools
where appropriate, that will put you at an advantage -- ahead of the curve -- and that's where you need
to be.

*Incident response problem-solving

Problem-solving is a key part of incident response. Even though the OODA loop is about decision-
making, it's important to not get caught up in the process of it or any other IR methodology. It's easy to
get sidetracked and lose sight of what's important, and that's prioritization. Looking at this from the
perspective of incidents requiring actions discussed above, you must be able to prioritize what to focus
your efforts on and know which ones you can ignore. You go about doing this by considering which
security events are urgent, which are important and how you'll need to respond to the various
scenarios. The best way to do this is to view security events, incidents and confirmed breaches in terms
of the following:

1. What's urgent but not important?
2. What's important but not urgent?
3. What's both urgent and important?

An example of an urgent but not important issue would be a malware infection on a branch office sales
workstation that connects to the office network or the internet only via guest Wi-Fi. An example of an
important but not urgent issue is a newly imaged laptop that has been lost but does not yet contain any
business-related information. Examples of urgent and important situations are a distributed denial-of-service
attack against an e-commerce website, a malware infection affecting production servers, and phishing
attempts against executives that have led to the compromise of network credentials. Urgent and important
scenarios are those where something bad is happening to a critical business resource or asset and you
know that something must be done quickly.

You'll find that many security issues you're forced to address fall into the first two categories above.
Although they may need to be addressed in some way, they'll likely only serve as a distraction. This is
why you must be good at filtering out the noise and focusing on the things that really matter for your
particular environment. The third category -- both urgent and important -- is where most of your
incident response resources should be dedicated. What's important is that you take the bigger picture
into account and address the security events that are most impactful to your critical network resources
and information assets.
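The OODA loop described earlier (observe, orient, decide, act) and the urgent/important split in this section can be made concrete as a small triage pass. The following is an added example written for this page, not code from the article, from Kevin Beaver or from any product he names. Every host name, IP range, event type and the key=value line format are assumptions constructed for the illustration; the threat-intel ranges are the reserved documentation networks. It goes slightly beyond the text in two ways: it also handles the fourth quadrant (neither urgent nor important), which the article does not spell out, and it treats a host that is missing from the asset inventory as critical until someone classifies it.

```python
"""OODA-style triage over constructed security events (added example).

Observe: parse raw event lines.  Orient: enrich with asset criticality and a
threat-intelligence indicator list.  Decide: place each event in the
urgent/important quadrants.  Act: map the quadrant to a response action.
Hosts, addresses, event types and the key=value line format are assumptions
made for this illustration, not data from any real network or product.
"""
from dataclasses import dataclass
import ipaddress

# Constructed asset inventory (assumption): host -> is it critical to the business?
ASSETS = {
    "branch-sales-07": False,   # sales workstation, guest Wi-Fi only
    "branch-fs-03": False,
    "lt-new-0412": False,       # freshly imaged laptop, no business data yet
    "www-shop-01": True,        # e-commerce web front end
    "prod-db-02": True,         # production database
    "exec-mail-gw": True,       # executives' mail gateway
}
# Constructed threat-intel feed (assumption): source ranges flagged as hostile.
THREAT_INTEL = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

ACTIVE_TYPES = {"malware", "ddos", "phishing"}               # harm is happening right now
EXPOSURE_TYPES = {"phishing", "lost_device", "data_exfil"}   # data or credentials at stake

PRIORITY = {"urgent+important": 0, "urgent": 1, "important": 2, "neither": 3}
ACTIONS = {
    "urgent+important": "page the IR team and contain now (quarantine host, block or rate-limit traffic)",
    "urgent": "quarantine the endpoint and open a ticket for business-hours cleanup",
    "important": "schedule remediation (remote wipe, credential rotation, inventory update)",
    "neither": "log and keep monitoring",
}


@dataclass
class Event:
    fields: dict
    known_bad_source: bool = False
    quadrant: str = ""
    action: str = ""


def observe(line: str) -> Event:
    """Observe: turn one 'key=value key=value ...' line into an Event."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    return Event(fields=fields)


def orient(ev: Event) -> Event:
    """Orient: does the source address fall inside a threat-intel flagged range?"""
    src = ev.fields.get("src")
    if src:
        addr = ipaddress.ip_address(src)
        ev.known_bad_source = any(addr in net for net in THREAT_INTEL)
    return ev


def decide(ev: Event) -> Event:
    """Decide: urgent = damage now; important = critical asset, data or credentials."""
    etype = ev.fields.get("type", "")
    host = ev.fields.get("host", "")
    # A host missing from the inventory is treated as critical until classified.
    critical = ASSETS.get(host, True)
    has_data = ev.fields.get("data") == "yes"
    urgent = etype in ACTIVE_TYPES or (etype == "lost_device" and has_data)
    important = critical or etype in EXPOSURE_TYPES or has_data
    if urgent and important:
        ev.quadrant = "urgent+important"
    elif urgent:
        ev.quadrant = "urgent"
    elif important:
        ev.quadrant = "important"
    else:
        ev.quadrant = "neither"
    return ev


def act(ev: Event) -> Event:
    """Act: pick the response for the quadrant; known-bad sources also get blocked."""
    ev.action = ACTIONS[ev.quadrant]
    if ev.known_bad_source:
        ev.action += "; block the source at the perimeter"
    return ev


def triage(lines):
    """Run every line through the loop and return events, highest priority first."""
    events = [act(decide(orient(observe(line)))) for line in lines]
    return sorted(events, key=lambda e: PRIORITY[e.quadrant])


# Constructed sample events mirroring the scenarios in the text.
SAMPLE_EVENTS = [
    "type=malware host=branch-sales-07 src=203.0.113.9 detail=trojan_detected",
    "type=lost_device host=lt-new-0412 data=no detail=freshly_imaged",
    "type=ddos host=www-shop-01 src=198.51.100.23 detail=http_flood",
    "type=malware host=prod-db-02 src=203.0.113.77 detail=ransomware_dropper",
    "type=phishing host=exec-mail-gw user=cfo detail=credentials_submitted",
    "type=port_scan host=branch-fs-03 src=192.0.2.44 detail=tcp_syn_sweep",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"{ev.quadrant:17} {ev.fields['host']:16} {ev.fields['type']:12} -> {ev.action}")
```

The two judgement calls that matter in practice are both in `decide`: what counts as "happening now" (the `ACTIVE_TYPES` set) and what makes an asset or event "important" (the inventory plus the exposure types). Those sets are where an organization's own risk appetite goes; the loop around them stays the same.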

In today's technology-centric world where decisions are often made for us, it's becoming more of a
struggle to find IT and security staff who can truly solve problems, especially when under the pressure of
a security event. As it relates to incident response in your security program as a whole, ensure that
problem-solving involves the proper areas, which include defining the problem, determining all possible
solutions, deciding on the best solution and then taking purposeful action.

*Prevention is key

Prevention is critical to incident response. You build a strong IR program so you are ready to mitigate
cyber-attacks and deal with security mishaps and exploits. However, your first line of defense is to keep
your network safe and your users empowered and security-aware. The incidents that cause the most
damage are those that exploit the gullibility of your users, malware, and misconfigured systems and
software that attackers can use for further enumeration and penetration. The average small business,
midmarket corporation or large enterprise has countless vulnerabilities that have yet to be acknowledged,
much less addressed. Knowing what we know today and having such advanced tools at our disposal, there's
simply no reason to offer low-hanging fruit to attackers. Weak passwords, missing patches and unsecured
information can easily lead to an incident or confirmed breach. Unfortunately, that's typically how
incidents and breaches occur, so it's up to the incident response team or the security committee to
determine where the gaps and opportunities lie and then make sure they don't lead to the downfall of
your business.

Rather than adding more paperwork and technical controls (policies, processes and technologies), many of
which amount to mere bureaucracy or a false sense of security, what's often needed most is discipline.
The discipline to acknowledge security threats and vulnerabilities. The discipline to
acknowledge weaknesses in your information security program, including incident response. The
discipline to take reasonable steps to prevent most incident scenarios. And the discipline to have the
proper visibility and control in place to minimize the impact of the exploits that do get through.

Incident response is not just an IT and security issue that's overseen and executed by technical
professionals. Instead, it's a core business function that's arguably as important as anything on the legal,
financial or operations side of the business. Business leaders must understand that information security
is a critical underpinning of the enterprise that must be supported at the highest of levels. Unless and
until critical aspects of security are mastered, including incident response, it's a matter of time before
the going gets rough, the questioning begins and intrusive investigations ensue. It's unreasonable to
expect a perfect security program. Still, it's better to get started on improving your incident response
efforts now before you're forced to.
