What is the incident response cycle? Compare and contrast its various phases. Do you think any one of the phases is more important than the others? Why or why not?
The incident response cycle refers to the series of stages a security event passes through, from the point at which it is identified as a security incident or compromise to the point at which it is reported and resolved (Andreasson, 2012).
Incident Response Cycle Phases:
- Identification: the information security office (ISO) identifies potential information security issues from diverse sources, such as reports from system owners, impacted or affected parties, or external parties.
- Assessment and classification: the ISO assesses the situation to determine whether it should be categorized as an incident or merely as an event (Andreasson, 2012).
- Determining the severity of the incident: the ISO assesses the potential impact and scope of each incident. The severity of an incident depends on the threat it is likely to pose to other services and resources (Appel, 2014).
- Containment and eradication: following the successful identification of an incident, the relevant security personnel work to isolate the affected equipment so as to prevent secondary attacks or threats.
- System restoration: this entails taking the appropriate steps to ensure that the secured system is reconnected to the network.
While all these steps are crucial, I feel that the identification phase carries more weight because failure to make the correct diagnosis may mean that the problem will not be solved.
The second key finding detailed in the 2013 US State of Cybercrime Survey was, “Many leaders underestimate their cyber-adversaries’ capabilities and the strategic financial, reputational, and regulatory risks they pose.” How can this possibly still be the case in this day and age, where the information resources available to leaders are so varied and thorough?
While leaders have access to thorough and varied information resources, the majority of them underestimate the capabilities of cyber-adversaries and the reputational, regulatory, and strategic financial risks that these adversaries pose. This is because most leaders do not fully understand the ecosystem-wide risks posed by cybercrime (PWC, 2013). In addition, most leaders do not know how to integrate information-sharing and threat intelligence into elaborate, proactive defense programs against cyber attacks. Leaders also have limited knowledge with which to identify and mitigate cyber attacks effectively, and their understanding and application of cybersecurity technology is likewise lacking.
What do you think is the cause of this unfortunate underestimation?
The majority of leaders have no idea that the environment is becoming increasingly hostile. Consequently, they tend to take action only when it is already too late, after attacks have occurred. This is partly because most companies rarely appreciate the importance of assessing risks before a disaster has struck. In addition, some leaders may not have access to the company's cyber-security strategy, and they may also have limited access to the cyber-security response information that the company has put in place (Appel, 2014). Alternatively, these leaders may lack a direct connection with the law enforcement liaison process that the company has established.
And, more importantly, what types of things would you recommend to a leader in your organization to help correct this deficiency, and why?
To correct the above deficiency, the following recommendations are made for organizations dealing with cyber-security issues. Leaders of an organization need to take the lead in ensuring that they receive fundamental cyber-security education. This acquaints them with the risks that cyber-security attacks pose for the organization and motivates them to seek remedial actions against such threats, including effective monitoring of potential security threats to the organization. It will also instill in such leaders the need to collaborate with government agencies in nation-wide cyber-security strategies, as a way of protecting the organization from potential external threats.
Andreasson, K.J. (2012). Cybersecurity: Public Sector Threats and Responses. Boca Raton, FL: CRC Press.
Appel, E.J. (2014). Cybervetting: Internet Searches for Vetting, Investigations, and Open-Source Intelligence, Second Edition. Boca Raton, FL: CRC Press.
PWC (2013). Key Findings from the 2013 US State of Cybercrime Survey.