Introduction to Incident Response Management

1. Incident Response
Management
Unit 1
Don Caeiro

2. Definition of “Incident”
» An incident is an adverse event (or threat of an adverse event) in a
computer system
» Adverse events include the following general categories:
 Compromise of Confidentiality
 Compromise of Integrity
 Denial of Resources
 Intrusions
 Misuse
 Damage
 Hoaxes

3. WHAT IS A DATA BREACH?
• A personal data breach means a
breach of security leading to the
accidental or unlawful
destruction, loss, alteration,
unauthorised disclosure of, or
access to, personal data
transmitted, stored or otherwise
processed.
• Article 4 (12) - GDPR

4. OR TO THINK ABOUT IT ANOTHER WAY…
• Confidentiality
• Integrity
• Availability

5. Cyber Incident Statistics

6. 6
Cyber Security Stats
94%
of organisations worldwide have suffered a data breach
as a result of a cyberattack in the past 12 months
$133k
Average cost of ransomware attacks in
2019
6 MONTHS
Average time to
detect a breach
92%
Attacks launched by
phishing emails
EVERY 14
SECONDS
Time businesses
fall victim to
ransomware attacks
86%
Of UK businesses will
suffer a phishing attack
in 2023
Between 1st Jan 2005 to 18th April 2018
there were 8,854 recorded breaches, in
the first half of 2019 there were 3,800
recorded breaches
In March 2020, ransomware attacks
increased 148% over baseline levels from
February 2020 amid the COVID-19
outbreak.
43%
Of cyber attacks aimed
at small businesses
45 MINUTES
Length of time cyber
criminals can go from
initial entry to ransoming
the entire network
94%

7. Cyber Incident Statistics
• The average cost of a data breach is projected to reach $4.2
million by 2023 (IBM).
• Over 60% of businesses that experience a cyber attack close
their doors within six months
• In 2023, it is estimated that cybercrime will cost businesses
$10.5 trillion annually
• 53% of companies have experienced a third-party data breach
in the past year
• This year there will be 300 billion passwords in use globally

8. Cyber Incident Statistics
• The average cost of a ransomware attack is projected to
reach $11.5 million by 2023.
• In 2023, it is projected that there will be a shortage of 3.5
million cybersecurity professionals globally
• Cyber attacks targeting healthcare organizations are
projected to increase by 50% by 2023
• 67% of organizations believe that they are vulnerable to
insider threats

9. Cyber Incident Statistics
• 60% of organizations do not have a cybersecurity
incident response plan in place
• 90% of cyber attacks involve social engineering
tactics
• This year, 2023, it is projected that there will be 22.5
billion IoT devices in use globally

10. Top data breach stats for 2023
• Number of data breaches in July 2023: 87
• Breached records in July 2023: 146,290,598
• Number of data breaches in 2023: 694
• Number of breached records in 2023: 612,368,642
• Biggest data breach of 2023 so far: Twitter (220 million
breached records)
• Biggest data breach in the UK: JD Sports (10 million
breached records)
• Most breached sectors: Healthcare (199), education
(119), public (88)

11. Computer security incident

12. What is an Incident
A computer security incident is any action
or activity – accidental or deliberate – that
compromises the confidentiality, integrity,
or availability of data and information
technology resources.
Incidents also include the use of technology
for criminal activities such as: fraud, child
porn, theft, etc…
Policy violations may also be considered
security incidents.

13. INFORMATION AS BUSINESS ASSET

14. Information asset
• collection of knowledge or data that is organized,
managed and valuable
• An organization needs to classify, manage the lifecycle of
and control access to information assets.
• Different types of information can be put together into a
single asset if they are related. For example, all the text
documents, spreadsheets and slide decks related to one
project may be treated as a single information asset.

15. Information asset
• any document created by an organization could be
considered an information asset
• examples of information assets would be program
source code, research documents, strategic slide
decks and databases.

16. Information asset
• Personal data of customers
• Payroll processing applications
• Server running enterprise software
• Employee's laptop
• Employee's mobile phone
• Data backup
• Any hardware (computers, servers, printers, etc.)
• Services (cloud services, electricity supply, air-conditioning etc.)
• Cloud storage
• VPNs
• Access management processes

17. DATA CLASSIFICATION

18. Data Classification
• It is essential to classify information according to its actual value and level
of sensitivity in order to deploy the appropriate level of security.
• A system of classification should ideally be:
– simple to understand and to administer
– effective in order to determine the level of protection the information
is given.
– applied uniformly throughout the whole organization (note: when in
any doubt, the higher, more secure classification should be employed).

19. Data Classification
• With the exception of information that is already in the public domain,
information should not be divulged to anyone who is not authorized to
access it or is not specifically authorized by the information owner.
• Violations of the Information Classification Policy should result in
disciplinary proceedings against the individual.
• Number of information classification levels in an organization should be a
manageable number as having too many makes maintenance and
compliance difficult.

20. Data Classification
• Top Secret: Highly sensitive internal documents and data. For example, impending
mergers or acquisitions, investment strategies, plans or designs that could
seriously damage the organization if lost or made public. Information classified as
Top Secret has very restricted distribution indeed, and must be protected at all
times. Security at this level is the highest possible.
• Highly Confidential: Information which is considered critical to the organization’s
ongoing operations and could seriously impede or disrupt them if made shared
internally or made public. Such information includes accounting information,
business plans, sensitive information of customers of banks (etc), patients' medical
records, and similar highly sensitive data. Such information should not be copied
or removed from the organization’s operational control without specific authority.
Security should be very high.

21. Information Classification
• Proprietary: Procedures, project plans, operational work routines, designs and specifications that define the
way in which the organization operates. Such information is usually for proprietary use by authorized
personnel only. Security at this level is high.
• Internal Use Only: Information not approved for general circulation outside the organization, where its
disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or
serious damage to credibility/reputation. Examples include: internal memos, internal project reports, minutes
of meetings. Security at this level is controlled but normal.
• Public Documents: Information in the public domain: press statements, annual reports, etc. which have been
approved for public use or distribution. Security at this level is minimal.

22. INFORMATION WARFARE

23. Information Warfare
• Definition:
“..actions taken to achieve information superiority in
support of national military strategy by affecting
adversary information and information systems”
Source: U.S Defense Information Systems Agency DISA

24. Information Warfare
• Three General Categories:
• Offensive
– To deny, corrupt, destroy, or exploit adversary’s information
• Defensive
– To safeguard ourselves and allies from similar actions
• Exploitation
– To exploit information in a timely fashion, to enhance our decision/action cycle
and disrupt the adversary’s cycle

25. Information Warfare
• Operation Desert Storm
– Knocked out communications systems
– Attempted to disrupt economy prior to the operation
• UN in Bosnia
– Knocked out communications
– Disrupt the economy
– Propaganda and Misinformation

26. KEY CONCEPTS OF INFORMATION
SECURITY: VULNERABILITY, THREAT
AND ATTACKS

27. Security concepts and relationships

29. Examples of threats

30. CATEGORIZATION: LOW LEVEL, MID-
LEVEL, HIGH LEVEL

31. Classification of Security Incidents
The CSIRT will classify each incident as a Class 1, Class 2, or Class 3 incident
based upon risk severity. The following criteria are used to determine incident
classification:
Expanse of
Service
Disruption
Data
Classification
Legal Issues
Policy
Infraction
Public
Interest
Threat
Potential
Business
Impact

32. Class 1 Incident: Low Severity
A Class 1 incident is any incident that has a low impact to university information technology
resources and is contained within the unit.
• The following criteria define Class 1 incidents:
1. Data classification: Unauthorized disclosure of confidential information has not occurred.
2. Legal issues: Lost or stolen hardware that has low monetary value or is not part of a mission
critical system.
3. Business impact: Incident does not involve mission critical services.
4. Expanse of service disruption: Incident is within a single unit.
5. Threat potential: Threat to other information technology resources is minimal.
6. Public interest: Low potential for public interest.
7. Policy infraction: Security policy violations determined by the university.

33. Class 2 Incident: Moderate Severity
A Class 2 incident is any incident that has a moderate impact to university
information technology resources and is contained within the unit.
• The following criteria define Class 2 incidents:
1. Data classification: Unauthorized disclosure of confidential information has not been
determined.
2. Legal issues: Lost or stolen hardware with high monetary value or that is part of mission critical
system.
3. Business impact: Incident involves mission critical services.
4. Expanse of service disruption: Incident affects multiple units within the university.
5. Threat potential: Threat to other university information technology resources is possible.
6. Public interest: There is the potential for public interest.
7. Policy infraction: Security policy violations determined by the university.

34. Class 3 Incident: High Severity
A Class 3 incident is any incident that has impacted or has the potential to impact other
external information technology resources and/or events of public interest.
• The following criteria define Class 3 incidents:
1. Data classification: Unauthorized disclosure of confidential information has occurred outside the
university.
2. Legal issues: Incident investigation and response is transferred to law enforcement.
3. Business impact: Threat to other university information technology resources is high.
4. Expanse of service disruption: Disruption is wide spread across the university and/or other entities.
5. Threat potential: Incident has potential to become wide spread across the university and/or threatens
external, third-party information technology resources.
6. Public interest: There is active public interest in the incident.
7. Policy infraction: Security policy violations determined by the university.

35. Incident
Handling Checklist

39. Need for
Incident Response

40. Need for Incident Response
• Cyber incidents are not just technical problems –
they’re business problems.
• Protect Your Data
• Protect Your Reputation & Customer Trust
• Protect Your Revenue

41. • End of Unit 1