Incident Response Plan

● Incident Response Plan
● Detection
● Prevention
● Response

Incident Response Plan:
Incident Response Planning is the documented and coordinated method of
addressing and managing a security breach or attack.
This incident response plan outlines: The response personnel and the
strategies that will be used to mitigate the incident
Incident response enables an organization to be prepared for the unknown as
well as the known incident.

Incident Response Plan:
1. Detection:
Incident Response Plan:
2. Prevention:
Incident Response Plan:
3. Response:
Steps for IRP:
The key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential
2. Identification: Determining the incident
3. Isolation: Limiting the damage of the incident and isolating affected
systems to prevent further damage
Steps for IRP:
4. Elimination: Finding the root cause of the incident, removing
affected systems from the production environment
5. Recovery: Permitting affected systems back into the production
environment, ensuring no threat remains
6. Analysis & Documentation: Completing incident documentation,
performing analysis to learn from the incident and potentially
improve future response efforts
Security information and event management (SIEM) is an approach to security
SIEM provide an integrated view of an organization’s information technology
(IT) security.
It is used in large enterprise or organizations.
SIEM is an industry-standard term, with a composition of 2 term:
1. SEM (Security Event Management)
2. SIM (Security Information Management)

SIEM is a two part process:
SEM based on the Real-time monitoring of security events. It monitor the
entire enterprise edge devices and save the database to a location that
support single viewpoint review.
SIM manages the database which is reviewed and analyzed by automated
and human interpreters.
Steps to Cybersecurity
Implement an effective governance structure, maintain board engagement
produce appropriate information security policies which should include:
User education and awareness training
Monitoring policies and procedures for all networks and systems
Incident management procedures, including response and disaster recovery
Network security policies and procedures
Management and control of user privileges
Secure configuration guidance
Malware protection procedures
Control of removable media usage
Monitoring of mobile and home working procedures


● Business Continuity Plan
● Disaster Response Plan
● Training and Awareness
● Security Certainty

Business Continuity Plan
A Business Continuity Plan (BCP) is a document that consists of the critical
information (plan) an organization needs during a time of emergency or
These risks ranges from cyberattacks to natural disasters to human error.
In BCP, the plans and procedure are developed through a regular program
of personal training, plan testing and maintenance.
A proper BCP decreases the chance of a costly outage.

Business Continuity Plan
A business continuity plan has three key elements:
● Resilience
● Recovery
● Contingency

Steps for BCP
A business continuity plan involves the following:
1. Analysis of organizational threats
2. listing primary tasks that required to keep the organization operational
3. Easily located management contact information
4. Explaining staff about emergency exit plan if disastrous event occur.
5. Information of data backups and organization site backup
6. Collaboration among all department of the organization
7. Buy-in from everyone in the organization
Disaster Recovery Plan:
A disaster recovery plan (DRP) include set of procedures to recover and
protect a business IT infrastructure to unplanned incidents.
The disaster could be natural, environmental or man-made.
Man-made disasters could be intentional (terrorist attack) or unintentional (
such as the breakage of a man-made dam).
It involves an analysis of business processes and continuity needs.

Disaster Recovery Plan
In Disaster Recovery Planning, the remote sites are constructed to provide
services and continue operations.
Type of secondary sites constructed are:
● Cold Backup Site
● Warm Backup Site
● Hot Backup Site

Disaster Recovery Plan
Issues considered by organization while determining recovery strategy
● Budget
● Resources — people and physical facilities
● Management’s position on risks
● Technology
● Data
● Suppliers
Once disaster recovery strategies have been developed and approved, they
can be translated into disaster recovery plans.

Steps for DRP
A Disaster Recovery Planning involves the following:
1. Establishing the scope of the activity
2. Gathering network infrastructure documents
3. Identifying most serious attacks and vulnerabilities
4. Identifying most critical assets
5. Reviewing the history of unplanned incidents and their results, and
their handled plan
6. Identifying the current DR strategies
7. Identifying the emergency response team
8. Management review and approve the disaster recovery plan
9. Testing the plan
10. Updating the plan when any change is occur in management
11. Implementing a DR plan audit.

Training & Awareness

1. Vulnerability Scanning:
A vulnerability scanner is a computer program designed to assess
computers, computer systems, networks or applications for weaknesses.
It determine where a system can be exploited and/or threatened by
accessing week points.
It use software that find out security flaws and create a database on the
basis of these known flaws.

Security Certainty
1. Vulnerability Scanning:
It generating a report of the findings flaws that an individual or an
enterprise can use to tighten the network’s security.
Most popular vulnerability scanning tools are Microsoft Baseline Security
Analyzer (MBSA), Nmap, Nessus and openVAS.
2. Network Penetration testing:
Penetration testing (also called pen testing) is the method of testing a
computer system or network to find vulnerabilities that an attacker could
Penetration tests are sometimes called white hat attacks because in a pen
test, the good guys are attempting to break in the system and provide
solution to further harden the system.
Pen tests can be automated with software applications or they can be
performed manually.
2. Network Penetration testing:
This process includes gathering information about the target before the
test, identifying possible entry points, attempting to break in and reporting
back the findings.
The main objective of penetration testing is to determine security
Tools used for penetration testing are : Aircrack-ng and Metasploit

Cyber Security Planning

1. Cyber Security Planning
○ Business Continuity Plan
○ Incidence Response Plan
○ Disaster Response Plan
○ Succession Plan
2. Computer Forensics
Cyber Security Planning:
Cyber Security Planning in an organization or business is done to protect
the infrastructure from damages caused by unexpected incidence cyber
attacks and natural disasters etc.
Type of Planning:
● Business Continuity Plan
● Disaster Response Plan
● Incident Response Plan
● Succession Plan

1. Business Continuity Plan:
BCP is a plan that allows a business team to plan in advance what it needs
to do to ensure that its key products and services continue to be delivered
in case of a disaster or cyber attack.
2. Disaster Recovery Plan:
DR Plan allows a business to plan what needs to be done immediately
after a disaster or attack to recover from the event. It include set of
procedures to recover and protect a business IT infrastructure.
3. Incident Response Plan:
Incident response planning is the documented and coordinated method of
addressing and managing a security breach or attack.
This incident response plan outlines: The response personnel and the
strategies that will be used to mitigate the incident.
4. Succession Plan:
It is a process in which new leaders are identified and developed to
replace the old leaders when they retire, leave or die.
The organization ensure that employees are recruited and developed to
fill each key role in the company.
The goal of this planning to make the business continuity in case most
important person left its work.
Computer Forensics
Computer Forensics is a process of collecting, analysing and reporting on
digital data in such a way that is presentable in a court of law.
It is used in detection and prevention of crime or any disputes.
Forensics is done in steps:
1. Securing Areas
2. Documenting Scene
3. Data collection
Top Computer Forensics certifications are CCE, GIAC etc


● Physical Security
● Network Security
● Endpoint security

Security is the degree of protection from harm.
It applies to any vulnerable and valuable asset such as a person, community,
item, nation or organization.
Security in IT is the defense of digital data and IT assets against internal and
external, malicious and accidental threats.
The defense includes detection, prevention and response to threats by using
various security policies, software tools and IT services.

Types of security used to harden the network, system and organization are
1. Physical Security
2. Network Security
3. Endpoint Security

Physical Security:
Physical security is the protection of personnel, hardware, software, networks
and data from physical action.
It includes protection from fire, flood, natural disasters, theft, vandalism and
Physical security is obtained by:
1. Access Control
2. Monitoring by Surveillance and testing

Physical Security:
1. Access Control:
Steps for prevention and controlling access to Physical resources are:
● Lock the doors of network closet or equipment rooms and giving
access keys and cards to trustworthy staff.
● Locking front door of institution or enterprise to prevent ‘tailgating’.
(Mantrap system is used to prevent tailgating.)
● Using Biometric authorization for opening a door or getting access to
any physical resources such as fingerprint reader, facial recognition
cameras, voice analyzer etc.
2. Monitoring by Surveillance and testing:
Authorized peoples are kept under surveillance to prevent insider threats.
Monitoring is done using video surveillance of facilities and assets.
Two type of video surveillance is used :
● Closed Circuit Television (CCTV)
● IP cameras

Physical Security

CCTV Camera
1. CCTV camera are analog
2. Analog camera connects over
RJ Cable and does not need
any network.
3. Analog camera cannot be
accessed directly by mobile
4. Video quality is not so good.
5. Analog cameras need
hardware for recording.

IP Camera
1. IP camera are digital cameras.
2. IP Camera needs network and
connects using CAT6 Cable
3. IP Camera can be access from
anywhere using the IP Address
without any DVR/NVR
4. IP Cameras give better video
then CCTV Camera.
5. IP Camera video can be
recorded on a PC/Workstation
small software.

Network Security
Network security is a specialized field in networking that include protection of
computer network infrastructure.
Network securities are designed to protect the usability and integrity of your
network and data.
It includes both hardware and software technologies.
It consists of the policies and practices adopted to prevent and monitor
unauthorized access, misuse, modification of computer network and network
Steps involve in providing security to computer network are:
● Securing and controlling user account (Username and password)
● Installation of ‘Edge’ devices which work with the coordination of other
devices and controllers.
● Using Posture Validation approach, in this a node or device is verify on
certain conditions before it is allowed to connect to a network.
● Installing querying agents such as persistent agent and non-persistent
● Testing guest or Quarantine network.
Endpoint Security:
Endpoint Security is a security applied to endpoint devices such as computer,
mobile phones etc which communicates with other devices on a network.
Endpoint Security on the network include clients and servers — that send or
receive data, services or applications.
It is a process of securing individual computer or device.
Technique used to secure Endpoint devices are:
1. Malware and Anti-Malware.
2. Using Strong password at endpoint device

Endpoint Security:
Prevention from Malware attack:
When a malware attack occur at end devices then the system become slow,
application crashes out or web browser open unwanted websites.
To deal with malware attack perform these tasks:
● Installing Anti-Malware program
● Providing training to the user how to prevent the occurrence of attack
and if attack occur, how to deal with it.
● Patching and updating should be done properly.
Anti-Malware Program:
Anti-Malware software or program protects against attack caused by many
types of malware such as viruses, worms, Trojan horses, spyware and adware.
It work in two modes:
● Active seek & destroy mode
● Passive entry mode (Virus Shield)


● Cryptography
● Encryption technique
○ Symmetric Key Algorithm Standard (SKAS)
○ Asymmetric Key Algorithm Standard (AKAS)
● Non-Repudiation technique
○ Digital Signature
○ Public Key Infrastructure (PKI)

Cryptography is a cornerstone of the modern electronic security
Cryptography is a technique of converting data into a format that is
unreadable for an unauthorized user using different codes.
Information security uses cryptography to maintains data integrity during
transmitting and while storing.
Cryptography also aids in Encryption and non-repudiation.

In network, data is transmitted in the form of 1 and 0.
Encryption is a process of converting user data into a code in such a way that
only authorized parties can access it.
Encryption can be one in two ways:
● Symmetric Key Algorithm Standard (SKAS)
● Asymmetric Key Algorithm Standard (AKAS)

● Symmetric Key Algorithm Standard (SKAS):
In this algorithms, the same cryptographic keys are used for both
encryption and decryption of data.
SKAS use DES (Data Encryption Standard) which is a first standard used for
Rivest Cipher 4 (RC4) was a very popular SKAS algorithm technique used
to encrypt data from 2001 to 2013.
Now most of the TCP/IP applications use Algorithm Encryption Standard
(AES) technique.
● Symmetric Key Algorithm Standard (SKAS):
SKAS has one serious drawback that if anyone get a hold of the key can
encrypt and decrypt data easily.
So there is a need to create a new method which allow the encrypter to
send a key to the decrypter without the fear of intervention
So that method is AKAS (Asymmetric key algorithm standard)
● Asymmetric Key Algorithm Standard (AKAS):
In this method of cryptography, the two different cryptographic keys are
used for both encryption and decryption of data.
In AKAS, Public Key Cryptography is used to exchange the key securely
between two communicating devices.
The two key generated are : Private key is used by sender to encrypt the
data and Public key is used by receiver to decrypt the data.
These two keys are called key pairs and are generated at same time and
designed to work together.

Non Repudiation
Non Repudiation is a process of making sure that the party with which we are
signing any contract or a communication cannot deny the authenticity of their
signature on a document.
It provide assertion of authentication with high assurance that the person or
entity with which we are dealing are genuine.
Non Repudiation is done by Digital Signatures or PKI
● Digital Signature:
It is a digital code which is attached to an electronically transmitted
document or message to verify its contents and the sender’s identity.
Digital Signature are hash of messages encrypted by a private key.
Digital signature solve the problem of tampering and impersonation in
digital communications.
It is widely used by e-mail user.
Non Repudiation:
● Public Key Infrastructure (PKI):
It is a set of rules and regulations need to create, manage, use and store
digital certificates and manage public-key encryption.
PKI is used to facilitate the secure electronic transfer of data for a
different network activities such as e-commerce, internet banking and
confidential email.
● Public Key Infrastructure (PKI):
The Digital certificates are used to verify the exchange of public keys in
When someone wants to create a secure website then he or she have to
buy a certificate signed by a certificate authority (CA) such as Verisign,
Thawte or GoDaddy.

Public Key Infrastructure (PKI): consists of
● Certificate Authority (CA)
● Registration Authority
● Central Directory
● Certificate Management System
● Certificate Policy

Security Architecture

● Security Architecture
● Four stages of Adaptive Security Architecture
● Security Architecture Feature
● Benefits

Security Architecture
Security architecture is the design artifacts
It describe how to apply the security controls and how they relate to the
overall systems architecture.
It addresses the necessities and potential risks involved in a certain scenario or

Four Stages of Security Architecture
Security Architecture is a real-time network security model.
Four Stages of Security Architecture are:
● Preventive
● Detective
● Retrospective
● Predictive

Four Stages of Security Architecture
● Preventive: include precautionary policies, products and processes
● Detective: detects the threat that bypass the preventive layer
● Retrospective: finds the issue, analyse it and present new preventive
● Predictive: monitor all the activities and keeps the security team on alert
by providing them detail information.

Security Architecture Features
The key features of security architecture:
● Dependency
● Standardization
● cost-effective
● Different Forms
● Security Control
Benefits of Security Architecture
Adaptive Security Architecture provide organisations and businesses the
following benefits:
● Real-time Monitoring and Responses
● Filtering and Prioritization
● Reduce Threat Amplification
● Shrink the Attack Surface
● Decrease the Attack Velocity
● Reduce Remediation Time

Steps for Risk Management Part 2

● Steps for Risk Management
○ Risk Ownership
○ Risk Monitoring
○ Risk Control
● Steps to lower the cyber risk

4. Risk Ownership
A Risk owner is any individual, generally a project team member.
Risk owners assess the risks, and report the status of the risk to the project
manager on a regular basis.
Depending on the project, there are separate risk register meeting or
discussed as part of the weekly progress/ status meeting.
When a risk or opportunity actually occurs, the Project Manager will either
initiate contingency action, or deal with the issue under Change Control.
Copyright © TELCOMA. All Rights Reserved
5. Risk Mitigation
Risk Mitigation is a systematic reduction in the extent of exposure to a risk
and/or the probability of its occurrence.
In this process, organization introduces specific measures to minimize or
eliminate unacceptable risks associated with its operations.
Risk mitigation measures can be directed towards :
● reducing the severity of risk consequences,
● reducing the probability of the risk materializing, or
● reducing the organization exposure to the risk.

5. Risk Mitigation
Types of Risk Mitigation Strategies:
● Risk Acceptance
● Risk Avoidance
● Risk Limitation
● Risk Transference

6. Risk Monitoring
Risk monitoring is the process which trace and evaluates the levels of risk in an
organisation or system.
The purpose of risk monitoring is to keep track of the risks that occur and the
effectiveness of the responses which are implemented.
Risk Monitoring is essential process because risk is not static.