Creating a CIRT Response Plan for a Typical IT Infrastructure Essay

Creating a CIRT Response Plan for a Typical IT Infrastructure Essay

Introduction When a company experiences a computer incident, its security team that collects and monitors incidents must make a decision. That decision is whether the incident is benign, or whether it signals a greater problem, such as an attempted (or successful) security breach.

When people hear “security breach,” they often imagine sinister hackers bypassing firewalls to steal top secret plans. The attack might be one of thousands, a “noisy” spray of exploits across a network. Or the attack might be targeted solely at one company and, as the attacker hopes, more stealthy.

BUY A PLAGIARISM-FREE PAPER HERE

In any case, as different pieces of evidence are collected, it becomes easier to confirm whether a breach really has occurred and, if so, how it must be handled by a specialized team of security professionals. These special teams are referred to as computer incident response teams (CIRTs). A CIRT team operates on the actions laid out in a CIRT plan. The purpose of a computer incident response team (CIRT) plan is to mitigate risks found in the seven domains of a typical IT infrastructure.

When tasked to manage a security breach, a CIRT team will identify, analyze, and contain the extent of the security breach. Then they will get rid of the breach and whatever traces—a virus or other malware—were left behind. Next, as some business functions might have been affected, the CIRT team helps recover from the breach. Lastly, the CIRT team discusses and improves its CIRT plan based on lessons learned during a review session.

In this lab, you will explain how CIRT plans mitigate risks, you will identify where CIRT monitoring and security operation tasks occur throughout an IT infrastructure, you will identify the security controls and countermeasures that mitigate risk, and you will create a CIRT response plan. Creating a CIRT Response Plan for a Typical IT Infrastructure Essay

Learning Objectives Upon completing this lab, you will be able to:

Explain how a CIRT plan can help mitigate risks found in the seven domains of a typical IT infrastructure.

Creating a CIRT Response Plan for a Typical IT Infrastructure

Identify where CIRT monitoring and security operation tasks occur throughout an IT infrastructure.

Identify security controls and security countermeasures to mitigate risk throughout the IT infrastructure and to aid in security incident response.

Create a CIRT response plan for the Mock IT infrastructure by using the six-step incident-response methodology.

Deliverables Upon completion of this lab, you are required to provide the following deliverables to your instructor:

1. Lab Report file; 2. Lab Assessments file. Creating a CIRT Response Plan for a Typical IT Infrastructure Essay

Hands-On Steps

Note: This is a paper-based lab. To successfully complete the deliverables for this lab, you will need access to Microsoft® Word or another compatible word processor. For some labs, you may also need access to a graphics line drawing application, such as Visio or PowerPoint. Refer to the Preface of this manual for information on creating the lab deliverable files.

1. On your local computer, create the lab deliverable files.

2. Review the Lab Assessment Worksheet. You will find answers to these questions as you proceed through the lab steps.

3. Review the Mock IT infrastructure for a health care IT infrastructure servicing patients with life-threatening conditions (see Figure 1).

Figure 1 Mock IT infrastructure

4. In your Lab Report file, identify and then document the security controls and security countermeasures you can implement throughout Figure 1 to help mitigate risk from unauthorized access and access to intellectual property or customer privacy data.

5. Review the steps for creating a CIRT plan as outlined in the following table:

Step Description of Step Preparation What tools, applications, laptops, and

communication devices are needed to address computer/security incident response for this specific breach?

Identification When an incident is reported, it must be identified, classified, and documented. During this step, the following information is needed: validating the incident; identifying its nature, if an incident has occurred; identifying and protecting the evidence; and logging and reporting the event or incident.

Containment The immediate objective is to limit the scope and magnitude of the computer/security-related incident as quickly as possible, rather than allow the incident to continue to gain evidence for identifying and/or prosecuting the perpetrator.

Eradication The next priority is to remove the computer/security-related incident or breach’s effects.

Recovery Recovery is specific to bringing back into production those IT systems, applications, and assets that were affected by the security-related incident.

Post-Mortem Review Following up on an incident after the recovery tasks and services are completed is a critical last step in the overall methodology. A post-mortem report should include a complete explanation of the incident and the resolution and applicable configuration management, security countermeasures, and implementation recommendations to prevent the security incident or breach from occurring again.

Note: The post-mortem review is arguably the most important step as CIRT team members re-evaluate their actions with the valuable luxury of hindsight. When the CIRT members are able to look back to compare what they saw and how it related to what happened next, they can continually improve what they offer the organization.

6. In your Lab Report file, create a CIRT response plan approach according to the six-step methodology unique to the risks associated with the item you choose from the following:

 Internet ingress/egress at ASA_Student  Headquarters’ departmental VLANs on LAN Switch 1 and 2 with cleartext

privacy data  Remote branch office locations connected through the WAN  Data center/server farm at ASA_Instructor

Note: This completes the lab. Close the Web browser, if you have not already done so.

Evaluation Criteria and Rubrics The following are the evaluation criteria for this lab that students must perform:

1. Explain how a CIRT plan can help mitigate risks found in the seven domains of a typical IT infrastructure. – [25%]

2. Identify where CIRT monitoring and security operation tasks occur throughout an IT infrastructure. – [25%]

3. Identify security controls and security countermeasures to mitigate risk throughout the IT infrastructure and to aid in security incident response. – [25%]

4. Create a CIRT response plan for the Mock IT infrastructure by using the six-step incident-response methodology. – [25%]

Creating a CIRT Response Plan for a Typical IT Infrastructure Essay