Unit - 4 (CS)

Data privacy is a critical aspect of data protection that focuses on the proper handling of sensitive information, including personal data and financial information, governed by various regulations. It encompasses legal frameworks, policies, practices, third-party associations, data governance, and global requirements, aiming to prevent unauthorized access and data breaches. Effective data privacy strategies can enhance business reputation, reduce costs, and ensure compliance with regulatory standards.

Uploaded by SRIKANTH KETHA

[CYBER SECURITY]

UNIT 4: PRIVACY
Data privacy, also called information privacy, is an aspect of data protection that
addresses the proper storage, access, retention, immutability and security of
sensitive data.

Data privacy is typically associated with the proper handling of personal data or
personally identifiable information (PII), such as names, addresses, Social
Security numbers and credit card numbers. However, the idea also extends to
other valuable or confidential data, including financial data, intellectual property
and personal health information. Vertical industry guidelines often govern data
privacy and data protection initiatives, as well as regulatory requirements of
various governing bodies and jurisdictions.

Data privacy is not a single concept or approach. Instead, it's a discipline
involving rules, practices, guidelines and tools to help organizations establish
and maintain required levels of privacy compliance. Data privacy is generally
composed of the following six elements:

1. Legal framework. Prevailing legislation enacted and applied to data
issues, such as data privacy laws.
2. Policies. Established business rules and policies to protect employee
and user data privacy.
3. Practices. Best practices put in place to guide IT infrastructure, data
privacy and protection.
4. Third-party associations. Any third-party organizations, such as cloud
service providers, that interact with data.
5. Data governance. Standards and practices used to store, secure,
retain and access data.
6. Global requirements. Any differences or variations in data privacy and
compliance requirements among legal jurisdictions around the world,
such as the U.S. and the European Union (EU).

Data privacy is a subset of the broader data protection concept. It includes
traditional data protection -- such as data backups and disaster recovery
considerations -- and data security. The goal of data protection is to ensure the
continued privacy and security of sensitive business data, while maintaining the
availability, consistency and immutability of that data.

There are three key elements to keeping data safe: data security, access control
and data protection.

Why is data privacy important?
The importance of data privacy is directly related to the business value of data.
The evolving data economy is driving businesses of all sizes to collect and store
more data from more sources than ever before. Data is used for a range of
business reasons, including the following:

• to identify customers, understand their needs and provide goods and
services to them;
• to understand the business infrastructure, facilities and human
behaviors based on data from networks and devices;
• to glean insight from databases and data sources; and
• to train machine learning and AI systems.

Data privacy is a discipline intended to keep data safe against improper access,
theft or loss. It's vital to keep data confidential and secure by exercising
sound data management and preventing unauthorized access that might result
in data loss, alteration or theft.

For individuals, the exposure of personal data might lead to improper account
charges, privacy intrusion or identity theft. For businesses, unauthorized access
to sensitive data can expose intellectual property, trade secrets and confidential
communications; it can also adversely affect the outcome of data analytics.

Data privacy lapses, also referred to as data breaches, can have a serious effect
on all parties involved. Individuals affected by a data breach may find improper
financial and credit activity in their name, compromised social media accounts
and other issues. A business may face significant regulatory consequences, such
as fines, lawsuits, and irreparable damage to its brand and reputation. With
the integrity of its data compromised, a business may no longer be able to trust its
data and will need a response plan.

A comprehensive data privacy strategy requires several elements.

What are the laws of data privacy?
Regulatory legislation drives many data privacy practices because government
entities recognize the potential negative effects of data breaches on citizens and
the greater economy. Numerous laws require and enforce data
privacy functions and capabilities.

In the U.S., laws and regulations concerning data privacy have been enacted in
response to the needs of a particular industry or section of the population.
Examples include:

• Children's Online Privacy Protection Act (COPPA) gives parents
control over what information websites can collect from their kids.
• Health Insurance Portability and Accountability Act (HIPAA) ensures
patient confidentiality for all healthcare-related data.
• Electronic Communications Privacy Act (ECPA) extends government
restrictions on wiretaps to include transmission of electronic data.
• Video Privacy Protection Act (VPPA) prevents the wrongful disclosure
of an individual's PII stemming from their rental or purchase of
audiovisual material.
• Gramm-Leach-Bliley Act (GLBA) mandates how financial institutions
must deal with an individual's private information.
• Fair Credit Reporting Act (FCRA) regulates the collection and use of
credit information.

While some U.S. data protection laws are enacted at the federal level, states
may also ratify and enact data privacy laws. Examples of state-level data privacy
laws include the following:

• California Consumer Privacy Act (CCPA)
• California Privacy Rights Act (CPRA)
• Virginia's Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• New York SHIELD Act
• Utah Consumer Privacy Act (UCPA)
• Connecticut Personal Data Privacy and Online Monitoring Act (CPDPA)

The EU has the General Data Protection Regulation (GDPR), which governs the
collection, use, transmission and security of data collected from residents of its
27 member countries. GDPR regulates areas such as an individual's ability to
consent to providing data, how organizations must notify data subjects of
breaches, and individuals' rights over the use of their data.

Data privacy vs. data security

Data privacy and data security are closely related ideas, but they aren't
interchangeable.

• Data privacy focuses on issues related to collecting, storing and
retaining data, as well as data transfers within applicable regulations
and laws, such as GDPR and HIPAA.
• Data security is the protection of data against unauthorized access,
loss or corruption throughout the data lifecycle. Data security can
involve processes and practices, along with a variety of tools such as
encryption, hashing and tokenization to guard data at rest and in
motion.

Data privacy is a subset of data security. That is, data privacy can't exist without
data security.
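The list above names encryption, hashing and tokenization as the tools that guard stored data. The Python example below is added here and is not part of the original notes: it tokenizes and pseudonymizes a constructed customer record holding the kinds of PII named earlier (SSN, card number, email) so that the analytics copy carries no clear values, and gates detokenization behind an authorization check. The vault design, the field policy and the record values are assumptions.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample record of the kind the notes classify as PII.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "ssn": "123-45-6789",
    "card": "4111111111111111",
    "email": "alice@example.com",
    "purchase_total": 512.40,
}

# Assumed field policy: these never leave the vault in clear text ...
PII_FIELDS = ("ssn", "card")
# ... and these become a keyed pseudonym analysts can join on but not read back.
PSEUDONYM_FIELDS = ("email",)


@dataclass
class TokenVault:
    """Holds the only mapping from tokens back to clear values.

    The HMAC key is a constructed placeholder; a deployment would load it
    from a KMS or HSM rather than generating it in process.
    """
    hmac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _store: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # Random token that keeps the last four characters, so support staff
        # can still say "the card ending in 1111" without seeing the number.
        token = f"tok_{secrets.token_hex(8)}_{value[-4:]}"
        self._store[token] = value
        return token

    def detokenize(self, token: str, *, authorized: bool) -> str:
        # The access decision lives on the vault, not on the analytics copy.
        if not authorized:
            raise PermissionError("detokenization requires an authorized role")
        return self._store[token]

    def pseudonymize(self, value: str) -> str:
        # Keyed hash: stable across records (joins still work), not reversible,
        # and not brute-forceable from a candidate list without the key.
        digest = hmac.new(self.hmac_key, value.lower().encode(), hashlib.sha256)
        return "pseu_" + digest.hexdigest()[:32]


def protect_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy of `record` that is safe for the analytics/reporting tier."""
    out = dict(record)
    for name in PII_FIELDS:
        if name in out:
            out[name] = vault.tokenize(str(out[name]))
    for name in PSEUDONYM_FIELDS:
        if name in out:
            out[name] = vault.pseudonymize(str(out[name]))
    return out


SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
PAN_RE = re.compile(r"^\d{13,19}$")


def contains_clear_pii(record: dict) -> bool:
    """DLP-style check: does any value still look like an SSN or a card number?"""
    return any(
        isinstance(v, str) and bool(SSN_RE.match(v) or PAN_RE.match(v))
        for v in record.values()
    )


if __name__ == "__main__":
    vault = TokenVault()
    safe = protect_record(SAMPLE_RECORD, vault)
    print(safe)
    print("clear PII left:", contains_clear_pii(safe))
```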

What are the challenges of data privacy?

Data privacy isn't easy or automatic, and many businesses struggle to meet
requirements and counter threats in an ever-changing regulatory and security
landscape. Some of the biggest data privacy challenges include the following:

• Privacy is an afterthought. Many businesses deal with data privacy
long after implementing a business model and IT infrastructure,
leaving business and technology leaders scrambling to understand and
address complex requirements. Data privacy should be treated as a
fundamental business goal, with policies, training, tools and IT
infrastructure designed to meet privacy needs from the ground up.
• Poor data visibility. The old axiom, "you can't manage what you can't
see," applies to data privacy. Organizations need a clear
understanding of what data is present, its level of sensitivity and where
it's located. Only then can a business make decisions about security
and data privacy.
• Too much data. A business can be responsible for managing petabytes
of data comprising various files, databases and stores located across
storage devices and cloud repositories. It's easy to lose track of data,
allowing sensitive content to elude security, privacy and retention
guidance. A business must have the right tools and policies to manage
enormous and growing data volumes.
• More isn't always better. Businesses are starting to understand that
data must have context and value -- retaining all data forever is
expensive and presents storage, protection, attack and legal discovery
risks. Modern businesses must set balanced data retention
policies about the amount of data collected, its value to the business
and what constitutes reasonable retention needs.
• Too many devices. Modern businesses must embrace remote access,
wireless, bring-your-own-device, IoT, smart device and other
technologies. With all these moving pieces, it becomes harder to
manage those devices while controlling data storage and access. Data
privacy in this complex environment demands careful infrastructure
management, strong access controls, comprehensive monitoring and
well-considered data governance policies.
• Too many regulations. Any given business may be subject to data
privacy regulations at various levels, including federal, state, province
and industry. An enterprise that does business in another state,
province or country is then subject to those prevailing controls, as well.
New controls appear regularly, and they can change over time. This
presents a vast, complex and fluid regulatory landscape.

What are the benefits of data privacy compliance?
Proper data privacy compliance can yield four major benefits for a business,
including:

• Lower storage costs. Storing all data forever can be costly and risky.
Companies that make rational decisions about what data to collect
and store, and implement the minimum retention time for that data,
reduce costs for primary and backup data storage.
• Better data use. Data is time-sensitive. A business making better data
collection and retention decisions can benefit from timely and better-
quality data -- which translates into more accurate and relevant
analytical results.
• Better business reputation and brand. The reputation of a business
can be as important as its product or service. A business that
successfully adopts and adheres to data privacy practices can
demonstrate care for customer data and data privacy, leading to a
better reputation and a stronger brand. Conversely, a business that
experiences a major data breach can suffer irreparable damage to its
reputation and brand.
• Regulatory compliance. Proper data privacy compliance can protect a
business from the litigation and fines that come with data privacy
breaches.

DATA MINING

Data mining is one of the most useful techniques that help entrepreneurs,
researchers, and individuals to extract valuable information from huge sets of
data. Data mining is also called Knowledge Discovery in Databases (KDD). The
knowledge discovery process includes data cleaning, data integration, data
selection, data transformation, data mining, pattern evaluation, and knowledge
presentation.

What is Data Mining?

The process of extracting information to identify patterns, trends, and useful
data that would allow the business to take data-driven decisions from huge
sets of data is called Data Mining.

In other words, data mining is the process of investigating hidden patterns of
information from various perspectives and categorizing them into useful data,
which is collected and assembled in particular areas such as data
warehouses, to support efficient analysis and decision-making and other data
requirements, ultimately cutting costs and generating revenue.

Data mining is the act of automatically searching large stores of information
to find trends and patterns that go beyond simple analysis procedures. Data
mining utilizes complex mathematical algorithms to segment data and
evaluate the probability of future events. Data mining is also called Knowledge
Discovery of Data (KDD).

Data Mining is a process used by organizations to extract specific data from huge
databases to solve business problems. It primarily turns raw data into useful
information.

Data Mining is similar to Data Science carried out by a person, in a specific
situation, on a particular data set, with an objective. This process includes
various types of services such as text mining, web mining, audio and video
mining, pictorial data mining, and social media mining. It is done through
software that is simple or highly specific. By outsourcing data mining, all the
work can be done faster with low operation costs. Specialized firms can also use
new technologies to collect data that is impossible to locate manually. There are
tons of information available on various platforms, but very little knowledge
is accessible. The biggest challenge is to analyze the data to extract important
information that can be used to solve a problem or for company development.
There are many powerful instruments and techniques available to mine data
and find better insight from it.

Types of Data Mining

Data mining can be performed on the following types of data:

Relational Database:

A relational database is a collection of multiple data sets formally organized by
tables, records, and columns from which data can be accessed in various ways
without having to reorganize the database tables. Tables convey and share
information, which facilitates data searchability, reporting, and organization.

Data warehouses:

A Data Warehouse is the technology that collects the data from various sources
within the organization to provide meaningful business insights. The huge
amount of data comes from multiple places such as Marketing and Finance. The
extracted data is utilized for analytical purposes and helps in decision-making
for a business organization. The data warehouse is designed for the analysis of
data rather than transaction processing.

Data Repositories:

A data repository generally refers to a destination for data storage. However,
many IT professionals use the term more specifically to refer to a particular kind of
setup within an IT structure, for example, a group of databases in which an
organization has kept various kinds of information.

Object-Relational Database:

A combination of an object-oriented database model and relational database
model is called an object-relational model. It supports Classes, Objects,
Inheritance, etc.

One of the primary objectives of the Object-relational data model is to close the
gap between the Relational database and the object-oriented model practices
frequently utilized in many programming languages, for example, C++, Java, C#,
and so on.

Transactional Database:

A transactional database refers to a database management system (DBMS) that
can undo a database transaction if it is not performed
appropriately. Although this was a unique capability long ago,
today most relational database systems support transactional
activities.

Advantages of Data Mining

o The Data Mining technique enables organizations to obtain knowledge-
based data.
o Data mining enables organizations to make lucrative modifications in
operation and production.
o Compared with other statistical data applications, data mining is
cost-efficient.
o Data Mining helps the decision-making process of an organization.
o It facilitates the automated discovery of hidden patterns as well as the
prediction of trends and behaviors.
o It can be introduced into new systems as well as existing platforms.
o It is a quick process that makes it easy for new users to analyze enormous
amounts of data in a short time.

Disadvantages of Data Mining

o There is a probability that organizations may sell useful customer data
to other organizations for money. As per the report, American
Express has sold credit card purchases of their customers to other
organizations.
o Much data mining analytics software is difficult to operate and needs
advanced training to work with.
o Different data mining instruments operate in distinct ways due to the
different algorithms used in their design. Therefore, selecting the
right data mining tool is a very challenging task.
o Data mining techniques are not always precise, which may lead to serious
consequences in certain conditions.

Data Mining Applications

Data Mining is primarily used by organizations with intense consumer demands,
such as retail, communications, financial and marketing companies, to determine
pricing, consumer preferences, product positioning, and the impact on sales,
customer satisfaction and corporate profits. Data mining enables a retailer to use
point-of-sale records of customer purchases to develop products and promotions
that help the organization attract customers.

The following are areas where data mining is widely used:

Data Mining in Healthcare:

Data mining in healthcare has excellent potential to improve the health system.
It uses data and analytics for better insights and to identify best practices that
will enhance health care services and reduce costs. Analysts use data mining
approaches such as machine learning, multi-dimensional databases, data
visualization, soft computing, and statistics. Data mining can be used to forecast
the number of patients in each category. These procedures help ensure that patients
get intensive care at the right place and at the right time. Data mining also enables
healthcare insurers to recognize fraud and abuse.

Data Mining in Market Basket Analysis:

Market basket analysis is a modeling method based on a hypothesis: if you buy
a specific group of products, then you are more likely to buy another group of
products. This technique may enable the retailer to understand the purchase
behavior of a buyer. This data may assist the retailer in understanding the
requirements of the buyer and altering the store's layout accordingly. Analytical
comparison of results between various stores and between customers in
different demographic groups can also be performed.
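The support/confidence computation that turns the "if you buy X you are likely to buy Y" hypothesis above into measurable rules, as an added Python example that is not part of the original notes; the baskets and the thresholds are constructed, and the minimum-support cut-off doubles as the suppression step that keeps rules from describing only a few identifiable customers.

```python
from collections import Counter
from itertools import combinations

# Constructed baskets: one set of purchased items per customer visit.
BASKETS = [
    {"bread", "milk"},
    {"bread", "diapers", "beer", "eggs"},
    {"milk", "diapers", "beer", "cola"},
    {"bread", "milk", "diapers", "beer"},
    {"bread", "milk", "diapers", "cola"},
]


def itemset_counts(baskets, max_size=2):
    """Count how many baskets contain each single item and each item pair."""
    counts = Counter()
    for basket in baskets:
        for size in range(1, max_size + 1):
            for combo in combinations(sorted(basket), size):
                counts[frozenset(combo)] += 1
    return counts


def association_rules(baskets, min_support, min_confidence):
    """Derive rules X -> Y between item pairs.

    support(X -> Y)    = share of baskets holding both X and Y
    confidence(X -> Y) = support(X and Y) / support(X)
    lift(X -> Y)       = confidence(X -> Y) / support(Y)

    Pairs below min_support are dropped.  Besides being statistically weak,
    a rule backed by only a handful of baskets can describe identifiable
    customers, which is the privacy risk the notes raise for retail mining.
    """
    n = len(baskets)
    counts = itemset_counts(baskets)
    rules = []
    for itemset, both in counts.items():
        if len(itemset) != 2 or both / n < min_support:
            continue
        for x in itemset:
            y = next(iter(itemset - {x}))
            confidence = both / counts[frozenset([x])]
            lift = confidence / (counts[frozenset([y])] / n)
            if confidence >= min_confidence:
                rules.append((x, y, round(both / n, 2),
                              round(confidence, 2), round(lift, 2)))
    # Strongest rules first; ties broken by lift, then alphabetically.
    return sorted(rules, key=lambda r: (-r[3], -r[4], r[0], r[1]))


if __name__ == "__main__":
    for rule in association_rules(BASKETS, min_support=0.5, min_confidence=0.7):
        print("%s -> %s  support=%.2f confidence=%.2f lift=%.2f" % rule)
```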

Data mining in Education:

Educational data mining (EDM) is a newly emerging field concerned with developing
techniques that extract knowledge from the data generated in educational
environments. EDM objectives include predicting students' future
learning behavior, studying the impact of educational support, and advancing
learning science. An institution can use data mining to make precise decisions
and also to predict students' results. With the results, the institution
can concentrate on what to teach and how to teach.

Data Mining in Manufacturing Engineering:

Knowledge is the best asset possessed by a manufacturing company. Data
mining tools can be beneficial to find patterns in a complex manufacturing
process. Data mining can be used in system-level designing to obtain the
relationships between product architecture, product portfolio, and data needs
of the customers. It can also be used to forecast the product development
period, cost, and expectations among the other tasks.

Data Mining in CRM (Customer Relationship Management):

Customer Relationship Management (CRM) is all about obtaining and retaining
customers, enhancing customer loyalty and implementing customer-
oriented strategies. To build a good relationship with the customer, a business
organization needs to collect data and analyze it. With data mining
technologies, the collected data can be used for analytics.

Data Mining in Fraud detection:

Billions of dollars are lost to fraud. Traditional methods of fraud
detection are time-consuming and complex. Data mining provides
meaningful patterns and turns data into information. An ideal fraud detection
system should protect the data of all users. Supervised methods start from a
collection of sample records, each labeled as fraudulent or
non-fraudulent. A model is constructed from this data and then used to
identify whether a new record is fraudulent or not.

Data Mining in Lie Detection:

Apprehending a criminal is one thing, but bringing out the truth from him is
a very challenging task. Law enforcement may use data mining techniques to
investigate offenses, monitor suspected terrorist communications, etc. This
technique also includes text mining, which seeks meaningful patterns in data
that is usually unstructured text. The information collected from previous
investigations is compared, and a model for lie detection is constructed.

Data Mining in Financial Banking:

The digitalization of the banking system is expected to generate an enormous
amount of data with every new transaction. Data mining techniques can help
bankers solve business-related problems in banking and finance by
identifying trends, causalities and correlations in business information and
market costs that are not immediately evident to managers or executives because
the data volume is too large or is produced too rapidly to be examined by
experts. Managers can use these findings to better target, acquire,
retain and segment profitable customers.

Challenges of Implementation in Data mining

Although data mining is very powerful, it faces many challenges during its
execution. Various challenges could be related to performance, data, methods
and techniques, etc. The process of data mining becomes effective when the
challenges or problems are correctly recognized and adequately resolved.

Incomplete and noisy data:

Data mining is the process of extracting useful data from large volumes of data.
Data in the real world is heterogeneous, incomplete, and noisy. Data in huge
quantities will often be inaccurate or unreliable. These problems may occur
due to faulty measuring instruments or because of human error. Suppose a retail
chain collects phone numbers of customers who spend more than $500, and
the accounting employees enter the information into their system. The person
may mistype a digit when entering the phone number, which results in
incorrect data. Some customers may also be unwilling to disclose their phone
numbers, which results in incomplete data. The data could also be changed by
human or system error. All of these consequences (noisy and incomplete
data) make data mining challenging.

Data Distribution:

Real-world data is usually stored on various platforms in a distributed
computing environment. It might be in a database, on individual systems, or even
on the internet. In practice, it is quite difficult to bring all the data into a
centralized data repository, mainly due to organizational and technical concerns.
For example, various regional offices may have their own servers to store their data.
It is not feasible to store all the data from all the offices on a central server.
Therefore, data mining requires the development of tools and algorithms that
allow the mining of distributed data.

Complex Data:

Real-world data is heterogeneous, and it could be multimedia data, including
audio and video, images, complex data, spatial data, time series, and so on.
Managing these various types of data and extracting useful information is a
tough task. Most of the time, new technologies, new tools, and methodologies
would have to be refined to obtain specific information.

Performance:

The data mining system's performance relies primarily on the efficiency of the
algorithms and techniques used. If the designed algorithm and techniques are
not up to the mark, then the efficiency of the data mining process will be
affected adversely.

Data Privacy and Security:

Data mining usually leads to serious issues in terms of data security, governance,
and privacy. For example, if a retailer analyzes the details of the purchased
items, then it reveals data about buying habits and preferences of the customers
without their permission.

Data Visualization:

In data mining, data visualization is a very important process because it is the
primary method that shows the output to the user in a presentable way. The
extracted data should convey the exact meaning of what it intends to express.
But many times, representing the information to the end-user in a precise and
easy way is difficult. Because both the input data and the output information are
complex, very efficient and effective data visualization processes need to
be implemented for the mining effort to succeed.

EMAIL SECURITY
Email security is the process of preventing email-based cyber attacks and
unwanted communications. It spans protecting inboxes from takeover,
protecting domains from spoofing, stopping phishing attacks, preventing fraud,
blocking malware delivery, filtering spam, and using encryption to protect the
contents of emails from unauthorized persons.

Security and privacy were not built into email when it was first invented, and
despite email's importance as a communication method, these are still not built
into email by default. As a result, email is a major attack vector for organizations
large and small, and for individual people as well.

What kinds of attacks occur via email?

Some of the common types of email attacks include:

• Fraud: Email-based fraud attacks can take a variety of forms, from the
classic advance-fee scams directed at everyday people to business
email compromise (BEC) messages that aim to trick large enterprise
accounting departments into transferring money to illegitimate
accounts. Often the attacker will use domain spoofing to make the
request for funds look like it comes from a legitimate source.

• Phishing: A phishing attack tries to get the victim to give the attacker
sensitive information. Email phishing attacks may direct users to a fake
webpage that collects credentials, or simply pressure the user to send
the information to an email address secretly controlled by the
attacker. Domain spoofing is also common in attacks like these.

• Malware: Types of malware delivered over email include spyware,
scareware, adware, and ransomware, among others. Attackers can
deliver malware via email in several different ways. One of the most
common is including an email attachment that contains malicious
code.

• Account takeover: Attackers take over email inboxes from legitimate
users for a variety of purposes, such as monitoring their messages,
stealing information, or using legitimate email addresses to forward
malware attacks and spam to their contacts.

• Email interception: Attackers can intercept emails in order to steal the
information they contain, or to carry out on-path attacks in which they
impersonate both sides of a conversation to each other. The most
common method for doing this is monitoring network data packets on
wireless local area networks (LANs), as intercepting an email as it
transits the Internet is extremely difficult.

Email domain spoofing

Email domain spoofing is important in several types of email-based attacks, as it
allows attackers to send messages from legitimate-seeming addresses. This
technique allows attackers to send an email with a forged "from" address. For
example, if Chuck wants to trick Bob with an email, Chuck might send Bob an
email from the domain "@trustworthy-bank.com," even though Chuck does not
really own the domain "trustworthy-bank.com" or represent that organization.
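The Chuck/Bob case above is what SPF, DKIM and DMARC alignment checks (standard mechanisms the notes do not cover) are built to catch: the receiving mail server records which domain actually authenticated and compares it with the domain shown in the visible From: header. The Python example below is added here and is not part of the original notes; the two messages, the receiving host mx.example.net and the sender domains are constructed, and the two-label organizational-domain rule is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed messages.  Authentication-Results is added by the receiving
# mail server (mx.example.net here) after it has checked SPF and DKIM.
SPOOFED_MSG = """\
From: "Trustworthy Bank" <alerts@trustworthy-bank.com>
To: bob@example.net
Subject: Urgent: confirm your account details
Return-Path: <bounce@bounce.chuck-mail.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce.chuck-mail.example; dkim=none

Dear customer, please confirm your details at the link below.
"""

LEGIT_MSG = """\
From: "Trustworthy Bank" <alerts@trustworthy-bank.com>
To: bob@example.net
Subject: Your monthly statement
Return-Path: <bounce@mail.trustworthy-bank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.trustworthy-bank.com; dkim=pass header.d=trustworthy-bank.com

Your statement is ready.
"""


def org_domain(domain: str) -> str:
    """Relaxed alignment compares organizational domains.

    Assumption: the last two labels are the organizational domain.  A real
    check consults the Public Suffix List (so 'shop.example.co.uk' maps to
    'example.co.uk'); two labels suffice for the constructed samples here.
    """
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def authenticated_domains(auth_results: str):
    """Extract the SPF-authenticated and DKIM-signing domains, if each passed."""
    spf = re.search(r"spf=pass\s+smtp\.mailfrom=([\w.@-]+)", auth_results)
    dkim = re.search(r"dkim=pass\s+header\.d=([\w.-]+)", auth_results)
    # smtp.mailfrom may be a full address or just a domain; keep the domain.
    spf_domain = spf.group(1).rpartition("@")[2] if spf else None
    dkim_domain = dkim.group(1) if dkim else None
    return spf_domain, dkim_domain


def dmarc_alignment(raw_message: str, relaxed: bool = True) -> dict:
    """Does the visible From: domain match a domain that actually authenticated?"""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    spf_domain, dkim_domain = authenticated_domains(
        msg.get("Authentication-Results", "")
    )
    norm = org_domain if relaxed else str.lower
    spf_aligned = spf_domain is not None and norm(spf_domain) == norm(from_domain)
    dkim_aligned = dkim_domain is not None and norm(dkim_domain) == norm(from_domain)
    return {
        "from_domain": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "aligned": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        print(label, dmarc_alignment(raw))
```

A message that fails alignment is not proof of fraud by itself (forwarding and mailing lists break SPF), which is why DMARC lets the domain owner choose between monitoring, quarantine and reject.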

What is a phishing attack?

Phishing is an attempt to steal sensitive data, typically in the form of usernames,
passwords, or other important account information. The phisher either uses the
stolen information themselves, for instance to take over the user's accounts
with their password, or sells the stolen information.

Phishing attackers disguise themselves as a reputable source. With an enticing
or seemingly urgent request, an attacker lures the victim into providing
information, just as a person uses bait while fishing.

Phishing often takes place over email. Phishers either try to trick people into
emailing information directly, or link to a webpage they control that is designed
to look legitimate (for instance, a fake login page where the user enters their
password).

There are several types of phishing:

• Spear phishing is highly targeted and often personalized to be more
convincing.

• Whaling targets important or influential persons within an
organization, such as executives. This is a major threat vector in
enterprise email security.

• Non-email phishing attacks include vishing (phishing via phone
call), smishing (phishing via text message), and social media phishing.

An email security strategy can include several approaches for blocking phishing
attacks. Email security solutions can filter out emails from known bad IP
addresses. They can block or remove links embedded within emails to stop users
from navigating to phishing webpages. Or, they can use DNS filtering to block
these webpages. Data loss prevention (DLP) solutions can also block or redact
outgoing messages containing sensitive information.

Finally, an organization's employees should receive training on how to recognize
a phishing email.

How are email attachments used in attacks?

Email attachments are a valuable feature, but attackers use this email capability
to send malicious content to their targets, including malware.

One way they can do this is by simply attaching the malicious software as an .exe
file, then tricking the recipient into opening the attachment. A far more common
approach is to conceal malicious code within an innocent-seeming document,
like a PDF or a Word file. Both file types can carry embedded code (VBA macros in
Office documents, JavaScript in PDFs) that attackers use to perform some
malicious action on the recipient's computer, like downloading and running malware.

Many ransomware infections in recent years have started with an email
attachment. For example:

 Ryuk ransomware often enters a network through a TrickBot or
Emotet infection, both of which spread via email attachments

 Maze ransomware uses email attachments to gain a foothold within
the victim's network


 Petya ransomware attacks also usually started out with an email
attachment

Part of email security involves blocking or neutralizing these malicious email
attachments; this can involve scanning all emails with anti-malware to identify
malicious code. In addition, users should be trained to ignore unexpected or
unexplained email attachments. For web-based email clients, browser
isolation can also help nullify these attacks, as the malicious attachment is
downloaded in a sandbox separate from the user's device.
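A worked example of the attachment checks described above, added here and not
part of the original notes: it parses a MIME message with Python's standard
library, then flags attachments by extension, by file signature (so a renamed
.exe is still caught) and, for Office documents, by looking inside the OOXML
ZIP for a VBA project. The sample message, file contents and the extension
lists are constructed for this example; a production gateway would feed the
parts to a real anti-malware engine as well.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed lists for this example: extensions that run directly when double-clicked,
# and Office extensions that are macro-enabled by definition.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
MZ_MAGIC = b"MZ"                                   # Windows PE executable header
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc/.xls compound file


def classify_attachment(filename, data):
    """Return the reasons an attachment looks dangerous (empty list = nothing found).

    The content is inspected as well as the name, so renaming evil.exe to
    report.pdf.txt does not hide it.
    """
    reasons = []
    name = (filename or "").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if data.startswith(MZ_MAGIC):
        reasons.append("PE (MZ) header, whatever the extension says")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office extension {ext}")
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE document, which can carry VBA macros")
    if data.startswith(b"PK"):
        # OOXML (.docx/.docm/.xlsx/...) is a ZIP; macros live in word/vbaProject.bin etc.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                if any(n.lower().endswith("vbaproject.bin") for n in archive.namelist()):
                    reasons.append("OOXML archive contains vbaProject.bin (VBA macros)")
        except zipfile.BadZipFile:
            reasons.append("ZIP signature but not a valid archive")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and map each flagged attachment name to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = classify_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed message (not a real capture): a benign PDF, a .docm with a VBA
    project, and a PE executable renamed to look like a text file."""
    docm = io.BytesIO()
    with zipfile.ZipFile(docm, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/vbaProject.bin", b"\x00fake-vba-project")
    msg = EmailMessage()
    msg["From"] = "invoices@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\nfake pdf body", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(docm.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroenabled.12", filename="invoice.docm")
    msg.add_attachment(b"MZ\x90\x00fake PE image", maintype="application",
                       subtype="octet-stream", filename="report.pdf.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(why)}")
```

Running the script flags invoice.docm (macro-enabled extension and a
vbaProject.bin inside the archive) and report.pdf.txt (MZ header) while leaving
invoice.pdf alone; the same functions can be pointed at a mailbox export.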

What is spam?

Spam is a term for unwanted or inappropriate email messages, sent without the
recipient's permission. Almost all email providers offer some degree of spam
filtering. But inevitably, some spam messages still reach user inboxes.

Spammers gain a bad "email sender reputation"* over time, leading to more and
more of their messages getting marked as spam. For this reason they are often
motivated to take over user inboxes, steal IP address space, or spoof domains in
order to send spam that is not detected as spam.

Individuals and organizations can take several approaches to cut down on the
spam they receive. They can reduce or eliminate public listings of their email
addresses. They can implement a third-party spam filter on top of the filtering
provided by their email service. And they can be consistent about marking spam
emails as spam, in order to better train the filtering they do have.

*If a large percentage of a sender's emails are unopened or marked as spam by
recipients, or if a sender's messages bounce too much, ISPs and email services
downgrade their email sender reputation.

How do attackers take over email accounts?

Attackers can use a stolen inbox for a wide range of purposes, including sending
spam, initiating phishing attacks, distributing malware, harvesting contact lists,
or using the email address to steal more of the user's accounts.

They can use a number of methods to break into an email account:


 Purchasing lists of previously stolen credentials: There have been
many personal data breaches over the years, and lists of stolen
username/password credentials circulate widely on the dark web. An
attacker can purchase such a list and use the credentials to break into
users' accounts, often via credential stuffing.

 Brute force attacks: In a brute force attack, an attacker loads a login
page and uses a bot to rapidly guess a user's credentials. Rate
limiting and locking an account after a set number of failed password
entries effectively stop this method.

 Phishing attacks: The attacker may have conducted a previous
phishing attack to obtain the user's email account login credentials.

 Web browser infections: Similar to an on-path attack, a malicious
party can infect a user's web browser in order to see all the
information they enter on webpages, including their email username
and password.

 Spyware: The attacker may have already infected the user's device
and installed spyware to track everything they type, including their
email username and password.

Using multi-factor authentication (MFA) instead of single-factor password
authentication is one way to protect inboxes from compromise. Enterprises may
also want to require their users to go through a single sign-on (SSO) service
instead of logging directly into email.
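The rate limiting and lockout controls mentioned for brute force and credential
stuffing above, as an added example that is not part of the original notes. The
guard keeps a sliding-window count of attempts per source IP (credential
stuffing spreads across many accounts, so a per-account counter alone misses
it) and a consecutive-failure counter per account; the thresholds, IP addresses
and the two attack scenarios are assumptions constructed for the example.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Throttle login attempts per source IP and lock an account after repeated failures.

    The thresholds below are assumptions for this example, not values from the text.
    """

    def __init__(self, ip_limit=20, ip_window=60.0, account_limit=5, lockout=900.0):
        self.ip_limit = ip_limit            # attempts one IP may make inside ip_window seconds
        self.ip_window = ip_window
        self.account_limit = account_limit  # consecutive failures before an account locks
        self.lockout = lockout              # seconds the lock lasts
        self._ip_hits = defaultdict(deque)  # ip -> timestamps of recent attempts
        self._failures = defaultdict(int)   # username -> consecutive failed attempts
        self._locked_until = {}             # username -> time the lock expires

    def _ip_over_limit(self, ip, now):
        """Sliding-window counter: drop hits older than the window, record this one."""
        hits = self._ip_hits[ip]
        while hits and now - hits[0] > self.ip_window:
            hits.popleft()
        hits.append(now)
        return len(hits) > self.ip_limit

    def attempt(self, username, ip, verify_password, now):
        """Process one login attempt.

        verify_password is a callable doing the real credential check; it is only
        invoked when neither the IP limit nor an account lock applies, so a bot
        gets no password oracle once it has been throttled.
        Returns 'allowed', 'denied', 'rate_limited' or 'locked'.
        """
        if self._ip_over_limit(ip, now):
            return "rate_limited"
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return "locked"
        if verify_password():
            self._failures[username] = 0
            self._locked_until.pop(username, None)
            return "allowed"
        self._failures[username] += 1
        if self._failures[username] >= self.account_limit:
            self._locked_until[username] = now + self.lockout
            self._failures[username] = 0
            return "locked"
        return "denied"


def simulate_attacks():
    """Constructed scenario: a credential-stuffing bot cycling through leaked
    username/password pairs from one IP, then a brute force on a single account."""
    guard = LoginGuard()
    results = {"stuffing": [], "brute": []}
    # 30 different accounts, one wrong leaked password each, one attempt per second.
    for i in range(30):
        results["stuffing"].append(
            guard.attempt(f"user{i}", "203.0.113.7", lambda: False, now=float(i)))
    # Six wrong guesses against alice, then the real password during and after the lock.
    for i in range(6):
        results["brute"].append(
            guard.attempt("alice", "198.51.100.9", lambda: False, now=100.0 + i))
    results["brute"].append(guard.attempt("alice", "198.51.100.9", lambda: True, now=110.0))
    results["brute"].append(guard.attempt("alice", "198.51.100.9", lambda: True, now=1100.0))
    return results


if __name__ == "__main__":
    for scenario, outcomes in simulate_attacks().items():
        print(scenario, outcomes)
```

In the stuffing run the first 20 attempts are merely denied and the remaining
10 are rate limited before any password is checked; in the brute-force run the
fifth failure locks alice, the correct password is refused while the lock
holds, and only the attempt after the lockout window succeeds. Time is passed
in explicitly so the logic can be tested without sleeping.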

How does encryption protect email?

Encryption is the process of scrambling data so that only authorized parties can
unscramble and read it. Encryption is like putting a sealed envelope around a
letter so that only the recipient can read the letter's contents, even though any
number of parties will handle the letter as it goes from sender to recipient.

Encryption is not built into email by default. Mail servers commonly use TLS
(STARTTLS) to protect a single hop between servers, but that protection is
opportunistic, hop-by-hop, and does nothing for messages once they sit on a
server; without message-level encryption, sending an email is like sending a
letter with no envelope protecting its contents. Because emails often contain
personal and confidential data, this can be a big problem.


Just as a letter does not instantly go from one person to another, emails do not
go straight from the sender to the recipient. Instead, they traverse multiple
connected networks and are routed from mail server to mail server until they
finally reach the recipient. Anyone in the middle of this process could intercept
and read the email if it is not encrypted, including the email service provider.
However, the most likely place for an email to be intercepted is close to the
origin of the email, via a technique called packet sniffing (monitoring data
packets on a network).

Encryption is like putting a sealed envelope around an email. Most email
encryption (for example, S/MIME and OpenPGP) works by using public key
cryptography. Some email encryption is end-to-end; this protects email contents
from the email service provider, in addition to any external parties.

How do DNS records help prevent email attacks?

The Domain Name System (DNS) stores public records about a domain,
including that domain's IP address. The DNS is essential for enabling users to
connect to websites and send emails without memorizing long alphanumeric IP
addresses.

There are specialized types of DNS records that help ensure emails are from a
legitimate source, not an impersonator: SPF records, DKIM records, and DMARC
records. An SPF record lists the servers allowed to send mail for a domain; a
DKIM record publishes the public key with which receivers verify the sender's
signature over the message headers and body; and a DMARC record tells receivers
what to do (none, quarantine or reject) when a message fails both checks or when
the authenticated domains do not align with the visible From address. Email
service providers check incoming mail against all three records to see if it is
from the place it claims to be from and has not been altered in transit.
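An added example of the SPF and DMARC evaluation a receiving server performs;
it is not part of the original notes. The TXT records are constructed and held
in a dictionary instead of being fetched from DNS, the SPF evaluator supports
only ip4/ip6, include and all (a real resolver also handles a, mx, exists and
redirect=), the organizational domain is approximated by the last two labels
rather than the Public Suffix List, and the DKIM signature check itself is
assumed to have been done elsewhere: its outcome is passed in as dkim_valid
together with the d= domain of the signature.

```python
import ipaddress

# Constructed TXT records for this example; production code would query DNS instead.
DNS_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.test": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.test",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), "")


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` against the connecting IP.

    Handles ip4/ip6, include and all; a real resolver also needs a, mx, exists
    and redirect=. Returns pass, fail, softfail, neutral, none or permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_txt(domain)
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the tag=value pairs of the _dmarc TXT record, or None if absent."""
    record = lookup_txt(f"_dmarc.{domain}")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(item.strip().split("=", 1) for item in record.split(";") if "=" in item)


def org_domain(domain):
    """Organizational domain as the last two labels; real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, mail_from_domain, sender_ip, dkim_domain=None, dkim_valid=False):
    """Combine SPF and DKIM with DMARC alignment. Returns (result, disposition)."""
    tags = parse_dmarc(from_domain)
    disposition = tags.get("p", "none") if tags else "none"
    if tags is None and org_domain(from_domain) != from_domain.lower():
        tags = parse_dmarc(org_domain(from_domain))     # a subdomain inherits sp (default p)
        if tags:
            disposition = tags.get("sp", tags.get("p", "none"))
    if tags is None:
        return ("none", "none")
    spf_ok = (check_spf(mail_from_domain, sender_ip) == "pass"
              and aligned(from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_valid and dkim_domain is not None
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    return ("pass", "none") if spf_ok or dkim_ok else ("fail", disposition)


if __name__ == "__main__":
    print(evaluate_dmarc("example.test", "example.test", "192.0.2.10"))    # ('pass', 'none')
    print(evaluate_dmarc("example.test", "example.test", "203.0.113.5"))   # ('fail', 'reject')
    print(evaluate_dmarc("news.example.test", "bounce.mailer.test", "198.51.100.10",
                         dkim_domain="mailer.test", dkim_valid=True))      # ('fail', 'quarantine')
```

The third call is the case practitioners most often get wrong: the bulk mailer's
DKIM signature is valid, but it is signed with the mailer's own domain, so under
adkim=s it does not align with the From domain and the subdomain policy
(sp=quarantine) applies. A spoofed message from an IP not in the SPF record and
with no aligned signature hits the -all mechanism and the p=reject policy.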

MANAGEMENT AND INCIDENTS:


Business owners are always looking for ways to keep their company safe from
unforeseen security incidents, which can cause significant losses. One way to do
this is by implementing an incident management process.
What is incident management, and why do organizations need it? This article
will explore the roles and responsibilities of an incident management team and
the tools they can use to respond swiftly and effectively to security incidents.
What Is Incident Management?

Incident management is the process used by cybersecurity, DevOps, and IT
professionals to identify and respond to incidents in their organization.


Cybersecurity incidents can be anything from a server outage to a data breach
to something as simple as an employee misconfiguring a firewall.
Cybersecurity incident management aims to minimize the impact of these
incidents on business operations and prevent them from happening again. To
do this, incident managers must first identify the cause of the incident and take
steps to fix it. They also need to ensure that the proper procedures are in place
to prevent incidents from recurring (Bisson, 2021).
What Are the Benefits of an Incident Management Plan?

There are many benefits to implementing an effective incident management
process.
 Reduced downtime. By quickly identifying and resolving incidents,
businesses can minimize the downtime their employees experience.
This is especially important for companies that rely on technology to
do their work.
 Improved customer service. If an incident affects customers,
companies must resolve the issue as soon as possible. Incident
management can help businesses do this properly and efficiently.
 Prevention of future incidents. By identifying the root cause of
incidents and fixing them, companies can prevent the same types of
incidents from happening again.
 Improved communication. One of the critical purposes of incident
management is to enhance communication between different
departments and teams within an organization. Good communication
prevents duplication of efforts and ensures that everyone is on the
same page when responding to incidents.
What Are the Roles and Responsibilities of an Incident Management Team?

An effective incident management team has several key roles and
responsibilities (Chai & Lewis, 2020).
 Identifying incidents. The first step in resolving an incident is
identifying that it has occurred. Incident managers must be able to
promptly locate any issue that could impact business operations.
 Resolving incidents. Once an incident has been identified, it is up to
the incident manager to fix it as quickly as possible. This often includes
working with other departments to get things back up and running.
 Reporting incidents. Incident managers must provide regular reports
on all happenings in their organization. This helps prevent future
incidents and keeps everyone up to date on the latest information.


 Training employees. One of the critical responsibilities of an incident
manager is training staff on how to respond to different types of
incidents. This includes teaching them about the procedures that have
been put in place and helping them understand the impact that an
incident can have on business operations.
What Are Some Standard Tools Used by Incident Management Teams?

Incident management teams use several tools and technologies to help them
respond appropriately to incidents. Some of the most common tools include:
 Intrusion detection systems. These systems detect and react to
security incidents. They often have features such as real-time alerts and
reporting.
 Netflow analyzers. These tools help incident managers understand the
traffic flowing in and out of their network. This information can identify
malicious activity and quickly respond to incidents.
 Vulnerability scanners. These scanners help identify vulnerabilities in
an organization’s systems and networks. This information can be used
to fix the vulnerabilities and prevent future incidents.
 Availability monitoring. This type of monitoring helps incident
managers track the availability of critical systems and applications. This
information can be used to quickly identify and resolve incidents
affecting business operations.
 Web proxies. A web proxy is a server positioned between the client
and the target server. It intercepts all requests from the client and
forwards them to the target server. This can be used to monitor traffic
and block access to specific websites.
 Security information and event management (SIEM) tools. SIEM tools
collect and analyze incident security data across an organization. This
can help incident managers quickly identify and mitigate any potential
threats.
 Threat intelligence. Threat intelligence is information about current or
emerging threats that can impact an organization. It can be leveraged
to help incident managers stay ahead of any potential attacks and
protect their business.
How to Create an Effective Incident Management Plan

An effective incident management plan is key to ensuring that your organization
can adequately respond to any incidents that occur. Here are some tips for
creating effective incident response strategies (Griffin, 2021).


 Define the roles and responsibilities of the team. Ensure everyone on
the team knows their role and what they need to do to resolve an
incident.
 Establish procedures. Make sure that you have clear procedures for
responding to different types of security incidents. This will help ensure
that everyone is on the same page when resolving an incident.
 Train employees. Train security and other staff to recognize and
respond to various incidents. This will help get the business back up
and running with as little downtime as possible.
 Create a communication plan. Make sure you have a communication
plan and incident response policy in place for sharing information
about incidents with employees, customers, and partners.
 Test your plan. Testing your plan regularly ensures that it runs
smoothly, functions effectively, and is updated to account for new
developments in business operations and cybersecurity.
The Growing Demand for In-House Incident Management Teams

As businesses become more aware of the dangers of security incidents, the
demand for in-house incident management teams is growing. In-house teams
can help organizations promptly respond to any incidents and protect their
business from potential attacks—for example, by creating an organization-wide
incident response policy.
In response to this growing need, leading cybersecurity education providers
like EC-Council have developed specialized incident management training
programs. EC-Council’s Certified Incident Handler (E|CIH) program is one of the
most popular and well-recognized incident response certifications in the
cybersecurity industry.
The accredited E|CIH program covers response procedures for a wide range of
security incidents, including malware, email, network, cloud, and web
application attacks. If you are a leader looking to strengthen your in-house
incident management team or a cybersecurity professional looking to enhance
your incident handling skills, the E|CIH is an excellent place to start.
Protect Your Organization with an Incident Handling Certification

Incident management is a critical component of any successful business. By
establishing a dedicated incident handling team and implementing an effective
incident response plan, you can protect your organization from the impact of
cyberattacks.


If you are a cybersecurity professional, consider specializing in incident
management to take advantage of the growing demand for these teams. Visit
the program page for EC-Council's E|CIH certification to learn more.

SECURITY PLANNING
A cyber security plan is the centerpiece of any effort to defend against attacks
and mitigate risk in IT environments. Cyber security plans cover the strategy,
policy, procedures, and technologies your organization will rely on when seeking
to heighten cyber risk management and implement successful security
programs.

Data and metrics are critical to every cyber security plan. By providing greater
visibility into the attack surface and measuring the effectiveness of security
controls, data and metrics enable your security leaders to focus resources on
addressing the largest areas of risk while benchmarking performance against
competitors and peers.

BitSight provides a suite of cyber security and risk management solutions that
help organizations create, measure, and refine effective and efficient cyber
security plans. With BitSight, cyber security risk management teams have the
objective, verifiable information they need to confidently make informed
decisions and drive data-driven conversations about security and risk.

Developing a Data Breach Response Plan

Determining how an organization will respond to a data breach is an essential
part of every cyber security plan. When a breach occurs, having a pre-established
data breach response plan enables security leaders to take immediate action to
minimize damage to data, reputation, and the bottom line without having to
spend time defining ownership and responsibilities.

Data breach response plans are highly customized to the needs of each
organization, but there are several tasks that must be included in this kind of
cyber security plan for every business.


1. What types of data constitute a data incident? This information is key to
knowing when to trigger a data breach response plan. A breach including
sensitive data most likely will require activating your incident response
plan. Sensitive data may include customer information, company
information, user credentials, intellectual property, or data on a vendor's
network. Depending on the type of data that is breached, you may be
required to notify customers as part of your response plan.
2. Who is responsible for what during a data breach? Your data breach
response plan should list the people responsible for stopping the breach
and remediating damage. A legal team may need to weigh in if customers'
protected information was involved. You may need the communications
team to help with crisis management and public relations. The HR
department may be required to help if employee information was
involved. Responding to data breaches of a certain size will likely need to
involve C-suite executives.
3. How does the internal escalation process work? When an employee
discovers a potential breach, there must be a concrete plan, agreed upon by
everyone involved, for how that information is escalated internally up the
chain to the different departments.
4. How does the external escalation process work? When should you get
help from outside partners, and what kind of help might you need? These
external resources often include forensic investigation teams or legal
resources.

Like every other part of a cyber security plan, a data breach response plan relies
on superior metrics. When a breach is detected, BitSight metrics can help
identify where vulnerabilities are present in the network, helping to speed
remediation. After remediation, BitSight cyber risk monitoring tools can help to
see if problems in systems have been truly addressed or if vulnerabilities are still
present in your network.

BitSight Security Ratings

BitSight is the most widely adopted Security Ratings solution in the world.
BitSight ratings offer a data-driven, dynamic measurement of the cybersecurity
performance of an organization and its third-party vendors. BitSight analyzes
vast amounts of externally observable data to produce daily security ratings that
range from 250 to 900. The higher the rating, the more effective the company's
security practices and the lower the likelihood of a breach.


BitSight Security Ratings are based on four categories of data – compromised
systems, security intelligence, user behavior, and publicly disclosed data
breaches. In addition to an overall rating for each company, BitSight provides
data on specific ratings for certain risk factors and individual digital assets.

BitSight Security Ratings provide the data and metrics security leaders need
when crafting a cyber security plan or cyber risk management framework.
BitSight’s data can help to identify risk throughout an organization’s attack
surface or vendor ecosystem. Additionally, BitSight can measure the
effectiveness of controls selected to mitigate risk and improve security, and
benchmark an organization’s performance against peers and competitors.
Ultimately, BitSight provides the clear, objective, and continuous data that
security leaders need to refine their cyber security risk management process.

Benefits for Cyber Security Plans

The BitSight Security Ratings platform offers a suite of solutions that security
leaders can take advantage of when crafting cyber security plans.

 BitSight for Security Performance Management. BitSight helps
organizations measurably reduce cyber risk through broad measurement,
continuous monitoring, and detailed planning and forecasting. With
BitSight, security and risk leaders can continuously monitor, measure, and
communicate the efficacy of the controls they have in place to keep their
organization secure. BitSight's metrics enable security leaders to make
faster, data-driven decisions about where the biggest risks to the
organization exist, and where to direct resources to remediate them.
 BitSight for Third-Party Risk Management. BitSight provides continuous
monitoring capabilities that let third-party risk management teams better
track the security performance of vendors without having to sit back and
rely on vendors self-reporting their cybersecurity data. BitSight
immediately exposes cyber risk within the supply chain and helps to
prioritize resources on remediating the most dangerous issues to
measurably reduce cyber risk.
 BitSight Security Ratings for Benchmarking. With BitSight, organizations
can continuously monitor and assess their security posture and
benchmark their performance against industry peers and competitors.
BitSight security ratings provide a continuous, data-driven measure of
performance on a wide range of risk factors for a company and its
competitors.
 BitSight Attack Surface Analytics. BitSight enables security leaders to get
a handle on risk hidden throughout their entire network landscape,
including digital assets in the cloud, subsidiaries, geographies, and the
remote workforce. With greater visibility into the attack surface and the
risks within it, security teams can discover shadow IT and visualize areas
of greatest risk to prioritize remediation.

Why BitSight is the Security Ratings leader

Founded in 2011, BitSight transforms how companies manage information
security risk. By providing objective, verifiable, and actionable security ratings,
BitSight helps organizations make faster, more strategic decisions about
cybersecurity policy and third-party risk management.

BitSight is trusted by some of the largest organizations and governments to get
a clearer picture of their security posture and the posture of their third-party
vendors. Over 2,100 customers use BitSight to monitor 540,000 organizations.
Seven of the top 10 largest cyber insurers trust BitSight, as do 4 of the top 5
investment banks and all of the Big 4 accounting firms. BitSight is the choice of
20% of the world's countries and 25% of Fortune 500 companies.

BUSINESS CONTINUITY PLANNING


A cyber security business continuity plan is a form of Business Continuity
planning. Business Continuity Planning is the process of creating a plan to
identify major risks to a business which could cause significant disruption,
preventing these where feasible, and planning to allow essential processes to
continue wherever possible.

A business continuity plan should outline a range of risks including physical
events (e.g. fire, flooding and natural disasters), supply chain disruption and
cyber-attacks. Cyber risk is often overlooked and the potential impact of
business disruption regularly underestimated.

A cyber security business continuity plan (sometimes known as an incident
response plan) can help your business to identify a range of cyber risk and
outline how to prevent or mitigate incidents where possible. It should also
outline the actions that should be taken to minimise business disruption during
a cyber emergency.

The benefits of an incident response plan or cybersecurity business continuity
plan include lessening business disruption by providing clear steps, actions and
responsibilities, and an increased awareness of cyber risks across a business
which can prevent incidents from occurring. By planning incident response
ahead of time, a business can also ensure their response is compliant with
regulators and GDPR.

WHAT IS DISASTER RECOVERY PLANNING?

A Disaster Recovery plan is an essential part of Business Continuity planning and
outlines the steps needed for a business to quickly resume work after a major
incident. Whereas a Business Continuity Plan outlines how to ensure a business
remains operational during an incident, a Disaster Recovery Plan focuses on the
best strategies for recovery following a disaster.

For example in the case of a cyber attack, a Business Continuity plan may focus
on ensuring essential computer systems remain usable and securing important
data to allow employees to continue working. A Disaster Recovery plan may
include instructions for recovering data or making a website accessible following
a Distributed Denial of Service attack.

CYBER BUSINESS CONTINUITY PLANNING

Business continuity and disaster recovery in cyber security should follow the
same principles as any business continuity or disaster recovery plan, but with an
awareness of the specific risks of a cyber attack or breach. Here are the steps
you should take:


1. Assemble your team

The first step is deciding who to include in your team. This should include
people from across the business, including your IT team and Senior
Leadership. Each member should have clearly delegated roles and
responsibilities, as this removes ambiguity and therefore downtime in a
crisis.

2. Conduct a cybersecurity risk assessment

This is where you will outline all the possible risks to your business that
relate to a cyber-attack or breach. It’s important to consider the impact
that the different types of cyber-attacks could have, and the potential
regulatory implications of a data breach. It’s also crucial to audit all parts
of your supply chain for cyber risk, as a cyber breach from one of your
suppliers or partners could put your business at risk and vice versa.

3. Perform a Business Impact analysis

Once you have identified all the major cyber risks to your business, you
should perform a business impact analysis. This is an opportunity to
identify each business impact that could be caused by the disruption of
business functions and processes. This analysis will help you determine
recovery strategies and which functions and processes should take
priority – typically the ones with the highest operational and financial
impacts.

4. Test your systems

Once plans are in place, it’s important to test your systems to determine
if you need to adapt or review your current plans. This will allow you to
refine your plans and systems before a cyber breach or attack occurs.

5. Set up a continuous monitoring process

Cyber criminals are using increasingly sophisticated methods to breach
businesses' cybersecurity. Processes that may have been completely
adequate only a few years ago may now need to change. Continually
monitoring your processes to determine any weak points, or
improvements that can be made is one of the best ways you can protect
your business from large amounts of downtime and business disruption.


WHAT ELSE DO I NEED TO CONSIDER TO KEEP MY BUSINESS SAFE FROM CYBER
CRIMINALS?

Education and training

According to research conducted by IBM, 95% of cyber breaches were caused by
human error. Therefore an important part of your Business Continuity planning
should be regular employee cyber training to stay ahead of the increasingly
sophisticated methods used by cyber criminals. Many comprehensive cyber
insurance policies offer employee training as part of their cover to reduce the
risk of claims caused by human error.

Cybersecurity measures

Robust cybersecurity is essential to protect your business, and it's important to
invest in some cybersecurity measures regardless of your business size or
industry. It is also a requirement of cyber insurance cover that the policyholder
ensures there are adequate cybersecurity measures in place; otherwise, if an
incident occurs, claims may be voided.

There are many measures a business can take to protect against cyber attacks
including keeping antivirus software and firewalls up to date, using VPNs for
encrypted data transfer and remote file access, enforcing secure password
policies and multifactor authentication.

Penetration testing can also be a useful tool to help you stay ahead of cyber
criminals. By identifying vulnerabilities in your IT infrastructure, you can fix any
issues before a hacker gains access to your systems.

Penetration testing can take the form of Black Box, White Box and Grey Box
testing:

Black Box – a tester with no prior knowledge of the internal systems attempts to
breach security from the outside, relying on reconnaissance and trial-and-error,
as a real external attacker would, to find vulnerabilities in the system.

White Box – the tester has knowledge of the IT architecture and systems, and
will use these to test and analyse any potential weaknesses.

Grey Box – the tester has some knowledge of the systems, and will use the
limited information they have to find potential vulnerabilities or security holes.

Cyber insurance

Even with robust cybersecurity and the best business continuity plans in place,
a cyber breach or attack may still occur leaving your business liable to pay
out-of-pocket for a range of costs and liabilities including data and system
recovery, notification costs, reputational damage and even legal liabilities.

Both cyber liability and cyber crime insurance cover will help your business
offset the costs of recovery after a cyber-related security breach, loss of data, a
ransomware attack or a similar event. A comprehensive cyber insurance policy
will provide financial compensation for the direct costs incurred, and any
liabilities payable to third parties following a cyberattack, a data breach or loss
of data.


Many insurers’ policies also offer significant additional value in terms of Cyber
Breach Response Support which is an invaluable resource when dealing with
cyber-attacks.

These services can include crisis containment, PR and reputation management
and independent legal advice. Many policies also offer the services of forensic
investigation consultants to identify the point of entry and extent of potential
system damages, recover data wherever possible, and advise on how to improve
vulnerabilities in your current cyber security framework.

HANDLING INCIDENTS
DEFINITION

Incident response is an organized, strategic approach to detecting and managing
cyber attacks in ways that minimize damage, recovery time and total costs.

Strictly speaking, incident response is a subset of incident
management. Incident management is an umbrella term for an enterprise's
broad handling of cyber attacks, involving diverse stakeholders from the
executive, legal, HR, communications and IT teams. Incident response is the part
of incident management that handles technical cybersecurity tasks and
considerations.

Many experts use the terms incident response and incident
management interchangeably, however, because both incident management
and incident response strategies work to ensure business continuity in the face
of a security crisis, such as a data breach.

Why is incident response important?

Today, Benjamin Franklin might say the only certainties are death, taxes and
cyber attacks. Research suggests critical security incidents are all but inevitable,
thanks to both criminal ingenuity on the attacker's side and human error on the
user's side. A reactive, disorganized response to an attack gives bad actors the
upper hand and puts the business at greater risk. At worst, the financial,


operational and reputational damage from a major security incident could force
an organization to go out of business.

On the other hand, a cohesive, well-vetted incident response strategy that
follows incident response best practices limits fallout and positions the business
to recover as quickly as possible.

Types of security incidents


In developing incident response strategies, it's important to first understand
how security vulnerabilities, threats and incidents relate.

A vulnerability is a weakness in the IT or business environment. A threat is the
potential for that weakness to be exploited, and a threat actor -- whether a
malicious hacker or a company insider -- is the entity that attempts to exploit it
in an attack. To qualify as an incident, an attack must succeed in
accessing enterprise resources or in otherwise putting them at risk. Finally,
a data breach is an incident in which attackers successfully compromise
sensitive information, such as personally identifiable information or intellectual
property.

When it comes to cybersecurity, an ounce of prevention is worth a pound of
cure. Experts say organizations should fix known vulnerabilities and proactively
develop response strategies for dealing with common security incidents. These
include the following:

• Unauthorized attempts to access systems or data.
• Privilege escalation attacks.
• Insider threats.
• Phishing attacks.
• Malware attacks.
• Denial-of-service (DoS) attacks.
• Man-in-the-middle attacks.
• Password attacks.
• Web application attacks.
• Advanced persistent threats.

Since not all security events are equally serious -- and enterprises simply do not have the resources to aggressively address each and every one -- incident response requires prioritization. Weigh an incident's urgency and importance to determine whether it warrants a full-fledged response. For example, an active ransomware attack is both urgent (time-sensitive) and important (it puts critical IT assets and business continuity at risk). Such an attack logically warrants a major, expedited response.
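As an added example (not part of these notes), the following Python script applies the event-versus-incident distinction and the urgency/importance triage described above to constructed SSH authentication log lines. A burst of failed logins from one address is reported as a security event; a successful login from that same address right after the burst is reported as an urgent incident. The log format, the failure threshold and the two-minute window are assumptions chosen for the illustration.

```python
"""Classify authentication activity as events vs. incidents (added example).

The log lines below are constructed sshd-style records, not real data.
FAIL_THRESHOLD and WINDOW are illustrative assumptions, not values from
any standard.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumption: >= 5 failures inside WINDOW is a brute-force event
WINDOW = timedelta(minutes=2)  # assumption: sliding window for counting failures

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 5110 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.5 port 5111 ssh2
2024-05-01T10:00:05 sshd[811]: Failed password for root from 203.0.113.5 port 5112 ssh2
2024-05-01T10:00:07 sshd[811]: Failed password for root from 203.0.113.5 port 5113 ssh2
2024-05-01T10:00:09 sshd[811]: Failed password for root from 203.0.113.5 port 5114 ssh2
2024-05-01T10:00:20 sshd[811]: Accepted password for root from 203.0.113.5 port 5115 ssh2
2024-05-01T10:01:00 sshd[812]: Failed password for alice from 198.51.100.7 port 4400 ssh2
2024-05-01T10:01:30 sshd[812]: Accepted password for alice from 198.51.100.7 port 4401 ssh2
2024-05-01T10:05:00 sshd[813]: Failed password for bob from 192.0.2.9 port 4500 ssh2
"""


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines this parser ignores."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Walk the log once and return findings.

    - "event":    a source exceeded `threshold` failures inside `window`
                  (an unauthorized access attempt; medium priority).
    - "incident": a login from that source succeeded while the failure count
                  was still above the threshold (likely compromise; urgent).
    A single typo followed by a successful login produces no finding.
    """
    failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()               # ips already reported as a brute-force event
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = [t for t in failures[ip] if ts - t <= window]  # drop stale failures
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"ip": ip, "kind": "event", "priority": "medium",
                                 "detail": f"{len(recent)} failed logins within {window}"})
        elif len(recent) >= threshold:  # Accepted right after a burst of failures
            findings.append({"ip": ip, "kind": "incident", "priority": "urgent",
                             "detail": f"login as {user!r} succeeded after {len(recent)} failures"})
        failures[ip] = recent
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Running the script reports one event and one incident, both for 203.0.113.5; the single failed attempt by alice followed by a successful login is left alone, which is the prioritization point: the incident gets the expedited response, the event gets logged and watched.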

What is an incident response plan?

An incident response plan is an organization's go-to set of documentation that details the following:

• What. Which threats, exploits and situations qualify as actionable security incidents, and what to do when they occur.
• Who. In the event of a security incident, who is responsible for which tasks and how others can contact them.
• When. Under what circumstances team members should perform certain tasks.
• How. Specifically how team members should complete those tasks.

An incident response plan acts as a detailed, authoritative map, guiding responders from initial detection, assessment and triage of an incident to its containment and resolution.


How to create an incident response plan


Successful incident response requires proactively drafting, vetting and testing
plans before crisis strikes. Best practices include the following:

1. Establish a policy. An incident remediation and response policy should be an evergreen document describing general, high-level incident-handling priorities. A good policy empowers incident responders and guides them in making sound decisions when a crisis hits.
2. Build an incident response team. An incident response plan is only as strong as the people involved. Establish who will handle which tasks, and ensure everyone has adequate training to fulfill their roles and responsibilities.
3. Create playbooks. Playbooks are the lifeblood of incident response. While an incident response policy offers a high-level view, playbooks get into the weeds, outlining standardized, step-by-step actions responders should take in specific scenarios. Playbook benefits include greater consistency, efficiency and effectiveness -- in both incident response and incident responder training.
4. Create a communication plan. An incident response plan can't succeed without a solid communication plan among diverse stakeholders. These may include the incident response, executive, communications, legal and HR teams, as well as customers, third-party partners, law enforcement and the general public.


An incident response plan is a key component of any incident response program.

In general, an incident response plan should include the following components:

• A plan overview.
• A list of roles and responsibilities.
• A list of incidents requiring action.
• The current state of network infrastructure and security controls.
• Detection, investigation and containment procedures.
• Eradication procedures.
• Recovery procedures.
• The breach notification process.
• A list of post-incident follow-up tasks.
• A contact list.
• Incident response plan testing.
• Ongoing revisions.

How to manage an incident response plan


The worst time to find out if an incident response plan has holes is during a real security crisis, which makes ongoing testing critical. Experts advise organizations to hold regular simulations featuring diverse attack vectors, such as ransomware, malicious insiders and brute-force attacks.

Many enterprises conduct incident response tabletop exercises to vet their plans. A discussion-based tabletop exercise involves talking through the specifics of an attack and the team's response. An operational tabletop exercise includes hands-on tasks, with enactment of relevant processes to see how they unfold.

After both simulated and real security incidents, response teams should study
what happened and review lessons learned. Note any security gaps that
emerged, recommend appropriate additional controls, brainstorm ways to
improve processes and update the incident response plan accordingly.

Remember, an incident response plan is not a set-it-and-forget-it proposition. It should continually evolve to reflect changes in the threat landscape, IT infrastructure and business environment. Experts recommend formal, comprehensive reassessments and revisions annually, at the very least.

Incident response frameworks: Phases of incident response

Rather than trying to reinvent the wheel, an organization looking to build an incident response plan can refer to established incident response frameworks for high-level guidance and direction.

Well-known frameworks from NIST (SP 800-61), SANS Institute, ISO (ISO/IEC 27035) and ISACA all differ slightly in their approaches, yet they each describe similar phases of incident response:

1. Preparation/planning. Build an incident response team and create policies, processes and playbooks; deploy tools and services to support incident response.
2. Detection/identification. Use IT monitoring to detect, evaluate, validate and triage security incidents.
3. Containment. Take steps to stop an incident from worsening and regain control of IT resources.
4. Eradication. Eliminate threat activity, including malware and malicious user accounts; identify any vulnerabilities the attackers exploited.
5. Recovery. Restore normal operations and mitigate relevant vulnerabilities.
6. Lessons learned. Review the incident to establish what happened, when it happened and how it happened. Flag security controls, policies and procedures that functioned sub-optimally and identify ways to improve them. Update the incident response plan accordingly.

Who is responsible for incident response?

Behind every great incident response program is a coordinated, efficient and effective incident response team. After all, without the right people to support them and put them into practice, security policies, processes and tools mean very little. This cross-functional group consists of people from diverse parts of the organization who are responsible for completing the steps and processes involved in incident response.

Types of incident response teams


The three most common types of incident response teams are as follows:

• Computer security incident response team (CSIRT).
• Computer incident response team (CIRT).
• Computer emergency response team (CERT).

These acronyms are often used interchangeably in the field, and the teams generally have the same goals and responsibilities. One important note is that the name CERT is a registered trademark of Carnegie Mellon University, so companies must apply for authorization to use it.


Another term commonly heard during an incident response team conversation is security operations center (SOC). A SOC encompasses the people, tools and processes that manage an organization's security program. While SOC teams may be responsible for incident response, it is not their sole task within an organization. SOC teams' other duties can include conducting asset discovery and management, keeping activity logs and ensuring regulatory compliance, among others.

Incident response team members


The size of an incident response team and the members included will vary based
on the individual organization's needs. Some members may even fill multiple
roles and responsibilities.

In general, an incident response team consists of the following members:

• Technical team. This is the core incident response team of IT and security members who have technical expertise across company systems. It often includes an incident response manager, incident response coordinator, team lead, security analysts, incident responders, threat researchers and forensics analysts.
• Executive sponsor. This is an executive or board member, often the CSO or CISO.
• Communications team. This includes PR representatives and others who manage internal and external communications.
• Internal stakeholders outside the core team. Other employees or departments within the organization, such as IT, legal or general counsel, HR, PR, business continuity and disaster recovery, physical security and facilities teams.
• Third parties. These external members might include security or incident response consultants, external legal representation, MSPs, managed security service providers, cloud service providers (CSPs), vendors and partners.


A well-developed incident response team is vital to ensuring incident response activities happen as planned.

What does an incident response team do?


The chief goals of an incident response team are to detect and respond to
security events and minimize their business impact. As such, team
responsibilities largely align with the phases outlined in an incident response
framework and plan. Team tasks include the following:

• Prepare for and prevent security incidents.
• Create the incident response plan.
• Test, update and manage the incident response plan before use.
• Perform incident response tabletop exercises.
• Develop metrics to analyze program initiatives.
• Identify security events.
• Contain security events, quarantine threats and isolate systems.
• Eradicate threats, discover root causes and remove affected systems from production environments.
• Recover from threats and get affected systems back online.
• Conduct follow-up activities, including documentation, incident analysis and identifying how to prevent similar events and improve future response efforts.
• Review and update the incident response plan regularly.

Interested in becoming an incident responder?


Incident response requires professionals with security skills who can execute on
tasks such as monitoring for vulnerabilities and taking appropriate measures
when necessary. They must be able to analyze data to spot and assess the scope
and urgency of incidents, as well as perform other duties. They may also report
on trends, educate internal users and work with law enforcement.

The incident responder role can be an exciting, albeit challenging, career. Incident responder jobs are in demand and can command sizeable salaries. The tradeoff, however, is that many incident responders work long hours under constant stress.

Incident response in the cloud

As enterprise cloud use proliferates, the importance of including the cloud in incident response processes increases. The goals of cloud incident response are the same as in traditional incident response, but with some caveats.

Consider the shared responsibility model, for example. With on-premises applications, platforms and infrastructure, an organization's IT and security teams are generally in charge of all management and security tasks. With SaaS, PaaS and IaaS, on the other hand, some or all of that responsibility shifts to CSPs. This can make incident detection and investigation more difficult or even impossible, depending on the deployment, because responders may have no access to the provider's underlying infrastructure and logs.

Cloud incident response may also require new tools and skill sets, as well as a
deeper knowledge of cloud security incidents and threats. Traditional tools may
not work properly -- or at all -- in cloud environments. New tools and procedures
not only add to what incident response teams must learn and manage but may
also require extra budget.

The Cloud Security Alliance publishes a cloud incident response framework and best practices for including cloud in incident response programs, which are a useful starting point.

Incident response tools and technologies

As Benjamin Franklin once said, "The best investment is in the tools of one's own trade." In the case of incident response, this involves many tools.

No silver-bullet, one-size-fits-all incident response tool exists. Rather, a mix of tools and technologies is required to help incident response teams prevent, detect, analyze, contain, eradicate and recover from incidents. Most organizations already have a variety of incident response tools and processes in deployment. Typically categorized by their prevention, detection or response functionalities, these include the following:

• Antimalware.
• Backup and recovery tools.
• Cloud access security broker.
• Data classification tools.
• Data loss prevention.
• DoS mitigation.
• Employee security awareness training.
• Endpoint detection and response.
• Firewalls.
• Forensics analysis.
• Intrusion prevention and detection systems.
• Security information and event management (SIEM).
• Security orchestration, automation and response (SOAR).
• Vulnerability management.

Managing all these tools can be a lot for a security team to handle. Many organizations are turning to automation in incident response to reduce alert fatigue, triage alerts, investigate and respond to threats automatically, automate ticketing, alerting, case management and reporting, resolve issues faster, conserve human effort for higher-value activities and save money.

Contemplating whether to handle incident response in-house versus outsourcing some or all incident response duties? In-house incident response requires the proper staff, tools and budget. It's also important to consider the nature and complexity of the threats the organization faces. In some scenarios, in-house incident response may be the best bet. Organizations facing more serious threats -- or those that have multiple locations, each facing unique threats -- may be better suited to outsourcing their incident response needs, however.

Service providers often offer incident response services, such as the following,
on retainer or on an emergency basis:

• Managing threat detection and response.
• Providing threat prevention services.
• Conducting penetration tests and threat hunting.
• Assisting with media and PR management.
• Conducting root cause analysis.
• Conducting crisis management.
• Maintaining regulatory compliance.


Incident response and SOAR

SOAR is one of the newest tools to join the incident response arsenal. As such,
confusion surrounds what it is and what it does. Its capabilities sound similar to
those of SIEM, adding to the confusion.

Security orchestration, automation and response is a collection of technologies that, when combined, help security teams aggregate, analyze, detect and respond to security events with little or no human input. The main functions of each component of SOAR are outlined below:

• Security orchestration. This function connects and integrates internal and external tools through built-in or custom integrations and APIs. It collects and consolidates the data produced by the various tools to initiate response functions, based on defined incident analysis parameters and processes.
• Security automation. This function uses the data collected during security orchestration to trigger workflows and tasks based on defined thresholds and actions laid out in incident response playbooks. SOAR platforms can automatically remediate lower-risk vulnerabilities and complete low-level tasks historically performed by human analysts, such as vulnerability scanning. High-risk threats can also be escalated automatically to security analysts for further investigation.
• Security response. Delivered via a single view, this function enables security, network and systems analysts to access and share threat intelligence, collaborate and conduct post-incident response activities.

Together, these components of SOAR tools enable teams to collect, analyze, detect and respond to security incidents.

SIEM systems operate similarly to SOAR platforms, but traditionally lack a key feature: automated response. A SIEM collects and correlates events and alerts teams about potential incidents; it does not itself trigger containment actions (although some modern SIEM products now bundle SOAR-style automation). SIEMs and SOARs have similar mean time to detect, but SOARs excel at mean time to respond, thanks to their automated capabilities.

SOAR platforms augment human analysts with the following capabilities:

• Threat intelligence coordination.
• Case management.
• Vulnerability management.
• Automated enrichment for remediation.
• Threat hunting.
• Incident response automation.

In these use cases, SOAR platforms can help improve productivity; automate
repetitive, tedious and low-importance tasks; use existing security tools better
and more contextually; and improve third-party tool integration, among other
benefits. SOAR platforms aren't without challenges, however. Namely, SOARs
may not be able to integrate with all security tools easily or at all, do not address
security culture within an organization and may fail to live up to inflated user
expectations.
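The following Python script is an added example (not from these notes, and not any vendor's product) of the three SOAR functions just described on a miniature scale: orchestration normalizes alerts from two hypothetical tools into one schema, automation enriches them from a threat-intelligence list and applies playbook thresholds, and the result is a set of case records that either trigger a containment action, escalate to an analyst, or auto-close. The tool schemas, the indicator list, the host names and the severity threshold are all constructed assumptions.

```python
"""Miniature SOAR pipeline (added example).

EDR_ALERTS, PROXY_ALERTS and THREAT_INTEL are constructed for illustration;
a real platform would pull them over each tool's API. AUTO_CONTAIN_AT is an
assumed playbook threshold.
"""
from dataclasses import dataclass, field

AUTO_CONTAIN_AT = 7  # assumption: severity (0-10) at which containment needs no human sign-off

EDR_ALERTS = [  # constructed records in a hypothetical endpoint tool's schema
    {"host": "ws-042", "severity": 8, "sha256": "sha256-0001", "process": "mimikatz.exe"},
    {"host": "ws-017", "severity": 3, "sha256": "sha256-0002", "process": "updater.exe"},
    {"host": "ws-023", "severity": 4, "sha256": "sha256-0003", "process": "svchost.exe"},
]
PROXY_ALERTS = [  # constructed records in a hypothetical web proxy's schema (score 0-100)
    {"src": "ws-042", "dst_ip": "203.0.113.10", "score": 90},
    {"src": "ws-099", "dst_ip": "198.51.100.20", "score": 20},
    {"src": "ws-058", "dst_ip": "192.0.2.44", "score": 75},
]
THREAT_INTEL = {  # constructed indicator list
    "203.0.113.10": "known C2 server",
    "sha256-0001": "credential-dumping tool",
    "sha256-0003": "dropper hash",
}


@dataclass
class Alert:
    """Common schema every tool's alert is mapped onto (orchestration)."""
    source: str
    host: str
    severity: int                      # normalized to 0-10
    indicators: list = field(default_factory=list)
    intel_hits: list = field(default_factory=list)


def normalize(edr_alerts, proxy_alerts):
    """Orchestration: map each tool's native fields onto the common Alert record."""
    alerts = [Alert("edr", a["host"], a["severity"], [a["sha256"], a["process"]])
              for a in edr_alerts]
    alerts += [Alert("proxy", a["src"], round(a["score"] / 10), [a["dst_ip"]])
               for a in proxy_alerts]
    return alerts


def enrich(alerts, intel):
    """Automation: attach threat-intel context to every alert, no analyst needed."""
    for a in alerts:
        a.intel_hits = [intel[i] for i in a.indicators if i in intel]
    return alerts


def run_playbook(alerts, auto_contain_at=AUTO_CONTAIN_AT):
    """Apply playbook thresholds and return one case record per alert.

    isolate_host         -> high severity AND an intel hit: respond without human input
    escalate_to_analyst  -> an intel hit OR high severity, but not both: needs a person
    auto_close           -> neither: low-value noise that would otherwise cause alert fatigue
    """
    cases = []
    for a in alerts:
        if a.intel_hits and a.severity >= auto_contain_at:
            action = "isolate_host"
        elif a.intel_hits or a.severity >= auto_contain_at:
            action = "escalate_to_analyst"
        else:
            action = "auto_close"
        cases.append({"source": a.source, "host": a.host, "severity": a.severity,
                      "intel": a.intel_hits, "action": action})
    return cases


def triage(edr_alerts=EDR_ALERTS, proxy_alerts=PROXY_ALERTS, intel=THREAT_INTEL):
    """Full pipeline: orchestrate -> enrich -> playbook."""
    return run_playbook(enrich(normalize(edr_alerts, proxy_alerts), intel))


if __name__ == "__main__":
    for case in triage():
        print(case)
```

The design point is that every action is decided by a threshold written down in the playbook, so the same alert always gets the same treatment; a real deployment would replace the `isolate_host` string with an API call to the EDR tool and the `escalate_to_analyst` string with a ticket, which is exactly the integration work that makes SOAR rollouts harder than the sales pitch suggests.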

RISK ANALYSIS
Risk analysis is the review of the risks associated with a particular action or event. It is applied to information technology, projects, security issues and any other area where risks can be analysed on a quantitative or qualitative basis. Risks are part of every IT project and business organization. Risk analysis should take place on a regular basis and be updated to identify new potential threats. Strategic risk analysis helps to minimize both the probability and the damage of future risks.

Enterprises and organizations use risk analysis:

o To anticipate and reduce the effect of harmful results from adverse events.
o To plan for technology or equipment failure or loss from adverse events, both natural and human-caused.
o To evaluate whether the potential risks of a project are balanced in the decision process when deciding whether to move forward with the project.
o To identify the impact of, and prepare for, changes in the enterprise environment.

Benefits of risk analysis

Every organization needs to understand the risks associated with its information systems in order to protect its IT assets effectively and efficiently. Risk analysis can help an organization improve its security in many ways:

o It identifies, rates and compares the overall impact of risks to the organization in financial and organizational terms.
o It helps to identify gaps in information security and determine the next steps to eliminate security risks.
o It can also enhance the communication and decision-making processes related to information security.
o It improves security policies and procedures and helps develop cost-effective methods for implementing them.
o It increases employee awareness of risks and security measures during the risk analysis process, and of the financial impact of potential security risks.

Steps in the risk analysis process

The basic steps followed by a risk analysis process are:

Conduct a risk assessment survey:

Getting input from management and department heads is critical to the risk assessment process. The risk assessment survey is the starting point for documenting the specific risks or threats within each department.

Identify the risks:

This step evaluates an IT system or other aspects of an organization to identify the risks related to software, hardware, data and IT employees. It identifies the possible adverse events that could occur in an organization, such as human error, flooding, fire or earthquakes.


Analyse the risks:

Once the risks are identified, the risk analysis process should analyse how likely each risk is to occur and determine the consequences linked with each risk. It also determines how they might affect the objectives of an IT project.

Develop a risk management plan:

Once the analysis has shown which assets are valuable and which threats are likely to affect the IT assets negatively, develop a risk management plan that produces control recommendations which can be used to mitigate, transfer, accept or avoid each risk.

Implement the risk management plan:

The primary goal of this step is to implement the measures that remove or reduce the analysed risks, starting with the highest priority and resolving, or at least mitigating, each risk so that it is no longer a threat.

Monitor the risks:

This step monitors security risks on a regular basis. Continually identifying, treating and managing risks should be an essential part of any risk analysis process.

Types of Risk Analysis

The two main approaches to risk analysis are:

Qualitative Risk Analysis

o Qualitative risk analysis is a project management technique that prioritizes the risks on a project by assigning each a probability rating and an impact rating. Probability is the likelihood that a risk event will occur, whereas impact is the significance of the consequences of the risk event.
o The objective of qualitative risk analysis is to assess and evaluate the characteristics of each identified risk and then prioritize the risks based on the agreed-upon characteristics.
o Assessing each risk individually evaluates the probability that it will occur and its effect on the project objectives. Categorizing risks in this way helps to filter them.
o Qualitative analysis determines the risk exposure of the project by multiplying the probability rating by the impact rating; the result is an ordinal score for ranking, not a monetary value.

Quantitative Risk Analysis

o The objective of quantitative risk analysis is to provide a numerical estimate of the overall effect of risk on the project objectives.
o It is used to evaluate the likelihood of success in achieving the project objectives and to estimate the contingency reserve, usually for time and cost.
o Quantitative analysis is not mandatory, especially for smaller projects. Its main focus is calculating estimates of overall project risk.
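The following Python script is an added example (not from these notes) that works through both approaches on a constructed risk register. The qualitative part ranks risks by probability x impact on 1-5 scales; the quantitative part uses the standard single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annualized rate of occurrence) formulas, which the notes do not spell out, to decide whether a proposed control is worth its annual cost. The register entries, the rating bands and every monetary figure are illustrative assumptions.

```python
"""Qualitative and quantitative risk analysis (added example).

RISK_REGISTER, the rating bands and the figures in ransomware_case() are
constructed for illustration. SLE/ARO/ALE are the standard quantitative
formulas, not something taken from these notes.
"""

# --- Qualitative: ordinal 1-5 scales, prioritized by probability x impact --------
RISK_REGISTER = [  # constructed register
    {"risk": "Ransomware on file servers",          "probability": 4, "impact": 5},
    {"risk": "Flood in server room",                "probability": 1, "impact": 5},
    {"risk": "Phishing leads to account takeover",  "probability": 5, "impact": 3},
    {"risk": "Laptop lost in transit",              "probability": 3, "impact": 2},
]


def risk_score(probability, impact):
    """Ordinal exposure score: probability rating x impact rating (1-5 each)."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be on a 1-5 scale")
    return probability * impact


def rating(score):
    """Assumed bands: 15-25 high, 8-14 medium, below 8 low."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(register):
    """Return the register sorted from highest to lowest exposure, with scores attached."""
    ranked = []
    for r in register:
        s = risk_score(r["probability"], r["impact"])
        ranked.append({**r, "score": s, "rating": rating(s)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


# --- Quantitative: monetary estimates ----------------------------------------------
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x exposure factor (fraction of the asset lost per incident)."""
    if not 0 <= exposure_factor <= 1:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x annualized rate of occurrence (expected incidents per year)."""
    return sle * aro


def control_net_benefit(ale_before, ale_after, annual_control_cost):
    """Positive means the control reduces expected loss by more than it costs."""
    return (ale_before - ale_after) - annual_control_cost


def ransomware_case():
    """Worked example with constructed figures: is an offline-backup + EDR
    programme worth 60,000 per year against the ransomware risk?"""
    asset_value = 2_000_000          # assumed value of the file-server data and downtime
    sle_before = single_loss_expectancy(asset_value, 0.25)   # assume 25% of value lost
    ale_before = annualized_loss_expectancy(sle_before, 0.5)  # assume one hit every 2 years
    sle_after = single_loss_expectancy(asset_value, 0.125)   # backups shrink the loss
    ale_after = annualized_loss_expectancy(sle_after, 0.125)  # EDR shrinks the frequency
    control_cost = 60_000
    return {
        "sle_before": sle_before, "ale_before": ale_before,
        "sle_after": sle_after, "ale_after": ale_after,
        "control_cost": control_cost,
        "net_benefit": control_net_benefit(ale_before, ale_after, control_cost),
    }


if __name__ == "__main__":
    for r in prioritize(RISK_REGISTER):
        print(f'{r["score"]:>2} {r["rating"]:<6} {r["risk"]}')
    print(ransomware_case())
```

The two parts answer different questions: the qualitative ranking tells you which risk to look at first (ransomware outranks the low-probability flood even though both have maximum impact), and the quantitative figures tell you whether a specific control is worth funding, which is what the "mitigate, transfer, accept or avoid" decision in the risk management plan ultimately rests on.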

DEALING WITH DISASTER

Disaster recovery is generally a planning process, and it produces a document that prepares a business to handle critical events that affect its activities. Such events can be a natural disaster (earthquakes, flood, etc.), a cyber-attack or a hardware failure such as a server or router.
Having such a document in place reduces the downtime of business processes on the technology and infrastructure side. It is generally combined with a Business Continuity Plan, which analyses all the business processes and prioritizes them according to their importance to the business. In the case of a massive disruption, it shows which process should be recovered first and what the tolerated downtime is. It also minimizes application service interruption, helps to recover data in an organized process and gives staff a clear view of what should be done in case of a disaster.

Requirements to Have a Disaster Recovery Plan

Disaster recovery starts with an inventory of all assets, such as computers, network equipment and servers; it is recommended to record serial numbers too. Make an inventory of all software as well and prioritize it according to business importance.
An example is shown in the following table:

Systems        | Down Time | Disaster type  | Preventions strategy | Solution                                 | Recover fully
---------------|-----------|----------------|----------------------|------------------------------------------|---------------------------------------------------
Payroll system | 8 hours   | Server damaged | We take backup daily | Restore the backups in the Backup Server | Fix the primary server and restore up-to-date data

Prepare a list of all contacts of your partners and service providers, such as ISP contact details, and of the licenses you have purchased and where they were purchased. Document your whole network, including IP schemas and the usernames and passwords of servers; keep the credentials in a protected store rather than in the plain-text plan, since the plan itself is widely circulated.
Preventive steps to be taken for Disaster Recovery
• The server room should have an authorized access level. For example, only IT personnel should be able to enter at any given time.
• The server room should have a fire alarm, a humidity sensor, a flood sensor and a temperature sensor.
These are mainly preventive measures; refer to the following image.


• At the server level, RAID should always be used, and there should always be a spare hard disk in the server room.
• You should have backups in place, both local and off-site, so a NAS should be in your server room.
• Backups should be taken periodically, and restores should be tested.
• Internet connectivity is another issue: the headquarters should have one or more internet lines, one primary and one secondary, with a device that provides failover between them.
• If you are an enterprise, you should have a disaster recovery site, generally located outside the city of the main site. Its main purpose is to act as a standby: it replicates and backs up the data so that it can take over in case of a disaster.
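The following Python script is an added example (not from these notes) of the backup discipline behind the "Payroll system" row above and the local/off-site backup point: it takes a local backup of a constructed primary directory, records a SHA-256 manifest, replicates the backup to a second location, then proves that the second copy still restores correctly even after the local copy has been damaged. Everything runs inside temporary directories; the directory names, file names and sample contents are assumptions.

```python
"""Backup, off-site replication and restore drill (added example).

The primary data, the two backup locations and the simulated corruption
are all constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(directory):
    """Record the hash of every file under `directory` next to the data."""
    manifest = {p.relative_to(directory).as_posix(): sha256_of(p)
                for p in sorted(directory.rglob("*")) if p.is_file()}
    (directory / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def backup(primary, local_backup, offsite_backup):
    """Copy primary -> local backup, write the manifest, replicate -> off-site copy."""
    shutil.copytree(primary, local_backup)
    manifest = write_manifest(local_backup)
    shutil.copytree(local_backup, offsite_backup)  # manifest travels with the data
    return manifest


def verify(directory):
    """Return the names of files that are missing or no longer match the manifest."""
    manifest = json.loads((directory / MANIFEST_NAME).read_text())
    return [name for name, digest in manifest.items()
            if not (directory / name).exists() or sha256_of(directory / name) != digest]


def restore(source, target):
    """Restore a backup to `target` and return its verification result."""
    shutil.copytree(source, target)
    return verify(target)


def drill():
    """Run the whole exercise and report what each check found."""
    root = Path(tempfile.mkdtemp())
    primary = root / "primary"
    primary.mkdir()
    # constructed sample data standing in for the payroll server
    (primary / "payroll.db").write_bytes(b"constructed payroll record\n" * 100)
    (primary / "config.ini").write_text("[db]\nhost=payroll-srv\n")

    manifest = backup(primary, root / "local", root / "offsite")

    # simulate damage to the local backup (bad disk, ransomware, operator error)
    (root / "local" / "payroll.db").write_bytes(b"garbage")

    result = {
        "files_backed_up": len(manifest),
        "local_bad": verify(root / "local"),        # corruption is detected, not trusted
        "offsite_bad": verify(root / "offsite"),    # second copy is intact
        "restore_bad": restore(root / "offsite", root / "restored"),  # and restores cleanly
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(drill())
```

The point the drill makes is that a backup you have never verified or restored is a hope, not a recovery strategy: the manifest catches the damaged local copy, and the off-site copy is what actually brings the payroll system back within its downtime target.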
