[Cybersecurity Architecture] How to Execute An Investigation of Security Breach
What is Breach?
Breach is defined as an incident involving the loss of, or unauthorized disclousre of, sensitive, classified, sometimes regulated information as a reslt of a compromise or breakdown in the organization's security and protection systems.
Once breach happened in your environment, as cybersecurity professional, how will you prepare to execute the investigation and ask the questions?
7 Steps Process
Further details can be found from https://www.ekransystem.com/en/blog/data-breach-investigation-best-practices
RCA
Questions to Answer for Cybersecurity Team
1 Was it human error or technology error led to this breach?
Example: the vulnerability was not been patched for what reason?
2 Was it due to weak governance?
Example: Was CEO knowing about this vulnerability existing or only knows by the technician?
Roles and Responsibilities:
3 Are we stuck in the elevator?
Do we live in the glass bubble? = Has IT Audit put themselves into a glass bubble by not communicating with other groups such as I&IT?
Or could be another way around, has IT Audit been exiled by I&IT?
Are we a victim of our own culture?
Does our organization support interaction of IT audit during incident response situations?
There are so many attacking surface / exploit code around your Technology stack.
4 Was it sophisticated?
Malware:
Undectectable Malware.
None of popular Cybersecurity frameworks (CIS Controles, NYCRR 500, NIST CSF, General Data Protection Regulation) includes managment system and audit process.
Management System:
IIA 3 Lines of Defense
The Three Lines Model helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:
The IIA’s Three Lines Model:
Defense in Depth
DiD architecture was designed from ISO27001
References
https://www.youtube.com/watch?v=hc4_oNwDFco
共有 0 条评论