Retired

Security+: Common Incident Response Procedures (SY0-401) [DECOMMISSIONED ARTICLE]

Infosec
December 6, 2017 by
Infosec

NOTE: This article reflects an older version of the Security+ Exam – please see the current Security+ Certification page for the most up-to-date information.


Introduction

Do you want to be certified under the CompTIA Security+ process? Are you interested in taking and owning this certification exam? Here are a couple of incident response procedures you need to be knowledgeable about in order to score high with ease.

Preparation

It must be said that Incident Response Plans (IRP) are critical in any organization – may it be security-focused or not. This is because IRPs are developed to help employees identify, understand, and respond to and eliminate information security attacks. Without IRPs in place, organizations run the risk of not following proper protocol when mitigating a risk – and being unable to detect and eventually to recover from a detected security breach.

Moreover, all successful projects and organizational processes start with a well thought out plan – which includes meticulous research on the technical environment of the project, a critical review of one’s organizational resources, and a comprehensive methodology of how to carry out the dream. This can be said of any technical undertaking – may it be for a grade school science fair, a legendary house’s pre-fall fashion show, or in this case, information security.

Preparation in this regard constitutes capacity building for employees – including users and IT staff – to be ready for potential incidents like data breaches, virus or malware outbreaks, or denial of service.

Incident Identification

The peri-incident response begins with identification. First and foremost, in order to dictate a course of action, one must first identify the action. This means that IT security experts must then determine whether or not the perceived threat is an actual threat. Of course, preparation can only benefit the organization and improve processes within the company, but the application of this preparation is very significant in making sure that incident response plans of the organization are strong and useful.

The organization may identify the threats based on severity and risk, both of which are qualified in any self-respecting organization’s enterprise risk management (ERM) framework and IRP – as aforementioned. Once potential threats are tagged as actual security risks, the next step for IT security staff is escalation and notification.

Escalation and Notification

A major part of IT security’s job is to ensure that the incident – based on severity as initially identified – must be met with a response of the same caliber. Grounded on the threat’s potential impact to the organization, IT security must ensure that the team and their systems are ready to take in whatever level of risk is available. Next, it is the job of the IT security staff to inform the stakeholders involved and most likely affected by the targeted threat.

Mitigation

To mitigate means to lessen the intensity of the object at play. In the particular case of incident response in information security, to mitigate means to limit the damage of the incident through containment and to isolate particular systems to avoid additional damage. Moreover, to mitigate in incident response means to perform eradication activities to clear the information security threat. Remember that the ultimate objective of mitigation is eventual recovery of organizational data and other relevant information compromised through the incident.

  • Incident Isolation (Quarantine and Device Removal). Incident isolation is crucial in any information security incident response process, as virus and malware in IT tend to spread to the various parts of the infected system, endangering more data than initially. Additionally, incident isolation is known to be more efficient as it allows the IT security team to focus on solving the issues of the compromised system, despite having to revert to a redundant system (e.g. safe mode) until the incident is resolved. It has also been shown in studies that isolation-based security approaches are more effective in providing prevention and enhancing incident response, especially for organizations with more complicated systems.
  • Damage and Loss Control. Damage and loss control are equally important in the mitigation and containment portion of the information security incident response procedure. Through putting in place safety and risk management information and services, an organization can more confidently approach and respond to security threats and eventually minimize the costs and losses dealt as a result of the data breach or virus outbreak. If stringent controls are in place, stakeholders are reassured that their stakes are safely held and will remain safe at the hands of the organization, despite problems with information security.

Reporting

After the problem incident is mitigated and the information security threat is cleared, the next and final step to this process is documenting and reporting the incident for future reference. This entire post-incident progression is based on the idea that in order to avoid potential future loss – through the same incident or something similar – one must document past incidents and analyze learning opportunities from there. If an incident is adequately handled, it is imperative that costing and results are discussed within the IT security team and the rest of the organization to more easily provide next steps and recommendations for similar cases. Aside from this, it is general procedure that companies report outcomes so they can plan accordingly – also known as starting the process all over again.

It must be said that these incident response procedures are called as such precisely because they are the standards for every incident occurrence in the information security world; additionally, it has to be said that incidents are normal, and definitely will happen more than once. With all that, it is understandable why certification exams such as CompTIA Security+ require interested participants to learn these and understand the whole process of incident response in an organization.

Looking for comptia sec+ training? Fill out the form below for details/pricing info from InfoSec Institute.

InfoSec Institute is a well-established information security training business. Founded by expert security instructors over 17 years ago, InfoSec Institute believes that hands-on training trumps other learning methods for today’s very demanding environment. And our 15,000 trainees prove this to be true. Our standardized certifications such as the CISSP and our specialized courses like the highly technical Microsoft SQL Server Database Administration training seminar equip interested individuals with any knowledge of information security they may need. Moreover, InfoSec Institute offers other security awareness and phishing training programs that further the learnings of our cherished partners in the said industry.

For the Security+ exam, InfoSec Institute offers a specialized five-day Boot Camp that covers all bases of the certification exam from CompTIA. The Boot Camp is a great prep tool for anyone considering to take the CompTIA Security+ certification exam because not only does the person learn about security theory, they also learn about the important how-tos of practical application of the theory.

The main objective of the Boot Camp is to ensure that IT professionals who enroll in the course are well-trained in preparation for the Security+ (SY0-401) exam. InfoSec Institute’s comprehensive prep module is CompTIA-authorized – meaning, even the certification provider recognizes this company’s dedication to building capacity in the industry. Our programs have evolved from incident recognition to problem mitigation – a serious development that understands the greater demand in the industry; also, the modules have been retrofitted to accommodate the newly-introduced Performance Based Exam Objectives from CompTIA. These are as follows: (1) network security, (2) compliance and operational security, (3) threats and vulnerabilities, (4) application, data, and host security, (5) access control and identity management, and (6) cryptography. It must be noted that all these developments have been embraced fully by InfoSec Institute because these upgrades will only benefit the information security sector that people who have been involved in the whole process are a part of.

Now, say there are a lot of various certification training programs, offered by a host of service providers. What makes InfoSec Institute different is the confidence that individuals learn with the best security instructors in the world and that we only use our CompTIA Authorized Quality Curriculum (CAQC) to build our practice exams and seminar modules. We in the InfoSec Institute are also an award-winning training facility that only advances our course content as the technologies change. More importantly, we are proud to share the InfoSec Institute Personal Touch – because we understand that learning capacities and tolerances are different per person, and we as service providers have to adapt to that.

InfoSec Institute prides itself with the sheer number of individuals that pass the CompTIA Security+ certification exam. Garnering the highest passing rate in the industry, around 92% of InfoSec Institute’s classroom Boot Camp participants pass the coveted certification, while 94.7% of online class students are certified. It is truly an amazing feat for both the exam takers and InfoSec Institute which continues to innovate its products and services to meet the developing demands of the information security industry.

We’ll see you there, future information security expert!

Infosec
Infosec