Attached


MSc in Cybersecurity (MSCCYB1-JAN21I)
Incident Response and Analytics (H9IRSAN) - CA (40%)
Semester 3 – 2020-2021

Date CA Released to Students: 12th July at 11 am
Deadline: 16/07/2021 at 14:00

Submission: The final report must be submitted as a Word or PDF document to Moodle before the deadline.

Report requirements: The report will have a strict word limit of a maximum of 2000 words, and any violation of this limit would be severely penalised (material written over and above 2000 words would not be considered). It is generally expected that your report would be between 1500-2000 words. The length includes the title, notes, and any other text you include in the report.

Turnitin: This is an individual assessment. All report submissions will be electronically screened for evidence of academic misconduct (i.e., plagiarism and collusion).

Question One [20 marks]*
Real case description: In November 2017, Uber Technologies Inc. announced a security breach that took place in October 2016. The breach is reported to have affected 50 million customer accounts globally and 7 million driver accounts. Initial reports indicated that the compromised information included names, phone numbers, email addresses and driving licence details of some of their drivers.
Discuss the steps of an incident response audit for the case above. Base your answer on the Incident Response Methodology recommended by NIST.

Question Two [30 marks]*
Case description: ABC Company is a large automotive dealer company buying cars from distributors and selling them to customers as the authorised dealer. You are a new Incident Manager in the company and you want to audit the Incident Response capability in the organisation. As a result of your audit you found out that there is no Incident Response Management in the organisation. You have to establish one yourself.
Describe the methodology of establishing a Computer Security Incident Response Capability (Hint: Responsibility). Describe the potential issues.

Question Three [50 marks]*
Case description: The ABC Security consultancy service helps organisations develop the resilience to protect against, remediate and recover from a wide range of cyber incidents and data breaches. You are an Incident Manager and you need to make a presentation for the Board of Directors with an assessment of a potential move of the client's database to the cloud.
Part 1. Please critically assess the impact of this move to the cloud, with an explanation of the PROs and CONs for Incident Response in the Cloud. [15 marks]
Part 2. Please explain whether we will have a stronger or weaker Incident Response capability and why. [20 marks]
Part 3. Please explain the recommendations on how to mitigate the risks. [15 marks]

* Please focus on the application of the incident response management methodology to the example above.
Answered 3 days after Jul 12, 2021


Neha answered on Jul 15 2021
147 Votes
Question 1
After each incident is cleared, some substantial effort is needed for the documentation and investigation of whatever happened in the incident, to get feedback from the earlier incidents and also to enable better preparation for the detection and analysis of future incidents which can take place. It also has a feedback loop from the eradication and containment step back to the analysis and detection step. There are many parts of the attack which are not explained completely at the detection stage, and they are revealed only when the incident responders are entering into it. There are a few steps which can be followed for documenting the incident response. These tips cover preparation, detection and analysis, containment, eradication and recovery, and at last post-incident activity.
· Preparation
When we are preparing for incidents, it is important that we compile a list of IT assets like servers, endpoints and the network, identify their importance and understand which elements are critical or hold sensitive data. We can set up monitoring so that we have a baseline of normal activity. We need to determine the types of security events which can be investigated and then create detailed steps for similar types of incidents.
· Detection and Analysis
The detection step involves collection of data from systems, publicly available information, security tools and the people who are internally or externally related to the organization, and then trying to identify precursors and indicators. Precursors are the signs that an incident can happen in the future, and indicators are the data used to show that an attack has already taken place or is happening now. The analysis is done to find out the baseline, or normal activity, on the affected systems and to correlate all the related evidence and events. This activity is done to check how they deviate from normal behaviour.
· Containment, Eradication and Recovery
The major goal of containment is to stop the attack before it is able to damage the resources or create any issue. The containment strategy is completely dependent on the level of damage which can be done, the requirement of keeping critical services available for the customers and the employees, and at last the duration of the whole solution: the temporary solution can be for a few hours, days or a week, or this can be the permanent solution.
When we are doing containment, it is important to find out the attacking host and also validate its IP address. This will allow the user to block any type of communication from the attacker and also helps in finding out the threat actor. With the help of this information, we can easily understand the mode of operation, and search for and then block other types of communication channels which can be used by the attacker.
If we talk about the eradication and recovery stage, then we need to perform some tasks and remove all the elements of the incident from the working environment. It can also include the identification of all the affected hosts, changing passwords, removing malware, or resetting them for the user account which was breached. Once we are able to eradicate the threat, restore the system and recover normal operations as quickly as possible, then we can take steps to make sure that the same assets will not be attacked again in future.
· Post-Incident Activity
The most important part of the incident response methodology is to learn from all the previous incidents so that we can improve the process. We need to ask, investigate and document the answers for a few required questions. We can check what incident took place and how many times. We can find the answer for how well the team was able to deal with the...
SOLUTION.PDF
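Added example, not part of Neha's answer or of the assignment brief: a small Python script that walks the phases the answer describes over constructed log lines. The preparation phase builds a baseline of normal failed-login activity per source host, the detection and analysis phase correlates the incident-period events against that baseline and labels deviations as precursors or indicators, and the containment phase validates each flagged IP address before it goes anywhere near a block list. The log format, the threshold rule (mean plus three standard deviations with a floor of three failures), the internal address range 10.0.0.0/8 and all log lines are assumptions constructed for the example.

```python
import ipaddress
import re
import statistics
from collections import Counter

# Assumed log format (constructed for this example): one SSH-style auth event per line.
LINE_RE = re.compile(r"^(\S+) sshd auth=(success|fail) src=(\S+) user=(\S+)$")

# Assumed corporate address space; hosts here are investigated, not blocked at the perimeter.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed known-good period used to establish the baseline (preparation phase).
BASELINE_LOGS = [
    "2021-07-01T09:00:01 sshd auth=success src=10.0.0.5 user=alice",
    "2021-07-01T09:05:12 sshd auth=fail src=10.0.0.5 user=alice",
    "2021-07-01T09:05:20 sshd auth=success src=10.0.0.5 user=alice",
    "2021-07-01T10:00:01 sshd auth=success src=10.0.0.7 user=bob",
    "2021-07-01T11:00:01 sshd auth=fail src=10.0.0.7 user=bob",
    "2021-07-01T12:00:01 sshd auth=success src=203.0.113.9 user=carol",
]

# Constructed incident-period log, including one corrupted line the parser must skip.
INCIDENT_LOGS = [
    "2021-07-02T02:00:01 sshd auth=fail src=198.51.100.23 user=root",
    "2021-07-02T02:00:02 sshd auth=fail src=198.51.100.23 user=admin",
    "2021-07-02T02:00:03 sshd auth=fail src=198.51.100.23 user=oracle",
    "2021-07-02T02:00:04 sshd auth=fail src=198.51.100.23 user=backup",
    "2021-07-02T02:00:05 sshd auth=fail src=198.51.100.23 user=backup",
    "2021-07-02T02:00:09 sshd auth=success src=198.51.100.23 user=backup",
    "2021-07-02T09:00:01 sshd auth=success src=10.0.0.5 user=alice",
    "2021-07-02T09:30:00 sshd auth=fail src=10.0.0.5 user=alice",
    "2021-07-02T13:00:00 sshd auth=fail src=10.0.0.99 user=bob",
    "2021-07-02T13:00:05 sshd auth=fail src=10.0.0.99 user=bob",
    "2021-07-02T13:00:10 sshd auth=fail src=10.0.0.99 user=bob",
    "2021-07-02T13:00:15 sshd auth=fail src=10.0.0.99 user=bob",
    "corrupted line from a truncated log rotation",
]


def parse_line(line):
    """Return (timestamp, outcome, src, user), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def build_baseline(lines):
    """Preparation: failed logins per host over a known-good period, plus an alert
    threshold of mean + 3 std devs with a floor of 3 so one typo never trips it."""
    fails = Counter()
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        _, outcome, src, _ = rec
        fails.setdefault(src, 0)  # hosts with zero failures still shape the baseline
        if outcome == "fail":
            fails[src] += 1
    counts = list(fails.values()) or [0]
    threshold = statistics.mean(counts) + 3 * statistics.pstdev(counts)
    return {"per_host_fails": dict(fails), "threshold": max(3.0, threshold)}


def detect(lines, baseline):
    """Detection and analysis: a burst of failures above the threshold is a precursor;
    a successful login from a host already above the threshold is an indicator."""
    fails = Counter()
    success_after_burst = set()
    unparsed = 0
    for rec in map(parse_line, lines):
        if rec is None:
            unparsed += 1  # gaps in telemetry are themselves worth recording
            continue
        _, outcome, src, _ = rec
        if outcome == "fail":
            fails[src] += 1
        elif fails[src] > baseline["threshold"]:
            success_after_burst.add(src)
    findings = [
        {"src": src, "failed_logins": n,
         "type": "indicator" if src in success_after_burst else "precursor"}
        for src, n in sorted(fails.items()) if n > baseline["threshold"]
    ]
    return {"findings": findings, "unparsed_lines": unparsed}


def containment_plan(findings):
    """Containment: validate every flagged address, then split external hosts
    (candidate perimeter blocks) from internal hosts that need investigation."""
    plan = {"block_external": [], "investigate_internal": [], "invalid": []}
    for f in findings:
        try:
            addr = ipaddress.ip_address(f["src"])
        except ValueError:
            plan["invalid"].append(f["src"])  # never push an unvalidated string into a block list
            continue
        if any(addr in net for net in INTERNAL_NETS):
            plan["investigate_internal"].append(str(addr))
        else:
            plan["block_external"].append(str(addr))
    return plan


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGS)
    result = detect(INCIDENT_LOGS, baseline)
    print(baseline["threshold"], result, containment_plan(result["findings"]))
```

The internal/external split deliberately checks membership in the organisation's own ranges rather than `ipaddress` `is_private`, because that flag also covers reserved documentation ranges such as 198.51.100.0/24 and would misclassify the external host in the sample. The dictionaries returned by each phase are also the raw material for the post-incident record: what was seen, what threshold was in force, what was blocked and how many log lines could not be read.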
