Network Services
1.1 Network Architecture
Fig. 1: WAN diagram
Fig. 2: DC & DR diagram
1.2 Scenario 1 >>>>>> 6th of October Telecom Egypt exchange total loss
Description: Our main DC is connected only to the 6th of October public exchange (Telecom Egypt), although over several media. If the entire public exchange is lost, the DC will be isolated. Please refer to Fig. 1 in 3.1.
Impact: Very high. The core banking system and all applications will be affected.
Probability: Low, as our media terminate in several separate locations (rooms) within this public exchange.
BCP: IT teams will follow up with Telecom Egypt to establish the time frame needed to fix the problem. Based on that, a decision can be taken to switch the entire core banking system and applications to DR.
RTO: 4 hours.
1.3 Scenario 2 >>>>>>> Core switch / Router Malfunction
Description: We have two fully redundant core switches / routers in the DC, and another core switch / router in DR.
Impact: If we lose one core switch or router the impact is low, as there is automatic failover to the second switch or router in the DC.
If we lose both core switches or routers the impact is very high: the DC will be isolated, we reach the same situation as Scenario 1 in 3.2, and we have to switch to DR.
Probability: Low
BCP: If we lose one core switch / router, no BCP action is needed; IT will replace the faulty switch / router as per the signed contract and SLA with BMB.
If we lose both core switches / routers, the IT head will evaluate the recovery time needed, since switching to DR takes about 4 hours and the SLA with BMB to replace the faulty Cisco equipment is also 4 hours.
RTO: 4 hours.
Moving to DR should take 4 hours. The SLA with BMB for replacement of faulty equipment is as follows: 4 hours in Cairo, 6 hours in Alexandria and the Delta region, and 8 hours in other regions of Egypt.
1.4 Scenario 3 >>>>>>> Omar Makram Head Office isolated
Description: Referring to Fig. 1 in 3.1, Omar Makram Head Office will be isolated in two cases: either the building is not accessible, or there is a total loss of the Bab El Loaq public exchange.
Impact: Very high, as none of the departments in Omar Makram will be able to work.
Probability: Medium, as the building is located at Tahrir Square, where many demonstrations are held. Also, the building is connected to one public exchange only, over a single copper cable that could be cut.
BCP: The IT head will evaluate the situation and decide with senior management when to activate the BCP plan of moving users to work from other locations.
Please refer to Appendix A for the BCP seating plan.
RTO: 3 hours
1.5 Scenario 4 >>>>>>> Garden City Head Office Isolated
Description: Referring to Fig. 1 in 3.1, Garden City Head Office will be isolated in two cases: either the building is not accessible, or there is a total loss of the Bab El Loaq public exchange. Note that both head offices depend on the same Bab El Loaq exchange, so a total loss of that exchange triggers Scenario 3 and Scenario 4 at the same time, and the BCP seating plan must accommodate users from both buildings.
Impact: Very high, as none of the departments in Garden City will be able to work.
Probability: Medium, as the building is located in the Garden City area, where many demonstrations are held. Also, the building is connected to one public exchange only, over a single copper cable that could be cut.
BCP: The IT head will evaluate the situation and decide with senior management when to activate the BCP plan of moving users to work from other locations.
Please refer to Appendix A for the BCP seating plan.
RTO: 3 hours
1.6 Scenario 5 >>>>>>> DC cable cut
Description: This scenario is a sub-case of Scenario 1 in 3.2; it describes the situation where only the fiber cable or only the copper cable is damaged.
Impact: High, as it will cause service instability for all bank applications for a short time.
Probability: Medium, as cable faults can occur.
BCP: We have two redundant cables, a fiber cable and a copper cable, as shown in Fig. 1 in 3.1.
IT will follow up with Telecom Egypt to evaluate the repair time and decide when to activate the microwave link, which is the third link between the DC and the 6th of October public exchange.
RTO: 30 min, which is the time required to switch to the microwave link and bring the bank back into operation.
1.7 Scenario 6 >>>>>>>>> Branch Isolated
Description: Referring to Fig. 1 in 3.1, any branch will be isolated in three cases: the building is not accessible, all communication to it is lost, or there is a power outage.
Impact: High, as bank clients will not be able to be served from this branch.
Probability: Medium. The probability of any one of the above cases is high, but we have several layers of redundancy.
BCP: Each branch is connected to two service providers from the nearest public exchange. The connection between the branch and the public exchange is over a single copper cable, so a cut of that cable affects both providers; the further redundancy is a 3G link that connects the branch directly to the Vodafone network and does not depend on the copper cable.
For power outages, please refer to Appendix D for the generator and UPS status of each branch.
In case of total isolation of any branch for the above reasons, bank clients will be routed to the nearest branch (Appendix E).
RTO: 1 hour