Incident Response

Lesson 28 of 40

Network Services

1.1 Network Architecture

WAN diagram

Fig. 1

DC & DR diagram

Fig. 2

1.2 Scenario 1: 6th of October Telecom Egypt exchange total loss

Description: Our main DC is connected to the 6th of October public exchange over several media, but if the entire public exchange is lost, our DC will be isolated. Please refer to Fig. 1 in 3.1.

Impact: Very high. All CORE banking systems and applications will be affected.

Probability: Low, as we use several media terminating in several locations (rooms) inside this public exchange.

BCP: IT teams will follow up with Telecom Egypt to find out the time frame needed to fix the problem. A decision can then be taken to switch the entire CORE banking system and applications to DR.

RTO: 4 hours.

1.3 Scenario 2: Core switch / router malfunction

Description: We have two fully redundant Core switches / routers in DC, and another Core switch / router in DR.

Impact: If we lose one Core switch or router, the impact is low, as there is automatic failover to the second switch or router in DC.

If we lose both Core switches or routers, the impact is very high: the DC will be isolated and we reach the same situation as 3.2, having to switch to DR.

Probability: Low.

BCP: If we lose one Core switch / router, no BCP is needed; IT will replace the faulty switch / router as per the signed contract and SLA with BMB.

If we lose both Core switches / routers, the IT head will evaluate the recovery time needed, as switching to DR takes about 4 hours and the SLA with BMB to replace the faulty Cisco equipment is also 4 hours.

RTO: 4 hours.

Moving to DR should take 4 hours. The SLA with BMB for faulty equipment replacement is: 4 hours in Cairo, 6 hours in Alex and the Delta region, and 8 hours in other regions of Egypt.

1.4 Scenario 3: Omar Makram Head Office isolated

Description: With reference to Fig. 1 in 3.1, Omar Makram Head Office will be isolated in two cases: either the building is not accessible, or the Bab El Loaq public exchange is totally lost.

Impact: Very high, as none of the departments in Omar Makram will be able to work.

Probability: Medium, as the building is located at Tahrir Square, where many demonstrations are held. Also, the building is connected to only one public exchange, over a single copper cable that could be cut.

BCP: The IT head will evaluate the situation and decide with senior management when to activate the BCP plan of moving users to work from other locations.

Please refer to Appendix A for the BCP seating plan.

RTO: 3 hours.

1.5 Scenario 4: Garden City Head Office isolated

Description: With reference to Fig. 1 in 3.1, Garden City Head Office will be isolated in two cases: either the building is not accessible, or the Bab El Loaq public exchange is totally lost.

Impact: Very high, as none of the departments in Garden City will be able to work.

Probability: Medium, as the building is located in the Garden City area, where many demonstrations are held. Also, the building is connected to only one public exchange, over a single copper cable that could be cut.

BCP: The IT head will evaluate the situation and decide with senior management when to activate the BCP plan of moving users to work from other locations.

Please refer to Appendix A for the BCP seating plan.

RTO: 3 hours.

1.6 Scenario 5: DC cable cut

Description: This scenario is a sub-case of Scenario 1 in 3.2, covering the situation where only the fiber cable or only the copper cable is damaged.

Impact: High, as it will cause service instability for all bank applications for a short time.

Probability: Medium, as cable damage can occur.

BCP: We have two redundant cables, a fiber cable and a copper cable, as shown in Fig. 1 in 3.1.

IT will follow up with Telecom Egypt to evaluate the fixing time and decide when to activate the microwave link, which is the third link between the DC and the 6th of October public exchange.

RTO: 30 min., the time required to switch to microwave and bring the bank back into operation.
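The three DC connectivity scenarios above (Scenario 1, Scenario 2 and Scenario 5) all reduce to the same question: given which links and core devices are down and how long the provider or vendor says repair will take, which BCP action is prescribed and does it land inside the stated RTO? The helper below is an added example, not part of the BCP document; the hour figures (4 hours to switch to DR, the 4/6/8 hour BMB SLA by region, 30 minutes to activate microwave) are taken from the scenario text, while the link names, the `DcState` fields, the `decide()` function and the treatment of "all three links down" as Scenario 1 are assumptions made for this illustration.

```python
"""Decision helper for the DC connectivity scenarios (Scenarios 1, 2 and 5).

Added example, not part of the BCP document. Times come from the scenario
text; DcState, Decision and decide() are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Optional

DR_SWITCH_HOURS = 4.0          # Scenario 1/2: moving CORE banking to DR
MICROWAVE_SWITCH_HOURS = 0.5   # Scenario 5: activating the microwave link
BMB_SLA_HOURS = {"cairo": 4.0, "alex_delta": 6.0, "other": 8.0}  # Scenario 2


@dataclass
class DcState:
    """Observed state of the DC links and core devices (constructed input)."""
    exchange_up: bool            # 6th of October public exchange reachable
    fiber_up: bool               # fiber cable DC <-> exchange
    copper_up: bool              # copper cable DC <-> exchange
    microwave_up: bool           # microwave link DC <-> exchange (available)
    core_switches_up: int        # 0, 1 or 2 of the redundant core switches
    region: str = "cairo"        # BMB SLA region of the DC site (assumption)


@dataclass
class Decision:
    scenario: str
    action: str
    expected_hours: float        # estimated time until service is restored
    rto_hours: float

    @property
    def within_rto(self) -> bool:
        return self.expected_hours <= self.rto_hours


def decide(state: DcState, repair_eta_hours: Optional[float] = None) -> Decision:
    """Map a DC state (plus the provider's repair ETA, if known) to the BCP
    action the scenarios prescribe and the time it is expected to take."""
    if state.core_switches_up not in (0, 1, 2):
        raise ValueError("core_switches_up must be 0, 1 or 2")

    # Scenario 2, both core switches/routers lost: DC isolated. Compare the
    # regional BMB replacement SLA with the DR switch time and take the shorter;
    # on a tie prefer replacement, which avoids migrating to DR.
    if state.core_switches_up == 0:
        sla = BMB_SLA_HOURS.get(state.region, BMB_SLA_HOURS["other"])
        if sla <= DR_SWITCH_HOURS:
            return Decision("2", f"replace under BMB SLA ({state.region})", sla, 4.0)
        return Decision("2", "switch CORE banking to DR", DR_SWITCH_HOURS, 4.0)

    # Scenario 2, one core switch/router lost: automatic failover, no BCP.
    if state.core_switches_up == 1:
        return Decision("2", "no BCP; replace faulty unit under BMB SLA", 0.0, 4.0)

    any_link_up = state.fiber_up or state.copper_up or state.microwave_up
    # Scenario 1: exchange lost (or, assumption, every link to it down).
    # Wait for Telecom Egypt only if their ETA beats the DR switch time.
    if not state.exchange_up or not any_link_up:
        if repair_eta_hours is not None and repair_eta_hours <= DR_SWITCH_HOURS:
            return Decision("1", "wait for Telecom Egypt repair", repair_eta_hours, 4.0)
        return Decision("1", "switch CORE banking to DR", DR_SWITCH_HOURS, 4.0)

    # Scenario 5: one or both cables cut while the exchange is reachable.
    if not state.fiber_up and not state.copper_up:
        return Decision("5", "activate microwave link", MICROWAVE_SWITCH_HOURS, 0.5)
    if not state.fiber_up or not state.copper_up:
        return Decision("5", "follow up with Telecom Egypt; activate microwave if needed",
                        MICROWAVE_SWITCH_HOURS, 0.5)

    return Decision("none", "no action", 0.0, 0.0)


if __name__ == "__main__":
    # Constructed states, one per scenario, to show the decisions side by side.
    for label, st, eta in [
        ("exchange lost, ETA 12 h", DcState(False, True, True, True, 2), 12.0),
        ("both core switches lost, Delta", DcState(True, True, True, True, 0, "alex_delta"), None),
        ("fiber cut only", DcState(True, False, True, True, 2), None),
    ]:
        d = decide(st, eta)
        print(f"{label}: scenario {d.scenario}, {d.action}, "
              f"{d.expected_hours} h vs RTO {d.rto_hours} h, within RTO={d.within_rto}")
```

The useful output is `within_rto`: with the figures as written, moving to DR exactly meets the 4 hour RTO, so any Scenario 1 or 2 decision that adds delay (waiting for a repair ETA longer than 4 hours, or a replacement SLA outside Cairo) should be flagged immediately rather than after the fact.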

1.7 Scenario 6: Branch isolated

Description: With reference to Fig. 1 in 3.1, any branch will be isolated in three cases: the building is not accessible, all communication to it is lost, or there is a power outage.

Impact: High, as bank clients will not be able to be served from this branch.

Probability: Medium. The probability of any individual case above is high, but we have several layers of redundancy.

BCP: Two service providers are connected to each branch from the nearest public exchange. The connection between the branch and the public exchange is over one copper cable, but there is further redundancy: a 3G link connecting the branch directly to the Vodafone network.

For power outages, please refer to Appendix D for the generator and UPS status of each branch.

In case of total isolation of any branch for the above reasons, bank clients will be routed to the nearest branch (see Appendix E).

RTO: 1 hour.