The system administrator found a logic bomb installed on a back-end server. It was alleged that the disgruntled former system administrator got involved. As a security professional, which of the following will you suggest first to prevent it from reoccurring?
A. Ask 5-Whys to investigate in-depth for the solution
B. Reinstall the server using the CD media
C. Conduct thorough reference check and background investigation
D. Apply lessons learned for continuous improvement
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is A. Ask 5-Whys to investigate in-depth for the solution.
Workaround and Solution
The root cause must be identified to prevent an incident from reoccurring. It was only "alleged" that the disgruntled former system administrator was involved. You have to determine the root cause first in order to solve the problem (or prevent it from recurring), and you should distinguish problem solving and root cause analysis from lessons learned.
A risk becomes an issue when it materializes and affects performance or progress toward objectives. If an issue is handled with a temporary fix or workaround without identifying the root cause, it may reoccur and become a problem. A problem can only be remedied with a solution that addresses the identified root cause.
Root Cause Analysis (RCA)
In science and engineering, root cause analysis (RCA) is a problem-solving method used to identify the root causes of faults or problems. RCA generally serves as input to a remediation process in which corrective actions are taken to prevent the problem from reoccurring. There are a variety of RCA techniques, such as the Fishbone (Ishikawa) Diagram, 5-Whys Analysis, Pareto Analysis, Fault Tree Analysis, and so forth.
There is no single agreed definition of lessons learned, but it is generally accepted that "lessons learned" are part of the continuous improvement process.
Some regard lessons learned as an ongoing process, while others consider it a post-incident activity or a meeting conducted periodically or after a major incident. In agile, the retrospective event is quite close to the idea of lessons learned.
Lessons learned are conducted to improve everything: for example, product, people, process, technology, communication, collaboration, quality, efficiency, effectiveness, and so forth.
In ITIL, incident management aims to contain an incident that affects the service level by applying a contingency measure, a workaround, or an identified solution. If the incident can't be addressed effectively, it is escalated to problem management, which identifies the root cause to prevent it from recurring.