Module 09 Incident Response Planning and Procedures


As part of the incident response plan, which of the following should be documented?

- Communication plans
- Governance methods
- Agreements
- Procedures

In most cases, how many severity levels do organizations follow?

3

change control process

A formal process for recording changes to a system.

sanitization

A method that performs a complete data destruction of all contents of a drive by replacing data on the drive by writing other data over it.

lessons learned report

A report that includes all weaknesses that were uncovered and what changes were made to address them.

incident summary report

A report that provides the details of the entire cyber incident from initial detection to final correction and follow-up.

segmentation containment technique

Allowing a compromised device to talk to the threat actor C&C system but filtering the communication.

Personal health information (PHI)

Also called protected health information, it is information relating to a person's health data, transactions, and history.

reimaging

Applying a saved image to a sanitized hard drive.

prevent the inadvertent release of information

Avoiding providing information unintentionally.

Which of the following is NOT an example of intellectual property?

Brand Image

Which of the following is NOT a communications best practice strategy?

Contact local news media before the word leaks out.

Intellectual property

Creations of the mind, such as inventions, literary and artistic works, designs, and symbols; names; and images used in commerce.

What is the act of violating an explicit or implied security policy that may or may not be successful?

Cyber incident

Kaitlyn is creating an incident response plan. Who should first be notified in the event of a cyber incident?

Cyber incident response team

Personally identifiable information (PII)

Data that could identify a specific individual.

Corporate information

Data that is confidential to the organization.

What is the first step in determining the detection and analysis phase of incident response?

Deciding if what occurred was a cybersecurity incident

Anabelle needs to eradicate malware from a hard drive. Which should she NOT do?

Delete the files from the hard drive by using the Quick Format option.

verification of logging/communication to security monitoring

Ensuring that a system is being monitored correctly.

regulatory bodies

Entities that are responsible for providing regulatory oversight.

incident response plan update

Evaluating the different actionable goals of the incident response plan to determine if updates need to be made.

senior leadership

Executive-level managers.

Eva is researching which law enforcement agency to contact in the event of different types of cyber incidents. Which law enforcement agency should be contacted no matter the type of incident?

FBI

True or False: Most but not all states have notification laws requiring that users be promptly notified in the event of a data breach.

False

True or False: The first step in incident response is to determine if an actual attack did occur.

False

True or false: Personally identifiable information (PII) identifies an organization.

False

disclosing based on regulatory requirements

Federal regulatory requirements that mandate communication from an organization if a specific cyber event occurs.

reconstitution of resources

Fully integrating a device back into the system.

Pat is researching requirements for communicating with affected parties in a cyber incident. What requirement would Pat find that is in place in the European Union (EU)?

GDPR

Isabella has been asked to research HIPAA requirements for her employer. Which of the following is false regarding HIPAA?

HIPAA only applies to information in electronic format.

Which of the following is not a reason for contacting law enforcement agencies in the event of a cyber incident?

Identifying threat actors often leads to no arrests or convictions.

What does IR stand for?

Incident Response

High value asset (HVA) information

Information critical to an organization so that its loss or corruption would have serious impact to the organization's ability to perform its mission or conduct business.

Sensitive Personal Information (SPI)

Information that does not directly identify an individual but is related to an individual and communicates information that is private or could potentially harm an individual should it be made public.

training

Instruction and coaching.

Containment

Keeping a cybersecurity incident under control by limiting its impact.

Which of the following is false regarding state legislative mandates about communication in a cyber incident?

Only California has a state security breach notification law.

public relations

Organizational department charged with addressing the public to minimize negative publicity.

legal

Organizational department that handles legal matters for ensuring compliance with laws and regulations.

human resources

Organizational department that handles the human assets.

Viola is examining data that was compromised during a recent attack. Into which category would a password number be classified?

PII

isolation containment technique

Permitting a compromised device to continue to function but directing all network communication to a sinkhole.

continue monitoring

Persistently watching for attacks.

If an incident occurs and you need to report it publicly, which of the following teams should be involved?

Public relations

restoration of permissions

Reapplying permissions.

What is the rebuilding of a system called?

Reconstruction

documentation of procedures

Recording of all phases of incident response procedures.

Which of the following scopes of impact describes the length of time needed for IT systems to return to their normal functions?

Recovery time

reconstruction

Restoring a sanitized hard drive.

limiting communication to trusted parties

Restricting communications to trusted parties who are stakeholders.

use a secure communication method

Sending information in such a way as to avoid any inadvertent release of information.

internal and external entities

Stakeholders who are both part of the organization and those who are outside of it.

disclosing based on legislative requirements

State legislative mandates regarding communication that must be satisfied based on a data breach.

reporting requirements

State notification laws mandating that users be promptly notified in the event of a data breach.

data integrity

The correctness and completeness of data.

system process criticality

The degree to which the impacted systems affect the overall functionality of the entire system.

economic impact

The financial effect of an incident.

Recovery time

The length of time needed for IT systems to be disinfected and return to their normal functions.

downtime

The length of time that a cybersecurity incident interrupts the normal business processes.

restoration of capabilities and services

The procedures needed to recover systems back to their required level of performance.

evidence retention

The process of retaining artifacts after a cybersecurity incident.

characteristics contributing to severity level classification

The scope of the impact of cybersecurity incidents that can reveal the severity level.

vulnerability mitigation

The steps to reduce or eliminate the vulnerabilities.

Financial information

The storage, processing, and transmission of information related to a financial transaction.

Which of the following is NOT a reason for communications in a cyber incident?

To allow for unplanned release of information

True or False: A cyber incident is the act of violating an explicit or implied security policy whether or not it is successful.

True

True or false: Incident response is a process in which an organization manages to handle an attack, which could be of any nature.

True

True or false: Only relevant information is shared with a stakeholder.

True

True or false: The vulnerability mitigation method may consist of many methods for handling vulnerabilities.

True

True or false: To prevent any kind of threat to a system, its applications, and operating system, you need to ensure that the system is regularly patched.

True

What does MTD stand for?

maximum tolerable downtime

Which of the following information is part of PII?

- Credit card number
- Email address
- Passport number
- Place of birth

Which of the following are methods of sanitization?

- Data Disposal
- Low-level Format
- Degaussing

Which of the following are types of Isolation?

- Isolating the affected systems
- Isolating the attacker

Which of the following are examples of high-value assets (HVA)?

- Servers
- Employee records
- Web applications
- Network devices

What is the best way for an organization to limit adverse public reactions to a cyber incident?

By controlling the conversation

Adamo has been asked to create a new cyber incident response plan. What will be the final phase in the plan?

Post-Incident

Kristin is reviewing the impact of a recent attack and found that it only caused a seldom-used test server to be taken offline for a short period of time. She has decided that this incident does not deserve a high priority ranking. What scope of impact has she used in making this determination?

System process criticality

Rico is developing a list of personnel who may be asked to serve on a cyber incident response team. Who will have the responsibility of helping the team to focus on minimizing damage and recovering quickly from a cyber incident?

Team leader

For internal communications, which two categories are often used?

Technical and management

secure disposal

The destruction of a hard drive.

eradication

The elimination of an infection.

Why is financial information data considered to have a high value?

The loss of accounting data prevents an organization from providing stakeholders an accurate picture of its financial health.
