CISM (Domain 4) 30% Incident Management
Which of the following choices includes the activity of evaluating the computing infrastructure by performing proactive security assessment and evaluation? A disaster recovery plan A business continuity plan An incident management plan A continuity of operations plan
A disaster recovery plan is a set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency. A business continuity plan is a plan used by an enterprise to respond to disruption of critical business processes. It depends on the contingency plan for restoration of critical systems. This activity is part of the protect phase of the incident management planning process flow. A continuity of operations plan is an effort within individual executive departments and agencies to ensure that primary mission-essential functions continue to be performed during a wide range of emergencies, including localized acts of nature, accidents and technological or attack-related emergencies.
Which of the following would be MOST useful in developing a series of recovery time objectives? Gap analysis Regression analysis Risk analysis Business impact analysis
A gap analysis is useful in assessing the differences between the current state and a future state. Regression analysis is used to retest earlier program abends or logical errors that occurred during the initial testing phase. Risk analysis is a process by which frequency and magnitude of IT risk scenarios are estimated. Recovery time objectives (RTOs) are a primary deliverable of a business impact analysis. RTOs define the amount of time allowed for the recovery of a business function or resource after a disaster occurs.
Which of the following is the BEST indicator that operational risk is effectively managed in an enterprise? A tested business continuity plan/disaster recovery plan An increase in timely reporting of incidents by employees Extent of risk management education Regular review of risk by senior management
A tested business continuity plan/disaster recovery plan is the best indicator that operational risk is managed effectively in the enterprise. Reporting incidents by employees is an indicator but not the best choice, because it is dependent upon the knowledge of the employees. Extent of risk management education is not correct, because it may not necessarily indicate that risk is effectively managed in the enterprise. A high level of risk management education would help but would not necessarily mean that risk is managed effectively. Regular review of risk by senior management is not correct because it may not necessarily indicate that risk is effectively managed in the enterprise. Top management involvement would greatly help but would not necessarily mean that risk is managed effectively.
How does a security information and event management solution MOST likely detect the existence of an advanced persistent threat in its infrastructure? Through analysis of the network traffic history Through stateful inspection of firewall packets Through identification of zero-day attacks Through vulnerability assessments
Advanced persistent threat (APT) refers to stealthy attacks not easily discovered without detailed analysis of behavior and traffic flows. Security information and event management (SIEM) solutions analyze network traffic over long periods of time to identify variances in behavior that may reveal APTs. Stateful inspection is a function of some firewalls but is not part of a SIEM solution. A stateful inspection firewall keeps track of the destination Internet Protocol address of each packet that leaves the enterprise's internal network. Whenever the response to a packet is received, its record is referenced to ascertain and ensure that the incoming message is in response to the request that went out from the enterprise. Zero-day attacks are not APTs because they are unknown until they manifest for the first time and cannot be proactively detected by SIEM solutions. A vulnerability assessment identifies areas that may potentially be exploited, but does not detect attempts at exploitation, so it is not related to APT.
An enterprise determined that in a worst-case situation it was not feasible to recreate all the data lost in a system crash in the time available. Various constraints prevent increasing the frequency of backups. What other solutions to this issue could the information security manager suggest? Increase the recovery time objective Decrease the service delivery objective Adjust the maximum tolerable outage Increase the allowable interruption window
Because the original recovery time objective (RTO) cannot be met due to the time required to restore data, the RTO could be increased. Decreasing the service delivery objective (SDO) would increase the problem and is not a solution. Adjusting the maximum tolerable outage (MTO) would not have any effect on the situation. Increasing the allowable interruption window (AIW) is based on the maximum time the enterprise can be down before major financial impacts occur.
Which action should the information security manager first take when alerted to a possible cybersecurity incident by the security operations center team? Contain and eradicate the incident Initiate incident analysis Gather and handle evidence Perform incident eradication and recovery
Containing and eradicating the incident would occur only after the incident is validated. The first step in incident response is to confirm the incident is valid. This would be done through incident analysis. Evidence gathering, eradication and containment occur after the incident is confirmed. Recovery, evidence gathering, eradication and containment occur after the incident is confirmed.
Which of the following situations would be of the MOST concern to a security manager? Audit logs are not enabled on a production server. The logon ID for a terminated systems analyst still exists on the system. The help desk has received numerous reports of users receiving phishing emails. A Trojan was found installed on a systems administrator's laptop.
Failure to enable audit logs on a production server, although important, does not pose as immediate or as critical a threat as a Trojan installed on a systems administrator's laptop. The logon ID for a terminated employee existing on the system poses a risk, but unless it is a disgruntled or malicious employee, it is not likely to be a critical threat. Numerous reports of phishing emails are a risk. But in this situation, employees recognize the threat and are responding appropriately, so it is not a critical threat. The discovery of a Trojan installed on a systems administrator's laptop is a highly significant threat from an attacker and may mean that privileged user accounts and passwords have been compromised.
What makes an incident management program effective? It identifies, assesses and prevents recurrence of incidents. It detects and documents incidents. It includes a risk management strategy. It reflects the capabilities of the enterprise.
Incident management identifies and assesses incidents as they happen. Then it implements improvements to prevent future occurrences. Detecting and documenting incidents is only part of the process; future occurrences need to be addressed and prevented. Risk management occurs outside the incident management program. Objectives are set based on business needs, and capabilities are built to meet those objectives.
Which of the following is the BEST control to limit the impact of a successful ransomware attack? Incident response plan User awareness Air-gapped backups Disaster recovery plan
Incident response plans are reactive corrective controls and will not directly address the loss associated with a successful ransomware attack. User awareness will help reduce the possibility of a successful attack but will not help limit damage from a successful attack. Air-gapped backups are the best control to limit the damage because they are offline backups and would not be infected with the ransomware. These backups would allow the enterprise to recover data based on the recovery point objective. Disaster recovery plans are corrective controls and will not directly address the loss associated with a successful ransomware attack.
When collecting evidence for forensic analysis, it is MOST important to: perform a vulnerability assessment on the applications affected. use a digital rights management solution to access the data. follow data preservation procedures. perform a backup of the affected media to new media.
Performing a vulnerability assessment takes place after the root cause of an incident has been determined to find new vulnerabilities, not to collect evidence. A digital rights management solution is not intended to support forensic analysis. The information security manager must follow procedures that preserve evidence, ensure a legally sufficient chain of custody and are appropriate to meet business objectives. The suspect media should never be used as the source for analysis. The source or original media should be secured and only used to create a bit-for-bit image.
To ensure the timely identification of security incidents, the BEST course of action is to: document a business impact analysis. review a risk analysis. implement incident detection. apply preventive and detective controls.
The business impact analysis identifies and analyzes business processes and activities with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization. Downtime is a variable bound with the availability requirement in the information security scope. Risk analysis does not ensure the timely identification of information security incidents. The incident process performance deals with timely operations. Risk analysis is mainly concerned with calculating the probability and impact of a potential risk. Incident detection provides timely notification of an incident and could ensure the timely triggering and identification of incidents. Subsequently, implementing incident detection ensures proper incident response, reducing impacts to within acceptable levels. Incident management is built on reactive controls because it must handle effects not manageable with preventive controls. Detective controls represent a wide range of countermeasures and do not ensure timely identification and handling of incidents.
In a business impact analysis, the value of an information system should be based on the overall: cost of recovery. cost to recreate. opportunity cost. cost of emergency operations.
The cost of recovering the system is not the basis for determining the value of the system to the enterprise. The primary basis is loss of revenues or other costs. The cost to recreate is not a basis for valuing the system; the cost to the enterprise of the loss of the function is the basis. Opportunity cost reflects the cost to the enterprise resulting from the loss of a function. Cost of emergency operations is unrelated to the value of an information system.
While a disaster recovery exercise in the enterprise's hot site successfully restored all essential services, the test was deemed a failure. Which of the following circumstances would be the MOST likely cause? The maximum tolerable outage exceeded the acceptable interruption window (AIW). The recovery plans specified outdated operating system versions. Some restored systems exceeded service delivery objectives. Aggregate recovery activities exceeded the AIW.
The maximum tolerable outage, the amount of time the enterprise can operate in alternate mode, would normally exceed the acceptable interruption window (AIW). While a difference in operating system versions might cause a delay, it would probably be minor. Service delivery objectives (SDOs) are directly related to the business needs. The SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. Not meeting SDOs on some systems might be a concern but would not necessarily lead to the conclusion that the test was a failure. Exceeding the AIW would cause the enterprise significant damage and must be avoided. The acceptable interruption window is the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives.
Which of the following benefits that the enterprise receives from employing a systematic incident management program with a formal methodology is MOST important? A formal methodology makes incident management more flexible. A formal methodology is more reliant on business continuity activities. Each incident responder is able to get broad-based experience. Evidence of due diligence supports legal and liability claims.
The more formalized that something becomes, the less flexible it is. A formal methodology is actually able to more easily operate as a stand-alone function, with less reliance on business continuity activities. Having a formal methodology means that duties are generally assigned based on competence and availability of time. Legal and liability claims are most credible when the mechanisms used to collect them are formally documented, repeatable and regularly practiced.
What is the PRIMARY factor that should be taken into consideration when designing the technical solution for a disaster recovery site? Service delivery objective Recovery time objective Allowable interruption window Maximum tolerable outage
The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the allowable interruption window (AIW). The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services and applications. AIW is generally based on the downtime before the enterprise suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site. Maximum tolerable outage is the amount of time the enterprise can operate in alternate mode based on various factors such as accessibility and performance levels.
When a computer hacking attack has been crafted carefully, perpetrators may not leave a trace in transaction logs. If such an attack is anticipated, which of the following will be the MOST vital information source from a forensic perspective? Reconciliation results against external statements Reviews of approval steps executed by business managers Interviews collected from operation staff Volatile data remaining in the computer resources
When hacking is carefully completed, it can be difficult to find any observable trace evidence of the attack. Hence, reconciliation against external statements or logs may not be effective, as there may be no traces of the attack. Hacking most likely is conducted from the back end. Hence, business approval procedures may not provide vital information from a forensic perspective. Interviews are subjective and, therefore, are weak evidence from a forensic perspective. Attackers make sure to hide evidence of infiltration, such as erasing logs, editing control reports, etc. From a forensic perspective, it is equally important to capture volatile data, such as open ports, active processes, RAM data, etc., for further investigation.
Addressing the root cause of an incident is one aspect of which of the following incident management processes? Eradication Recovery Lessons learned Containment
Determining the root cause of an incident and eliminating it are key activities that occur as part of the eradication process. Recovery focuses on restoring systems or services to conditions specified in service delivery objectives (SDOs) or business continuity plans (BCPs). Lessons learned are documented at the end of the incident response process, after the root cause has been identified and remediated. Containment focuses on preventing the spread of damage associated with an incident, typically while the root cause either is still unknown or is known but cannot yet be remediated.
Which of the following choices is a characteristic of security information and event management (SIEM) technology? SIEM promotes compliance with security policies. SIEM is primarily a means of managing residual risk. SIEM replaces the need to install a firewall. SIEM provides a full range of compensating controls.
If properly deployed, configured and tuned, security information and event management (SIEM) can provide information on policy compliance, incident monitoring and other capabilities. SIEM is not used to manage residual risk. SIEM is an automated review of logs through aggregation and correlation and does not replace the need for firewalls. SIEM provides a series of detective controls, not compensating controls.
What makes an incident management program effective? It identifies, assesses and prevents recurrence of incidents. It detects and documents incidents. It includes a risk management strategy. It reflects the capabilities of the enterprise.
Incident management identifies and assesses incidents as they happen. Then it implements improvements to prevent future occurrences. Detecting and documenting incidents is only part of the process; future occurrences need to be addressed and prevented. Risk management occurs outside the incident management program. Objectives are set based on business needs, and capabilities are built to meet those objectives.
Which of the following technologies is likely to be the MOST useful in countering advanced persistent threats? Anomaly-based intrusion detection system Security information and event management system Automated vulnerability scanning tools Integrated network management system
Intrusion detection systems can detect and notify of a potential attack but provide no information on subsequent breaches, making them less effective at identifying persistent threats than system information and event management (SIEM) systems. SIEM systems can identify incidents or potential incidents, prioritize according to potential impact, track incidents until they are closed, and provide substantial trend analysis over time. Vulnerability scanning tools identify weaknesses in systems and networks that correspond to known paradigms. In general, advanced persistent threats (APTs) involve exploits that are outside the scope of published vulnerabilities, making vulnerability scanning a limited countermeasure against APTs. Integrated network management typically provides a limited subset of the capabilities of fully implemented SIEM.
An information security manager is in the process of investigating a network intrusion. One of the enterprise's employees is a suspect. The manager has just obtained the suspect's computer and hard drive. Which of the following is the BEST next step? Create an image of the hard drive. Encrypt the data on the hard drive. Examine the original hard drive. Create a logical copy of the hard drive.
One of the first steps in an investigation is to create an image of the original hard drive. A physical copy will copy the data, block by block, including any hidden data blocks and hidden partitions that can be used to conceal evidence. Encryption is not required. Examining the hard drive is not good practice because it risks destroying or corrupting evidence. A logical copy will only copy the files and folders and may not copy other necessary data to properly examine the hard drive for forensic evidence.
In order to contain an incident, which of the following would be the MOST effective to ensure that the proper tools, technologies and subject matter experts are engaged? process team plan strategy
Processes will be developed based on the strategy. Once processes are developed, teams are defined by the strategy. Unless a strategy is defined, a plan cannot be developed. A strategy is the most effective, as it defines the overall goal of the incident response.
Which of the following would be the BEST course of action when an alert indicates a large volume of outgoing traffic from a critical enterprise server? Notify senior management about the incident. Monitor traffic from the server. Compare traffic log files from previous days. Initiate the incident response process.
Senior management would be notified after confirmation of the incident. Monitoring traffic from the server could be initiated as part of the incident response process. Comparing the log files could be initiated as part of the incident response process. For a critical enterprise server, the incident management process should be started as soon as possible, which would be when an alert warns of unusual traffic.
Forensic investigators can determine what is currently happening on a system by examining: a bit-by-bit copy. isolated systems. volatile data. the original media.
A bit-by-bit copy of the data is an imaging activity, and imaging of the volatile memory is not possible using this method. Both isolated and live systems can be forensically analyzed. Volatile data are only present while the computer is running. During an investigation, volatile data can contain critical information that would be lost if not first collected. For example, many types of malware are designed to be present in the computer's memory when it is operating and to disappear when the computer is turned off, leaving no trace. Forensic analysis should never be done on original media and it will not provide information regarding volatile memory.
Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected? Applying patches Changing access rules Upgrading hardware Backing up files
Applying patches does not significantly increase the level of difficulty. Changing access rules has no effect on eradication of malicious code. Upgrading hardware does not significantly increase the level of difficulty. If malicious code is not immediately detected, it will most likely be backed up as part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.