Incident Management Overview & Response Procedures
Q: A computer incident response team manual should PRIMARILY contain which of the following documents?
A. Risk assessment results
B. Severity criteria
C. Emergency call tree directory
D. Table of critical backup files
Answer: B. Justification: Risk assessment results are a document that would not likely be included in a computer incident response team (CIRT) manual. Quickly ranking the severity of an incident against defined criteria is a key element of incident response, so the severity criteria belong in the manual. The emergency call tree directory is a document that would not likely be included in a CIRT manual. A table of critical backup files is a document that would not likely be included in a CIRT manual.

Q: A newly hired information security manager examines the 10-year-old business continuity plan and notes that the maximum tolerable outage (MTO) is much shorter than the allowable interruption window (AIW). What action should be taken as a result of this information?
A. Reassess the MTO.
B. Conduct a business impact analysis and update the plan.
C. Increase the service delivery objective.
D. Take no action; MTO is not related to AIW.
Answer: B. Justification: Performing a business impact analysis (BIA) will include reassessment of the MTO; until then there is no way to determine whether it is the MTO or the AIW that is incorrect. The first issue is to determine whether the plan is current and then update requirements as necessary; the BIA will most likely be a collaborative effort with the business process owners. The service delivery objective will need to be updated by performing a BIA, not raised in isolation. The MTO will always be at least equal to the AIW and is generally longer, so a plan in which the MTO is shorter than the AIW is internally inconsistent and must be revisited.

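The justification above rests on a relationship between the continuity parameters (the MTO can never be shorter than the AIW). The following is an added example, not part of the original question bank, showing how a security manager can check a plan's recorded parameters for exactly this kind of inconsistency before commissioning the BIA. The process names and hour values are constructed; the additional rule that the RTO must fit inside the AIW is a standard BCP relationship assumed here rather than stated on the page.

```python
# Added example (not from the original question bank): a consistency check over
# business continuity parameters. Process names/values are constructed; the
# "RTO <= AIW" rule is an assumed standard relationship, "AIW <= MTO" is the one
# the justification states.
from dataclasses import dataclass


@dataclass(frozen=True)
class ContinuityParams:
    process: str
    rto_hours: float   # recovery time objective: planned time to restore service
    aiw_hours: float   # allowable interruption window: outage tolerated before unacceptable impact
    mto_hours: float   # maximum tolerable outage: longest time the business can run in alternate mode
    sdo: float         # service delivery objective as a fraction of normal service, in (0, 1]


def check_params(p):
    """Return human-readable findings; an empty list means the record is internally consistent."""
    findings = []
    if not 0 < p.sdo <= 1:
        findings.append(f"{p.process}: SDO {p.sdo} must be a fraction of normal service in (0, 1]")
    if p.rto_hours > p.aiw_hours:
        findings.append(f"{p.process}: RTO {p.rto_hours}h exceeds AIW {p.aiw_hours}h; "
                        "recovery is planned to finish after the outage becomes unacceptable")
    if p.mto_hours < p.aiw_hours:
        findings.append(f"{p.process}: MTO {p.mto_hours}h is shorter than AIW {p.aiw_hours}h; "
                        "MTO must be at least the AIW, so one of them is wrong and a BIA is needed")
    return findings


def review_plan(records):
    """Map each inconsistent process to its findings; consistent processes are omitted."""
    return {p.process: f for p in records if (f := check_params(p))}


# Constructed plan: one consistent record, one with the MTO < AIW defect from the
# question, one whose planned recovery time does not fit inside the AIW.
PLAN = [
    ContinuityParams("payments", rto_hours=4, aiw_hours=8, mto_hours=72, sdo=0.6),
    ContinuityParams("payroll", rto_hours=24, aiw_hours=120, mto_hours=48, sdo=0.5),
    ContinuityParams("reporting", rto_hours=48, aiw_hours=24, mto_hours=168, sdo=1.0),
]

if __name__ == "__main__":
    for process, findings in review_plan(PLAN).items():
        for finding in findings:
            print(finding)
```

The check only tells the manager which records cannot all be right; which value is wrong is what the BIA, done with the business process owners, has to establish.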
Q: A password hacking tool was used to capture detailed bank account information and personal identification numbers. Upon confirming the incident, the NEXT step is to:
A. notify law enforcement.
B. start containment.
C. make an image copy of the media.
D. isolate affected servers.
Answer: B. Justification: Notifying law enforcement should be performed after the containment plan has been executed. After an incident has been confirmed, containment is the first priority of incident response because it will generally mitigate further impact. Making an image copy of the media should be performed after the containment plan has been executed. Isolating affected servers is part of containment.

Q: An employee's computer has been infected with a new virus. What should be the FIRST action?
A. Execute the virus scan.
B. Report the incident to senior management.
C. Format the hard disk.
D. Disconnect the computer from the network.
Answer: D. Justification: The virus may start infecting other computers while the virus scan is running. Only when the impact to the IT environment is significant should it be reported to senior management; a single virus infection does not warrant that. Formatting the hard disk is the last resort. The first action should be containing the risk (i.e., disconnecting the computer so that it will not infect other computers on the network).

Q: An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
A. Inform senior management.
B. Determine the extent of the compromise.
C. Report the incident to the authorities.
D. Communicate with the affected customers.
Answer: B. Justification: Before reporting to senior management, the extent of the exposure needs to be assessed. Determining the extent of the compromise comes first because every subsequent report, whether to senior management, the authorities or affected customers, depends on knowing what was exposed. Reporting the incident to authorities is a management decision and not up to the security manager. Communication with affected customers is a management task and is not the responsibility of the security manager.

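"Determine the extent of the compromise" means establishing from evidence which records the compromised access actually touched, and when. The following is an added example, not from the original question bank, that scopes an exposure from application access logs for a known compromised account and time window. The log format, the account name `svc-export`, the action names and the customer record identifiers are all constructed for illustration.

```python
# Added example (not from the original question bank): scoping a confirmed
# exposure from access logs before anyone is notified. The log format, account
# name, action names and record ids below are constructed for illustration.
from datetime import datetime

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log: timestamp, account, action, customer record id.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice VIEW cust-1001
2024-03-01T08:05:40Z svc-export EXPORT cust-1002
2024-03-01T09:13:02Z svc-export EXPORT cust-1003
2024-03-01T09:13:05Z svc-export EXPORT cust-1004
2024-03-01T11:45:00Z bob VIEW cust-1001
2024-03-02T02:10:33Z svc-export EXPORT cust-1002
2024-03-02T02:11:01Z svc-export EXPORT cust-1005
2024-03-03T10:00:00Z svc-export EXPORT cust-1006
"""


def parse_ts(s):
    return datetime.strptime(s, FMT)


def parse_log(text):
    """Yield (timestamp, account, action, record) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, record = line.split()
        yield parse_ts(ts), account, action, record


def scope_exposure(log_text, compromised_accounts, start_iso, end_iso,
                   disclosing_actions=("EXPORT",)):
    """Map each exposed record id to its (first_access, last_access) inside the window.

    Only actions that actually disclose data count; a VIEW by an uninvolved user
    or an EXPORT outside the compromise window is not evidence of exposure.
    """
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    exposed = {}
    for ts, account, action, record in parse_log(log_text):
        if account not in compromised_accounts or action not in disclosing_actions:
            continue
        if not start <= ts <= end:
            continue
        first, last = exposed.get(record, (ts, ts))
        exposed[record] = (min(first, ts), max(last, ts))
    return {r: (f.strftime(FMT), l.strftime(FMT)) for r, (f, l) in exposed.items()}


def exposure_summary(exposed):
    """Headline numbers for the report to management: how many records, over what period."""
    if not exposed:
        return {"count": 0, "records": [], "first_access": None, "last_access": None}
    firsts = [f for f, _ in exposed.values()]
    lasts = [l for _, l in exposed.values()]
    return {"count": len(exposed), "records": sorted(exposed),
            "first_access": min(firsts), "last_access": max(lasts)}


if __name__ == "__main__":
    found = scope_exposure(SAMPLE_LOG, {"svc-export"},
                           "2024-03-01T09:00:00Z", "2024-03-02T23:59:59Z")
    print(exposure_summary(found))
```

The window and account set are inputs, not outputs: they come from the evidence that confirmed the incident, and widening either one is itself a finding that has to go into the report.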
Q: For global organizations, which of the following is MOST essential to the continuity of operations in an emergency situation?
A. A documented succession plan
B. Distribution of key process documents
C. A reciprocal agreement with an alternate site
D. Strong senior management leadership
Answer: B. Justification: During contingency situations, contact with one or more senior managers may be lost. In such cases, a documented succession plan is important as a means of establishing who is empowered to make decisions on behalf of the organization. However, if an organization experiencing a contingency situation has only a succession plan and no distributed key process documentation, the effectiveness of the empowered decision maker will be limited. A succession plan is therefore worthwhile, but less important than process documentation. Many factors come into play during contingency situations, but continuity is possible only when personnel who are able to resume key processes have the knowledge of how to do so. When key process documentation is distributed to contingency locations, it is available for the use of any staff who report to these locations during contingencies, and so long as that documentation is up to date, it may be used even by those who may not typically be involved in performing those functions. Reciprocal agreements are established when contingency sites are shared among multiple business partners. There are business justifications for establishing these relationships, but having them established is generally not going to ensure continuity of operations. Strong leadership by senior management drives the preparation that goes into continuity of operations planning before a contingency situation arises. Assuming that this preparation has been adequate, however, the continuity functions should be carried out by organization personnel even if leadership during the contingency is interrupted or lacking in strength.

Q: In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
A. Copies of critical contracts and service level agreements
B. Copies of the business continuity plan
C. Key software escrow agreements for the purchased systems
D. List of emergency numbers of service providers
Answer: B. Justification: Copies of contracts and service level agreements would not be as immediately critical as the business continuity plan (BCP) itself. Without a copy of the BCP, recovery efforts would be severely hampered or may not be effective. Key software escrow agreements would not be as immediately critical as the BCP itself. A list of emergency numbers of service providers would already be a part of the BCP.

Q: Prioritization of incident response activities is driven primarily by a:
A. recovery point objective.
B. quantitative risk assessment.
C. business continuity plan.
D. business impact analysis.
Answer: D. Justification: A recovery point objective identifies the maximum acceptable data loss associated with successful recovery. It does not prioritize the order of incident response. Risk assessment (both qualitative and quantitative) examines sources of threat, associated vulnerability and probability of occurrence. At the point that an incident occurs, the probability aspect of risk is no longer unknown, so the degree of impact drives the prioritization of incident response, captured in the specialized business impact analysis. Business continuity plans define procedures to follow when business functions are impacted. They do not prioritize the order of incident response. Business impact analysis is a systematic activity designed to assess the effect upon an organization associated with impairment or loss of a function. At the point that an incident occurs, its probability is no longer unknown, so it is the potential impact on the organization that determines prioritization of response activities.

Q: The BEST time to determine who should be responsible for declaring a disaster is:
A. during the establishment of the plan.
B. once an incident has been confirmed by operations staff.
C. after fully testing the incident management plan.
D. after the implementation details of the plan have been approved.
Answer: A. Justification: Roles and responsibilities for all involved in incident response should be established when the incident response plan is established. Determining roles and responsibilities during a disaster is not the best time to make such decisions, unless it is absolutely necessary. While testing the plan may drive some changes in roles based on test results, roles (including who declares the disaster) should have been established before testing and plan approval. Roles and responsibilities for all involved in incident response should be established when the incident response plan is established, not after the details have been approved.

Q: The MOST timely and effective approach to detecting nontechnical security violations in an organization is:
A. the development of organization-wide communication channels.
B. periodic third-party auditing of incident reporting logs.
C. an automated policy compliance monitoring system.
D. deployment of suggestion boxes throughout the organization.
Answer: A. Justification: Timely reporting of all security-related activities provides the information needed to monitor and respond to information security governance issues, and effective communication channels are also how security-related information is disseminated to the organization. Audits are one form of periodic reporting, but they are too infrequent for effective day-to-day information security management. Automated policy compliance monitoring is useful for reporting on IT-related processes, but by itself is insufficient for overall information security governance monitoring, and it cannot see nontechnical violations at all. Even if personnel could be persuaded to leave notes on policy violations in suggestion boxes, it would not be effective and is unlikely to be timely unless suggestions are collected daily.

Q: The PRIMARY business objective of incident management is:
A. containment.
B. root-cause analysis.
C. eradication.
D. impact control.
Answer: D. Justification: Containment is one of the steps of the standard incident management process, not the primary objective. Depending on the nature of the incident and its potential impact on the organization, containment may or may not be a priority. Root-cause analysis facilitates long-term remediation of vulnerabilities to prevent the recurrence of a given type of incident, but it is not the purpose of incident management. Eradication is one of the steps of the standard incident management process, not the primary objective. The purpose of incident management is to identify and respond to unexpected disruptive events with the objective of controlling impacts within acceptable levels.

Q: The PRIMARY objective of incident response is to:
A. investigate and report results of the incident to management.
B. gather evidence.
C. minimize business disruptions.
D. assist law enforcement in investigations.
Answer: C. Justification: Investigating and reporting results of the incident is a responsibility of incident response teams but not the primary objective. Gathering evidence is an activity that an incident response team may conduct, depending on circumstances, but not a primary objective. The primary role of incident response is to detect, respond to and contain incidents so that impact to business operations is minimized. Assisting law enforcement is an activity that an incident response team may conduct, depending on circumstances, but not a primary objective.

Q: The PRIMARY way in which incident management adds value to an organization is by:
A. reducing the overall threat level.
B. optimizing risk management efforts.
C. eliminating redundant recovery plans.
D. streamlining the reporting structure.
Answer: B. Justification: Incident management focuses on prevention, containment and restoration activities and does not reduce the threat level. Incident management is a component of risk management that can provide an optimal balance between prevention, containment and restoration. Recovery plans are created by business and process owners. Incident management should ideally be integrated with continuity and recovery plans, but an organization does not seek to evaluate these plans for redundancy. Reporting structures are typically created for business reasons. Incident management may play a role in clarifying or modifying the structures used for reporting incidents in particular, but streamlining the reporting structure is not the primary way in which incident management adds value to an organization.

Q: The acceptability of a partial system recovery after a security incident is MOST likely to be based on the:
A. ability to resume normal operations.
B. maximum tolerable outage.
C. service delivery objective.
D. acceptable interruption window.
Answer: C. Justification: The ability to resume normal operations is situational and would not be a standard for acceptability. While the maximum tolerable outage, in addition to many other factors, feeds into a service delivery objective (SDO), by itself it does not address the acceptability of a specific level of operational recovery. A prior determination of the acceptable level of operation in the event of an outage is the SDO. The SDO may be set at less than normal operation levels, but sufficient to sustain essential business functions. While the acceptable interruption window, in addition to many other factors, feeds into an SDO, by itself it does not address the acceptability of a specific level of operational recovery.

Q: The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure the system is secure would be to:
A. change the root password of the system.
B. implement multifactor authentication.
C. rebuild the system from the original installation medium.
D. disconnect the mail server from the network.
Answer: C. Justification: Changing the root password of the system does not ensure the integrity of the mail server; an attacker with superuser access can have installed other means of access that a password change does not remove. Implementing multifactor authentication is an after-the-fact measure and does not clear existing security threats. Rebuilding the system from the original (trusted) installation medium is the only way to ensure that all security vulnerabilities and potential stealth malicious programs have been destroyed; if evidence is required, a forensic image should be taken first, and data should be restored only from backups verified to predate the compromise. Disconnecting the mail server from the network is an initial containment step but does not guarantee security.

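The reason a password change is not enough is that the attacker's changes live in files, not in the password database. The following is an added example, not from the original question bank, that compares a host's files against a known-good manifest of vendor-shipped hashes and reports what was modified or added. The manifest, the file contents and the paths (including the `libhide.so` rootkit helper) are constructed for illustration. Note the caveat in the usage note: this check is for confirming a rebuilt host, not for clearing the compromised one.

```python
# Added example (not from the original question bank): integrity audit of a host
# against a known-good file manifest. Paths, hashes and file contents are
# constructed; real manifests come from the vendor's package metadata.
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "vendor manifest": path -> sha256 of the file as originally installed.
KNOWN_GOOD = {
    "/usr/sbin/sshd": sha256(b"sshd-binary-v1"),
    "/usr/bin/ls": sha256(b"ls-binary-v1"),
    "/etc/pam.d/sshd": sha256(b"pam config"),
}

# Constructed snapshot of the compromised host: sshd was replaced with a
# credential-logging build and an extra shared object was dropped in.
COMPROMISED_HOST = {
    "/usr/sbin/sshd": b"sshd-binary-v1 + credential-logging patch",
    "/usr/bin/ls": b"ls-binary-v1",
    "/etc/pam.d/sshd": b"pam config",
    "/usr/lib/libhide.so": b"rootkit helper",
}

# Constructed snapshot of the same paths after a rebuild from trusted media.
REBUILT_HOST = {
    "/usr/sbin/sshd": b"sshd-binary-v1",
    "/usr/bin/ls": b"ls-binary-v1",
    "/etc/pam.d/sshd": b"pam config",
}


def audit(manifest, host_files):
    """Classify every path as modified (hash differs), missing, or added (not in manifest)."""
    modified = sorted(p for p, h in manifest.items()
                      if p in host_files and sha256(host_files[p]) != h)
    missing = sorted(p for p in manifest if p not in host_files)
    added = sorted(p for p in host_files if p not in manifest)
    return {"modified": modified, "missing": missing, "added": added}


def is_clean(report):
    return not (report["modified"] or report["missing"] or report["added"])


if __name__ == "__main__":
    print("compromised:", audit(KNOWN_GOOD, COMPROMISED_HOST))
    print("rebuilt:", audit(KNOWN_GOOD, REBUILT_HOST))
```

Run on the compromised host with its own tools, a check like this can itself be subverted (a rootkit can hide the added file or lie about hashes), which is exactly why the answer is a rebuild from trusted media rather than an in-place cleanup. The audit belongs at the end: it confirms that the rebuilt host matches the manifest before data is restored onto it.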
Q: Which of the following choices is the BEST method of determining the impact of a distributed denial-of-service attack on a business?
A. Identify the sources of the malicious traffic.
B. Interview the users and document their responses.
C. Determine the criticality of the affected services.
D. Review the logs of the firewalls and intrusion detection system.
Answer: C. Justification: Identifying the sources of the attack may be useful to stop the attack, but does not aid in determining impact. The overall impact of a distributed denial-of-service attack may be beyond the comprehension of the users, as servers, databases, routers and other components may be affected. Criticality of affected services will determine the impact on the business. If affected services are not critical, then there is no cause for alarm. Logs may identify the nature of the attack rather than the impact.

Q: The purpose of incident management and response is to:
A. recover an activity interrupted by an emergency or disaster, within a defined time and cost.
B. perform a walk-through of the steps required to recover from an adverse event.
C. reduce business disruption insurance premiums for the business.
D. address disruptive events with the objective of controlling impacts within acceptable levels.
Answer: D. Justification: Recovering an interrupted activity within a defined time and cost is the definition of a disaster recovery plan (DRP). The incident response process is sequentially the first response to an adverse event, with the aim of preventing the incident from escalating to a disaster. A DRP table-top test or walk-through is performed to exercise the DRP in a test scenario to determine whether the steps that the organization needs to take to recover are reliably documented. Business disruption insurance is an instrument of the risk management strategy to diversify and distribute the costs associated with an adverse event to a third party; business insurance premiums are not dependent on incident management and response. Incident management and response is a component of business continuity planning. As a first response to adverse events, the objective of incident management and response is to prevent incidents from becoming problems, and to prevent problems from becoming disasters.

Q: The typical requirement for security incidents to be resolved quickly and service restored is:
A. always the best option for an enterprise.
B. often in conflict with effective problem management.
C. the basis for enterprise risk management activities.
D. a component of forensics training.
Answer: B. Justification: Quickly restoring service will not always be the best option, such as in cases of criminal activity, which requires preservation of evidence and so precludes use of the systems involved. Problem management is focused on investigating and uncovering the root cause of incidents; restoring service quickly often destroys the evidence that investigation needs, so the two goals frequently conflict. Managing risk goes beyond the quick restoration of services (e.g., if doing so increased some other risk disproportionately). Forensics is concerned with legally adequate collection and preservation of evidence, not with service continuity.

Q: What action should the security manager take FIRST when incident reports from different organizational units are inconsistent and highly inaccurate?
A. Ensure that a clear organizational incident definition and severity hierarchy exists.
B. Initiate a companywide incident identification training and awareness program.
C. Escalate the issue to the security steering committee for appropriate action.
D. Involve human resources in implementing a reporting enforcement program.
Answer: A. Justification: The first action is to validate that a clear incident definition and severity criteria are established and communicated throughout the organization. A training program will not be effective until clear incident identification and severity criteria have been established. The steering committee may become involved after incident criteria have been clearly established and communicated. Enforcement activities will not be effective unless incident criteria have been clearly established and communicated.

Q: What is the BEST method for mitigating against network denial-of-service (DoS) attacks?
A. Ensure all servers are up-to-date on OS patches.
B. Employ packet filtering to drop suspect packets.
C. Implement network address translation to make internal addresses nonroutable.
D. Implement load balancing for Internet-facing devices.
Answer: B. Justification: In general, patching servers will not affect network traffic. Of the options listed, packet filtering is the only one that reduces the network congestion caused by a network DoS attack. Implementing network address translation would not be effective in mitigating most network DoS attacks. Load balancing would not be as effective in mitigating most network DoS attacks. Note that filtering at the victim's edge only helps while the upstream link still has capacity; once the link itself is saturated, the filtering has to happen upstream, at the provider.

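To make "drop suspect packets" concrete, the following is an added example, not from the original question bank, of the per-source sliding-window rate limit that a packet filter applies during a flood: a source that exceeds the allowed packet count inside the window has its further packets dropped until the window slides past. The packet stream, the two source addresses and the thresholds are constructed for illustration; a real filter does the same thing on the router or firewall data path.

```python
# Added example (not from the original question bank): per-source sliding-window
# rate limiting as used by packet filters under a DoS flood. Addresses, packet
# timings and thresholds are constructed for illustration.
from collections import defaultdict, deque


class RateFilter:
    """Admit at most `max_packets` from each source per `window_seconds`; drop the rest."""

    def __init__(self, max_packets, window_seconds):
        self.max_packets = max_packets
        self.window = window_seconds
        self.history = defaultdict(deque)   # src -> timestamps of admitted packets
        self.dropped = defaultdict(int)     # src -> number of packets dropped

    def admit(self, src, t):
        q = self.history[src]
        # Slide the window: forget admitted packets older than the window.
        while q and t - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_packets:
            self.dropped[src] += 1
            return False
        q.append(t)
        return True


def run(packets, max_packets=5, window_seconds=1.0):
    """Feed (src, timestamp) packets through the filter; return admitted packets and drop counts."""
    f = RateFilter(max_packets, window_seconds)
    admitted = [(src, t) for src, t in packets if f.admit(src, t)]
    return admitted, dict(f.dropped)


# Constructed traffic: one flooding source sending 20 packets in under a second,
# one legitimate source sending 3 packets in the same period.
FLOOD_SRC = "198.51.100.7"
LEGIT_SRC = "203.0.113.9"
PACKETS = sorted(
    [(FLOOD_SRC, round(i * 0.05, 2)) for i in range(20)]
    + [(LEGIT_SRC, round(i * 0.3, 2)) for i in range(3)],
    key=lambda p: p[1],
)

if __name__ == "__main__":
    admitted, dropped = run(PACKETS)
    print("admitted:", len(admitted), "dropped per source:", dropped)
```

The legitimate source never hits the limit and loses nothing; the flooding source gets its first few packets through and then nothing more inside the window. Against a distributed flood the same logic still applies per source, which is why thresholds and signatures matter more than the mechanism itself.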
Q: What is the FIRST action an information security manager should take when a company laptop is reported stolen?
A. Evaluate the impact of the information loss
B. Update the corporate laptop inventory
C. Ensure compliance with reporting procedures
D. Disable the user account immediately
Answer: C. Justification: Evaluating the impact of the information loss would be a part of incident response procedures. Updating inventory is of minor significance and can be done anytime. The first step is to initiate incident response procedures. Disabling the user account would be addressed as a part of incident response.

Q: What is the FIRST priority when responding to a major security incident?
A. Documentation
B. Monitoring
C. Restoration
D. Containment
Answer: D. Justification: Documentation is important, but it should follow containment. Monitoring is important and should be ongoing but does not limit the impact of the incident. Restoration follows containment. The first priority in responding to a security incident is to contain it to limit the impact.

Q: Which of the following has the highest priority when defining an emergency response plan?
A. Critical data
B. Critical infrastructure
C. Safety of personnel
D. Vital records
Answer: C. Justification: Critical data are secondary to safety of personnel. Critical infrastructure is secondary to safety of personnel. The safety of an organization's employees is the most important consideration, both because of human safety laws and because human safety is considered first in any process or management practice. Vital records are secondary to safety of personnel.

Q: What is the MOST appropriate IT incident response management approach for an organization that has outsourced its IT and incident management function?
A. A tested plan and a team to provide oversight
B. An individual to serve as the liaison between the parties
C. Clear notification and reporting channels
D. A periodic audit of the provider's capabilities
Answer: A. Justification: An approved and tested plan will provide assurance of the provider's ability to address incidents within an acceptable recovery time, and an internal team provides the oversight and liaison functions that ensure the response is according to plan. Identifying a liaison is not sufficient by itself to provide assurance of adequate incident response performance. Notification and reporting is not a sufficient assurance of suitable response activities and provides no capability for input, participation or addressing related issues in a timely manner. Audits provide a periodic snapshot of the sufficiency of the provider's plans and capabilities, but are not adequate to manage collateral and consequential issues in the event of a significant incident.

Q: When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
A. Business continuity plan
B. Disaster recovery plan
C. Incident response plan
D. Vulnerability management plan
Answer: C. Justification: A business continuity plan would be triggered during the execution of the incident response plan in case the incident developed into a disaster causing serious business interruption. A disaster recovery plan would likewise be triggered during the execution of the incident response plan if the incident developed into a disaster. An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach. A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).

Q: Which of the following BEST contributes to the design of data restoration plans?
A. Transaction turnaround time
B. Mean time between failures
C. Service delivery objectives
D. The duration of the data restoration job
Answer: C. Justification: Transaction turnaround time may be a concern when the effectiveness of an application system is evaluated; normally it is not the main agenda in the restoration stage. Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a system during operation. MTBF is not a factor in determining restoration of data. The service delivery objective (SDO) relates directly to the business needs; the SDO is the level of service to be reached during the alternate process mode until the normal situation is restored. The duration of a data restoration job is of secondary importance; the strategic importance of the data should be considered first.

Q: Which of the following actions is MOST important when a server is infected with a virus?
A. Isolate the infected server(s) from the network.
B. Identify all potential damage caused by the infection.
C. Ensure that the virus database files are current.
D. Establish security weaknesses in the firewall.
Answer: A. Justification: The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the infected server(s) from the network. After the network is secured from further infection, the damage assessment can be performed. The virus signature files should be updated on a regular basis regardless of when a server was infected. An undetected virus infection is a function of the antivirus software and generally unrelated to weakness in the firewall.

Q: Which of the following actions should be taken when an online trading company discovers a network attack in progress?
A. Shut off all network access points
B. Dump all event logs to removable media
C. Isolate the affected network segment
D. Enable trace logging on all events
Answer: C. Justification: Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs, while useful, would not mitigate the immediate threat posed by the network attack. Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Enabling trace logging, while useful, would not mitigate the immediate threat posed by the network attack.

Q: Which of the following capabilities is MOST important for an effective incident management process? The organization's capability to:
A. detect the incident.
B. respond to the incident.
C. classify the incident.
D. record the incident.
Answer: A. Justification: An organization must be able to detect the incident in order to respond to, record and classify it. Even if response is not possible, detection allows stakeholders to be informed. Responding to an incident is an essential part of incident management, but it must be detected first. Incidents that are detected are typically classified based on impact. Incidents cannot be recorded unless detected.

Q: Which of the following choices includes the activity of evaluating the computing infrastructure by performing proactive security assessment and evaluation?
A. A disaster recovery plan
B. A business continuity plan
C. An incident management plan
D. A continuity of operations plan
Answer: C. Justification: A disaster recovery plan is a set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency. A business continuity plan is a plan used by an organization to respond to disruption of critical business processes; it depends on the contingency plan for restoration of critical systems. Proactive security assessment and evaluation of the infrastructure is part of the "protect" phase of the incident management planning process flow. A continuity of operations plan is an effort within individual executive departments and agencies to ensure that primary mission-essential functions continue to be performed during a wide range of emergencies, including localized acts of nature, accidents and technological or attack-related emergencies.

Q: Which of the following choices is MOST useful to an incident response team determining the severity level of reported security incidents?
A. Reviewing past incidents to determine impact
B. Integrating incident management with business continuity
C. Maintaining an inventory of assets and resources
D. Involving managers from affected operational areas
Answer: D. Justification: Past incidents can be a useful guide to the types and severity of incidents, but will not necessarily provide any information on a current incident. Integrating incident management with business continuity facilitates response to high-severity incidents, but severity level must be determined prior to invoking the business continuity plan. Maintaining an inventory of assets and resources may be helpful when determining the severity of incidents, but is not a requirement. The incident response team is likely not as well informed regarding each operational area impacted by a security incident as the managers from those areas, so it makes sense to consult with the managers to get their estimates.

Q: Which of the following is a key component of an incident response policy?
A. Updated call trees
B. Escalation criteria
C. Press release templates
D. Critical backup files inventory
Answer: B. Justification: Call trees are too detailed, change too frequently and are not a part of policy. Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy. Press release templates are too detailed to be included in a policy document. Lists of critical backup files are too detailed to be included in a policy document.

Q: Which of the following is the FIRST step in developing an incident response plan?
A. Set the minimum time required to respond to incidents.
B. Establish a process to report incidents to senior management.
C. Ensure the availability of skilled resources.
D. Categorize incidents based on likelihood and impact.
Answer: D. Justification: Determining response time is based on the categorization of incidents. The process for reporting depends on the categorization; management may want only high-severity incidents to be reported. The resources required depend on the categorization of the incident and the established response time. Incidents with higher likelihood and impact warrant more attention, so categorization comes first.

Q: Which of the following needs to be MOST seriously considered when designing a risk-based incident response management program?
A. The chance of collusion among staff
B. Degradation of investigation quality
C. Minimization of false-positive alerts
D. Monitoring repeated low-risk events
Answer: D. Justification: Any control practice is vulnerable to collusion, and an incident carefully crafted among several staff is hard to detect; however, successful collusion is not common. As long as the investigation process is well defined, it is unlikely that its quality will fall short. A risk-based approach does not guarantee the minimization of false-positive alerts, but that is not its most serious weakness. A risk-based approach focuses on high-risk items, and those attempting to commit fraud may take advantage of this: when risk-based monitoring is in place, there is a higher chance of overlooking low-risk activities. Even though the impact of a single low-risk event is small, the accumulated damage from its repeated occurrence cannot be ignored, so the program must also review the chance of repeated low-risk events.

Q: Which of the following should be determined FIRST when establishing a business continuity program?
A. Cost to rebuild information processing facilities
B. Incremental daily cost of the unavailability of systems
C. Location and cost of offsite recovery facilities
D. Composition and mission of individual recovery teams
Answer: B. Justification: The cost to rebuild information processing facilities would not be the first thing to determine. Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems; this will allow recovery time objectives to be determined. Location and cost of a recovery facility cannot be addressed until the potential losses are calculated, which will determine the type of recovery site that is needed, and this in turn will affect cost. Individual recovery team requirements will be addressed after the requirements for business continuity are determined.

Q: Which of the following should be the FIRST action to take when a fire spreads throughout the building?
A. Check the facility access logs.
B. Call together the crisis management team.
C. Launch the disaster recovery plan.
D. Launch the business continuity plan.
Answer: A. Justification: Safety of people always comes first; therefore, verifying the access logs of personnel to the facility should be the first action, in order to ensure that all staff can be accounted for. Calling the crisis management team together should be done after the initial emergency response (i.e., evacuation of people). Launching the disaster recovery plan is not the first action. Launching the business continuity plan is not the first action.

Q: Which of the following situations would be of MOST concern to a security manager?
A. Audit logs are not enabled on a production server
B. The logon ID for a terminated systems analyst still exists on the system
C. The help desk has received numerous reports of users receiving phishing emails
D. A Trojan was found to be installed on a system administrator's laptop
Answer: D. Justification: Audit logs not enabled on a production server, although important, do not pose as immediate or as critical a threat as a Trojan installed on a system administrator's laptop. The logon ID of a terminated employee still existing on the system poses a risk, but unless the employee is disgruntled or malicious, it is not likely to be a critical threat. Numerous reports of phishing emails are a risk, but in this situation employees recognize the threat and are responding appropriately, so it is not a critical threat. The discovery of a Trojan installed on a system administrator's laptop is a highly significant threat from an attacker and may mean that privileged user accounts and passwords have been compromised.

Q: Which of the following would present the GREATEST risk to information security?
A. Virus signature file updates are applied to all servers every day
B. Security access logs are reviewed within five business days
C. Critical patches are applied within 24 hours of their release
D. Security incidents are investigated within five business days
Answer: D. Justification: Virus signature files updated every day do not pose a great risk. Reviewing security access logs within five days is not the greatest risk. Patches applied within 24 hours is not a significant risk. Waiting up to five business days to investigate security incidents can pose a major risk.

Q: While defining incident response procedures, an information security manager must PRIMARILY focus on:
A. closing incident tickets in a predetermined time frame.
B. reducing the number of incidents.
C. minimizing operational interruptions.
D. meeting service delivery objectives.
Answer: D. Justification: Closing tickets is not a priority of incident response. Reducing the number of incidents is the focus of overall incident management. Minimizing the impact on operations is not necessarily the primary focus; some disruption in operations may be within acceptable limits. The primary focus of incident response is to ensure that business-defined service delivery objectives are met.

Q: While developing incident response procedures, an information security manager must ensure that the procedure is PRIMARILY aimed at:
A. containing incidents to minimize damage.
B. identifying root causes of incidents.
C. implementing solutions to prevent recurrence.
D. recording and closing incident tickets.
Answer: A. Justification: Incident response procedures primarily focus on containing the incident and minimizing damage. Root cause analysis is a component of the overall incident management process rather than the incident response procedure. Implementing solutions is possible only after a cause has been determined. Recording and closing tickets is part of the subsequent documentation process, but is not the primary focus of incident response.

