CHAPTER 41: Incident Response, Communication, and Professionalism
_______ ______ ________ (___) is a group of security controls designed to restrict the usage or proliferation of copyrighted software and products.
Digital Rights Management (DRM)
Incident Response Life Cycle: 1. _________ 2. _____ and _______ 3. ______, _______, and ______ 4. _____-_____ ______
1. Preparation 2. Detection and analysis 3. Containment, eradication, and recovery 4. Post-incident activity Note: basically the CompTIA 7-step process plus preparation. Imagine yourself as C planning.
Which of the following are good ideas when dealing with customers? (Select two.) ❍ A. Speak clearly. ❍ B. Ignore them. ❍ C. Avoid distractions. ❍ D. Explain to them what they did wrong.
A and C. Speak clearly so that customers understand you, and avoid distractions so that the customers know they have your complete attention.
You are the security administrator for your organization. You have just identified a malware incident. Of the following, what should be your first response? ❍ A. Containment ❍ B. Removal ❍ C. Recovery ❍ D. Monitoring
A. Of the listed answers, most organizations' incident response procedures specify that containment of the malware incident should be first. Next would be the removal of the malware, then recovery of any damaged systems, and finally monitoring (which should actually be going on at all times). But before all of this is the preparation phase, and of course, in the scenario, identification was already performed.
A customer experiences a server crash. When you arrive, the manager is upset about this problem. What do you need to remember in this scenario? ❍ A. Stay calm and do the job as efficiently as possible. ❍ B. Imagine the customer in his underwear. ❍ C. Avoid the customer and get the job done quickly. ❍ D. Refer the customer to your supervisor.
A. There isn't much you can do when a customer is upset except stay calm and fix the problem!
You are a field technician working at a customer's site. One of the workers asks you to load a copy of an organization's purchased software on a personal laptop. What should you do first? ❍ A. Verify that the installation is allowed under the company's licensing agreement. ❍ B. Act as though you are distracted and ignore the user. ❍ C. Leave the premises and inform the police. ❍ D. Tell the worker that installing unlicensed software is illegal. ❍ E. Notify the worker's manager of a security breach.
A. You should first check whether the company allows installations of paid software on personal computers or laptops. If it is allowed, go ahead and do the installation. If not, then you should refuse and notify your manager of the occurrence. Refusal can be tough at times, so be strong, and think about the consequences of your actions. They could directly affect you in a negative way.
A manager suspects that a user has obtained movies and other copyright-protected materials through the use of a BitTorrent client. The incident response tech confirms the suspicion, and as such, the user is in violation of company policy. What should the incident response technician do next? ❍ A. Immediately delete all unauthorized materials. ❍ B. Secure the workstation in a limited-access storage facility. ❍ C. Reprimand the user and apply a content filter to the user's profile. ❍ D. Document the incident and purge all policy-violating materials.
Answer: B. The incident response technician should secure the workstation in a limited-access storage facility until the matter is sorted out. A company can be liable for what its employees download, so the workstation should be securely stored and not disturbed until the matter has been investigated thoroughly. The incident response technician should also contact the network administrator (or network security administrator), inform him or her that the user was able to download a BitTorrent client, and figure out a way to block the use of such clients. NOTE: Documenting the incident isn't enough; the evidence hasn't been secured yet.
Your company has multiple users who work with the same commercial software. What is the best type of license to purchase so that it is in compliance with the EULA? ❍ A. Seat license ❍ B. Commercial license ❍ C. Enterprise license ❍ D. Open source license
Answer: C. You would want to get an enterprise license. This allows multiple users to install the software on their systems, and each can accept the end-user licensing agreement (EULA) individually. Incorrect answers: The terms "seat" and "commercial" licensing might be used for other types of licenses, but generally, the term "enterprise" is widely used when many end-user licenses are required (for example, when you are dealing with Microsoft operating systems and Office software). An open source license doesn't require a purchase. It can be downloaded and freely modified, based on the rules of the open source licensing agreement.
How will speaking with a lot of jargon make a technician sound? ❍ A. Competent ❍ B. Insecure ❍ C. Smart ❍ D. Powerful
B. Too much computer jargon can make an end user think that you do not have the qualifications needed and are masking it with techno-babble.
You find illegal materials on a customer's computer. Your boss commands you to preserve computer evidence until he gets to the scene. What is your boss asking you to begin? ❍ A. Documentation ❍ B. Chain of custody ❍ C. First response ❍ D. GDPR compliance
B. Your boss is asking you to begin the process of a chain of custody: the chronological paper trail of evidence. It is a form of documentation, but a specific one. You were the first responder. These cases will be rare, but you should understand the terminology and what to do if you find illegal materials.
You have been asked by a customer at a hospital to perform routine maintenance on a laser printer. Before you begin, you notice PHI has printed out. What should you do first? ❍ A. Ensure the paper tray is full so that everything can print. ❍ B. Place the printed output in a secure recycle bin and begin maintenance. ❍ C. Kindly warn the customer that printing PHI at work is a HIPAA violation. ❍ D. Ask the customer to move the printed output to another area.
D. Ask the customer to move the confidential information. Protected health information (PHI) is information that is protected under the HIPAA Privacy Rule. Before ensuring that the paper tray is full, you should first ask the customer to remove the private information. You should never throw away or recycle customer printed output unless they ask you to. Printing PHI at a hospital is routine and not a HIPAA violation. Remember to always behave professionally and protect people's privacy. If you make this a regular practice, you will often receive a customer's gratitude, and as time goes on, you will increase your job security.
Which of the following is not one of the steps of the incident response process? ❍ A. Eradication ❍ B. Recovery ❍ C. Containment ❍ D. Non-repudiation
D. Non-repudiation, although an important part of security, is not part of the incident response process. Non-repudiation means that you have irrefutable proof that a person did something—it might include logs, audit trails, and so on. Eradication, containment, and recovery are all parts of the incident response process.
Which type of regulated data is specifically protected under the HIPAA Privacy Rule? ❍ A. PII ❍ B. PCI ❍ C. GDPR ❍ D. PHI
D. Protected health information (PHI) is information that is protected under the HIPAA Privacy Rule. The Health Insurance Portability and Accountability Act (HIPAA) is a wide-ranging act that governs the protection of all kinds of health information. Personally identifiable information (PII) is information used to uniquely identify, contact, or locate a person. The payment card industry (PCI) encompasses anything that concerns credit cards, debit cards, ATMs, or point-of-sale (POS) machines. The General Data Protection Regulation (GDPR) is a European Union regulation that deals with data protection and privacy.
The _____ _____ _____ _____ (____) is a European Union regulation that deals with data protection and privacy for people who live in the EU.
General Data Protection Regulation
_______ _______ is the set of procedures that any investigator follows when examining a technology incident. How you first respond, how you document the situation, and your ability to establish a chain of custody are all important to your investigating skills.
Incident response
The ___ ___ ____ ____ ___ Standards (PCI-DSS) define how credit card data is to be transacted and stored.
Payment Card Industry Data Security Standards (PCI-DSS).
_______ ______ _________ (___) is information used to uniquely identify, contact, or locate a person. This type of information could be a name, birthday, Social Security number, biometric information, and so on.
Personally identifiable information (PII)
_________ __________ __________ (___) is information that is protected under the HIPAA Privacy Rule. The Health Insurance Portability and Accountability Act (HIPAA) is a wide-ranging act, passed in 1996, that governs the protection of all kinds of health information. It includes medical and insurance records, plus associated hospital and laboratory test results (like DNA testing!).
Protected health information (PHI)
If you are required to preserve evidence, one way to do this is through ______ of _______, the chronological documentation or paper trail of evidence. It documents who had custody of the evidence all the way up to litigation (if necessary), and logs the transfer of evidence from person to person.
chain of custody
Commercial licensing is ______-source, meaning the user or corporation is usually not allowed to share or modify the software.
closed
___-______ _______ _______ (____) is a licensing agreement between a software vendor and the end user. In most cases, the end user is required to agree to the _____ before using the product.
end-user licensing agreement (EULA)
An ______ is simply something that happens within your computer or on the network. It could be good or bad. For example, an event could be an administrator connecting a system to another system through a mapped network drive according to the organization's procedures.
event
An _______ is when there is an imminent threat or an outright violation of security policies, and a security breach has occurred.
incident
A legal ____ is a process that an organization uses to preserve all forms of relevant information when litigation is reasonably anticipated. If a legal hold notice has been given to the backup service, they will not destroy the old backup tapes until the hold is lifted.
legal hold (from Dion)
The _____ _____ _______ (___) encompasses anything that concerns credit cards, debit cards, ATMs, point-of-sale (POS) machines, and so on, that organizations use or transact with when dealing with user cardholder data.
payment card industry (PCI)
From Dion: When conducting incident response, you must (1) identify, (2) report, and (3) preserve the data/device. Therefore, the first step of the incident response is to identify the issue.