CompTIA Quiz: Lesson 2


Incident response course of action: Analysis

An early stage in the process; it involves determining whether a genuine incident has been identified and what level of priority it should be assigned. Gathering and preserving evidence is not a consideration at this point.

Sherwood Applied Business Security Architecture (SABSA)

It is a methodology for providing information assurance aligned to business needs and driven by risk analysis.

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of defense in depth. A meeting is scheduled with IT staff to brainstorm ideas for implementing defense in depth throughout the organization. Which of the following ideas are consistent with this industry best practice? A) Provide user training on identifying cyber threats. B) Adopt a vendor-specific stance. C) Align administrative and technical controls with control functions. D) Move endpoint security to the firewall.

A (Provide user training on identifying cyber threats.) & C (Align administrative and technical controls with control functions.)
Defense in depth means an attacker must get past multiple security controls to fully compromise a network. Since employees are the greatest security risk, user training is a critical component of defense in depth. Vendor-specific policies are not consistent with defense in depth: a single vendor often means less innovation, the likelihood that some of the bundled products will be second-rate, and a more vulnerable attack surface due to reliance on a single supplier's code.
Administrative and technical controls should align with the control functions: prevent, deter, detect, correct, and compensate. Endpoint security is a set of security procedures and technologies designed to restrict network access at the device level. Endpoint security contrasts with the focus on perimeter security, such as firewalls.

Control Objectives for Information and Related Technologies (COBIT)

An IT governance framework with security as a core component. It is published by ISACA and is also a commercial product, available through APMG International.

Incident management relies heavily on efficient allocation of resources. Which of the following factors should the IT manager consider in order to effectively triage remediation efforts? A) Planning time B) Downtime C) Detection time D) Recovery time

B) Downtime, C) Detection time, & D) Recovery time
B) Downtime is a critical factor to consider: the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process.
C) Detection time is an important consideration; it requires that the systems used to search for intrusions are thorough and that the response to detections is fast.
D) Recovery time must be considered, as some incidents that require complex system changes need lengthy remediation. This extended recovery period should trigger heightened alertness for continued or new attacks.

A response team has to balance the need for business continuity with the desire to preserve evidence when making incident management decisions. Which of the following would be an effective course of action for the goal of collecting and preserving evidence to pursue prosecution of the attacker(s)? A) Analysis B) Quarantine C) Hot swap D) Prevention

B) Quarantine & C) Hot swap
B) Quarantining is the process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident. This allows for analysis of the attack and collection of evidence.
C) A hot swap involves bringing a backup system into operation while the live system is frozen to preserve evidence of the attack.

The recovery phase of an incident response involves several steps. Which of the following is NOT a step in the recovery phase? A) Re-audit security controls. B) Reconstitute affected systems. C) Prepare a lessons learned report. D) Notify affected parties with instructions to remediate affected systems.

C) Prepare a lessons learned report. Preparing a "lessons learned" report is part of the lessons learned phase, which comes after the recovery phase.

Incident management: Planning time

Can refer to the expected time for completing a project plan, or a period of time that is scheduled for an IT team to work together to plan out projects. It is not a consideration for incident remediation efforts.

After a poorly handled security breach, a company updates its security policy to include an improved incident response plan. Which type of security control does this update address?

Corrective. An incident response plan is corrective: it responds to and fixes an incident. It may also prevent its recurrence.

What are the stages of the incident response lifecycle in the correct order?

Preparation > Identification > Containment, Eradication, and Recovery > Lessons Learned
Stage 1. Preparation requires making the system resilient to attack in the first place (hardening systems, writing policies and procedures, and establishing confidential lines of communication).
Stage 2. Identification involves determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders.
Stage 3. Containment, Eradication, and Recovery is limiting the scope and impact of the incident. Once the incident is contained, the cause can then be removed and the system brought back to a secure state.
Stage 4. Lessons learned consists of analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.

The first responder to a security incident determines if the situation requires escalation. What is an example of escalation?

The first responder calls senior staff to get them involved. Escalation is the process of involving additional senior staff to assist in incident management when the first responder feels the situation is too complex to be managed alone. "Pulling the plug" on an affected system is an option to contain an attack, but it is not the definition of escalation. Although it is important to have access to legal experts who can evaluate incident response from the perspective of compliance with laws and industry regulations, contacting the legal department is not an example of escalation. The term escalation can also describe a user gaining additional privileges without authorization; however, that is within the context of privilege management, not incident response.

There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples of appropriate methods are Intrusion Detection System (IDS) alerts and firewall alerts. What else would be of interest to the IT department during this phase?

A) A media report of a newly discovered vulnerability in the version of software that is currently running would be valuable information that should be addressed immediately.
B) A whistleblower with information about a potential insider threat would be worthy of pursuit. ("Out of band" refers to an authenticated communications channel separate from the company's primary channel.)
Not of interest: if the marketing department is trying to post a document that has been identified as confidential data, the IT department would not be concerned, since the company's data loss prevention mechanisms are working.

In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? A) What damage has already occurred? B) Which password policy will prevent this in the future? C) What actions could alert the attacker that the attack has been detected? D) What countermeasures are available?

B) Which password policy will prevent this in the future?
The CIRT would not be concerned about future password policy during the containment phase, since it is not a critical issue at that point in incident response. During the containment phase, it is essential to assess what damage or theft has already occurred, as well as how much more damage could occur and in what time frame. Alerting the attacker that the attack has been detected could lead to retaliatory attacks prepared in advance by the attacker, so this needs to be considered in how the response proceeds. The CIRT also needs to determine what evidence of the attack must be gathered and preserved. Available countermeasures to the attack, as well as their associated costs and implications, are a consideration during this phase.

International Organization for Standardization (ISO)

Develops standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27000 series). It is a commercial product.

Compensating security control

Does not prevent the attack. Instead, it restores the function of the system through other means, such as using data backup or an alternative site.

During the recovery phase of an incident response lifecycle what should be done regarding affected parties?

Ensure that affected parties are notified and provided with the means to remediate their own systems.

Deterrent security control

May not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.

Detective security control

May not prevent or deter access, but will identify and record any attempted or successful intrusion.

Reconstituting affected systems

Means either removing malicious files or tools from affected systems or restoring the systems from secure backups. This is part of the recovery phase.

Incident response course of action: Prevention

Occurs when the response team takes countermeasures to end the incident on the live system, without regard to preserving evidence.

Re-auditing security controls

Part of the recovery phase and ensures the controls are not vulnerable to another attack. The attacker gained information about the network in the current attack, which could be used to launch a second attempt.

National Institute of Standards and Technology (NIST)

The only framework within the IT governance space focusing solely on security. Its standards are used by US federal agencies, and it publishes cybersecurity best practice guides and research.
