incident response handling

Role-based responsibility

Non-technical departments with defined responsibilities in incident response: legal, HR, marketing.

Triage

A method of prioritizing the treatment of incidents. Factors used to rank them: data integrity, downtime, economic/publicity impact, scope, detection time, recovery time.
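The six triage factors above can be turned into a repeatable ranking. The following is an added example, not part of the original study set: the weights, the 0-5 rating scale, and the bands that map "systems affected" and "hours undetected" onto that scale are assumptions for illustration, and the three incidents are constructed, not real cases.

```python
"""Incident triage scoring: rank incidents by the factors in the triage card."""
from dataclasses import dataclass

# Assumed weights per triage factor. Data integrity gets the largest weight
# because the value of the data at risk is usually the deciding factor; a real
# CIRT would tune these to its own risk appetite.
WEIGHTS = {
    "data_integrity": 5,
    "downtime": 3,
    "economic_publicity": 3,
    "scope": 2,
    "detection_time": 1,
    "recovery_time": 1,
}


def scope_rating(systems_affected: int) -> int:
    """Map a count of affected systems to a 0-5 rating (assumed bands)."""
    for limit, rating in ((0, 0), (1, 1), (5, 2), (20, 3), (100, 4)):
        if systems_affected <= limit:
            return rating
    return 5


def detection_time_rating(hours_undetected: float) -> int:
    """Map dwell time before detection to a 0-5 rating (assumed bands)."""
    for limit, rating in ((1, 0), (24, 1), (24 * 7, 2), (24 * 30, 3), (24 * 90, 4)):
        if hours_undetected < limit:
            return rating
    return 5


@dataclass(frozen=True)
class Incident:
    ticket: str
    summary: str
    data_integrity: int      # 0-5: value of the data whose integrity is at risk
    downtime: int            # 0-5: cost of the system being unavailable
    economic_publicity: int  # 0-5: financial and reputational exposure
    systems_affected: int    # raw count, converted to a scope rating
    hours_undetected: float  # raw dwell time, converted to a detection-time rating
    recovery_time: int       # 0-5: expected remediation effort

    def factors(self) -> dict:
        """Every triage factor as a 0-5 rating, derived where necessary."""
        return {
            "data_integrity": self.data_integrity,
            "downtime": self.downtime,
            "economic_publicity": self.economic_publicity,
            "scope": scope_rating(self.systems_affected),
            "detection_time": detection_time_rating(self.hours_undetected),
            "recovery_time": self.recovery_time,
        }


def triage_score(incident: Incident) -> int:
    """Weighted sum of the factor ratings; rejects ratings outside 0-5."""
    factors = incident.factors()
    for name, rating in factors.items():
        if not 0 <= rating <= 5:
            raise ValueError(f"{name} rating {rating} is outside 0-5")
    return sum(WEIGHTS[name] * rating for name, rating in factors.items())


def prioritize(incidents):
    """Return (ticket, score) pairs, highest priority first, ties by ticket id."""
    scored = ((i.ticket, triage_score(i)) for i in incidents)
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    Incident("INC-101", "Public web page defaced", data_integrity=1, downtime=2,
             economic_publicity=4, systems_affected=1, hours_undetected=2, recovery_time=1),
    Incident("INC-102", "Ransomware on file server holding customer records",
             5, 4, 4, 8, 1, 4),
    Incident("INC-103", "Adware on one workstation", 0, 1, 0, 1, 48, 1),
]

if __name__ == "__main__":
    for ticket, score in prioritize(SAMPLE_INCIDENTS):
        print(ticket, score)
```

The ransomware case ranks first on the strength of data integrity alone, and the defacement outranks the adware because of its publicity impact even though both touch a single system; that is the point of weighting rather than counting factors.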

Containment Phase

The hardest and most important decision made during an incident. Decision points for containment include:
- What is the scope of the incident?
- What type of device is affected?
- What is the network reachability of the affected device?
- How quickly can the incident response team get containment in place?
- How quickly is containment needed?
- Is escalation or reporting required?

The NIST Computer Security Incident Handling Guide (Special Publication 800-61) identifies the following phases in the incident response lifecycle.

Incident response phases:
- Preparation
- Detection and analysis (identification)
- Containment, eradication, and recovery
- Post-incident activity

downtime

The period of time during which a system is unavailable; as a triage factor, the cost incurred while the system is down.

Incident Response Plan

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization's information system(s).

post-incident activity

Analyzing the incident and the response to it to identify whether procedures or systems could be improved. Ensure the incident is fully documented ("lessons learned").

Cyber Incident Response Team(CIRT/CSIRT)

The incident response personnel, equipped with appropriate detection and analysis software.

incident management or incident response procedures

The actions and guidelines for dealing with security incidents. An incident is an event in which security is breached or a breach is attempted: "the act of violating an explicit or implied security policy".

economic/publicity

The financial and reputational cost of an incident; both data integrity and downtime have publicity (marketing) consequences.

scope

Broadly, the number of systems affected.

identification/ detection and analysis

Determine whether an incident has taken place and its scope and severity. Notify the organization.

analysis and incident identification phase

Classifying and prioritizing incidents, and weeding out false positives.

Eradication and recovery

- Investigation: determine the cause.
- Containment: ensure that valuable systems or data are not at risk.
- Hot swap: switch to a backup system.
- Prevention: countermeasures to end the incident (these may destroy evidence).

Containment, eradication, and recovery

Limiting the scope and impact of the incident. The cause can then be removed and the system brought back to a secure state.

preparation

Making the system resilient to attack in the first place. Includes hardening, policies, and procedures.

first responder

Member of the CIRT who takes charge of a reported incident.

recovery time

Some incidents require lengthy remediation because the system changes required are complex to implement. This period calls for heightened alertness to continued attacks.

detection time

The time taken to detect an intrusion. This factor demonstrates that the systems used to search for intrusions must be thorough and the response to detections must be fast.

data integrity

The most important factor in prioritizing incidents will often be the value of the data that is at risk.

identification phase

The process of collating events and determining whether any of them should be managed as incidents. Precursors are events that make an incident more likely to happen.
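Collating events into incident candidates (this card) and separating real incidents from false positives (the "analysis and incident identification phase" card) can be shown in code. This is an added example, not part of the original study set: the split of event types into precursors and indicators, the 30-minute per-host correlation window, the three-precursor threshold, and the sample events are all constructed assumptions for illustration.

```python
"""Identification phase: collate raw events per host and decide which clusters
should be managed as incidents."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed taxonomy. Precursors suggest an incident may follow; indicators
# suggest one is already under way. Real environments maintain their own lists.
PRECURSORS = {"portscan", "vuln_scan", "auth_fail"}
INDICATORS = {"new_cron", "av_detect", "outbound_c2"}
WINDOW = timedelta(minutes=30)   # assumed: events on one host within 30 min belong together
PRECURSOR_THRESHOLD = 3          # assumed: this many precursors alone justify an incident

# Constructed sample events in a simple "timestamp key=value ..." form (not real logs).
SAMPLE_EVENTS = [
    "2024-03-01T09:00:05 host=web01 type=portscan src=203.0.113.7",
    "2024-03-01T09:03:10 host=web01 type=auth_fail user=admin src=203.0.113.7",
    "2024-03-01T09:04:12 host=web01 type=auth_fail user=admin src=203.0.113.7",
    "2024-03-01T09:05:30 host=web01 type=auth_success user=admin src=203.0.113.7",
    "2024-03-01T09:06:00 host=web01 type=new_cron user=admin",
    "2024-03-01T10:15:00 host=db02 type=auth_fail user=svc_backup src=10.0.0.5",
    "2024-03-01T11:00:00 host=ws17 type=av_detect name=Adware.Generic",
]


def parse_event(line: str) -> dict:
    """Split one event line into a dict with a parsed 'ts' timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def classify(event: dict, prior_failures: int):
    """Return 'precursor', 'indicator' or None for a single event.

    A login success after two or more failures for the same host/user within
    the cluster is promoted to an indicator: guessing that worked is no longer
    just a precursor. That rule is an assumption of this example."""
    kind = event["type"]
    if kind in INDICATORS:
        return "indicator"
    if kind == "auth_success" and prior_failures >= 2:
        return "indicator"
    if kind in PRECURSORS:
        return "precursor"
    return None


def identify(lines):
    """Group events per host into time clusters and give each a disposition.

    'incident' clusters go to the CIRT; 'monitor' clusters (stray precursors
    that never escalated) stay as informational events, which is where most
    false positives end up."""
    by_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        by_host[event["host"]].append(event)

    clusters = []
    for host, events in sorted(by_host.items()):
        events.sort(key=lambda e: e["ts"])
        cluster = None
        for event in events:
            if cluster is None or event["ts"] - cluster["start"] > WINDOW:
                cluster = {"host": host, "start": event["ts"], "end": event["ts"],
                           "precursors": 0, "indicators": 0, "events": [],
                           "_failures": defaultdict(int)}
                clusters.append(cluster)
            cluster["end"] = event["ts"]
            user = event.get("user")
            kind = classify(event, cluster["_failures"][user])
            if event["type"] == "auth_fail":
                cluster["_failures"][user] += 1
            if kind:
                cluster[kind + "s"] += 1
                cluster["events"].append(f"{kind}:{event['type']}")

    for cluster in clusters:
        del cluster["_failures"]
        escalate = cluster["indicators"] > 0 or cluster["precursors"] >= PRECURSOR_THRESHOLD
        cluster["disposition"] = "incident" if escalate else "monitor"
    return clusters


if __name__ == "__main__":
    for c in identify(SAMPLE_EVENTS):
        print(c["host"], c["disposition"], c["precursors"], c["indicators"], c["events"])
```

Run on the sample, web01 becomes an incident twice over (three precursors, plus the successful login after failures and the new cron job as indicators), ws17 becomes an incident on a single indicator, and the lone failed login on db02 is only monitored; if more failures arrive within the window it would cross the threshold and be promoted.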

