Module 1, Unit 4 - Incident Response


Established policies and procedures for dealing with security breaches and the personnel and resources to implement those policies.

Incident Response Plan (IRP)

The actions and guidelines for dealing with security incidents.

Incident Response Procedures

Follow-up actions performed after an incident has been resolved, usually in the form of a meeting, to assess how processes and procedures can be improved.

Lessons Learned

An employee or ex-employee who reports misconduct.

Whistleblower

Within the incident response process, this is the process of making a system resilient to attack in the first place, including hardening, policies, procedures, etc.

Preparation Phase

The process of organizing and labeling any significant data resource.

Classification

What are the 4 phases of the incident response lifecycle defined by NIST?

Preparation, Identification/Detection & Analysis, Containment/Eradication/Recovery, and Post-Incident Activity

What is an incident response playbook?

A data-driven procedure to assist junior analysts in detecting and responding to quite specific cyber threat scenarios.

A test exercise of a mock incident to help staff develop competencies and identify deficiencies in procedures and tools.

Incident Response Exercise

What is a Computer Security Incident Response Team (CSIRT)?

A single point-of-contact for the notification of security incidents

The principle that something should not be so secure that it is completely inaccessible. This principle also involves protecting a resource against loss or damage or DoS attacks.

Availability

The amount of time before a data breach is identified.

Detection Time

A disruption to business processes, caused by an incident.

Downtime

Data integrity and downtime will have effects in the short term through the costs involved in incident response and loss of business, and in the long term through reputation and market standing.

Economic / Publicity

Company policy should set out the procedure for alerting the appropriate individuals of potential incidents, how quickly to do so, and in what manner.

Incident Reporting

Which eradication response is where countermeasures to end the incident are taken on the live system even though it may destroy evidence?

Prevention

In terms of incident response, the number of systems affected, which describes the scale of the incident and its response.

Scope

What NIST special publication identifies the following stages in an incident response lifecycle?

Computer Security Incident Handling Guide

Which eradication response allows the attack to proceed but ensures that valuable systems or data are not at risk?

Containment

Within the incident response process, limiting the scope and impact of the incident.

Containment, Eradication, and Recovery Phase

The team responsible for incident response. This team must have expertise across a number of business domains (IT, HR, Legal, and marketing for instance).

Cyber Incident Response Team (CIRT)/Computer Security Incident Response Team (CSIRT)

An attack that has been successful in obtaining information that should have been kept secret or confidential.

Data Breach

The most important factor in prioritizing incidents will often be the value of data that is at risk.

Data integrity

True or False? The "first responder" is whoever reports an incident to the CSIRT.

False (The appropriate person on the CSIRT to be notified when a suspicious event is detected so that they can take charge of the situation and formulate the appropriate response).

True or False? It is important to publish all security alerts to all members of staff.

False (You must avoid the inadvertent release of information beyond the team authorized to handle the incident as to not alert the attacker to the detection and remediation measures about to be taken against them.)

The critical first steps to take when a security incident is discovered, taken by the first appropriate individuals on the scene.

First Responder

Which eradication response is where a backup system is brought online and the live system frozen to preserve evidence of the attack?

Hot swap

Within the incident response process, determining whether an incident has taken place and assessing how severe it might be.

Identification/Detection and Analysis

What type of actions are appropriate to the containment phase of incident response?

If further evidence needs to be gathered, the best approach would be to quarantine or sandbox the affected system or network; another option is to remove the device (pull the plug) in order to prevent the attacker from widening the attack; if an incident is critical enough that senior staff become involved, then it should be escalated; if it is a data breach, then affected parties must be notified.

The act of violating an explicit or implied security policy, otherwise known as a breach or attempted breach.

Incident

What are the actions and guidelines for dealing with security incidents referred to as?

Incident Management / Incident response procedures

Procedures and guidelines covering appropriate priorities, actions, and responsibilities in the event of security incidents.

Incident Response Plan

Which eradication response is where further investigation is warranted due to the causes of the incident not being clear?

Investigation / escalation

What role does out-of-band messaging play in incident response?

It prevents alerting the attacker that their attack has been detected when CSIRT team member/Law enforcement/regulatory authorities are communicating.

Reviewing security incidents to determine their cause and whether they were avoidable is known as what?

Lessons learned

Within the incident response process, analyzing the incident and responses to identify whether procedures or systems could be improved.

Post-incident Activity Phase

Which recovery step ensures that the system is not vulnerable to another attack?

Re-audit security controls

Which recovery step removes the malicious files or tools from affected systems or restores the systems from secure backups?

Reconstitution of affected systems

Some incidents require lengthy remediation as the system changes required are complex to implement.

Recovery time

What will industries that have strict regulations regarding the safe processing of data set out for notifying affected customers as well as the regulator?

Reporting requirements

The tasks of various experts and business areas that are called upon during a response.

Role-based Responsibilities

The number of systems affected.

Scope
