Sec Plus Lesson 2 Comparing and Contrasting Security Controls


Arrange the following stages of the incident response lifecycle in the correct order. A. Preparation; Identification; Containment, Eradication, and Recovery; Lessons Learned B. Identification; Preparation; Containment, Eradication, and Recovery; Lessons Learned C. Containment, Eradication, and Recovery; Identification; Preparation; Lessons Learned D. Identification; Containment, Eradication, and Recovery; Preparation; Lessons Learned

A. Stage 1, Preparation, requires making the system resilient to attack in the first place (hardening systems, writing policies and procedures, and establishing confidential lines of communication). Stage 2, Identification, involves determining whether an incident has taken place and assessing how severe it might be, followed by notification of the incident to stakeholders. Stage 3, Containment, Eradication, and Recovery, is limiting the scope and impact of the incident. Once the incident is contained, the cause can then be removed and the system brought back to a secure state. Stage 4, Lessons Learned, consists of analyzing the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident.

There are a variety of methods for indicating a potential security breach during the identification and detection phase of incident response. Two examples of appropriate methods are Intrusion Detection System (IDS) alerts and firewall alerts. Evaluate the following evidence and select the alternate methods that would be of most interest to the IT department during this phase. (Select two) A. A daily industry newsletter reports on a new vulnerability in the software version that runs on the company's server. B. An anonymous employee uses an "out of band" communication method to report a suspected insider threat. C. The marketing department contacts the IT department because they can't post a company document to the company's social media account. D. An employee calls the help desk because the employee is working on a file and is unable to save it to a USB to work on at home.

A & B. A media report of a newly discovered vulnerability in the version of software that's currently running would be valuable information that should be addressed immediately. A whistleblower with information about a potential insider threat would be worthy of pursuit. "Out of band" is an authenticated communications channel separate from the company's primary channel. If the marketing department is trying to post a document that has been identified as confidential data, the IT department would not be concerned since the company's data loss prevention mechanisms are working.

The IT department head returns from an industry conference feeling inspired by a presentation on the topic of defense in depth. A meeting is scheduled with IT staff to brainstorm ideas for implementing defense in depth throughout the organization. Which of the following ideas are consistent with this industry best practice? (Select two) A. Provide user training on identifying cyber threats. B. Adopt a vendor-specific stance. C. Align administrative and technical controls with control functions. D. Move endpoint security to the firewall.

A and C. Defense in depth means an attacker must get past multiple security controls to fully compromise a network. Since employees are the greatest security risk, user training is a critical component of defense in depth. Administrative and technical controls should align with the control functions: prevent, deter, detect, correct, and compensate.

Detective

A detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.

Deterrent

A deterrent control may not physically or logically prevent access, but it psychologically discourages an attacker from attempting an intrusion.

After a poorly handled security breach, a company updates its security policy with an improved incident response plan. Which of the following security controls does this update include? A. Compensating B. Deterrent C. Corrective D. Detective

An incident response plan is corrective. It responds to and fixes an incident. It may also prevent its recurrence.

Analysis

Analysis is an early stage in the process and involves determining whether a genuine incident has been identified and what level of priority it should be assigned. Gathering and preserving evidence is not a consideration at this point.

In the containment phase of incident response, the Cyber Incident Response Team (CIRT) faces complex issues that need to be addressed quickly. During this phase, a member of the CIRT would be concerned about all EXCEPT which of the following issues? A. What damage has already occurred? B. Which password policy will prevent this in the future? C. What actions could alert the attacker that the attack has been detected? D. What countermeasures are available?

B. The CIRT would not be concerned about future password policy during the containment phase since it is not a critical issue in incident response. During the containment phase, it is essential to assess what damage or theft has already occurred, as well as how much more damage could occur and in what time frame. Alerting the attacker that the attack has been detected could lead to retaliatory attacks prepared in advance by the attacker, so it needs to be considered in how the response proceeds. The CIRT also needs to determine what evidence of the attack must be gathered and preserved. Available countermeasures to the attack, as well as their associated costs and implications, are a consideration during this phase.

The first responder to a security incident determines if the situation requires escalation. Consider the following, and select the scenario that best describes escalation in this situation. A. The first responder calls the company's legal team. B. The first responder shuts down the affected system. C. The first responder calls senior staff to get them involved. D. The first responder reviews user privileges to look for users who may have gained unauthorized privileges.

C. Escalation is the process of involving additional senior staff to assist in incident management when the first responder feels the situation is too complex to be managed alone. "Pulling the plug" on an affected system is an option to contain an attack, but it is not the definition of escalation. Although it is important to have access to legal experts who can evaluate incident response from the perspective of compliance with laws and industry regulations, contacting the legal department is not an example of escalation. The term escalation can be used to describe when a user gains additional privileges without authorization. However, this is within the context of privilege management, not incident response.

Control Objectives for Information and Related Technologies (COBIT)

COBIT is an IT governance framework with security as a core component. COBIT is published by ISACA and is also a commercial product, available through APMG International.

Compensating

A compensating control does not prevent the attack, but rather restores the function of the system through other means, such as using a data backup or an alternative site.

Incident management relies heavily on efficient allocation of resources. Which of the following factors should the IT manager consider in order to effectively triage remediation efforts? (Choose THREE) A. Planning time B. Downtime C. Detection time D. Recovery time

Downtime is a critical factor to consider: the degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. Detection time is an important consideration, requiring that the systems used to search for intrusions are thorough and that the response to detections is fast. Recovery time must be considered, as some incidents require complex system changes and lengthy remediation. This extended recovery period should trigger heightened alertness for continued or new attacks. Planning time can refer to the expected time for completing a project plan, or a period of time scheduled for an IT team to work together to plan out projects. It is not a consideration for incident remediation efforts.

Endpoint Security

Endpoint security is a set of security procedures and technologies designed to restrict network access at a device level. Endpoint security contrasts with the focus on perimeter security, like firewalls.

Notify affected parties with instructions to remediate affected systems.

Ensuring that affected parties are notified and provided with the means to remediate their own systems is part of the recovery phase.

International Organization for Standardization (ISO)

ISO develops standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (the 27000 series). Its standards are commercial products.

Which of the following frameworks focuses exclusively on IT security, rather than IT service delivery? A. National Institute of Standards and Technology (NIST) B. International Organization for Standardization (ISO) C. Control Objectives for Information and Related Technologies (COBIT) D. Sherwood Applied Business Security Architecture (SABSA)

The National Institute of Standards and Technology (NIST) is the only framework within the IT governance space focusing solely on security. Its standards are used by US federal agencies, and it publishes cybersecurity best practice guides and research.

The recovery phase of an incident response involves several steps. Which of the following is NOT a step in the recovery phase? A. Re-audit security controls. B. Reconstitute affected systems. C. Prepare a lessons learned report. D. Notify affected parties with instructions to remediate affected systems.

Preparing a "lessons learned" report is part of the lessons learned phase, which is after the recovery phase.

Prevention

Prevention occurs when the response team takes countermeasures to end the incident on the live system, without regard to preserving evidence.

A response team has to balance the need for business continuity with the desire to preserve evidence when making incident management decisions. Consider the following and determine which would be effective courses of action for the goal of collecting and preserving evidence to pursue prosecution of the attacker(s). (Choose two) A. Analysis B. Quarantine C. Hot swap D. Prevention

Quarantining is the process of isolating a file, computer system, or computer network to prevent the spread of a virus or another cybersecurity incident. This allows for analysis of the attack and collection of evidence. A hot swap involves bringing a backup system into operation, and the live system is frozen to preserve evidence of the attack.

Re-audit security controls process

Re-auditing security controls is part of the recovery phase and ensures the controls are not vulnerable to another attack. The attacker gained information about the network in the current attack, which could be used to launch a second attempt.

Reconstitute affected systems process

Reconstituting affected systems means either removing malicious files or tools from affected systems or restoring the systems from secure backups. This is part of the recovery phase.

Sherwood Applied Business Security Architecture (SABSA)

SABSA is a methodology for providing information assurance aligned to business needs and driven by risk analysis.

Vendor

Vendor-specific policies are not consistent with defense in depth. A single vendor often means less innovation, the likelihood that some of the bundled products will be second-rate, and a more vulnerable attack surface due to reliance on a single supplier's code.
