Week 8
18 Questions
Questions and Answers

What does CSIRT stand for in the context of computer security?

  • Computer Security Incident Response Team (correct)
  • Certified Security Incident Response Team
  • Certified Systematic Incident Resolution Team
  • Computer Security Induction and Training

How are the members of CSIRT selected?

  • Randomly chosen from different departments
  • Based on seniority within the organization
  • Selected based on skills and access privileges (correct)
  • Chosen through a lottery system

What are the different ways in which training for CSIRT members can be conducted?

  • Only through university courses
  • Individual self-paced learning
  • National training programs and conferences (correct)
  • Exclusively through online tutorials

What are the general categories of strategies mentioned for Incident Response (IR)?

  • Protect and forget, Apprehend and prosecute (correct)

Which of the following is NOT a general section of an incident response plan?

  • Resolution (correct)

What does the process of Incident Classification involve?

  • Categorizing incidents based on severity and type (correct)

What is a possible indicator of an incident related to computing resources?

  • Unusual system crashes (correct)

Which action is part of the response actions in incident handling?

  • Disabling compromised user accounts (correct)

What is a definite indicator of an incident according to the text?

  • Use of dormant accounts (correct)

When developing an Incident Response (IR) Plan, what should be the first step for containment/eradication?

  • Identify the affected area (correct)

Which of the following is NOT a probable indicator of an incident?

  • Notification from IDS (correct)

What is one containment strategy mentioned in the text for Incident Response?

  • Temporarily disable compromised process or service (correct)

What are the five strategies to test contingency plans?

  • Desk check, Structured walk-through, Simulation, Parallel testing, Full interruption (correct)

In an Incident Response (IR) plan, what should be done after informing appropriate human resources?

  • Assess full extent of the damage (correct)

How often should an IR Plan be reviewed?

  • Every one year or less (correct)

What action should be taken based on the results of After-action reviews (AARs) of the IR plan?

  • Revise plan to correct deficiencies (correct)

Which step is NOT part of the recovery operations in an Incident Response plan?

  • Terminate all IT systems temporarily (correct)

What is the purpose of using a structured walk-through in testing contingency plans?

  • To identify potential issues and gaps (correct)

Study Notes

Organizing the Computer Security Incident Response Team (CSIRT)

• CSIRT is a group of individuals who respond to incidents, selected based on skills and access privileges
• Different CSIRT subteams can be formed based on scope and type of incident
• Training members can occur through national training programs, conferences, and mentoring-type training

Creating IR Contingency Strategies

• Plan how to respond to various incidents, with strategies varying greatly depending on the circumstances
• General categories of strategies include:
  • Protect and forget
  • Apprehend and prosecute

Developing the Incident Response (IR) Plan

• The IR plan includes general sections on:
  • Identification
  • Response
  • Containment and eradication
  • Recovery
• Incident classification involves evaluating organizational events and identifying possible indicators of an incident, such as:
  • Presence of unfamiliar files
  • Presence of unknown programs or processes
  • Unusual consumption of computing resources
  • Unusual system crashes
• Probable indicators of an incident include:
  • Activities at unexpected times
  • Presence of new accounts
  • Reported attacks
  • Notification from IDS
• Definite indicators of an incident include:
  • Use of dormant accounts
  • Modified or missing logs
  • Presence of hacker tools
  • Notifications by a partner or peer
  • Notification by hacker
• Response actions include:
  • Notification
  • Documenting the incident
  • Interviewing individuals involved

Containment and Eradication

• Containment strategies include:
  • Disabling compromised user accounts
  • Reconfiguring firewall to block problem traffic
  • Temporarily disabling compromised process or service
  • Taking down the conduit application or server
  • Stopping all computers and network devices

Recovery

• Recovery involves:
  • Informing appropriate human resources
  • Assessing the full extent of the damage
  • Beginning recovery operations based on the IR plan
  • Steps include:
    • Identifying and resolving vulnerabilities
    • Restoring data
    • Restoring services and processes
    • Restoring confidence across the organization
  • After-action review

Ensuring Plan Testing, Training, and Exercises

• Five strategies to test contingency plans include:
  • Desk check
  • Structured walk-through
  • Simulation
  • Parallel testing
  • Full interruption
  • War gaming

IR Plan Maintenance

• The IR plan should be periodically reviewed, every one year or less
• Shortcomings should be noted, and deficiencies may come to light based on:
  • After-action reviews
  • Use of the plan for actual incidents
  • Use of the plan for simulated incidents
  • Review during periodic maintenance
• Revise the plan to correct deficiencies

Related Documents

7 9780840024220_PPT_ch11.pdf

Description

This quiz covers indicators of an incident as part of developing an Incident Response (IR) Plan. Topics include possible indicators such as the presence of unknown programs and unusual system crashes, and probable indicators such as activities at unexpected times and notification from an IDS.
