Week 8

Questions and Answers

What does CSIRT stand for in the context of computer security?

Computer Security Incident Response Team (correct)

Certified Security Incident Response Team

Certified Systematic Incident Resolution Team

Computer Security Induction and Training

How are the members of CSIRT selected?

Randomly chosen from different departments

Based on seniority within the organization

Selected based on skills and access privileges (correct)

Chosen through a lottery system

What are the different ways in which training for CSIRT members can be conducted?

Only through university courses

Individual self-paced learning

National training programs and conferences (correct)

Exclusively through online tutorials

What are the general categories of strategies mentioned for Incident Response (IR)?

Protect and forget, Apprehend and prosecute

Which of the following is NOT a general section of an incident response plan?

Resolution

What does the process of Incident Classification involve?

Categorizing incidents based on severity and type

What is a possible indicator of an incident related to computing resources?

Unusual system crashes

Which action is part of the response actions in incident handling?

Disabling compromised user accounts

What is a definite indicator of an incident according to the text?

Use of dormant accounts

When developing an Incident Response (IR) Plan, what should be the first step for containment/eradication?

Identify the affected area

Which of the following is NOT a probable indicator of an incident?

Notification from IDS

What is one containment strategy mentioned in the text for Incident Response?

Temporarily disable compromised process or service

What are the five strategies to test contingency plans?

Desk check, Structured walk-through, Simulation, Parallel testing, Full interruption

In an Incident Response (IR) plan, what should be done after informing appropriate human resources?

Assess full extent of the damage

How often should an IR Plan be reviewed?

Every one year or less

What action should be taken based on the results of After-action reviews (AARs) of the IR plan?

Revise plan to correct deficiencies

Which step is NOT part of the recovery operations in an Incident Response plan?

Terminate all IT systems temporarily

What is the purpose of using a structured walk-through in testing contingency plans?

To identify potential issues and gaps

Study Notes

Organizing the Computer Security Incident Response Team (CSIRT)

• CSIRT is a group of individuals who respond to incidents, selected based on skills and access privileges
• Different CSIRT subteams can be formed based on scope and type of incident
• Training members can occur through national training programs, conferences, and mentoring-type training

Creating IR Contingency Strategies

• Plan how to respond to various incidents, with strategies varying greatly depending on the circumstances
• General categories of strategies include:
  • Protect and forget
  • Apprehend and prosecute

Developing the Incident Response (IR) Plan

• The IR plan includes general sections on:
  • Identification
  • Response
  • Containment and eradication
  • Recovery
• Incident classification involves evaluating organizational events and identifying possible indicators of an incident, such as:
  • Presence of unfamiliar files
  • Presence of unknown programs or processes
  • Unusual consumption of computing resources
  • Unusual system crashes
• Probable indicators of an incident include:
  • Activities at unexpected times
  • Presence of new accounts
  • Reported attacks
  • Notification from IDS
• Definite indicators of an incident include:
  • Use of dormant accounts
  • Modified or missing logs
  • Presence of hacker tools
  • Notifications by a partner or peer
  • Notification by hacker
• Response actions include:
  • Notification
  • Documenting the incident
  • Interviewing individuals involved

Containment and Eradication

• Containment strategies include:
  • Disabling compromised user accounts
  • Reconfiguring firewall to block problem traffic
  • Temporarily disabling compromised process or service
  • Taking down the conduit application or server
  • Stopping all computers and network devices

Recovery

• Recovery involves:
  • Informing appropriate human resources
  • Assessing the full extent of the damage
  • Beginning recovery operations based on the IR plan
  • Steps include:
    • Identifying and resolving vulnerabilities
    • Restoring data
    • Restoring services and processes
    • Restoring confidence across the organization
  • After-action review

Ensuring Plan Testing, Training, and Exercises

• Five strategies to test contingency plans include:
  • Desk check
  • Structured walk-through
  • Simulation
  • Parallel testing
  • Full interruption
  • War gaming

IR Plan Maintenance

• The IR plan should be periodically reviewed, every one year or less
• Shortcomings should be noted, and deficiencies may come to light based on:
  • After-action reviews
  • Use of the plan for actual incidents
  • Use of the plan for simulated incidents
  • Review during periodic maintenance
• Revise the plan to correct deficiencies

Description

This quiz covers indicators of an incident as part of developing an Incident Response (IR) Plan. Topics include possible indicators like presence of unknown programs, unusual system crashes, and probable indicators like activities at unexpected times and notification from IDS.