Questions and Answers
What does CSIRT stand for in the context of computer security?
- Computer Security Incident Response Team (correct)
- Certified Security Incident Response Team
- Certified Systematic Incident Resolution Team
- Computer Security Induction and Training
How are the members of CSIRT selected?
- Randomly chosen from different departments
- Based on seniority within the organization
- Selected based on skills and access privileges (correct)
- Chosen through a lottery system
What are the different ways in which training for CSIRT members can be conducted?
- Only through university courses
- Individual self-paced learning
- National training programs and conferences (correct)
- Exclusively through online tutorials
What are the general categories of strategies mentioned for Incident Response (IR)?
Which of the following is NOT a general section of an incident response plan?
What does the process of Incident Classification involve?
What is a possible indicator of an incident related to computing resources?
Which action is part of the response actions in incident handling?
What is a definite indicator of an incident according to the text?
When developing an Incident Response (IR) Plan, what should be the first step for containment/eradication?
Which of the following is NOT a probable indicator of an incident?
What is one containment strategy mentioned in the text for Incident Response?
What are the five strategies to test contingency plans?
In an Incident Response (IR) plan, what should be done after informing appropriate human resources?
How often should an IR Plan be reviewed?
What action should be taken based on the results of After-action reviews (AARs) of the IR plan?
Which step is NOT part of the recovery operations in an Incident Response plan?
What is the purpose of using a structured walk-through in testing contingency plans?
Study Notes
Organizing the Computer Security Incident Response Team (CSIRT)
- CSIRT is a group of individuals who respond to incidents, selected based on skills and access privileges
- Different CSIRT subteams can be formed based on scope and type of incident
- Training members can occur through national training programs, conferences, and mentoring-type training
Creating IR Contingency Strategies
- Plan how to respond to various incidents, with strategies varying greatly depending on the circumstances
- General categories of strategies include:
- Protect and forget
- Apprehend and prosecute
Developing the Incident Response (IR) Plan
- The IR plan includes general sections on:
- Identification
- Response
- Containment and eradication
- Recovery
- Incident classification involves evaluating organizational events and identifying possible indicators of an incident, such as:
- Presence of unfamiliar files
- Presence of unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes
- Probable indicators of an incident include:
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from IDS
- Definite indicators of an incident include:
- Use of dormant accounts
- Modified or missing logs
- Presence of hacker tools
- Notifications by a partner or peer
- Notification by hacker
- Response actions include:
- Notification
- Documenting the incident
- Interviewing individuals involved
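The three indicator tiers above are only useful if someone actually turns them into detection logic. The following is an added example, not part of the original notes: a small Python triage routine that reads constructed log lines, matches each event against the possible / probable / definite indicators listed above, and reports the strongest tier seen per host. The log format, the business-hours window, the 90-day dormancy threshold, and the program baseline and hacker-tool watchlist are all assumptions made for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator tiers from the notes: a higher rank is stronger evidence of an incident.
POSSIBLE, PROBABLE, DEFINITE = 1, 2, 3
TIER_NAME = {POSSIBLE: "possible", PROBABLE: "probable", DEFINITE: "definite"}

# Assumed tuning values; these are illustrative, not from the notes.
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 counts as expected activity
DORMANT_AFTER = timedelta(days=90)       # an account idle this long is "dormant"
KNOWN_PROGRAMS = {"sshd", "nginx", "postgres"}           # hypothetical baseline
HACKER_TOOLS = {"mimikatz.exe", "nc.exe", "psexec.exe"}  # hypothetical watchlist


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # login | account_created | ids_alert | log_gap | process | file_new
    detail: str


@dataclass
class Finding:
    tier: int
    indicator: str
    event: Event


def parse_line(line: str) -> Event:
    """Parse one constructed log line of the form ts|host|kind|detail."""
    ts, host, kind, detail = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), host, kind, detail)


def classify(events: list[Event], last_login: dict[str, datetime]) -> list[Finding]:
    """Map each event to the indicator tier it matches, if any.

    last_login holds the last known login per user and is left unmodified;
    a copy is advanced as logins are processed so that dormancy is judged
    against the state at the time of each event.
    """
    state = dict(last_login)
    findings: list[Finding] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            prev = state.get(e.detail)
            if prev is not None and e.ts - prev > DORMANT_AFTER:
                findings.append(Finding(DEFINITE, "use of dormant account", e))
            elif e.ts.hour not in BUSINESS_HOURS:
                findings.append(Finding(PROBABLE, "activity at unexpected time", e))
            state[e.detail] = e.ts
        elif e.kind == "account_created":
            findings.append(Finding(PROBABLE, "presence of new account", e))
        elif e.kind == "ids_alert":
            findings.append(Finding(PROBABLE, "notification from IDS", e))
        elif e.kind == "log_gap":
            findings.append(Finding(DEFINITE, "modified or missing logs", e))
        elif e.kind == "process":
            # Take the basename regardless of Windows or POSIX path separators.
            name = re.split(r"[\\/]", e.detail)[-1].lower()
            if name in HACKER_TOOLS:
                findings.append(Finding(DEFINITE, "presence of hacker tools", e))
            elif name not in KNOWN_PROGRAMS:
                findings.append(Finding(POSSIBLE, "unknown program or process", e))
        elif e.kind == "file_new":
            findings.append(Finding(POSSIBLE, "presence of unfamiliar file", e))
    return findings


def triage(log_text: str, last_login: dict[str, datetime]) -> tuple[list[Finding], dict[str, str]]:
    """Return all findings plus the strongest indicator tier seen on each host."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = classify(events, last_login)
    per_host: dict[str, int] = {}
    for f in findings:
        per_host[f.event.host] = max(per_host.get(f.event.host, 0), f.tier)
    return findings, {h: TIER_NAME[t] for h, t in per_host.items()}


# Constructed sample log and login history (not real data).
SAMPLE_LOG = """\
2024-03-04T14:02:11|srv-web-01|login|alice
2024-03-04T23:41:05|srv-web-01|login|bob
2024-03-05T02:15:30|srv-db-01|login|svc_backup_old
2024-03-05T02:16:02|srv-db-01|account_created|support2
2024-03-05T02:17:45|srv-db-01|process|C:\\Temp\\mimikatz.exe
2024-03-05T02:20:00|srv-db-01|log_gap|Security log empty 02:00-02:15
2024-03-05T09:00:00|srv-web-01|process|/usr/bin/sshd
"""
LAST_LOGIN = {
    "alice": datetime(2024, 3, 3, 9, 0),
    "bob": datetime(2024, 3, 1, 17, 30),
    "svc_backup_old": datetime(2023, 10, 1, 3, 0),
}

if __name__ == "__main__":
    found, hosts = triage(SAMPLE_LOG, LAST_LOGIN)
    for f in found:
        print(f"{TIER_NAME[f.tier]:8} {f.event.host:10} {f.indicator}: {f.event.detail}")
    print(hosts)
```

Run stand-alone, the sample yields one probable finding on srv-web-01 (an off-hours login) and a definite rating for srv-db-01, where a dormant service account logged in, a new account appeared, a known attacker tool ran, and a log gap followed. A single possible indicator should trigger investigation rather than a declared incident; the point of the tiers is that a definite indicator on its own, or several probable ones together, justifies activating the IR plan.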
Containment and Eradication
- Containment strategies include:
- Disabling compromised user accounts
- Reconfiguring firewall to block problem traffic
- Temporarily disabling compromised process or service
- Taking down the conduit application or server
- Stopping all computers and network devices
Recovery
- Recovery involves:
- Informing appropriate human resources
- Assessing the full extent of the damage
- Beginning recovery operations based on the IR plan
- Steps include:
- Identifying and resolving vulnerabilities
- Restoring data
- Restoring services and processes
- Restoring confidence across the organization
- After-action review
Ensuring Plan Testing, Training, and Exercises
- Five strategies to test contingency plans (plus war gaming, a sixth, more elaborate option) include:
- Desk check
- Structured walk-through
- Simulation
- Parallel testing
- Full interruption
- War gaming
IR Plan Maintenance
- The IR plan should be reviewed periodically, at least once a year
- Shortcomings should be noted, and deficiencies may come to light based on:
- After-action reviews
- Use of the plan for actual incidents
- Use of the plan for simulated incidents
- Review during periodic maintenance
- Revise the plan to correct deficiencies