Incident Response and Computer Security

Questions and Answers

What is an incident?

A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

What is incident response?

A structured, organized approach to detecting, addressing, and managing the aftermath of a security incident, cyberattack, or data breach.

What is a Denial of Service (DoS) attack?

An attack that prevents or impairs the normal authorized functionality of the organization's networks, systems, or applications.

What is a DDoS attack?

A malicious attempt to disrupt the normal functioning of a server, service, or network by overwhelming it with a flood of internet traffic.

What is malware?

Code that is covertly inserted into another program with the intent of gaining unauthorized access or causing harm.

What is Incident Response Program composed of?

Policies, plans, procedures, and people; it is a roadmap of reporting, responding, and recovery actions.

What are the steps of the Incident Response Process?

Preparation, Detection and Analysis, Containment, Eradication, and Recovery, and Post-Incident Activity (Postmortem)

What is Chain of Custody?

The process of preserving, documenting, and tracking the handling of evidence to maintain its integrity and prove it has not been tampered with during an investigation.

What is Computer Security Incident Response Team (CSIRT)?

Specialized team responsible for detecting, analyzing, and responding to cybersecurity incidents within an organization or community.

What is Product Security Incident Response Team?

Team focused on addressing security vulnerabilities and incidents specifically related to an organization's products or services, ensuring they are identified, mitigated, and communicated effectively.

What are the steps of the Forensic Analysis?

Collection, Examination, Analysis, and Reporting

What is Gramm-Leach-Bliley Act (GLBA)?

Federal requirement that addresses the protection of personally identifiable information (PII) and financial records.

What is Health Information Technology for Economic and Clinical Data Act (HITECH)?

Federal requirement that addresses the protection of personally identifiable information (PII).

What is The Federal Information Security Management Act (FISMA)?

Federal requirement that addresses the protection of personally identifiable information (PII).

What is Federal Education Rights and Privacy Act (FERPA)?

Federal requirement that addresses the protection of personally identifiable information (PII).

What is access control?

Security features that govern how users and processes communicate and interact with systems and resources.

What is the primary objective of access control?

To protect information and systems from unauthorized access, modification, or disruption.

What are the 3 common attributes of access control?

Identification scheme, authentication model, authorization model.

What is security posture?

The organization's approach to access control.

What are the two fundamental postures of security?

Secure (“default deny”) and open (“default open”).

What is Principle of Least Privilege?

Users should be granted the minimum permissions necessary to complete their assigned tasks.

What is Separation of Duties?

A security principle that divides tasks and responsibilities among multiple individuals to reduce the risk of fraud, error, or misuse of systems.

What is Authorization?

The process of assigning authenticated subjects permission to carry out a specific operation.

What is Multi-Factor Authentication?

Two or more factors are used.

What is Mandatory Access Control?

Data is classified, and employees are granted access according to the sensitivity of information.

What is Discretionary Access Control?

Data owners decide who should have access to what information.

What is Role Based Access Control?

Access is based on positions (roles) within an organization.

What is Attribute Based Access Control?

Access is based on evaluating rules against the attributes of entities, operations, and the environment.

What is Network Segmentation?

The process of logically grouping network assets, resources, and applications.

What is Software Bill of Materials (SBOMs)?

A detailed inventory that lists all components, libraries, and dependencies within a software application to improve transparency, security, and risk management.

What is Vulnerability Exploitability eXchange (VEX)?

Security document that provides information about whether specific vulnerabilities in software are exploitable, helping organizations prioritize and manage remediation efforts.

What is Artificial Intelligence Bill of Materials (AI BOM)?

Includes the model's name, version, type, creator and more, model architecture, model usage, and model considerations.

What is Systems development lifecycle (SDLC)?

Provides a standard process for any system development. Applies to commercial off-the-shelf software and open source software.

What is Open Web Application Security Project (OWASP)?

Open community dedicated to enabling organizations to develop, purchase and maintain applications that can be trusted.

What is Cryptography?

The process that takes plain text and turns it into cipher text.

What is Emergency Preparedness?

Process of planning, organizing, and implementing measures to effectively respond to and recover from emergencies, disasters, or unforeseen events.

What is Business Continuity Threat?

A potential danger to the organization.

What is Risk Assessment?

Evaluates the sufficiency of controls to prevent a threat from occurring or to minimize its impact.

What is Business Impact Assessment?

A multi-step collaborative activity that involves business process owners, stakeholders, and corporate officers that identifies essential services/processes and recovery timeframes.

What is Disaster Response Plan?

Addresses what should be done immediately following a significant incident.

What is Disaster Recovery Phase?

The path to bringing the company back to a normal business environment.

What is Resumption Phase?

The objective is to transition to normal operations.

What is Plan Test and Maintenance?

Proactive testing of the plan is essential; until tested, the plan is theoretical at best.

What is Personal Identity Theft?

Someone possesses and uses identifying information that is not his with the intent to commit fraud or other crimes.

What is Corporate Identity Theft?

When criminals attempt to impersonate authorized employees to access corporate bank accounts and steal money.

What is Health Insurance Portability and Accountability Act?

An act to protect the confidentiality, integrity, and availability of all electronic protected health information.

What is Privacy in the Digital Context?

Control personal data, anonymity, data security, consent and awareness.

What is GDPR?

Comprehensive data protection law implemented by the European Union in 2018, designed to protect individuals' privacy and regulate how organizations collect, process, and store personal data.

What is the Importance of High Accuracy and Precision in AI Systems?

Lies in ensuring reliable, consistent, and trustworthy outcomes.

The Importance of High Accuracy and Precision in AI Systems?

Lies in ensuring reliable, consistent, and trustworthy outcomes.

Flashcards

Incident

A violation or imminent threat of violation of computer security policies or standard security practices.

Incident Response

A structured approach to detecting, addressing, and managing the aftermath of a security incident, cyberattack, or data breach.

DDoS attack

An attempt to disrupt the normal functioning of a server by overwhelming it with traffic.

Malware

Code secretly inserted into another program to gain unauthorized access.

Incident Response Program (IRP)

Policies, plans, procedures, and people that provide a roadmap for responding to and recovering from incidents.

Chain of Custody

The process of preserving, documenting, and tracking evidence to maintain its integrity during an investigation.

CSIRT

A specialized team responsible for detecting, analyzing, and responding to cybersecurity incidents within an organization.

Access Control

Security features that govern how users and processes communicate and interact with systems and resources.

Principle of Least Privilege

Users should be granted only the minimum permissions necessary to complete their assigned tasks.

Separation of Duties

Dividing tasks among multiple individuals to reduce the risk of fraud, error, or misuse of systems.

SBOM

A detailed inventory of all components, libraries, and dependencies within a software application.

Vulnerability Exploitability eXchange (VEX)

Security document that provides information about whether specific software vulnerabilities are exploitable.

Cryptography

The process that takes plain text and turns it into cipher text.

Symmetric key

Uses a single secret key that must be shared in advance and kept private.

Asymmetric key

Uses two different but mathematically related keys: a public key for encryption and a private key for decryption.

Study Notes

• Final exam setup: 40 multiple choice questions, 2 hours, closed book/closed note, and proctored
• Exam date/time/location: Wednesday, March 12th at 10 AM, 575 Park St., Troy, AL
• Chapters covered include chapters 9-14, 16, and 17

Chapter 9

• Incident: A violation, or imminent threat, of computer security policies, acceptable use policies, or standard security practices
• Incident response: a structured, organized approach to detecting, addressing, and managing the aftermath of a security incident, cyberattack, or data breach
• Denial of Service (DoS) attack: Prevents or impairs the normal authorized functionality of an organization's networks, systems, or applications
• DDoS attack disrupts normal function by overwhelming a server, service, or network with traffic
• Malware: covert code inserted into a program for unauthorized access or harm
• Incident security levels are categorized by the potential harm caused:
• Level 1 incidents may cause significant harm
• Level 2 incidents involve the compromise of noncritical systems or information
• Level 3 incidents are contained and resolved by the information system custodian, data/process owner, or HR personnel
• Incident Response Program: composed of policies, plans, procedures, and people
• Incident Response Program functions as a roadmap for reporting, responding, and recovery actions
• Incident Response Process: Preparation, Detection and Analysis, Containment, Eradication, and Recovery, and Post-Incident Activity (Postmortem)
• Chain of Custody: preserves, documents, and tracks evidence handling to maintain integrity during investigations
• Information sharing and coordination: cybersecurity threat information is exchanged and collaborated on by organizations, teams, or stakeholders
• This enhances prevention, detection, and response to security incidents
• Computer Security Incident Response Team (CSIRT): A specialized team which detects, analyzes, and responds to cybersecurity incidents within an organization or community
• Product Security Incident Response Team: addresses security vulnerabilities and incidents specifically related to an organization's products or services
• Forensic Analysis: Collection, Examination, Analysis, and Reporting
• Data Breach Notification Requirements: federal requirements which address the protection of personally identifiable information (PII)
• Gramm-Leach-Bliley Act (GLBA): financial records
• Health Information Technology for Economic and Clinical Data Act (HITECH)
• The Federal Information Security Management Act (FISMA)
• Federal Education Rights and Privacy Act (FERPA)
• State breach notification laws are in all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands
• California was the first state to adopt a security breach notification law
• Massachusetts law is widely regarded as the most comprehensive state information security legislation

Chapter 10

• Access Control: Security features that govern how users and processes communicate and interact with systems and resources
• The primary objective is to protect information and systems from unauthorized access, modification, or disruption
• Access control attributes: identification scheme, authentication model, and authorization model
• Security posture: an organization's approach to access control
• Fundamental postures: secure (“default deny”) and open (“default open”)
• Principle of Least Privilege: Users should be granted the minimum permissions necessary to complete their assigned tasks
• Provides a strong foundation for any access control policy
• Separation of Duties: tasks and responsibilities are divided among multiple individuals which reduces the risk of fraud, error, or misuse of systems
• Authorization Factors: Knowledge, Ownership/Possession, and Characteristics/Inheritance
• Authorization: the process of assigning authenticated subjects permission to carry out a specific operation
• Multi-Factor Authentication: two or more factors are used
• Categories of Access Control List: Mandatory Access Control, Discretionary Access Control, Role Based Access Control, Rule Based Access Control, and Attribute Based Access Control
• Network Segmentation: logically grouping network assets, resources, and applications
• Firewalls: security tool that monitors and controls incoming and outgoing network traffic based on predefined rules to block unauthorized access
• Intrusion Detection: system or process that monitors networks or systems for suspicious activities or policy violations, alerting administrators to potential threats
• VPN: secure tunnel for transmitting data over unsecured networks, such as the internet
• An alternative virtual pathway exists between systems within the larger pathway of the Internet
• User Access Control: ensures authorized users can access information and resources, while unauthorized users cannot
• Access Monitoring: monitors successful access, failed access, and privileged operations
• Employees should have no expectation of privacy while on company time or when using company resources

Chapter 11

• Software Bill of Materials (SBOMs): a detailed inventory that lists all components, libraries, and dependencies within a software application
• Used to improve transparency, security, and risk management. Enhances vulnerability management and promotes transparency and trust
• Vulnerability Exploitability eXchange (VEX): a security document that provides information about whether specific software vulnerabilities are exploitable
• Helps organizations prioritize and manage remediation efforts
• Artificial Intelligence Bill of Materials (AI BOM):
• Includes model details, model architecture, model usage, and model considerations
• Systems development lifecycle (SDLC): provides a standard process for any system development
• Applies to commercial off-the-shelf software and open source software
• Consists of the initiation phase, developmental/acquisition phase, implementation phase, operational phase, and disposal phase
• Software Release Phases: Alpha phase, Beta phase, Release candidate, and General availability (or go live)
• Software update: is different from security patches (which address a specific vulnerability), updates include fundamental enhancements and new features
• Software updates should be tested thoroughly
• Open Web Application Security Project (OWASP): an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted
• It releases the top 10 most critical web application security flaws every 3 years.
• Code Security Issues: Potential for injection, Lack of input validation, Lack of dynamic data verification, Lack of output validation, Failure to use runtime defenses and address randomization, and Broken authentication and session management
• Cryptography: plain text is converted into cipher text
• Symmetric key: uses a single secret key that must be shared in advance and kept private
• Asymmetric key: uses two different but mathematically related keys: public key encrypts and private key decrypts
• Public Key Infrastructure (PKI): a framework which distributes, manages, creates, and revokes public keys
• Digital Certificate: electronic document issued by a trusted authority that uses a public key to verify the identity of an individual, organization, or device
• There is a chance a key has been compromised if revoked

Chapter 12

• Emergency Preparedness: plans, organizes, and implements measures to recover from emergencies, disasters, or unforeseen events
• Resilient organization: an organization that can quickly adapt and recover from changes to the environment
• Requires the support of enterprise leadership
• Requires a resilient culture based on empowerment, purpose, trust, and accountability
• Requires people who are properly selected, motivated, equipped, and led
• Requires agility and flexibility via a distributed workplace model and a robust and collaborative IT structure
• Business Continuity Threat: a potential danger to the organization
• Risk Assessment: evaluates the sufficiency of controls to prevent a threat from occurring or to minimize its impact
• Business Impact Assessment: a multi-step activity involving business process owners, stakeholders, and corporate officers
• Essential services/processes and recovery timeframes are identified
• Maximum tolerable downtime (MTD): the longest period a business process or system can be unavailable without causing significant harm to the organization
• Recovery time objective (RTO): the target amount of time within which a system, application, or process must be restored after a disruption to avoid unacceptable consequences
• Recovery point objective (RPO): the maximum acceptable amount of data loss measured in time, representing the point to which data must be restored following a disruption
• Business Continuity Plan: ensures the organization can respond and recover from a disaster
• Includes response plans, contingency plans, recovery plans, and resumption plans
• Disaster Response Plan: addresses what should be done immediately following a significant incident
• Defines who has the authority to declare a disaster
• Defines who has the authority to contact external entities
• Defines evacuation procedures
• Defines emergency communication and notification procedures
• Relocation Site Types: Hot site, Warm Site, Cold site, Mobile site, Mirrored site, and Reciprocal site
• Disaster Recovery Phase: the path to bringing the company back to a normal business environment
• The plan should break down each category of the overall recovery effort to simplify the daunting recovery process: Mainframe, Network, Communications, Infrastructure, and Facilities
• Resumption Phase: transitions the organization to normal operations
• Validation: verifying recovered systems are operating correctly
• Deactivation: the official notification that the organization is no longer operating in emergency or disaster mode
• Plan Test and Maintenance: proactive plan testing is essential because the plan is theoretical at best until tested
• The tests prove the plan is relevant, operable under adverse conditions, and accurate

Chapter 13

• Gramm-Leach-Bliley Act (GLBA): 1999, A U.S. federal law requiring financial institutions to protect the privacy and security of their customers' sensitive information
• Privacy Rule: limits the institution's disclosure of NPPI to unaffiliated third parties
• Safeguards Rule: addresses confidentiality and security of customer NPPI
• Pretexting Protection: refers to social engineering. GLBA encourages organizations to train employees to combat it
• NPPI: nonpublic personal information
• Examples: Names, Addresses, Phone numbers, Income and credit histories, and Social security numbers
• Interagency Guidelines: mitigates risks related to information systems being compromised
• Requires institutions to implement a comprehensive written cybersecurity program, that includes administrative, technical, and physical safeguards
• Personal Identity Theft: someone possesses and uses identifying information that is not his with the intent to commit fraud or other crimes
• Corporate Identity Theft: criminals try to impersonate authorized employees to access corporate bank accounts and steal money

Chapter 14

• Health Insurance Portability and Accountability Act: protects the confidentiality, integrity, and availability of all electronic protected health information
• The standards are non-specific and scalable
• Covered entities choose the appropriate technology and controls for their own unique equipment, taking size, capabilities, technical infrastructure, security measure cost, and probability of risk into consideration
• Terms used in HIPAA
• ePHI: any individually identifiable health information (IIHI) that is stored, processed, or transmitted electronically or digitally
• Covered Entities: health care providers, health plans, health-care clearinghouses, and certain business associates
• Health Plan: an entity that provides payment for medical services
• Clearinghouse: an entity that processes nonstandard health information into a standard format
• Business Associate: people or organizations that create, receive, maintain, transmit, access, or can potentially access PHI
• Administrative Safeguards: the documented policies and procedures for managing operations, conduct, access of workforce to ePHI, and selection, development, and use of security controls
• Physical Safeguards: requirements for protecting ePHI from unauthorized physical access
• Technical Safeguards: the use of technology to control access to ePHI
• Organization Safeguards: standards for business associate contracts and requirements for group health plans
• Documentation Requirements: policies and procedures regarding documentation records and their retention and availability
• HITECH Act: Health-care quality, safety, and efficiency are improved through the promotion of health information technology
• Act amended the Public Health Service Act
• Widened the scope of privacy and security protections available under HIPAA
• Omnibus Rule: expanded definition of “business associates”
• Extended compliance enforcement to business associates and subcontractors of business associates
• Increased violation penalties
• Included provisions for more aggressive enforcement
• Granted explicit authority to state attorney generals to enforce HIPAA Rule
• Defined specific thresholds, response timelines, and methods for security breach victim notification
• Breach Notification under HIPAA: CEs must notify individuals if the breach affects them, even if the breach is through a business associate
• Notification must be done within 60 days of the discovery of the breach

Chapter 16

• Privacy in the Digital Context: controls personal data, anonymity, data security, consent, and awareness
• Challenges include: Ubiquitous data collection, Surveillance technologies, and Data Breaches
• AI as both Protector and Challenger: AI acts as a safeguard by enhancing security, improving decision-making, solving complex problems
• poses challenges related to ethical concerns, bias, privacy risks, and the potential for misuse or replacing human roles
• Privacy Concern in AI Applications: Consent and transparency, Bias and discrimination, and Data breaches.
• GDPR: a comprehensive data protection law implemented by the European Union in 2018
• Designed to protect individuals' privacy and regulate how organizations collect, process, and store personal data
• GDPR Key Principles: Consent, Right to access, Data portability, Data minimization, and Right to be forgotten
• CCPA: California Consumer Privacy Key Principles: Right to know, Right to delete, Right to opt-out, Right to non-discrimination, and Compliance requirements: notice, consumer requests, data protection measures
• PIPEDA: Personal Information and Electronic Documents Act
• Founded on 10 fundamental principles: accountability, identifying purposes, consent, limiting collection, limiting disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance
• DPA 2018: Data Protection Act of 2018 (United Kingdom)
• Right to access: individuals have the right to access their personal data and get a copy
• Right to rectification and erasure: individuals can request incorrect data, be corrected, and personal data erased (in certain circumstances)
• Automated decision making: individuals are protected against risks associated with automated decision making and profiling

Chapter 17

• The Blueprint for an AI Bill of Rights: Safe and effective systems, Algorithmic discrimination protections, Data privacy, Notice and explanation, and Human alternatives, consideration, and fallback
• The Foundation of AI Governance: Guiding Principles from the Executive Order concerning with: Safety and security, innovation and competition, workforce support, equity and civil rights, consumer protection, privacy and civil liberties, facilitating accountable and efficient AI in government operations, and global leadership
• NIST's AI Risk Management Framework
• The Importance of High Accuracy and Precision in AI Systems: ensures reliable, consistent, and trustworthy outcomes
• High accuracy ensures AI systems produce results close to the true or desired outcomes, reducing errors. High precision ensures consistency and specificity in results, avoiding unnecessary or irrelevant outputs
• Explainable AI (XAI) Building Trust and Understanding: for providing understandable explanations
• Explainability is key for building trust through transparency, Improving AI systems helps identify and correct errors and biases, and address balancing complexities with explainability
• NAIAC: a U.S.-based advisory body which provides recommendations on AI-related topics such as advancing AI research and innovation
• Ensuring development of trustworthy AI systems and preparing the workforce for AI-driven transformation (ethical, fair, unbiased, and unbiased)
• The European Artificial Intelligence Board: a regulatory body established to oversee and ensure uniform application of EU AI laws across member states, particularly under the EU AI Act
• Provides guidance, resolves disputes, and promotes cooperation on AI-related issues at a pan-European level
• EU AI Act: seeks to regulate AI by categorizing applications into risk levels (unacceptable, high, limited, and minimal risk)
• Sets rules to ensure AI systems are safe, ethical, and respect fundamental rights
• Covers high-risk AI systems like those in healthcare, education, transportation, and law enforcement
• AI Supply Chain Security: involves multiple actors, challenging responsibilities
• LLM: a type of AI model, trained on vast amounts of text data, that can generate, understand, and process human language
• Examples: GPT models and BERT
• Top 10 risks: prompt injections, insecure output handling, training data poisoning, denial of service, supply chain, permission issues, data leakage, excessive agency, overreliance, and insecure plugins