Introduction to Cybersecurity Incidents

Questions and Answers

What does the unit "Introduction to security incidents" cover?

It covers the basic concepts of cyberincidents and incident management by reviewing its key areas, such as classifications, categories, levels of criticality, and a general understanding of the stages and principles of incident management according to the NIST model.

What are the three core principles of information security?

• Confidentiality, Integrity, Security
• Security, Integrity, Availability
• Confidentiality, Availability, Trust
• Confidentiality, Integrity, Availability (correct)

A Denial-of-Service (DoS) attack aims to gain access to a system.

False (B)

What are some examples of malicious code?

Viruses, worms, and Trojan horses (B)

What is a "Trojan horse" in the context of cybersecurity?

A "Trojan horse" is a type of malicious code disguised as legitimate software to trick users into installing it. Once installed, it can perform malicious actions, such as stealing data or granting remote access to attackers.

What does CCN-STIC 817 stand for?

Cybersecurity Communications Network, Security, and Technology Information Center (B)

What are the two key components used to determine the severity of a cyber incident?

Impact and probability.

Which of the following is NOT a sector commonly targeted by cybercriminals?

Education (A)

What role does the CISO play in managing cyber incidents?

The CISO should be a knowledgeable leader who understands both the risks of cybercrime and their own role in motivating the entire organization to take responsibility for cybersecurity.

Why is it crucial to keep offline copies of important documents related to incident response?

In case of a cyber incident, access to computer files might be compromised. Having physical backups ensures that critical information and plans remain readily accessible for incident management and mitigation.

It's recommended to ensure that backup copies are closely linked to the primary system for easy retrieval.

False (B)

What is the primary objective of the "containment" stage of incident management?

To minimize the impact of a cyber incident and prevent further damage to the organization's systems and data.

What is the most important aspect to consider when making decisions during incident containment?

The organization must have predetermined strategies and procedures in place for containing the incident. This helps to make decisions more efficient and effective, especially in high-pressure situations.

Flashcards

Cybersecurity incident

A compromise or violation of the security of an organization's IT assets, including information, services, and infrastructure.

Confidentiality

Preventing unauthorized access to information.

Integrity

Ensuring information remains unchanged unless authorized.

Availability

Ensuring information and resources are accessible to authorized personnel.

Denial-of-Service (DoS) incident

Disrupting access to networks, systems, or applications by overloading them.

Malicious code incident

Targeting systems with viruses, worms, or Trojan horses.

Unauthorized access incident

Accessing systems, networks, applications, or data without authorization.

Inappropriate use incident

Violating security policies, like using unauthorized applications.

Incident taxonomy

A classification system for identifying, analyzing, containing, and eliminating cyber incidents.

Incident classification factors

Factors considered when classifying incidents, including threat type, origin, system security, user profile, and impact.

Cyber incident management

The process of handling cyber incidents throughout their life cycle, from preparation to post-incident activities.

NIST model

A framework used as a reference for cyber incident management.

Criticality of an incident

Determining the severity level of an incident based on its impact.

CSIRT/CERT

Incident response centers specializing in handling cyber incidents.

Proactive services

Preventive measures taken to avoid incidents.

Reactive services

Actions taken after a cyber incident has happened.

MISP

A platform for sharing cyber threat intelligence.

Incident labeling

Tagging cyber incidents for better categorization and management.

Information sharing formats

Methods for exchanging security-related information and incident details across organisations

Legal and regulatory requirements

Laws and regulations related to information security and incident handling

Study Notes

Topic 2.1 Introduction to Cybersecurity Incidents

• Cybersecurity Incident Framework: The unit introduces core concepts of cybersecurity incidents and their management.
• Incident Taxonomy: Defines key concepts, types, and classifications of cybersecurity incidents to establish a framework for efficient response. Crucially, it determines the level of criticality.
• Incident Management: Details basic principles for managing incidents, covering the lifecycle from preparation to post-incident activities. This uses the NIST model as a reference. Key metrics for organizational maturity are also included.
• Incident Response Centers (CERT-CSIRT-SOC): Introduces incident response hubs, explaining their role, capabilities, and divisions (proactive/reactive services). Organizational structures are highlighted.
• Incident Action Procedures: Presents key procedures for managing incidents, notably emphasizing the preparatory phases in technology, operations, legal and communication aspects.
• Information Exchange and Labeling: Displays fundamental information sources and tools, including threat intelligence platform MISP, and discusses standard formats for exchanging cybersecurity information and tagging incidents.

Topic 2.2 Cybersecurity Incident Taxonomy

• Definition of a Cybersecurity Incident: A cybersecurity incident is a compromise or violation of a firm's IT assets (information, services, infrastructure elements like servers, computers, networks, smartphones, etc.). This can encompass electrical/hardware failures, policy violations, and malicious activity (including disgruntled employees.)
• Fundamental Security Principles: The consequence of a cybersecurity incident compromises fundamental security principles: confidentiality, integrity and availability of information.

Topic 2.3 Cybersecurity Incident Management: Phases

• Cybersecurity Event: A significant cybersecurity change that may impact organizational operations (mission, capabilities, reputation, etc.).
• Cybersecurity Incident: One or more unexpected/undesirable cybersecurity events, potentially compromising organizational operations.
• Incident Management: Comprehensive processes for preparing, detecting, reporting, evaluating, and responding to security incidents, while continuously improving the response plan.

Description

This quiz covers the fundamentals of cybersecurity incidents, including their classification, management principles, and the role of incident response centers. Explore the NIST model for effective preparation and response, alongside key procedures and organizational structures essential for incident management.