4_2_1 Section 4 – Operations and Incident Response - 4.2 – Incident Response - Incident Response Process

Questions and Answers

What is a common consequence of a user clicking a malicious email attachment?

• The malware is instantly detected and removed by the organization's security systems.
• The malware deletes sensitive information from the organization's servers.
• The malware automatically notifies the incident response team.
• The malware begins communicating with other services and sending information outside the organization. (correct)

What is the purpose of an incident response team?

• To provide general IT support to employees.
• To respond to and manage security incidents. (correct)
• To develop new security policies for the organization.
• To conduct regular security audits and risk assessments.

What is a distributed denial of service attack characterized by?

• A limited number of users accessing the organization's system simultaneously.
• A large number of botnets overloading the internet connection. (correct)
• A single hacker attempting to access the organization's system.
• A malware infection spreading across the organization's network.

What is a possible motivation behind a thief contacting an organization after stealing sensitive information?

To offer to return the stolen information in exchange for payment. (D)

What is a potential risk of a user installing peer-to-peer software inside the organization?

The software may open up all systems to access from the outside. (D)

Who may be part of the incident response team?

The IT management team for the security department, as well as other specifically trained personnel. (A)

What is the primary role of compliance officers in a security incident?

Ensuring data compliance with organizational rules and regulations (C)

What is the title of the NIST publication that provides guidance on handling security incidents?

Computer Security Incident Handling Guide (D)

What is the key to handling a security incident properly?

Being well-prepared with the right people and processes in place (A)

What is the purpose of creating hash values of evidence during a security incident?

To ensure that the evidence does not change (B)

Why is it challenging to identify legitimate security threats?

Because of the numerous types of attacks that occur daily (C)

What are precursors in the context of security incidents?

Predictors of a security incident (A)

What is the purpose of monitoring systems during a security incident?

To identify cases where a security incident may have occurred (B)

What is the role of technical staff in responding to security incidents?

Troubleshooting and resolving technical issues (A)

What is the benefit of having a clean operating system and application images during a security incident?

It helps to mitigate security incidents (A)

What is the importance of having policies and procedures in place during a security incident?

It ensures that everyone knows their roles and responsibilities (B)

What is the primary purpose of a post-incident meeting?

To discuss and document the incident's details (A)

Why is it essential to document the incident's details?

To understand what happened and when it happened (C)

What should be examined during the post-incident meeting?

The effectiveness of the plans in place during the incident (C)

What can be done to improve the response to future incidents?

Updating alarms and alerts to identify precursors (B)

What can be gained from having an objective view of the incident?

A better understanding of what to look for in future incidents (B)

Why is it important to conduct the post-incident meeting quickly?

To avoid having to recall details later (A)

What is the purpose of a sandbox in incident response?

To run malicious software and analyze its behavior (D)

What is the first step in recovering a system after a security incident?

Eradicate the malware and remove it from the system (A)

What can be a challenge when analyzing malware in a sandbox?

The malware may recognize when it's running in a sandbox (C)

What is the importance of having a backup in incident response?

It allows for quick recovery of a system after a security incident (D)

What is the goal of incident response?

To recover a system and prevent future incidents (B)

What can be a time-consuming process in incident response?

Reconstituting a network after a security incident (C)

What is the benefit of sending patches out to systems during incident response?

It makes high value changes to prevent further incidents (B)

What is the purpose of file integrity monitoring systems?

To alert on changes to critical operating system files (D)

What should you never do when detecting a security incident?

Leave the incident running to see what it does (C)

What is the final step in incident response?

Review processes to identify what worked and what didn't (B)