01. Incident Response Plan (386) Flashcards

1
Q

Incident Management Readiness

Events that can disrupt the continuity and viability of an organisation:

  1. Natural Disasters
  2. Human-made disasters
  3. Malicious acts
  4. Cyberattacks
  5. Change with unintended consequences

286

A
2
Q

Incident Management Readiness

Incident management readiness begins with an upfront analysis of business processes and their dependencies.

386

A
3
Q

Incident Response Plan

BCP and DRP share a common objective:
the best possible continuity of business operations during and after a disruptive event.

386

A
4
Q

Incident Response Plan

A business continuity response is required so the business can operate its critical business processes without its primary processing systems.

386

A
5
Q

Incident Response Plan

Disaster recovery planning is needed to recover systems and resume normal operations

386

A
6
Q

Incident Response Plan

Connected devices often relate directly or indirectly to life safety. Life safety is therefore included as a high priority in information security.

387

A
7
Q

Incident Response Plan

Risk assessments are the foundation of planning for security incident response, business continuity, and disaster recovery.

387

A
8
Q

Security Incident Response

As a result of a security incident, the confidentiality, integrity, or availability of information systems has been, or is in danger of being, compromised.

388

A

Types of security incidents:

Computer account abuse
Wilful account abuse, such as sharing credentials
Computer or network trespass
Unauthorised access to a computer or network
Information exposure or theft
Protected information exposed to unauthorised people
Malware
Worm or virus outbreak that disrupts business operations
Ransomware and wipeware
Data encryption for ransom, exfiltration of data with a threat to post it publicly, or destruction of data instead of encryption
Denial-of-Service (DoS)
Attack that floods the target network with data to overwhelm it
Distributed Denial-of-Service (DDoS)
Similar to DoS, but emanating from hundreds of thousands of computers at one time
Encryption or destruction of critical information
The result of a ransomware or wiper attack
Disclosure of sensitive information
Sensitive information disclosed to an unauthorised party
Information system theft
Laptop, mobile device, or other information processing or storage equipment stolen
Information system damage
Human intruder or malware causing temporary or irreversible damage to information systems
Information corruption
Damage to information stored on systems
Misconfiguration
Errors by IT workers resulting in data loss
Sabotage
Disruptive or damaging processes directed at an organisation, or several organisations, by a human or by malware, with intent

9
Q

Intrusion Kill Chain

Lockheed Martin model depicting a typical computer intrusion:

  1. Reconnaissance
  2. Weaponisation
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives

390

A
10
Q

Incident Response Plan Development

A security manager must first thoroughly understand the organisation's business processes and information systems.

390

A

The security manager may first develop a high-level incident response plan.

11
Q

Incident Response Plan Development - Objectives

Organisations must establish objectives before developing a security incident response plan, so that they can tell whether business needs are being met.

390

A
12
Q

Resources

Incident response stages from detection to closure require personnel with different skill sets, including:

  1. Incident detection and response
  2. Network, system, application SMEs
  3. Malware analysis and reverse engineering
  4. Forensics
  5. Incident command and control
  6. Crisis communications
  7. Legal / Privacy
  8. Business Unit Leaders
  9. Executives
  10. Law Enforcement

392

A
13
Q

Outsourcing

Organisations may opt to use forensic experts on an on-demand or contract basis.

392

A
14
Q

Gap Analysis

A security manager must determine the current state of the organisation's incident response capabilities and the desired state. The best method is a gap analysis.

393

A
15
Q

Security Incident Plan Development

A security incident response plan is a document that defines the policies, roles, responsibilities, and actions to be taken in the event of a security incident.

393

A

A security incident response plan typically includes:

Policy
Roles and responsibilities
Incident detection capabilities
Playbooks
Communications
Recordkeeping

16
Q

Third Party

Applications and infrastructure owned and managed by a third party do not absolve an organisation of its responsibilities for security incidents.

394

A
17
Q

Incident response documentation reviews

Organisations should review and update incident response documents at least once per year, or whenever a significant change is made.

394

A
18
Q

ITSM and Security Incident Management Relationship

Many security managers leverage the existing incident management processes of a well-written ITSM programme rather than building a response plan from scratch.

394

A
19
Q

Communication and Escalation

Incident response plans include procedures for communication and escalation.
Two forms of escalation:

  1. Notifying appropriate levels of upper management when an incident has been detected
  2. Notifying appropriate levels of management when incident response service level agreements (SLAs) have not been met

395

A
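Worked example for the two escalation forms on this card, added here and not part of the flashcards or the study guide they summarise. It encodes, in Python, who is notified when an incident is detected (form 1) and who is notified when a response SLA is missed (form 2). The severity tiers, SLA targets, notification roles and sample incidents are all assumed for illustration; a real plan defines its own.

```python
"""Escalation logic for a security incident response plan.

Added illustrative example; not from the flashcards or the study guide they
summarise. The severity tiers, SLA targets, notification roles and sample
incidents are assumed for illustration, not taken from any real plan.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Form 1: management levels notified when an incident is detected (assumed).
DETECTION_NOTIFY = {
    "low": ["security manager"],
    "medium": ["security manager", "IT director"],
    "high": ["security manager", "IT director", "CISO"],
    "critical": ["security manager", "IT director", "CISO", "CEO", "legal"],
}

# Response SLAs measured from detection time, per severity (assumed).
SLA = {
    "low": {"triage": timedelta(hours=24), "containment": timedelta(days=5)},
    "medium": {"triage": timedelta(hours=8), "containment": timedelta(days=2)},
    "high": {"triage": timedelta(hours=1), "containment": timedelta(hours=8)},
    "critical": {"triage": timedelta(minutes=15), "containment": timedelta(hours=2)},
}

# Form 2: management levels notified when an SLA is missed (assumed); a breach
# escalates above the people already notified at detection.
SLA_BREACH_NOTIFY = {
    "low": ["IT director"],
    "medium": ["CISO"],
    "high": ["CEO"],
    "critical": ["CEO", "board liaison"],
}

# SLA stage name -> Incident attribute holding that stage's completion time.
STAGES = (("triage", "triaged_at"), ("containment", "contained_at"))


@dataclass
class Incident:
    ident: str
    severity: str
    detected_at: datetime
    triaged_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None

    def __post_init__(self):
        if self.severity not in SLA:
            raise ValueError(f"unknown severity {self.severity!r}")


def detection_notifications(incident: Incident) -> list:
    """Form 1: who to notify because an incident has been detected."""
    return list(DETECTION_NOTIFY[incident.severity])


def missed_slas(incident: Incident, now: datetime) -> list:
    """Names of SLA stages missed as of `now`.

    A stage is missed when it was completed after its deadline, or when it is
    still open and the deadline has already passed. An open stage that is
    still within its deadline is not missed yet.
    """
    missed = []
    for stage, attr in STAGES:
        deadline = incident.detected_at + SLA[incident.severity][stage]
        done_at = getattr(incident, attr)
        if done_at is None:
            if now > deadline:
                missed.append(stage)
        elif done_at > deadline:
            missed.append(stage)
    return missed


def sla_breach_notifications(incident: Incident, now: datetime) -> list:
    """Form 2: who to notify because a response SLA has not been met."""
    if not missed_slas(incident, now):
        return []
    return list(SLA_BREACH_NOTIFY[incident.severity])


def escalation_plan(incident: Incident, now: datetime) -> dict:
    """Both escalation forms for one incident, plus the stages that triggered form 2."""
    return {
        "detection": detection_notifications(incident),
        "missed_slas": missed_slas(incident, now),
        "sla_breach": sla_breach_notifications(incident, now),
    }


# Constructed sample incidents, all detected at T0 and evaluated twelve hours later.
T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=12)
SAMPLE_INCIDENTS = [
    # critical: triaged in 10 min (on time); containment still open past its 2 h deadline
    Incident("INC-1", "critical", T0, triaged_at=T0 + timedelta(minutes=10)),
    # medium: triaged after 10 h against an 8 h SLA; containment open but within 2 days
    Incident("INC-2", "medium", T0, triaged_at=T0 + timedelta(hours=10)),
    # low: nothing done yet, but both deadlines are still in the future
    Incident("INC-3", "low", T0),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.ident, inc.severity, escalation_plan(inc, NOW))
```

Running the block prints one escalation plan per sample incident. The point a plan author should take from it is that form 2 is evaluated repeatedly against the clock, not once: an incident that was on track at detection time becomes an SLA escalation the moment a stage is still open past its deadline, so the check belongs in whatever periodically reviews open incidents.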