10 - Incident Management

Question 1

What is an incident?

Answer 1

Any event that violates an org’s security policies.

May disrupt normal operations

Question 2

Cycle of diaster planning/recovery (3 things)

Answer 2

• Planning
• Disaster
• Recovery

Question 3

Planning process

RCIDP

Answer 3

• Risk assessment
• Conduct aq business impact analysis
• Identify preventative controls
• Develop IT recovery and reconsitution strategy
• plann testing, training, maintenance and exercises

Question 4

Business Impact Analysis

Answer 4

Determines the impact in the event that key processes are not available

Built on worst case scenarios: what assets needed to recover?
Identify recovery time (maximum down time)

Question 5

3 steps of BIA

Answer 5

Assess and analyse
Report
Develop Policies

Question 6

Business COntinuity Plan

Answer 6

Creates a plan to continue business after disaster

Question 7

Recovery time objective

Answer 7

How quickly business process should be recovered, based on business tolerance to loss.

Question 8

Recovery Point Objective

Answer 8

Defines the maximum acceptable level of data loss

Question 9

Incident response plan helps to do what

Answer 9

helps to identify the security event and bring it to closure

Question 10

Disaster Recovery Plan

Answer 10

How an org manages a catastrophic event, such as a natural disaster or accidental data loss

Question 11

GDPR requires a backup and disaster recovery plan. What is the maximum time for informing authorities of a breach?

Answer 11

72 hours

Question 12

SANS Institute’s 6 steps of incident response

PICERL

Answer 12

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned

Question 13

Incident Response reactive and/or proactive?

Answer 13

reactive (handling incidents as they occur) but also proactive (prepare/prevent)

Question 14

Backup considerations

Answer 14

• Frequency
• Location
• Medium
• Vaulting
• Mirroring
• What to backup

Question 15

Redundant/Mirrored

Answer 15

Mirror of original

Fully available
Real time info mirroring

Drawbacks:
Expensive

Question 16

Hot site & drawbacks

Answer 16

• Fully configured
• Readily available
• annually tested

Drawbacks:
- Expensive
- Hardware/software choices limited
- Short term

Question 17

Warm Site

Answer 17

• Partially Configured
• Long term
• Choice of hardware/software use

Drawbacks:
- Not readily available
- No testing
- Resources not available

Question 18

Cold Site

Answer 18

• Core equipment only

Drawbacks
- take up to a week
- Operation resources not available

Question 19

Mobile/rolling site

Answer 19

• Transportable with necessary hardware and equipment

Drawbacks:
- Short term

Question 20

Disaster Declaration Policy

Answer 20

Outlines the process by with BCP and DRP are activated

Defines the roles and responsibilities for assessing/declaring disaster.

Includes notification of people and alternate site activations

Question 21

Forensic Investigation

Answer 21

who, what, when, where, how and why etc

Evidence…:
- Collection
- Preservation
- Analysis
- Presentation

Question 22

What to do after the incident

Answer 22

Review readiness for next incident
Review risk management and security policies
Further investigation

Question 23

SANS report format

Answer 23

• When and who
• scope
• how contained/eradicated
• recovery work
• effective response areas
• areas of improvement