(11) Data Integrity Validation Flashcards

1
Q

What specific activities need to take place to validate the integrity of data?

A

-Validate that only authorized user accounts exist on every system and application in the org

-Verify the proper restoration of permissions for each account

-Verify the integrity of systems and data

-Verify that all systems are properly logging

-Conduct vulnerability scans on all systems

2
Q

What change management processes should be applied as part of the incident response effort?

A

The change management control processes were likely skipped over as a result of the incident, so at this point the Computer Security Incident Response Team (CSIRT) needs to document what changes were made to the information system during the incident response effort and then go back to normal change management processes once the incident response effort is over.

3
Q

What changes to the incident response plan should/may be applied as part of the lessons learned phase of the incident response process?

A

During the lessons learned session, any new controls or security measures should be put in place if they were not in place before and if their omission contributed in some way to the incident that happened.

The change management process should be followed if new changes to the incident response plan are needed as a result of the incident.

Also, if any new Indicators of Compromise (IoCs) are discovered, then they should be added to the org’s incident response database to be ready for them in the future if need be.

4
Q

After the lessons learned portion of the org’s incident response, what should happen last?

A

Lastly, a final report should be completed. The final report creates a memory that the org can use when developing new security controls and when training new employees.

It will be useful if the org is going to court as a result of the incident.

It helps identify any undetected issues with the incident response apparatus, which can help avoid the issue in the future.

5
Q

What elements should the post incident report include?

A

The post incident report should include:

-Chronological chain of events for the entire situation from start to conclusion

-Root cause, location, and specific actions that took place

-Estimation of the impact of the incident on the org and stakeholders

-Result of post recovery validation and documentation of everything

6
Q

What does the incident response team need to do with the evidence acquired as a result of the incident?

A

The incident response team needs to either retain it (especially if a court case is coming up), based on the company's data retention policies, or destroy it securely. If the data is to be retained, it needs to be placed in a data repository with the chain of custody intact.
