4 - Information Security Incident Management

Question 1

Who developed the Kill Chain and what are the phases

Answer 1

Lockheed Martin
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Actions on Objectives

Question 2

Which NIST Pub is for the Computer Security Incident Handling Guide

Answer 2

NIST 800-61

Question 3

What type of analysis should be performed prior to building our BCP or DR Plans

Answer 3

Business Impact Analysis (BIA) and
Criticality Analysis (CA)

Question 4

List some examples of backup media rotation

Answer 4

FIFO
Grandfather-father-son using full and daily incremental or differential.
Tower of Hanoi

Question 5

What is the difference between Incident Response testing and DR Testing

Answer 5

IRP - Doc Review, Walk through, and simulation

BCP/DR has parallel and cutover as well

Question 6

What is the main purpose of the “chain of custody” procedures

Answer 6

To prove the integrity of investigation data

Question 7

T or F documenting steps during actual security incidents will also determine whether the organization recovered from the incident

Answer 7

False
That is not the purpose of documenting and does not indicate if they actually recovered.

Question 8

What is the primary purpose of incident responders being asked to review incident response procedures.

Answer 8

Helps find mistakes in incident response procedures before an actual incident occurs

Question 9

What PCI-DSS requirement is to put contact information for card brands in their incident response plans

Answer 9

12.10.1

card brands should notified as soon as possible after a knowledge of a breach of credit card data.

Question 10

What is the last step in a security incident

Answer 10

Post-Incident review or postmortem

Closure is second to last step

Question 11

What is a good indicator on when Exec Management should be notified of a security incident

Answer 11

When regulators need to be notified

disruption in business

compromise of sensitive information

Question 12

Purpose of a write blocker in the context of a security incident response

Answer 12

allows you to connect to hard drive that is the subject of a forensic analysis to a computer. The write block permits the computer to read from the subject hard drive but not permit any updates to the hard drive

Question 13

for GDPR how quickly must an organization report a security breach of PII to SA

Answer 13

72 hours

Question 14

What technology besides DLP will detect data exfiltration

Answer 14

Network anomaly detection since it is designed to baseline normal network behavior and report on a anomalous network traffic such as data exfiltration

Question 15

What plan is to ensure effective notifications of internal and external parties

Answer 15

Crisis Response Plan

Question 16

Is it feasible to during a known compromise to test the proposed changes in a test environment first

Answer 16

Yes if they want to minimize any disruption to the environment.

Question 17

What are some well known computer forensic tools

Answer 17

EnCase
Forensic Toolkit
Autopsy

Question 18

T or F that during a security incident during containment and remediation if your if your change control process is mature you can use that process

Answer 18

T
Test environments take more time and might not be available.

Question 19

Who is more appropriate to be on a CERT - IT Security Engineers or IT Network, System and application engineers

Answer 19

IT Network, system and application engineers are more familiar with the operational details and would be a better fit for this role

Question 20

Can there be more than one incident commander especially for a lengthy cybersecurity incident and if so, who should take that role

Answer 20

Yes. It is not feasible for one person to say work 24 or 48 hours straight and they should utilize member from the incident response team.

Question 21

What is the process of asking and analyzing until no more information is available

Answer 21

Root Cause Analysis