5.4 Given a scenario, follow incident response procedures. Flashcards
Event
Defined as anything that happens during a set time period.
Incident
Defined as an event that has a negative impact.
Incident Response Plan (IRP)
A set of written instructions for reacting to a security incident.
Cyber-incident Response Teams (CIRT)
A dedicated team that is responsible for the investigation of any computer security incidents that occur.
Exercise
- Put simply, testing the IRP.
- Used to evaluate the preparedness of CIRT.
- A fire drill is an example of testing the IRP.
Preparation
Equipping IT staff, management, and users to handle potential incidents when they arise.
Includes hardening systems in order to prevent an attack.
Identification
Determining whether an event is actually an incident.
Containment
Limiting the damage of the incident: isolating the affected systems so the incident cannot spread and cause further damage.
Quarantine/isolation of the affected system (for example, disconnecting it from the network) to prevent spread.
Eradication
Includes the processes used to remove or eliminate the cause of an incident.
(Wipe it out)
Recovery
The process of removing any damaged elements from the environment, replacing them, and returning to normal operations.
Lessons Learned
- The final step in the Incident Response Process.
- Perform an After Action Review of the incident and apply any required changes to the IRP and future responses.
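Worked example (added here; not part of the original flashcard set): a small Python script that walks a few constructed, syslog-style log lines through the Identification and Containment phases above. It decides which events are incidents (a burst of failed logins followed by a success, or an anti-malware alert) and then produces the iptables commands that would quarantine the affected host while keeping it reachable from an incident-response jump host. The hostnames, IP addresses, the five-failure threshold and the management host 10.10.0.5 are all assumptions made for illustration; the commands are returned as strings (a dry run) rather than executed.

```python
"""Identification and Containment over constructed sample events.
Added example, not original page content. All hosts, IPs and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample events (syslog-style auth and anti-malware entries); not real data.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:01 ws-17 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T08:00:02 ws-17 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T08:00:03 ws-17 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T08:00:04 ws-17 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T08:00:05 ws-17 sshd: Failed password for admin from 203.0.113.9",
    "2024-03-01T08:00:09 ws-17 sshd: Accepted password for admin from 203.0.113.9",
    "2024-03-01T08:01:00 ws-22 sshd: Failed password for bob from 192.0.2.44",
    "2024-03-01T08:01:30 ws-22 sshd: Accepted password for bob from 192.0.2.44",
    "2024-03-01T08:02:00 ws-31 av: Malware detected: Trojan.Generic in C:\\Users\\x\\a.exe",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
FAILED_THRESHOLD = 5     # assumed policy: 5+ failures then a success counts as an incident
MGMT_HOST = "10.10.0.5"  # assumed IR jump host that must stay reachable for forensics


def parse(line):
    """Split one log line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, prog, msg = m.groups()
    return {"ts": ts, "host": host, "prog": prog, "msg": msg}


def identify(lines):
    """Identification phase: return only those events that qualify as incidents.
    Every line is an event; an incident needs a negative impact (here: a successful
    login after a brute-force burst, or a malware detection)."""
    failures = defaultdict(int)  # (host, source ip) -> consecutive failed logins
    incidents = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        auth = AUTH_RE.match(ev["msg"])
        if auth:
            outcome, user, src = auth.groups()
            key = (ev["host"], src)
            if outcome == "Failed":
                failures[key] += 1
            elif failures[key] >= FAILED_THRESHOLD:
                incidents.append({"host": ev["host"], "src": src,
                                  "reason": f"login for {user} from {src} after {failures[key]} failures"})
            # a success without a preceding burst is an ordinary event, not an incident
        elif ev["prog"] == "av" and ev["msg"].startswith("Malware detected"):
            incidents.append({"host": ev["host"], "src": None, "reason": ev["msg"]})
    return incidents


def containment_plan(incident):
    """Containment phase: iptables commands that isolate the affected host.
    Management-host rules are added before the default policies are flipped to
    DROP so the responder's session is not cut off. Returned as strings (dry run)."""
    cmds = [
        "iptables -A INPUT -i lo -j ACCEPT",
        f"iptables -A INPUT -s {MGMT_HOST} -j ACCEPT",
        f"iptables -A OUTPUT -d {MGMT_HOST} -j ACCEPT",
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
    ]
    return [f"ssh {incident['host']} {c}" for c in cmds]


if __name__ == "__main__":
    for inc in identify(SAMPLE_EVENTS):
        print(f"INCIDENT on {inc['host']}: {inc['reason']}")
        for cmd in containment_plan(inc):
            print("  " + cmd)
```

Run as written, the script flags ws-17 (five failures then a success from the same source) and ws-31 (malware alert) as incidents and leaves the single failed login on ws-22 as a plain event; the ssh-prefixed commands are what a responder would review before actually cutting the host off. Eradication and Recovery are deliberately not automated here, since removing the cause and restoring service depend on what the investigation finds.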
In what phase of an incident response plan does the organization return to normal operations after handling a violating event? A. Containment B. Lessons Learned C. Recovery D. Eradication
C. Recovery
Ben has been asked to work on a report that will analyze the results of an incident exercise with the purpose of identifying strengths to be maintained and weaknesses to be addressed for improvement. What report will he be working on?
A. Containment report
B. After Action Report
C. Identification of critical systems report
D. Eradication Report
B. After Action Report
It has been reported that someone has caused an information spillage incident on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in the incident response process did you just complete? A. Identification B. Isolation C. Eradication D. Containment
D. Containment