Security Incident Definitions Flashcards
What is an event?
An event is any observable occurrence in a system or network. A security event is an observable occurrence that relates to a security function.
What is an adverse event?
An adverse event is any event with negative consequences, such as a malware infection or a server crash.
What is a security incident?
A security incident is a clear violation of company policies governing the proper use of company equipment, systems, or software.
What are computer security incident response teams (CSIRTs)?
CSIRTs are responsible for responding to security incidents within an organization by following standard, predefined processes to secure the affected systems.
What is an incident response process?
An example of an incident response process is: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Is the incident response process a straightforward process to follow?
Incident response processes can be straightforward, but they most often involve looping back to earlier phases, for example to perform new detection and containment activities.
What does it take to construct a Computer Security Incident Response Team (CSIRT)?
Constructing a CSIRT takes a lot of work to get up and running. It requires preparation to ensure the team has a proper policy foundation, operating procedures that will be effective in the organization's computing environment, proper training, and readiness to respond properly.
What materials should an organization assemble as part of security preparation?
Backup equipment, blank removable media, forensic and packet capture software, office supplies and evidence collection materials, and bootable USB media with trusted copies of forensic tools.
According to the NIST 800-61 guideline, describe how alerts should work.
Alerts should originate from intrusion detection and prevention systems, SIEM systems, antivirus software, file integrity checking software, and other security tools.
According to NIST 800-61, describe the role logs should play in a security program.
Logs should be those produced by the operating system, services, applications, network flows, and network devices.
According to NIST 800-61, describe publicly available information.
Publicly available information is information shared with the public about new developments in exploits and vulnerabilities, including those found in a lab environment.
According to NIST 800-61, describe people as a source of incident indicators.
People are those who work inside the organization, or external sources, who report activity that may indicate an issue is currently occurring.