NIST 800-61: Computer Security Incident Handling Guide Flashcards

What is the purpose of NIST 800-61, and how is it used in incident response?
The purpose of NIST 800-61 is to provide guidance on how to respond to cyber security incidents. It outlines the steps organizations should take when responding to an incident, including the collection and analysis of evidence, notification of affected parties, and post-incident activities. NIST 800-61 is used by incident responders to ensure that they are following best practices when responding to a security incident.

What are the six steps of the incident response process as outlined in NIST 800-61?
The six steps of the incident response process are Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Lessons Learned. Preparation involves creating an incident response plan and assembling a team to respond to incidents. Detection and Analysis involves identifying the incident and gathering evidence. Containment involves stopping the spread of the incident. Eradication involves removing malicious code or other threats from the system. Recovery involves restoring systems to their pre-incident state. Finally, Lessons Learned involves analyzing the incident to identify areas for improvement in order to prevent similar incidents in the future.

How would you define an incident, and what types of incidents might a company experience?
An incident is an event that has a negative impact on an organization’s security posture. Common types of incidents include data breaches, malicious code attacks, phishing attempts, and unauthorized access to systems or data. Companies should be prepared to respond to any type of incident in order to minimize the damage and restore normal operations.

What are some common indicators of compromise, and how might you detect them during an incident?
Common indicators of compromise include unusual network traffic, changes in system configurations, and unauthorized access to data. To detect these indicators during an incident, security teams can use network monitoring tools to detect unusual traffic patterns, review system logs for changes in configuration settings, and perform regular audits of user access privileges.

What is the importance of incident documentation and reporting, and how would you go about documenting an incident?
Incident documentation and reporting are essential for organizations to understand the impact of a security incident, identify potential areas of improvement, and ensure compliance with relevant regulations. To document an incident, I would collect evidence such as system logs, network traffic data, and screenshots. I would also document the timeline of events, the steps taken to contain the incident, and any other relevant information. Finally, I would create a report that summarizes the incident and provides recommendations for preventing similar incidents in the future.

What are some of the legal and regulatory requirements related to incident response, and how do they affect the incident response process?
Incident response legal and regulatory requirements vary by jurisdiction but generally require organizations to have a plan in place for responding to security incidents. These requirements also often include provisions for reporting incidents to relevant authorities and providing notifications to affected individuals. Adhering to these regulations can help ensure that organizations are able to effectively respond to incidents in a timely manner, while also protecting the privacy of those affected.

What is the difference between an incident response plan and a disaster recovery plan, and how might they be used together?
The main difference between an incident response plan and a disaster recovery plan is that an incident response plan focuses on responding to and mitigating the effects of a security incident, while a disaster recovery plan focuses on restoring systems and services after a major disruption. An incident response plan and a disaster recovery plan can be used together to ensure that an organization is prepared for any type of security event or disruption. The incident response plan outlines the steps to take in the event of an attack, while the disaster recovery plan outlines how to restore systems and services in the aftermath.

How would you prioritize incidents and allocate resources during an incident response, and what factors might you consider?
I would prioritize incidents based on the severity of the incident and the potential impact it could have on the organization. I would consider factors such as the type of incident, how quickly it needs to be addressed, and what resources are available to address it. Additionally, I would assess the risk associated with each incident and allocate resources accordingly.

How would you communicate with stakeholders during an incident, and what information should be included in those communications?
I would communicate with stakeholders during an incident by providing timely updates and relevant information. I would ensure that the information is clear, concise, and easy to understand. I would also include details such as the current status of the incident, any steps taken to mitigate the issue, and any potential risks or impacts associated with the incident.

What is the role of continuous monitoring in incident response, and how might you use it to detect and respond to incidents more effectively?
Continuous monitoring is an important part of incident response, as it allows organizations to proactively detect and respond to security incidents. By regularly scanning for malicious activity, organizations can identify potential threats before they become a major issue. Additionally, continuous monitoring can help organizations develop better incident response plans by providing visibility into the current state of their systems and networks. This visibility can help organizations quickly identify and respond to incidents more effectively.