Chapter 17- Preventing and Responding to Incidents Flashcards
- What is the primary goal of incident response?
To minimise the impact on the organisation.
- What is an incident?
An incident is an unplanned interruption to an IT service or a reduction in the quality of an IT service.
• An incident is any event that has a negative effect on the confidentiality, integrity or availability of an organisation’s asset.
- What is a security incident?
A security incident is an event that may indicate that an organisation’s systems or data have been compromised or that measures put in place to protect them have been bypassed.
- List the methods of detecting incidents:
Intrusion detection and prevention systems
• Anti-malware software
• Automated tools scanning audit logs
• End users detecting unusual activities
- What are designated incident response teams called:
Computer Incident Response Team (CIRT) or Computer Security Incident Response Team (CSIRT).
- Describe mitigation steps for incident response:
Mitigation steps attempt to contain an incident. In some cases, responders take steps to mitigate the incident, but without letting the attacker know that the attack has been detected. This allows security personnel to monitor the attacker’s activities and determine the scope of the attack.
- Describe Incident Reporting:
Incident reporting refers to reporting an incident within the organisation and to organisations and individuals outside the organisation.
- What is Recovery in the incident response steps?
After investigators collect all appropriate evidence from a system, the next step is to recover the system, or return it to a fully functioning state. The most secure method of restoring a system after an incident is to completely rebuild the system from scratch.
- What is Remediation in Incident Response?
In the remediation stage, personnel look at the incident and attempt to identify what allowed it to happen, then implement methods to prevent it from happening again, e.g. by root cause analysis.
- What is root cause analysis?
Root cause analysis is used in incident response to examine the incident and determine what allowed it to happen.
- What are lessons learned?
Personnel examine the incident response and look for areas where the response can be improved. Based on the findings, the team may recommend changes to procedures, the addition of security controls, or even changes to policies.
- List some preventive measures:
Keep systems and applications up to date
• remove or disable unneeded services and protocols
• use intrusion detection and prevention systems
• use up to date anti-malware software
• Use firewalls
• Implement configuration and system management processes.
- Computers in a botnet are referred to as:
bots or zombies
- What is a bot herder?
A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and-control servers.
- What are zombies?
A zombie is a malicious program installed on a device that transforms the device into a zombie that attacks systems. Zombies can be programmed to contact the server periodically, remain dormant until a specific programmed date and time, or activate in response to an event, such as when specific traffic is detected.
- List methods of protecting the system from botnets:
Use a defence-in-depth strategy, implementing multiple layers of security.
• Up-to-date malware protection
• Up-to-date patches
• Keep browsers and plugins up to date
• Use sandboxing on browsers
- What is a Distributed Reflective Denial-of-Service (DRDoS)?
A Distributed Reflective Denial-of-Service attack manipulates traffic or a network service so that the attack is reflected back to the victim from other sources, e.g. Domain Name System (DNS) poisoning attacks and smurf attacks.
- What is a SYN flood attack?
A SYN flood attack occurs when attackers send multiple SYN packets but never complete the connection with the ACK.
• The attack can consume available memory and processing power, resulting in the victim slowing to a crawl or actually crashing.
- List ways of stopping SYN flood attacks:
Using SYN cookies, firewalls, IDSs and IPSs.
- What are smurf and fraggle attacks?
They are DoS attacks.
• A smurf attack is a spoofed broadcast ping request using the IP address of the victim as the source IP address.
• A smurf attack is another type of flood attack, but it floods the victim with Internet Control Message Protocol (ICMP) echo packets instead of TCP SYN packets.
- What are fraggle attacks?
The fraggle attack will broadcast a UDP packet using the spoofed IP address of the victim. All systems on the network will then send traffic to the victim, just as with a smurf attack.
• Fraggle attacks are similar to smurf attacks, but instead of using ICMP, fraggle attacks use UDP ports 7 and 19.
- What is a Ping of Death (PoD) attack?
A Ping of Death (PoD) attack is a denial-of-service (DoS) attack in which the attacker aims to disrupt a targeted machine by sending a packet larger than the maximum allowable size, causing the target machine to freeze or crash.
- What is a teardrop attack?
An attacker fragments traffic in such a way that the receiving system is unable to reassemble the data packets.
- What is a land attack?
A land attack occurs when an attacker sends spoofed SYN packets with the victim’s address as both the source and destination IP address.
- How can you protect against land attacks?
Patching, and filtering traffic to detect packets with identical source and destination addresses.
- What is a zero-day attack?
A zero-day attack is an attack on a system that exploits a vulnerability unknown to others.
- List 3 instances of zero-day attacks:
Attacker first discovers a vulnerability.
• Vendor learns of the vulnerability.
• Vendor releases a patch. However, organisations often take time to evaluate and test a patch before applying it, resulting in a gap between when the vendor releases the patch and when administrators apply it.
- How to protect systems against zero-day exploits?
Ensure that you are not running unneeded services and protocols.
• Enable network-based and host-based firewalls
• Use IDSs and IPSs
- What is Exploit Wednesday?
Exploit Wednesday refers to attackers reverse-engineering newly released patches to understand them, and then exploiting the vulnerabilities those patches fix the next day.
- What is malicious code?
Malicious code is any script or program that performs unwanted, unauthorised, or unknown activity on a computer system.
- List some types of malicious code:
Viruses, worms, trojan horses, destructive macros, and logic bombs.
- What is a drive-by download?
A drive-by download is code downloaded and installed on a user’s system without the user’s knowledge.
• Attackers modify the code on a web page, and when the user visits, the code downloads and installs malware on the user’s system without the user’s knowledge or consent.
- What is a Man-in-the-middle (MITM) attack?
A man-in-the-middle attack occurs when a malicious user can logically gain a position between two endpoints of an ongoing communication.
- List 2 types of man-in-the-middle (MITM) attacks:
One involves copying or sniffing traffic between two parties (sniffer attack).
• The other involves the attacker positioning themselves in the line of communication.
- What is employee sabotage?
Employee sabotage is a criminal act of destruction or disruption committed against an organisation by an employee.
- How to safeguard against employee sabotage:
Intensive auditing, monitoring for abnormal or unauthorised activity, keeping lines of communication open between employees and managers, and properly compensating and recognising employees for their contributions.
- What is Espionage?
Espionage is the malicious act of gathering proprietary, secret, private, sensitive or confidential information about an organisation.
- List some countermeasures for espionage:
Countermeasures against espionage are to strictly control access to all non-public data, thoroughly screen new employee candidates, and efficiently track all employee activities.
- What is intrusion detection?
Intrusion detection is a specific form of monitoring that examines recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.