Chapter 2 mod 1

Question 1

Define Breach

Answer 1

The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose

Question 2

Define Event

Answer 2

Any observable occurrence in a network or system.

Question 3

Define Exploit

Answer 3

A particular attack. It is named this way because these attacks exploit system vulnerabilities.

Question 4

Define Incident

Answer 4

An event that actually or potentially jeopardizes the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits.

Question 5

Define Intrusion

Answer 5

A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization.

Question 6

Define Threat

Answer 6

an activity, deliberate or unintentional, with the potential for causing harm to an automated information system or activity.

Question 7

Define Vulnerability

Answer 7

Weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.

Question 8

Define Zero Day

Answer 8

A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures or methods.

Question 10

What is the top priority of any incident response?

Answer 10

The top priority of any incident response is to protect life, health, and safety, and safety is always chosen first when making decisions related to priorities.

Question 11

What is the primary goal of incident management?

Answer 11

The primary goal of incident management is to be prepared, requiring a policy and a response plan to guide the organization through a crisis.

Question 12

What term is sometimes used interchangeably with incident management to describe the process?

Answer 12

The term “crisis management” is sometimes used interchangeably with incident management to describe the process.

Question 13

define an event in the organizational context?

Answer 13

An event is defined as any measurable occurrence, and most events are harmless. However, if the event has the potential to disrupt the business’s mission, it is called an incident.

Question 14

What is the key requirement for preserving business viability and survival during an incident?

Answer 14

Every organization must have an incident response plan to help preserve business viability and survival during an incident.

Question 15

What is the ultimate aim of the incident response process?

Answer 15

The incident response process is aimed at reducing the impact of an incident, enabling the organization to resume interrupted operations as soon as possible.

Question 16

How does incident response planning relate to business continuity management (BCM)?

Answer 16

incident response planning allows the organization to handle an incident from the start.
Business continuity management keeps the organization running during the lifecycle of an incident, while disaster recovery patterns the recovery process back to normalcy

Question 17

What is the overarching goal of incident response in relation to organizational operations?

Answer 17

The overarching goal of incident response is to reduce the impact of an incident, allowing the organization to resume its interrupted operations as quickly as possible.

Question 18

What broader discipline does incident response planning fall under?

Answer 18

Incident response planning falls under the broader discipline of business continuity management (BCM).

Question 19

What role does the incident response plan play in relation to the incident response policy?

Answer 19

The incident response plan is referenced by the incident response policy, serving as a living representation that employees follow based on their role in the process.

Question 20

What aspects of the organization should shape the incident response process?

Answer 20

The organization’s vision, strategy, and mission should shape the incident response process.

Question 21

What does the incident response plan contain, and what does it represent for an organization?

Answer 21

The incident response plan may contain several procedures and standards related to incident response and represents a living representation of an organization’s incident response policy.

Question 22

What should the procedures to implement the incident response plan define?

Answer 22

The procedures to implement the incident response plan should define the technical processes, techniques, checklists, and other tools that teams will use when responding to an incident.

Question 23

What components are commonly found in the preparation phase of an incident response plan?

Answer 23

Components in the preparation phase include developing an approved policy, identifying critical data and systems, training staff, implementing an incident response team, practicing incident identification, identifying roles and responsibilities, and planning communication coordination.

Question 24

What activities are involved in the detection and analysis phase of an incident response plan?

Answer 24

Activities in the detection and analysis phase include monitoring all possible attack vectors, analyzing incidents using known data and threat intelligence, prioritizing incident response, and standardizing incident documentation.

Question 25

What are the key activities in the containment phase of an incident response plan?

Answer 25

Key activities in the containment phase include gathering evidence, choosing an appropriate containment strategy, identifying the attacker, and isolating the attack.

Question 26

What activities are part of the post-incident activity phase in an incident response plan?

Answer 26

Post-incident activities include identifying evidence that may need to be retained, documenting lessons learned, and conducting a retrospective analysis.

Question 27

What should be considered when planning the coordination of communication between stakeholders in the preparation phase?

Answer 27

The possibility that a primary method of communication may not be available should be considered when planning the coordination of communication between stakeholders.

Question 28

What is the overarching structure of the incident response plan, as mentioned in the text?

Answer 28

The incident response plan typically consists of four main phases: Preparation, Detection and Analysis, Containment, Eradication and Recovery, and Post-incident Activity.

Question 29

What is the organizational need mentioned alongside establishing a Security Operations Center (SOC)?

Answer 29

The organizational need mentioned alongside establishing a Security Operations Center (SOC) is the need to create a suitable incident response team.

Question 30

How can an incident response team be structured in terms of staffing and training?

Answer 30

An incident response team can be leveraged, dedicated, or a combination of both, depending on the requirements of the organization.

Question 31

What role do many IT professionals play in incident response?

Answer 31

Many IT professionals are classified as first responders for incidents, being the first on the scene and possessing the skills to differentiate typical IT problems from security incidents.

Question 32

How are IT professionals similar to medical first responders in their roles?

Answer 32

IT professionals, like medical first responders, have the skills and knowledge to provide assistance and differentiate between typical IT problems and security incidents.

Question 33

What specific training do IT professionals need for incident response?

Answer 33

IT professionals need specific training to determine the difference between a typical problem that needs troubleshooting and a security incident that requires reporting and addressing at a higher level.

Question 34

What is emphasized as crucial for IT professionals in distinguishing between minor and major incidents?

Answer 34

IT professionals need training to distinguish between minor and major incidents and know what actions to take when encountering a major security incident.

Question 35

How is a typical incident response team described in terms of its composition?

Answer 35

A typical incident response team is described as a cross-functional group of individuals representing the management, technical, and functional areas most directly impacted by a security incident.

Question 36

Who are potential members of an incident response team?

Answer 36

Potential members of an incident response team include representatives of senior management, information security professionals, legal representatives, public affairs/communications representatives, and engineering representatives (system and network).

Question 37

What is the role of representatives of senior management in an incident response team?

Answer 37

Representatives of senior management play a role in the incident response team by providing leadership and decision-making from a strategic perspective.

Question 38

Why is it important for an incident response team to include cross-functional members?

Answer 38

An incident response team needs cross-functional members to bring diverse skills and perspectives from management, technical, and functional areas to effectively address the impacts of a security incident.

Question 39

What training should team members have in relation to incident response?

Answer 39

Team members should have training on incident response and the organization’s incident response plan.

Question 40

What are the typical responsibilities of team members during an incident response?

Answer 40

Team members typically assist with investigating the incident, assessing the damage, collecting evidence, reporting the incident, initiating recovery procedures, participating in remediation and lessons learned stages, and contributing to root cause analysis.

Question 41

What are the common names for teams responsible for investigating computer security incidents?

Answer 41

Teams responsible for investigating computer security incidents are commonly known as computer incident response teams (CIRTs) or computer security incident response teams (CSIRTs).

Question 42

What are the four primary responsibilities of a response team when an incident occurs?

Answer 42

The four primary responsibilities of a response team when an incident occurs are: Determine the amount and scope of damage caused by the incident. Determine whether any confidential information was compromised during the incident. Implement any necessary recovery procedures to restore security and recover from incident-related damage. Supervise the implementation of any additional security measures necessary to improve security and prevent recurrence of the incident.