Chapter 8 Recovery and Post-Incident Response Flashcards

1
Q

Activities designed to isolate the incident and prevent it from spreading further

A

Containment

2
Q

Containment strategy in which compromised systems are moved to a quarantine network that is connected to the firewall and may still have limited access to other networks

A

Segmentation

3
Q

Containment strategy in which the quarantine network connects directly to the internet but has no access to other internal systems

A

Isolation

4
Q
  • Containment strategy in which the affected systems are completely disconnected from all other networks, including the internet
  • They may still be allowed to communicate with other compromised systems within the quarantine VLAN
A

Removal

5
Q

NIST recommends that investigators maintain a detailed evidence log that includes what?

A
  • Identifying information (e.g., the location, serial number, model number, hostname, MAC address, and IP address of the system)
  • Name, title, and phone number of each individual who collected or handled the evidence during the investigation
  • Time and date of each occurrence of evidence handling
  • Locations where the evidence was stored
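The four fields above are easy to keep on paper, but a log that can be quietly edited after the fact is worth little in a dispute. The following is an added example (Python, not from the page or from NIST) of a chain-of-custody log that stores the identifying information, the handler's name/title/phone, the time and the storage location for every handling event, records a SHA-256 of the collected data so later handlers can prove it is unchanged, and hash-chains each event to the previous one so a deleted or edited entry is detectable. Every name, host, serial number and the "disk image" below are constructed.

```python
"""Tamper-evident chain-of-custody log (added example; constructed data)."""
import hashlib
import json
from datetime import datetime, timezone


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    def __init__(self):
        # evidence_id -> {"identifying": {...}, "sha256": str, "events": [...]}
        self.items = {}

    def _append(self, evidence_id, action, handler, location, when):
        events = self.items[evidence_id]["events"]
        prev = events[-1]["entry_hash"] if events else "0" * 64
        when = when or datetime.now(timezone.utc)
        entry = {
            "time": when.isoformat(),
            "action": action,
            "handler": handler,        # {"name", "title", "phone"} per NIST's list
            "location": location,      # where the evidence is stored after this event
            "prev": prev,              # hash of the previous entry: the chain link
        }
        # Hash over canonical JSON so any later edit of a field breaks the chain.
        entry["entry_hash"] = _sha256(json.dumps(entry, sort_keys=True).encode())
        events.append(entry)

    def collect(self, evidence_id, identifying, data, handler, location, when=None):
        self.items[evidence_id] = {
            "identifying": identifying,   # location, serial, model, hostname, MAC, IP
            "sha256": _sha256(data),      # fingerprint of the evidence as collected
            "events": [],
        }
        self._append(evidence_id, "collected", handler, location, when)

    def transfer(self, evidence_id, handler, location, when=None):
        self._append(evidence_id, "transferred", handler, location, when)

    def verify_data(self, evidence_id, data):
        """True if `data` still matches the hash recorded at collection."""
        return _sha256(data) == self.items[evidence_id]["sha256"]

    def verify_chain(self, evidence_id):
        """True if no event was altered or removed since it was written."""
        prev = "0" * 64
        for e in self.items[evidence_id]["events"]:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            recomputed = _sha256(json.dumps(body, sort_keys=True).encode())
            if body["prev"] != prev or recomputed != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def handlers(self, evidence_id):
        return [e["handler"]["name"] for e in self.items[evidence_id]["events"]]


def demo():
    """Walk one evidence item through collection, transfer and tamper checks."""
    log = EvidenceLog()
    image = b"constructed disk image bytes, not a real acquisition"
    log.collect(
        "EV-001",
        {"location": "Rack 3, DC-East", "serial": "SN-CONSTRUCTED-1",
         "model": "Example 2U server", "hostname": "web01.example.test",
         "mac": "00:11:22:33:44:55", "ip": "10.0.0.15"},
        image,
        {"name": "A. Analyst", "title": "IR Analyst", "phone": "555-0100"},
        "Evidence locker A",
        when=datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc),
    )
    log.transfer(
        "EV-001",
        {"name": "B. Examiner", "title": "Forensic Examiner", "phone": "555-0101"},
        "Forensics lab safe",
        when=datetime(2024, 5, 1, 14, 5, tzinfo=timezone.utc),
    )
    intact = log.verify_data("EV-001", image)          # untouched image
    tampered = log.verify_data("EV-001", image + b"x")  # one byte appended
    chain_ok = log.verify_chain("EV-001")
    # Someone rewrites history: the chain check must now fail.
    log.items["EV-001"]["events"][0]["location"] = "unknown"
    chain_after_edit = log.verify_chain("EV-001")
    return intact, tampered, chain_ok, chain_after_edit, log.handlers("EV-001")


if __name__ == "__main__":
    print(demo())
```

The hash chain only proves the log is self-consistent; to prove it was not rewritten wholesale, periodically record the latest `entry_hash` somewhere the responders cannot alter (a printed log book, a write-once store, or a signed message to a third party).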
6
Q

What activities are part of the security incident eradication effort?

A
  • Sanitization
  • Reconstruction/reimaging
  • Secure disposal
7
Q

What activities are the components of the validation effort?

A
  • Patching
  • Permissions
  • Scanning
  • Verify logging / communication to security monitoring
8
Q

Helps an organization identify other systems in its environment that might share the same vulnerability

A

Root cause analysis

9
Q

What are the three available options to securely dispose of media containing sensitive information?

A
  • Clear
  • Purge
  • Destroy
10
Q
  • Media sanitization method
  • Logical technique that sanitizes data in all user-addressable storage locations to protect against simple, non-invasive data recovery techniques (e.g., a standard overwrite, or a factory reset where overwriting is not supported); data in non-addressable areas is not covered
A

Clear
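An added example (Python; not from the page or from NIST SP 800-88) of the Clear method applied to a file-backed image: one overwrite pass with a fixed pattern, an fsync, and then a full read-back verification, which is the step that separates a sanitization from a mere delete. The limitation is exactly the one the definition names: overwriting through a filesystem only reaches the blocks currently mapped to the file, so remapped sectors on a disk or wear-levelled cells on flash are never touched, which is why Purge (cryptographic erase, block erase) exists for those cases. The file contents are constructed; the example creates a temporary file and removes it afterward.

```python
"""Clear-style overwrite with read-back verification (added example)."""
import os
import tempfile

CHUNK = 64 * 1024  # write/verify in 64 KiB pieces so large images stay cheap


def overwrite_and_verify(path, pattern=b"\x00", passes=1):
    """Overwrite every byte of `path` with `pattern`, then re-read the file.

    Returns (ok, offset_checked): ok is True when every byte read back equals
    the pattern; on failure offset_checked is the first chunk offset that
    differed, otherwise the total number of bytes verified.
    """
    size = os.path.getsize(path)
    block = pattern * CHUNK
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force the pattern to the device, not just the page cache
    # Verification pass: NIST treats sanitization as incomplete without it.
    with open(path, "rb") as f:
        offset = 0
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            if data != block[:len(data)]:
                return False, offset
            offset += len(data)
    return True, size


def demo():
    """Create a constructed 'image', clear it, and report the result."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"SECRET CUSTOMER DATA " * 5000)  # constructed content
        path = tmp.name
    try:
        ok, checked = overwrite_and_verify(path)
        with open(path, "rb") as f:
            leftover = b"SECRET" in f.read()
        return ok, checked, leftover
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

On a real device you would run the equivalent against the block device itself, not a file, and still treat the result as Clear rather than Purge unless the drive's own sanitize command was used.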

11
Q
  • Media sanitization method
  • Physical or logical technique that renders target data recovery infeasible using state-of-the-art laboratory techniques (unlike Destroy, the media itself is not necessarily rendered unusable)
  • e.g., overwriting, block erase, cryptographic erase, degaussing
A

Purge

12
Q
  • Media sanitization method
  • Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the inability to use the media for data storage
  • e.g., disintegration, pulverization, melting, and incineration
A

Destroy

13
Q

A form of purging that uses extremely strong magnetic fields to disrupt the data stored on a device (effective only on magnetic media such as hard drives and tape; it does nothing to flash-based media such as SSDs)

A

Degaussing

14
Q
  • Before concluding the recovery effort, incident responders should take time to verify that the recovery measures put in place were successful.
  • What are the four activities that should always be included in these validation efforts?
A
  1. Validate that only authorized user accounts exist on every system and application in the organization
  2. Verify the permissions assigned to each account
  3. Verify that all systems are logging properly
  4. Conduct vulnerability scans on all systems
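The validation checklist above (and the shorter version in the validation-effort card) is usually done by hand at the end of an incident, which is where accounts and log sources get missed. The following is an added example (Python; not from the page) that automates three of the four items against constructed data: it parses a passwd(5)-style file, flags accounts missing from an authorized baseline, accounts whose uid or login shell drifted from the baseline, any uid-0 account other than root, and hosts whose last log event at the collector is older than a threshold. The fourth item, the vulnerability scan, is left to the scanner. The passwd excerpt, baseline, hostnames and timestamps are all constructed.

```python
"""Post-recovery validation checks (added example; constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed /etc/passwd excerpt from a rebuilt host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:1001:1001::/var/backup:/usr/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

# Constructed baseline of authorized accounts: name -> (uid, login shell).
BASELINE = {
    "root": (0, "/bin/bash"),
    "daemon": (1, "/usr/sbin/nologin"),
    "alice": (1000, "/bin/bash"),
    "svc_backup": (1001, "/usr/sbin/nologin"),
}

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Constructed "last event received" per host from the log collector; None = never.
LAST_EVENT = {
    "web01": NOW - timedelta(minutes=3),
    "db01": NOW - timedelta(hours=5),
    "web02": None,
}


def parse_passwd(text):
    """Return {name: (uid, shell)} from passwd(5)-formatted text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = (int(uid), shell)
    return accounts


def check_accounts(accounts, baseline):
    """Validation items 1 and 2: only authorized accounts, with expected permissions."""
    findings = []
    for name, (uid, shell) in accounts.items():
        if name not in baseline:
            findings.append(f"unauthorized account: {name}")
            continue
        exp_uid, exp_shell = baseline[name]
        if uid != exp_uid:
            findings.append(f"uid drift on {name}: {uid} != {exp_uid}")
        if shell != exp_shell:
            findings.append(f"shell drift on {name}: {shell} != {exp_shell}")
    for name in baseline:
        if name not in accounts:
            findings.append(f"missing expected account: {name}")
    # Any second uid-0 account is a classic persistence leftover, so report it
    # separately even when the account is already flagged as unauthorized.
    for name, (uid, _shell) in accounts.items():
        if uid == 0 and name != "root":
            findings.append(f"extra uid-0 account: {name}")
    return findings


def check_logging(last_event, now, max_silence=timedelta(minutes=15)):
    """Validation item 3: hosts that have gone quiet at the log collector."""
    return sorted(host for host, seen in last_event.items()
                  if seen is None or now - seen > max_silence)


def validate():
    """Run the checks against the constructed data and summarize."""
    findings = check_accounts(parse_passwd(PASSWD), BASELINE)
    silent = check_logging(LAST_EVENT, NOW)
    return {
        "account_findings": findings,
        "silent_hosts": silent,
        "passed": not findings and not silent,
    }


if __name__ == "__main__":
    for key, value in validate().items():
        print(key, value)
```

In practice the baseline comes from configuration management or the pre-incident golden image, and the same account check should be run across every host touched by the incident, not only the ones that were rebuilt.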
15
Q

Important elements that the CSIRT should cover in a post incident report include what?

A
  • Chronology of events for the incident and response efforts
  • Root cause of the incident
  • Location and description of evidence collected during the incident response process
  • Specific actions taken by responders to contain, eradicate, and recover from the incident, including the rationale for those decisions
  • Estimates of the impact of the incident on the organization and its stakeholders
  • Results of post-recovery validation efforts
  • Documentation of issues identified during the lessons-learned review
16
Q

A framework used for media sanitization whose categories are:
- Clear
- Purge
- Destroy

A

NIST SP 800-88 (Guidelines for Media Sanitization)