Chapter 8 Recovery and Post-Incident Response Flashcards
Activities designed to isolate the incident and prevent it from spreading further
Containment
The network is connected to the firewall and may have some limited access to other networks
Segmentation
The quarantine network connects directly to the internet and has no access to other systems
Isolation
- The affected systems are completely disconnected from other networks
- They may still be allowed to communicate with other compromised systems within the quarantine VLAN
Removal
NIST recommends that investigators maintain a detailed evidence log that includes what?
- Identifying information (i.e., location, serial number, model number, hostname, MAC address, etc.)
- Name, title, and phone number of each individual who collected or handled the evidence during the investigation
- Time and date of each occurrence of evidence handling
- Locations where the evidence was stored
Which activities are part of the security incident eradication effort?
- Sanitation
- Reconstruction/reimaging
- Secure disposal
Which activities are components of the validation effort?
- Patching
- Permissions
- Scanning
- Verify logging / communication to security monitoring
Helps an organization identify other systems that might share the same vulnerability
Root cause analysis
What are the three available options to securely dispose of media containing sensitive information?
- Clear
- Purge
- Destroy
- Media Sanitization Method
- Technique used to sanitize data in all user-addressable storage locations for protection against simple, non-invasive data recovery techniques
Clear
- Media sanitization method
- Physical or logical technique that is used to render target data recovery infeasible using state-of-the-art laboratory techniques
- e.g., overwriting, block erase, cryptographic erase, degaussing
Purge
- Media sanitization method
- Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the inability to use the media for data storage
- e.g., disintegration, pulverization, melting, and incineration
Destroy
A form of purging that uses extremely strong magnetic fields to disrupt the data stored on a device
Degaussing
Before concluding the recovery effort, incident responders should take time to verify that the recovery measures put in place were successful. What are the four activities that should always be included in these validation efforts?
- Validate that only authorized user accounts exist on every system and application in the organization
- Verify the permissions assigned to each account
- Verify that all systems are logging properly
- Conduct vulnerability scans on all systems
Important elements that the CSIRT should cover in a post incident report include what?
- Chronology of events for the incident and response efforts
- Root cause of the incident
- Location and description of evidence collected during the incident response process
- Specific actions taken by responders to contain, eradicate, and recover from the incident, including the rationale for those decisions
- Estimates of the impact of the incident on the organization and its stakeholders
- Results of post recovery validation efforts
- Documentation of issues identified during the lessons learned review