Chapter 8 Recovery and Post-Incident Response

Question 1

Activities designed to isolate the incident and prevent it from spreading further

Answer 1

Containment

Question 2

The network is connected to the firewall and may have some limited access to other networks

Answer 2

Segmentation

Question 3

The quarantine network connects directly to the internet and has no access to other systems

Answer 3

Isolation

Question 4

• The affected systems are completely disconnected from other networks
• They may still be allowed to communicate with other compromise systems within the quarantine VLAN

Answer 4

Removal

Question 5

NIST recommends that investigators maintain a detailed evidence log that includes what?

Answer 5

• Identifying information (IE, the location, serial number, model number, hostname, MAC address and Etc)
• Name, title, and phone number of each individual who collected or handled the evidence during the investigation
• Time and date of each occurrence of evidence handling
• Locations where the evidence was stored

Question 6

What following activities are part of the security incident eradication effort?

Answer 6

• Sanitation
• Reconstruction/reimaging
• Secure disposal

Question 7

What following activities are part of the components of the validation effort?

Answer 7

• Patching
• Permissions
• Scanning
• Verify logging / communication to security monitoring

Question 8

Helps an organization identify other systems that operate that might share the same vulnerability

Answer 8

Root cause analysis

Question 9

What are the three available options to securely dispose of media containing sensitive information?

Answer 9

• Clear
• Purge
• Destroy

Question 10

• Media Sanitization Method
• Technique used to remove all user addressable storage locations for protection against simple non-invasive data recovery techniques

Answer 10

Clear

Question 11

• Media sanitization method
• Physical or logical technique that is used to render target data recovery infeasible using state-of-the-art laboratory techniques
• i.e. overriding, block erase, cryptographic erase activities, Degaussing

Answer 11

Purge

Question 12

• Media sanitization method
• Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the inability to use the media for data storage
• i.e. disintegration, pulverization, melting, and incinerating

Answer 12

Destroy

Question 13

A form of purging that uses extremely strong magnetic fields to disrupt the data stored on a device

Answer 13

Degaussing

Question 14

• Before concluding the recovery effort, incident responders should take time to verify that the recovery measures put in place were successful.
• What are the four activities that should always be included in these validation efforts?

Answer 14

1. Validate that only authorized user accounts exist on every system and application in the organization
2. Verify the permissions assigned to each account
3. Verify that all systems are logging properly
4. Conduct vulnerability scans on all systems

Question 15

Important elements that the CSIRT should cover in a post incident report include what?

Answer 15

• Chronology of events for the incident and response efforts
• Root cause of the incident
• Location and description of evidence collected during the incident response process
• Specific actions taken by responders to contain, eradicate, and recover from the incident, Including the rationale for those decisions
• Estimates of the impact of the internet on the organization and its stakeholders
• Results of post recovery validation efforts
• Documentation of issues identified during the lesson learned review

Question 16

A framework used for media sanitization
Popular categories include:
- Clear
- Purge
- Destroy

Answer 16

NIST 800-88