CNS PreFinals Flashcards
is an unexpected event occurring when an attack, whether natural or human-made, affects information resources and/or assets, causing actual damage or disruption to a business’s assets.
incident
is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
incident response plan (IRP)
the set of procedures, policies, and guidelines that commence at the detection of an incident
incident response (IR).
- It is important to point out that an IRP is one of three major components of ____.
contingency plan (CP)
three major components of contingency plan (CP).
Incident Response
Disaster Recovery
Business Continuity
Personnel and Plan Preparation
- In a large business or organization, the delegation of tasks is essential to maintaining effective operations. When looking at the makeup of an IRP, a __ assumes responsibility for creating it.
company’s CISO
With the aid of other managers and systems administrators on the contingency planning (CP) team, the __ should select members from each community of interest to form an independent IR team, which executes the IRP.
CISO
- __ should follow this six-step process when creating each of the three CP components [_, _, and _]:
Contingency planners
IRP, DRP, and BCP
six-step process when creating each of the three CP components [IRP, DRP, and BCP]:
- Identify the mission-or business-critical functions
- Identify the resources that support the critical functions
- Anticipate potential contingencies or disasters
- Select contingency planning strategies
- Implement the selected strategy
- Test and revise contingency plans
- Select contingency planning strategies
Regarding step four, for every incident, the CP team creates three sets of incident-handling procedures:
- During the incident
- After the incident
- Before the incident
- __: The planners develop and document the procedures that must be performed during the incident.
During the incident
- _: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.
After the incident
- _, _, or _, or _ may be hard to distinguish from an actual incident.
Incident Detection
Overloaded networks, computers, or servers; misbehaving computer systems or software packages
- _: The planners draft a third set of procedures which are tasks that must be performed to prepare for the incident.
Before the incident
- It is the responsibility of the IR team to determine whether an incident is a valid incident or just the product of “normal” system use.
Incident Detection
- Incident candidates can be detected and tracked by end-users through several means; _
Incident Detection
intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators.
- Therefore, managers must ensure IT professionals receive training to detect __
Incident Detection
possible, probable, and definite indicators.
- Possible Indicators:
- Presence of unfamiliar files
- Presence or execution of unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from a host- or network-based intrusion detection system (IDS)
- Definite Indicators:
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notification by a business partner
- Notification by a hacker
- Once an actual incident has been confirmed and properly classified, the __ needs to be directed to move from the detection phase to the reaction phase.
Incident Response
IR team
is designed to first stop the incident (if still continuing), mitigate its effects, and provide information for the recovery from the incident.
Incident Response
IR
Incident Response
- Three key steps include:
❑ Notification of Key personnel
❑ Documentation of an Incident
❑ Incident Containment strategies
Notification of Key Personnel
Incident Response
document of contact information; sequential or hierarchical roster
Alert Roster
scripted description of the incident and which components of the IRP to implement
Alert message
- Who, What, When, Where, Why, and How
Documenting an Incident
- Serves as a case study
- Improvements in IR and IRP
- Provides legal protection
- Future training simulations
Documenting an Incident
- Disabling compromised user accounts
- Reconfiguring a firewall to block the problem traffic
- Temporarily disabling the compromised process or service
- Taking down the conduit application or server—for example, the e-mail server
- Stopping all computers and network devices
❑ Incident Containment Strategies
The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets
Incident Recovery
- Incident damage assessment
Incident damage assessment
- System logs
- Intrusion detection logs
- Configuration logs
- Documentation from the actual incident
- The recovery process includes the following steps:
- Identify and resolve vulnerabilities that allowed the incident to occur and spread.
- Address the safeguards that failed to stop or limit the incident – install, replace, or upgrade them.
- Evaluate monitoring capabilities – improve detection and reporting methods, or install new monitoring capabilities.
- Restore system backups.
- Restore the services and processes in use – compromised services and processes must be examined, cleaned, then restored.
- Continuously monitor the system to prevent the incident from happening again. Don’t allow your system to become the hacker’s playground.
- Restore confidence in members of the organization by assuring them that appropriate measures have been taken to resolve the matter.
- Finally, before an organization can return to routine duties, it is management’s responsibility to see that an __ is conducted.
- Detailed examination of events from detection to final recovery.
- All parties involved give input on positives and negatives of the entire IR process.
- Management should give a summary to bring the IR team’s actions to a close.
after-action review (AAR)
Threat Statistics
*47% of browser attacks – Microsoft, Google
*Average 6110 DoS attacks per day
*28 days average vulnerability exposure
*86% of all attacks are against home users
*54% of DoS attacks world-wide against US
*69% of vulnerabilities against Web applications
*__ attacks – Microsoft, Google
47% of browser
*__ attacks per day
Average 6110 DoS
*__ average vulnerability exposure
28 days
*__ of all attacks are against home users
86%
*___ world-wide against US
54% of DoS attacks
*__ against Web applications
69% of vulnerabilities
Threats to the Enterprise
- Viruses, worms, Trojan horses
- Web site hacking
- Hackers and crackers
- Terrorist attacks
- Cyber crime and information warfare
- Effects of emerging standards and technologies
- Viruses, worms, Trojan horses
Threats to the Enterprise
- Web site hacking
Threats to the Enterprise
- Hackers and crackers
Threats to the Enterprise
- Cyber crime and information warfare
Threats to the Enterprise
- Terrorist attacks
Threats to the Enterprise
Security Challenges
*ID and prioritize opportunities to improve security effectiveness and efficiency
*Manage security in a dynamic threat environment with limited budget
*Courts and government policy expectations
*Securing Web services
*Managing identity and access privileges
- Effects of emerging standards and technologies
Threats to the Enterprise
*ID and prioritize opportunities to improve security effectiveness and efficiency
Security Challenges
*Manage security in a dynamic threat environment with limited budget
Security Challenges
*Courts and government policy expectations
Security Challenges
*Securing Web services
Security Challenges
*Managing identity and access privileges
Security Challenges
Six Step Process
- Inventory
- Risk Assessment
- ID Needs
- Support
- Execute
- Review
Inventory Environment
“The first thing we need to do is to actually __ on our computing system and understand what the relationship of each asset is to our business process”
- Prioritize assets
- Ensure critical systems are protected
- Use Enterprise Architecture
draft out all of the assets that run
understand what the relationship of each asset
Inventory Environment
- Prioritize assets
- Ensure critical systems are protected
- Use Enterprise Architecture
Risk Assessment - Portfolio
- Look at all assets
- Best Practices
- Service Levels
Risks and Costs
Risks
- Threats
- Loss of Data
Costs
- Prevention
- Data Recovery
ID Needs and Write Plan
- Define, align, and prioritize opportunities
*Vulnerability vs largest risks
*ID and define security goals
- Determine costs and ROI – Key is Impact!
ID/Define Organizational Goals
*Protect sensitive and critical information
*Prevent unauthorized access to the network
*Avoid embarrassing publicity
*Maintain uninterrupted operations
*Protect privacy
*Set a “zero-incident” culture
*Comply with federal and state regulations
Obtain Support and Approval
- Need executive champion – CIO
- Know top management priorities
- Know what the competition is doing
- Projects in line with market’s thinking
- Use federal mandates and audit findings
CIO
Chief Information Officer
Cost Planning and Portfolio Management
Zero-based Budget
Management Review
ID Problems Early
Track Initiatives
Answers …
* How am I doing?
* Am I on time?
* Within budget?
* Are there any problems or issues?
Balanced Scorecard
Plan Maintenance
* Review annually
* Compare against best practices
* Adjust as necessary
Review
Your organization experiences a sudden system crash. What should the IR team do first?
a. Restart the system immediately
b. Check for possible incident indicators
c. Ignore the crash
d. Call the software vendor
b. Check for possible incident indicators
An employee reports an unfamiliar file appearing on their desktop. What is the best response?
a. Delete the file
b. Report to the IT security team for investigation
c. Open the file to check its contents
d. Ignore it
b. Report to the IT security team for investigation
Your IDS detects unusual activity at midnight. What should you do?
a. Assume it’s a false alarm
b. Notify the IR team immediately
c. Restart the system
d. Ignore it
b. Notify the IR team immediately
A hacker claims to have access to your company’s database. What is the first step?
a. Verify the claim and check system logs
b. Pay the ransom
c. Announce the breach publicly
d. Shut down all systems permanently
a. Verify the claim and check system logs
Your company experiences a ransomware attack that encrypts critical files. What should you do first?
a. Pay the ransom to recover data
b. Disconnect affected systems from the network
c. Notify all employees to stop working
d. Restore from backups immediately
b. Disconnect affected systems from the network
A server handling financial transactions is running unusually slow. What is the best action?
a. Restart the server
b. Check for potential security breaches
c. Upgrade the hardware
d. Ignore the issue if transactions still process
b. Check for potential security breaches
A phishing email is reported by an employee. What is the best response?
a. Instruct all employees to delete similar emails
b. Report the email to the security team for analysis
c. Click the link to check if it’s harmful
d. Do nothing unless someone gets affected
b. Report the email to the security team for analysis
- An employee leaves their workstation unlocked, and someone installs unauthorized software. What should the IR team do?
a. Remove the software and warn the employee
b. Format the workstation immediately
c. Suspend the employee
d. Ignore it unless data is stolen
a. Remove the software and warn the employee
- A company detects malware spreading across multiple devices. What is the best course of action?
a. Isolate infected devices and analyze the malware
b. Reboot all machines to stop the malware
c. Continue normal operations until it affects critical data
d. Shut down the internet connection permanently
a. Isolate infected devices and analyze the malware
A network administrator discovers unauthorized access from a foreign IP address. What should they do?
a. Block the IP and check logs for further signs of compromise
b. Wait to see if further attacks happen
c. Notify employees to change their passwords immediately
d. Announce the breach on social media
a. Block the IP and check logs for further signs of compromise
After a security breach, employees are concerned about their personal data. What should management do?
a. Be transparent and provide guidance on protective measures
b. Deny any data breach happened
c. Offer compensation immediately
d. Ignore employee concerns
a. Be transparent and provide guidance on protective measures
- What is the purpose of incident containment strategies?
a. To completely eliminate all cyber threats
b. To prevent the incident from spreading
c. To notify law enforcement
d. To test new security software
b. To prevent the incident from spreading
- What is the first step in the recovery process?
a. Restore system backups
b. Identify vulnerabilities
c. Evaluate monitoring capabilities
d. Restore services
b. Identify vulnerabilities
- What does an After-Action Review (AAR) include?
a. Examination of events
b. Evaluation of IR process
c. Summary report
d. All of the above
d. All of the above
- What should be done after restoring services post-incident?
a. Remove all system logs
b. Conduct system monitoring
c. Disable all security measures
d. Ignore user feedback
b. Conduct system monitoring
- What is the potential method for incident containment?
a. Allowing unauthorized access
b. Disabling compromised accounts
c. Ignoring minor threats
d. Removing firewall restrictions
b. Disabling compromised accounts
- Which of the following is an example of incident recovery?
a. Installing new monitoring tools
b. Disabling user accounts
c. Blocking network access
d. Deleting backup files
a. Installing new monitoring tools
- What does incident damage assessment evaluate?
a. Financial impact only
b. Scope of confidentiality, integrity, and availability breach
c. Legal consequences only
d. Only hardware damage
b. Scope of confidentiality, integrity, and availability breach
- What should be the final step after handling an incident?
a. Conducting an After-Action Review
b. Ignoring the past incident
c. Shutting down the affected systems permanently
d. Upgrading all company software immediately