Event and Incident Handling Flashcards
What are the roles and responsibilities of an incident responder?
As first responders to security incidents, incident responders protect an organization's valuable assets by taking immediate action to detect, prevent, and mitigate cyber threats.
What types of security breaches may you encounter as an incident responder?
Some of the common security breaches are: cross-site scripting (XSS), SQL injection attacks, denial-of-service (DoS) attacks, and man-in-the-middle attacks.
What document do you need to restore a system that has failed?
A Disaster Recovery Plan (DRP).
What is port scanning? Why is it required?
Port scanning is scanning a network to identify open ports and the services listening on them.
It is required because it lets you see the state of the network and check for unauthorized access.
What is a security incident?
An event that indicates that an organization's sensitive data has been compromised or that a security measure has failed.
What is SIEM?
Security Information and Event Management: a threat detection and incident response system that, through real-time monitoring, helps take quick preventive actions against a possible security attack.
What is the difference between HIDS and NIDS?
Both are types of Intrusion Detection System.
A HIDS is host based: it monitors a single system and identifies suspicious activity on it.
A NIDS is network based: it inspects the traffic of all the devices connected to the network it monitors.
What is automated incident response?
Automation that enables the incident response team to detect and respond to cyber threats and security incidents in real time.
What is an incident trigger?
An event signaling the possibility of a cyber threat. When incident triggers are generated, an incident responder must be aware that an attack is in progress.
What steps would you take after a cybersecurity incident occurs?
Identification:
In this step, the security incident is identified and reported to the higher authorities. The IR team tries to find the source of the security breach.
Triage and analysis:
Data is collected from various sources and analyzed further to find indicators of compromise.
Containment:
The affected systems are isolated to prevent further damage.
Post-incident activity:
This step includes documentation of information to prevent such security incidents in the future.
How to detect whether a file has changed in the system?
One way to detect whether a file has changed is to hash it (for example with MD5) and compare the hash against a previously recorded value.
What is Advanced Persistent Threat? How to handle them?
An APT is an attack in which attackers bypass an organization's security posture and remain undetected in its systems or network.
Handle them with proper access and administration controls, penetration testing, and employee awareness training.
How would you detect a storage-related security incident in the cloud?
By monitoring the storage units' metadata for malicious content.
What are the best practices to eliminate an insider attack?
Monitoring the employee behavior on systems
Conducting risk assessment
Documenting and establishing security controls and policies
Implementing secure backups and disaster recovery plans
Strict account management policies
Preventing employees from installing unauthorized software and visiting malicious sites
To detect malicious emails, what steps would you take to examine the emails’ originating IP addresses?
Searching for the IP address in the WHOIS database
Getting the sender's IP address from the header of the received mail
Opening the email to trace its header