Incident Response

Question 1

What is the OODA Loop?

Answer 1

• “Observe, Orient, Decide, Act”
• Organizations use OODA loop to determine which incident response tools to use.

Question 2

What tools are in the Observe category of the OODA Loop?

Answer 2

• Intrusion detection systems
• Vulnerability scanners
• Availability monitoring

Question 3

What are the 4 phases of an incident response plan?

PLEASE DON’T COME PLEASE

Answer 3

1) Planning
2) Detection and analysis
3) Containment, eradication, and recovery
4) Post-incident review

Question 4

What is a cybersecurity EVENT?

Answer 4

• It is a singular occurrence of a change in a system or network.
• Examples include: network scans and failed login attempts that are stopped before the system is compromised.
• The change in network may come from inside or outside the organization and may result from normal operation, error, or fraud.
• It’s NOT a malicious or evil thing!

Question 5

What is a cybersecurity INCIDENT?

Answer 5

• It involves a violation of security policies, procedures, or acceptable use policies.
• It has a negative effect on the confidentiality, integrity, or availability of an organization’s data or systems.
• There is MALICIOUS INTENT and EVIL here!

Question 6

What is a post-incident analysis of a security incident?

Answer 6

It is an analysis that is part of an advisory (consulting) engagement and is done in order to develop recommendations for decision making

Question 7

What are 3rd party losses?

Answer 7

They are losses suffered by customers and business partners

Question 8

What is the job of an incident response manager?

Answer 8

• His job is to oversee all incident response team activity.
• This activity includes the detection, analysis, and containment of an incident.
• Communicate incident response requirements to relevant stakeholders
• Test the incident response plan at least annually
• Take corrective action when the incident response plan is not followed

Question 9

What responsibility does an incident response manager have?

Answer 9

• Communicate incident response requirements to relevant stakeholders
• Declare when an incident has occurred
• Test the incident response plan annually

Question 10

Why should an incident response plan include the organization’s cybersecurity insurance policy number/info?

Answer 10

• Because an insurance policy transfers the risk of loss to the insurance company in exchange for insurance premiums.
• Cybersecurity insurance covers 1st party losses (costs incurred directly by the organization) and 3rd party losses (liabilities owed to external people).

Question 11

Which group selects members for the incident handling and incident response teams?

Answer 11

Senior management

Question 12

What are the 3 staffing models for incident response plans?

Answer 12

• In-house staffed
• Partially outsourced
• Fully outsourced

Question 13

How can internal and external auditors evaluate if an entity responded to cybersecurity incidents?

Answer 13

They can do so in accordance with a documented incident response plan

Question 14

What are goals of incident response plans?

Answer 14

To ensure proper reporting

Question 15

What are some pre-incident services offered by cybersecurity insurance companies?

Answer 15

• Self-assessments
• Online training
• Consultations
• Incident response planning