Module 1 - Intro to Incident Response and Team Roles Flashcards

Upon completion of this module students will be able to:

  • Characterize the roles of help desk technicians and first responders
  • Evaluate the different roles in an incident response plan and how incident responders fill those roles
  • Critique the key elements of staffing and teaming models for incident response
  • Analyze volatile data

1
Q

Goal of Incident Response Team

A
  • Quickly respond to an incident
  • Protect the organization's top two assets (people and information)

2
Q

Defining an Incident

A

Each organization needs to define what counts as an incident for itself, based on:

  • Impact
  • Scope
  • Risk
3
Q

Components of Plan

A
  • defining an incident
  • separation of duties
  • integrated approach
  • incident response plans
  • contain contact lists
  • communication plan
  • rules and regulations, address legal issues
  • escalation procedures
  • address documentation
  • be tested and realistic
  • be endorsed by management
4
Q

Advisory Groups in IR

A
  • Should be in place to avoid “group think” from taking over

Purpose:
  • Ask questions
  • Identify technical challenges
  • Address management concerns

5
Q

Contact Lists (groups to include)

A

Internal: team members, management, stakeholders
External: ISP, Tech/Support Maintenance for hardware/software, Law Enforcement

6
Q

Rules and Regulations

A

FISMA requires Federal agencies to report incidents to the United States Computer Emergency Readiness Team (US-CERT, now part of CISA).

Releases of Personally Identifiable Information (PII) must be reported:

  • To US-CERT and Privacy Officers
  • To government agencies in certain states
  • Within a certain amount of time
7
Q

IR Team Models

A
  • Central Incident Response Team (only 1 team handles all)
  • Distributed Incident Response Teams (regionalized or segregated)
  • Coordinating Team (advising team)
8
Q

IR Staffing Models

A
  • Employees
  • Partially Outsourced
  • Fully Outsourced
9
Q

Questions for Staffing a Team

A
  • type of team
  • type of services
  • how big
  • where located
  • what groups
  • cost
10
Q

CSIRT Team Roles

A
  • manager or team lead
  • assistant managers, supervisors, or group leaders
  • hotline, help desk, or triage staff
  • incident handlers
  • vulnerability handlers
  • artifact analysis staff
  • platform specialists
  • trainers
  • technology watch
11
Q

CSIRT Secondary Roles

A
Other roles may include:
  • support staff
  • technical writers
  • network or system administrators, CSIRT infrastructure staff
  • programmers or developers (to build CSIRT tools)
  • web developers and maintainers
  • media relations
  • legal or paralegal staff or liaison
  • law enforcement staff or liaison
  • auditors or quality assurance staff
  • marketing staff
12
Q

IR Plan must be evaluated

A
  • After tests
  • After incidents (not during)

Findings from each evaluation feed back into documentation and education

13
Q

Focal Points in developing Team

A

  • Preparing: practice (policies/procedures, training)
  • Handling
  • Follow-up
