Module 3: Incident Response and Handling Steps Flashcards

1
Q

What can be used to detect information system security breaches

A

Intrusion Detection System (IDS)

2
Q

What are common symptoms of a security incident

A
  • Suspicious log entries
  • The IDS generates an alarm
  • Presence of unexplained user accounts on the network
  • Presence of suspicious files
  • Modified files or folders
  • Unusual services running or ports opened
  • Unusual system behavior
  • Drive icons changed or drives not accessible
  • More packets received than expected
3
Q

What is Incident Handling (IH)

A

A set of procedures for dealing with the various kinds of incidents that arise from vulnerabilities in systems

4
Q

What are the three basic functions of Incident Handling

A
  1. Incident reporting
  2. Incident analysis
  3. Incident response
5
Q

What is Incident Response (IR)

A

Identifying and responding to attacks or incidents that have compromised the personal and business information in the system

6
Q

Why is Incident Response required

A
  • Protect Systems
  • Protect Personnel
  • Efficiently use the resources
  • Address legal issues
7
Q

What are the goals of Incident Response

A
  • Examining whether or not the incident occurred
  • Limiting the impact of incident on business and network operations
  • Preventing future attacks or incidents
  • Supporting the gathering and reporting of accurate information
  • Creating guidelines and control measures for proper recovery and handling of evidence
  • Safeguarding privacy rights recognized by law and policy
  • Identifying illegal activity and taking legal action
  • Providing useful recommendations with precise reports
  • Swift detection, reporting, containment and recovery after an incident
  • Limiting the exposure and compromise of the business data
  • Securing the organization’s reputation and assets
8
Q

What is an Incident Response Plan

A

It is a set of instructions to detect and respond to an incident

9
Q

What is the team created to carry out the incident response plan

A

The Incident Response Team

10
Q

The Incident Response Plan covers

A
  • How information is passed to the appropriate personnel
  • Assessment of the incident
  • Incident containment and response strategy
  • Restoration of systems and resources
  • Documentation of the incident
  • Preservation of the evidence
  • Reporting of the incident to the appropriate personnel
11
Q

What essential prerequisites does an Incident Response Plan require

A
  • Expert teams
  • Legal review and approved strategy
  • Company’s financial support
  • Support from the top management
  • Corrective action plan
  • Physical resources
12
Q

What is the most important aspect of incident handling and response

A

Preparation

13
Q

How does preparation help the organization and incident response teams

A

It prepares them for a comprehensive risk response that includes planning, risk assessment, control implementation, and resource allocation

14
Q

What is an Incident Response Team

A

A team of experts capable of handling any computer security incidents that may occur in your organization

15
Q

What does the Incident Response Team need to prepare for an incident

A
  • Hardware and software for investigating incidents
  • Forms and report templates for investigations
  • Policies and SOPs
  • Training programs for staff to prepare for incidents
16
Q

What are the 17 steps of Incident Response and Handling

A
  1. Identification
  2. Incident Recording
  3. Initial Response
  4. Communicating the Incident
  5. Containment
  6. Formulating a Response Strategy
  7. Incident Classification
  8. Incident Investigation
  9. Data Collection
  10. Forensic Analysis
  11. Evidence Protection
  12. Notifying External Agencies
  13. Eradication
  14. Systems Recovery
  15. Incident Documentation
  16. Incident Damage and Cost Assessment
  17. Review and Update the Response Policies
17
Q

What is done in Step 1 Identification

A

An incident is analyzed for its nature, intensity, and its effects on the network and systems

18
Q

Incident identification involves

A
  • Validating an incident
  • Identifying the nature of an incident
  • Identifying and protecting the evidence
  • Logging and making a report of whatever anomalies are observed
19
Q

What actions are taken in the identification phase

A
  • Audit log collection, examination, and analysis
  • Incident Reporting and assessment
  • Collect/protect system information
  • Assign an incident severity level
  • Other systems analysis
  • Assign members to incident task force
20
Q

What is Step 2 Incident Recording

A

The process of storing the details of occurrence of an incident accurately

21
Q

What information should be recorded

A
  • The date and time the incident occurred
  • The date and time the incident was detected
  • Who reported the incident
  • Description of the incident
  • Systems involved
  • Supporting information such as error messages, log files, etc.
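Added example, not part of the course material these cards summarise: a small Python script that carries out the identification actions of card 19 (log collection, examination, severity assignment) over constructed sample log lines, flags the symptoms from card 2 (an unexplained account, an unusual listening port, a modified system file, a burst of IDS alerts) and fills in the Step 2 record fields listed above. The log layout, the approved-account and approved-port baselines, the host names and the severity rule are all assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field, asdict

# Baseline the responder already trusts; these sets are assumptions for the example.
APPROVED_ACCOUNTS = {"root", "deploy", "www-data"}
APPROVED_LISTEN_PORTS = {22, 80, 443}
WATCHED_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
IDS_ALERT_THRESHOLD = 3  # alerts from one source before we treat them as an alarm

# Constructed sample log lines in an assumed "timestamp host process: message" layout.
SAMPLE_LOGS = """\
2024-03-14T02:11:05 web01 useradd[4410]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup
2024-03-14T02:11:09 web01 sshd[4422]: Accepted password for svc_backup from 203.0.113.44 port 51522 ssh2
2024-03-14T02:12:31 web01 systemd[1]: Started update-helper.service - Listening on port 4444
2024-03-14T02:13:02 web01 audit[1]: path=/etc/passwd op=write exe=/tmp/.x uid=1004
2024-03-14T02:13:10 ids01 ids[900]: ALERT suspicious command response src=203.0.113.44 dst=10.0.0.5
2024-03-14T02:13:11 ids01 ids[900]: ALERT suspicious command response src=203.0.113.44 dst=10.0.0.5
2024-03-14T02:13:12 ids01 ids[900]: ALERT suspicious command response src=203.0.113.44 dst=10.0.0.5
2024-03-14T08:30:00 web01 cron[510]: (root) CMD (run-parts /etc/cron.hourly)
"""
# Constructed lines that should validate as "no incident".
BENIGN_LOGS = """\
2024-03-14T08:00:00 web01 systemd[1]: Started nginx.service - Listening on port 443
2024-03-14T08:00:05 web01 sshd[300]: Accepted publickey for deploy from 10.0.0.9 port 40000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
NEW_USER_RE = re.compile(r"new user: name=(?P<user>[\w.-]+)")
LISTEN_RE = re.compile(r"Listening on port (?P<port>\d+)")
FILE_WRITE_RE = re.compile(r"path=(?P<path>\S+) op=write")
IDS_RE = re.compile(r"\bALERT\b.*\bsrc=(?P<src>[\d.]+)")

@dataclass
class IncidentRecord:
    # The Step 2 fields: when it happened, when it was seen, who reported it, what and where.
    time_occurred: str
    time_detected: str
    reported_by: str
    description: str
    systems_involved: list
    severity: str
    symptoms: list = field(default_factory=list)
    supporting_evidence: list = field(default_factory=list)  # raw lines kept as backup info

def scan(log_text):
    """Map each observed symptom to the (timestamp, host, line) events behind it."""
    hits = defaultdict(list)
    ids_events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these as well
        ev = (m["ts"], m["host"], line)
        u = NEW_USER_RE.search(m["msg"])
        if u and u["user"] not in APPROVED_ACCOUNTS:
            hits["unexplained user account"].append(ev)
        p = LISTEN_RE.search(m["msg"])
        if p and int(p["port"]) not in APPROVED_LISTEN_PORTS:
            hits["unusual service or open port"].append(ev)
        f = FILE_WRITE_RE.search(m["msg"])
        if f and f["path"] in WATCHED_FILES:
            hits["modified system file"].append(ev)
        i = IDS_RE.search(m["msg"])
        if i:
            ids_events[i["src"]].append(ev)
    # A single IDS alert is noise; a burst from one source is treated as an alarm.
    for events in ids_events.values():
        if len(events) >= IDS_ALERT_THRESHOLD:
            hits["IDS alarm"].extend(events)
    return hits

def severity_for(hits):
    """High/medium/low by breadth of symptoms; a system-file change is high on its own."""
    if "modified system file" in hits or len(hits) >= 3:
        return "High"
    return "Medium" if len(hits) == 2 else "Low"

def identify_incident(log_text, detected_at, reporter):
    """Validate the incident and return the record as a dict, or None if nothing matched."""
    hits = scan(log_text)
    if not hits:
        return None
    events = sorted({e for evs in hits.values() for e in evs})
    record = IncidentRecord(
        time_occurred=events[0][0],
        time_detected=detected_at,
        reported_by=reporter,
        description="; ".join(sorted(hits)),
        systems_involved=sorted({host for _, host, _ in events}),
        severity=severity_for(hits),
        symptoms=sorted(hits),
        supporting_evidence=[line for _, _, line in events],
    )
    return asdict(record)

if __name__ == "__main__":
    import json
    print(json.dumps(identify_incident(SAMPLE_LOGS, "2024-03-14T09:00:00", "SOC shift analyst"), indent=2))
```

The earliest matching event, not the time the analyst opened the ticket, becomes the recorded time of occurrence, which is why the two timestamps from card 21 are kept separately. The same benign baseline that lets the nginx listener pass is what turns the port 4444 listener into a symptom: without a documented baseline (the preparation card 12 calls the most important step) every open port looks equally suspicious.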
22
Q

What is Step 3 Initial Response

A

The steps to be followed while responding to the incident are documented

23
Q

What is Step 4 Communicating the Incident

A

A process that helps reduce the impact of the incident by enabling better coordination between the stakeholders affected by it.

24
Q

What is Step 5 Containment

A

To reduce the loss and damage caused by an attack by limiting its scope: isolating the affected systems and cutting off the threat source before it spreads further

25
Q

What are the common techniques used in Containment

A
  • Disabling specific system services
  • Changing passwords and disabling accounts
  • Complete backups of the infected system
  • Temporary shutdown of the compromised system
  • System restoration
  • Maintaining a low profile (so the attacker is not alerted that the response has begun)
26
Q

What is the goal of Step 6 Formulating a Response Strategy

A

To determine the most appropriate response procedure for the incident

27
Q

What is the goal of Step 7 Incident Classification

A

Classifying incidents by severity as high, medium, or low

28
Q

How is an incident classified

A
  • Categorization (type of incident)
  • Priority level
  • Resource allocation
29
Q

What is the goal of Step 8 Incident Investigation

A

Identifying the perpetrators who are responsible for the occurrence of incident

30
Q

What is the investigation phase capable of determining

A
  • Who is responsible for the incident?
  • What is the reason behind the incident?
  • When did the incident occur?
  • Where exactly the incident happened?
  • How to recover from the incident?
31
Q

What are the two different phases in a computer security investigation

A
  • Data collection
  • Forensic analysis

32
Q

What is the goal of Step 9 Data Collection

A

The process of gathering known facts and evidence that are required for forensic analysis

33
Q

What types of evidence are gathered during the data collection phase

A
  • Host-based evidence
  • Network-based evidence
  • Other evidence
34
Q

What is host-based evidence

A

The evidence gathered and available on a computer system

35
Q

What is network-based evidence

A

The information gathered from the network resources

36
Q

What does other evidence consist of

A
  • Gathering personal files
  • Interviewing employees, witnesses, and character witnesses
  • Documenting the information gathered
37
Q

What is Step 10 Forensic Analysis

A

The process of analyzing and reviewing the data gathered from computer systems such as log files of the system, system files, web history files, email files, installed applications, graphic files, etc.

38
Q

Why is documentation important in forensic analysis

A

It helps the forensic examiners to file a case against the attackers during the investigation process.

39
Q

What should forensic analysis help determine

A
  • The victims and attackers of the event or incident
  • What kind of incident happened
  • When and where the incident occurred
  • What the incident has affected
  • How the events have occurred
40
Q

Why is Step 11 Evidence Protection important

A

Organizations or incident response teams need to protect the evidence to take legal action against perpetrators for intentionally attacking a computer system
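Added example, not part of the course material: Python that protects host-based evidence of the kind cards 34 and 78 describe (a log extract, a process listing, the state of a network interface) so it will stand up in the legal action this card has in mind. Each artifact is hashed as acquired, the list of hashes is sealed, and every chain-of-custody event is hash-chained to the one before it, so a later alteration of either the evidence or the record itself is detectable. The artifacts, case id and personnel names are constructed for the example.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(obj) -> bytes:
    # Deterministic serialisation so a hash never depends on dict ordering.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(artifacts, collector, collected_at, case_id):
    """Record size and SHA-256 of every artifact as acquired, then seal the list."""
    items = {name: {"sha256": sha256_hex(data), "size": len(data)}
             for name, data in artifacts.items()}
    manifest = {"case_id": case_id, "collector": collector,
                "collected_at": collected_at, "items": items, "custody": []}
    # The seal covers all item hashes, so quietly swapping an entry is detectable.
    manifest["seal"] = sha256_hex(canonical(items))
    add_custody_entry(manifest, "acquired", collector, collected_at)
    return manifest

def add_custody_entry(manifest, action, person, at):
    """Append a custody event whose hash chains to the previous event (or to the seal)."""
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else manifest["seal"]
    entry = {"action": action, "person": person, "at": at, "prev": prev}
    entry["entry_hash"] = sha256_hex(canonical(entry))
    manifest["custody"].append(entry)

def verify_artifacts(manifest, artifacts):
    """Names of artifacts (or the manifest itself) that no longer match; [] means intact."""
    bad = []
    if sha256_hex(canonical(manifest["items"])) != manifest["seal"]:
        bad.append("<manifest items edited>")
    for name, meta in manifest["items"].items():
        data = artifacts.get(name)
        if data is None or len(data) != meta["size"] or sha256_hex(data) != meta["sha256"]:
            bad.append(name)
    return bad

def verify_custody(manifest):
    """True only if every custody entry hashes correctly and links to its predecessor."""
    prev = manifest["seal"]
    for entry in manifest["custody"]:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev") != prev or sha256_hex(canonical(body)) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

# Constructed stand-ins for host-based evidence pulled from a compromised host.
ARTIFACTS = {
    "web01/auth.log": b"2024-03-14T02:11:09 web01 sshd[4422]: Accepted password for svc_backup from 203.0.113.44\n",
    "web01/ps.txt": b"PID   USER        CMD\n4477  svc_backup  /tmp/.x\n",
    "web01/ifconfig.txt": b"eth0: inet 10.0.0.5 netmask 255.255.255.0 flags=PROMISC\n",
}

def demo():
    """Acquire, seal, hand over; returns the manifest so it can be checked later."""
    m = build_manifest(ARTIFACTS, "J. Analyst (hypothetical)", "2024-03-14T09:15:00Z", "IR-2024-017")
    add_custody_entry(m, "transferred to evidence locker", "K. Custodian (hypothetical)", "2024-03-14T11:00:00Z")
    return m

if __name__ == "__main__":
    m = demo()
    print(json.dumps(m, indent=2))
    print("artifacts intact:", verify_artifacts(m, ARTIFACTS) == [])
    print("custody intact:", verify_custody(m))
```

The manifest proves only that the evidence has not changed since acquisition; it cannot prove what was acquired was complete or correct, which is why the acquisition itself is still recorded as the first custody event, naming who collected it and when. In practice the sealed manifest is also stored, or its hash is written down, somewhere the acquiring system cannot alter it.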

41
Q

Why is Step 12 Notify External Agencies important

A

External agencies provide technical assistance in recovering from the computer security incident and prevent it from happening in the future.

42
Q

What is the goal of Step 13 Eradication

A

To locate malicious objects and remove the residue of the attack.

43
Q

Who performs Step 13 Eradication

A

The Incident Response Team

44
Q

What techniques are used in the Step 13 Eradication phase

A
  • Using anti-virus
  • Installing latest patches
  • Conducting independent security audits
  • Disabling any unnecessary services
  • Tracking progress on all corrections that are required
45
Q

What happens in Step 14 Systems Recovery

A

An affected system is restored to its normal operations.

46
Q

What are the two important steps in Step 14 Systems Recovery

A
  • Determine the course of action. (Selecting the appropriate strategy to restore the system after an incident)
  • Monitor and validate the systems. (Used to make sure that the recovered systems are sanitized of incident causes)
47
Q

What should Step 15 Incident Documentation provide

A
  • Description of the security breach
  • Who handled the incident
  • When the incident was handled
  • Reasons behind the occurrence of the incident
48
Q

Why is proper documentation important

A

It is necessary for the prosecution of the offender

49
Q

How should the document prepared in Step 15 Incident Documentation be written

A
  • Concise and clear
  • Standard Format
  • Error-free
50
Q

Why should an organization perform Step 16 Incident Damage and Cost Assessment

A

Because incident damage and recovery cost play an important role in legal actions against the perpetrators

51
Q

Step 16 Incident Damage and Cost Assessment should include what costs

A
  • The loss of confidential info
  • Legal costs for investigating the case
  • Labor costs
  • System downtime
  • Cost of repair
52
Q

Why is Step 17 Review and Update the Response Policies important

A

It will reduce the impact of incident and help you to handle future incidents

53
Q

What steps can you use in Step 17 Review and Update the Response Policies

A
  • Using additional security policies
  • Update policies
  • Use lessons learned
  • Examine the organization’s computer systems regularly
54
Q

True or False: A Training and Awareness program is important for educating people on how to handle incidents

A

TRUE

55
Q

What are the four important elements of any security awareness and training programs

A
  • Designing and planning of the awareness and training program
  • Development of the training material
  • Implementation of the program
  • Measuring the effectiveness of the program
56
Q

What is the objective of Incident Management

A

To quickly restore the services of computer system into normal operations after an incident with little or no impact on the business

57
Q

What is the purpose of Incident Management

A
  • Prevent incidents and attacks by tightening the physical security of the system or infrastructure
  • Create awareness program by training employees and users
  • Monitor and test the organization’s infrastructure for weaknesses
  • Share information with other teams
58
Q

What are the five steps of Incident Management

A
  1. Preparation
  2. Protection
  3. Detection
  4. Triage
  5. Response
59
Q

What is the purpose of the Incident Management Team

A

Provides support to all users in the organization who are affected by a threat or attack

60
Q

Who is in the Incident Management Team

A
  • Executive Management
  • Staff that supports department representatives
  • Head of departments
61
Q

What is the goal of the Incident Response Team

A

To minimize the severity and impact of the incident by providing a quick, effective, and skillful response to any unexpected event involving computer systems

62
Q

Incident Response Team Members

A
  • Information Security Officer (ISO)
  • Information Technology Officer (ITOC)
  • Information Privacy Officer (IPO)
  • Network Admin
  • System Admin
  • Business App and Online Sales Officer
  • Internal Auditor
63
Q

TRUE or FALSE: The members of the team involved in incident response procedure should have excellent technical skills for the team’s success

A

TRUE

64
Q

The efficiency of an incident response team depends on what

A

Availability and response time

65
Q

How is a Centralized Incident Response Team structured

A

There is a single team responsible for response to all types of incidents in the organization.

These are considered more effective in quickly responding to an incident

66
Q

How is a Distributed Incident Response Team structured

A

Organizations have multiple IR teams that are responsible for responding to a specific type of incident or incidents in a particular department.

This model is a best fit for organizations with a distributed geographical presence and a large computing base

67
Q

How is a Coordinated Team structured

A

This model plays an advisory role and not directly responsible for incident response

68
Q

What are the 3 models that an Incident Response Team is staffed

A
  • Employee (In-house)
  • Partially Outsourced (Organizations outsource part of incident handling to obtain additional technical expertise, while keeping sensitive or confidential information in-house)
  • Fully Outsourced (Organizations completely outsource their incident response activities)
69
Q

What major factors play a key role in deciding the structure and staffing for an Incident Response Team

A
  • Cost/benefit analysis (the long-term financial investment required)
  • Availability of expertise (people who know what they are doing)
  • Size of the organization (determines the number of IR teams and team members needed)
  • Operations up-time (whether 24-hour coverage is required)
70
Q

What are the different teams to help support an Incident Response Team

A
  • Management
  • Information Security Teams
  • Telecommunications Department
  • IT Support Teams
  • Legal Department
  • Public Affairs and Media Relations Department
  • HR Department
  • Business Continuity Planning Team
  • Physical Security
71
Q

TRUE or FALSE: Incident Management is a function carried out by Incident Handling and Incident Handling is one of the services provided in Incident Response

A

FALSE

Incident Response is a function of Incident Handling which is a service provided in Incident Management

See page 162 for diagram

72
Q

TRUE or FALSE: Staying calm, Stop the incident if it is still in progress, and Document everything are just a few of the best practices for Incident Response

A

TRUE

73
Q

According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms

A

Protection

74
Q

What helps in recognizing infected hosts and separating them from the information system

A

Inspecting the processes running on the system

75
Q

Which step in the incident handling and response steps focuses on limiting the scope and extent of an incident

A

Containment

76
Q

Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out

A

Containment

77
Q

What approach in incident response focuses on developing the infrastructure and security processes before the occurrence or detection of an event or incident

A

Proactive approach

78
Q

TRUE or FALSE: The state of a network interface is considered host-based evidence

A

TRUE

79
Q

Which stage of the incident response and handling process involves auditing the system and network log files

A

Identification

80
Q

What is the purpose of the Incident Coordinator of an IRT

A

They link the groups that are affected by the incident, such as legal, human resources, the different business areas, and management