Module 4 Flashcards
4 steps of the incident response life cycle
from NIST 800-61 R2
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
what are the 4 functional impact categories and explain them
- None
- Low
- Medium
- High
what are the four informational impact categories
- None
- privacy breach
- proprietary breach
- integrity loss
list 7 incident attack vectors
- External/Removable media
- attrition - brute force methods
- web
- improper usage - resulting from a violation of acceptable use policies
- loss or theft of equipment
- other - this attack does not fit in the other categories
what incident response life cycle step do the actions below belong in
- choosing a containment strategy
- evidence gathering and handling
- identify the attacking hosts
- eradication and recovery
containment, eradication, and recovery
what part of the incident life cycle do these actions belong to
- lessons learned
- using collected incident data
- evidence retention
Post-Incident Activity
what is CSIRT
computer security incident response team
what is the function of CSIRT
responsible for providing incident response services to part or all of the organization
define incident response plan
provides the roadmap for implementing the incident response capabilities - provides foundation for the response policy
define incident response policy
policy governing incident response is highly individualized to the organization
define incident procedures
SOP (standard operating procedures)
what are some parties your incident response team might be communicating with
- other incident response teams
- internet service provider
- incident reporters
- law enforcement agencies
- software and support vendors
- customers, constituents, and media
the impact categories low, medium, and high are based on what standard?
FIPS 199
what is the acronym FIPS
Federal Information Processing Standards
what functional impact category would the definition below belong to:
minimal effect: the organization can still provide all critical services to all users but has lost efficiency
Low
what functional impact category would the definition below belong to:
organization has lost the ability to provide a critical service to a subset of system users
Medium
what functional impact category would the definition below belong to:
organization is no longer able to provide some critical services to any users
High
what Information impact category would this definition belong to:
sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc. was accessed or exfiltrated
privacy breach
what Information impact category would this definition belong to:
unclassified proprietary information such as Protected Critical Infrastructure Information (PCII) was accessed or breached
proprietary breach
what Information impact category would this definition belong to:
sensitive or proprietary information was changed or deleted
integrity loss
attack vectors like those below would belong to what step of the incident response/security life cycle: external/removable media, attrition, web, email, impersonation, improper usage
detection and analysis
what incident response step would the items/actions below belong to: port list, current baseline, laptops, contact information, incident reporting mechanism, war room
preparation
what step in the incident response cycle do these actions belong to:
- evidence gathering and handling
- identifying the attacking hosts
- eradication and recovery
containment, eradication and recovery