Module 4: CSIRT Flashcards
What does CSIRT stand for
Computer Security Incident Response Team (CSIRT)
What is the primary job function of CSIRT
To receive, review, and respond to reports of computer security incidents
What does an Incident Response Team help an organization do
Recover from computer security breaches and threats
What is the goal of a CSIRT
- Manage the security problems
- Reduce and control the damage
- Provide effective response and recovery
Why is a clear vision for the CSIRT needed
A vision acts as a guiding principle for teams and helps them remain focused to achieve a predefined business objective.
What is the purpose of a CSIRT Mission Statement
States what the team is trying to achieve and for whom
What is a CSIRT’s constituency
The set of users, sites, networks, or organizations the CSIRT serves, usually defined by organizational boundary, domain, or network range rather than by geography alone.
For example, the constituency of Gulfstream's team could be "Gulfstream Aerospace Corporation" and the "gulfstream.com" domain
What type of issues does a CSIRT constituency have to face
- Overlapping constituencies (have clear rules about which team provides which services)
- Relationship to the constituency (the CSIRT's level of authority over it)
- Promoting the CSIRT to the constituency (how the team is viewed by the people it serves)
- Gaining the constituency's trust
What is a full constituency relationship
The CSIRT has full authority to make decisions on behalf of its constituency
What is a shared constituency relationship
The CSIRT provides direct support to its constituents and shares the decision-making with them
What is a none constituency relationship
The CSIRT has no authority over its constituents and acts only in an advisory role
TRUE or FALSE: With the many different CSIRTs around the world, it is not encouraged for them to cooperate with one another in order to get their jobs done.
FALSE
Cooperation and coordination are at the heart of the CSIRT framework; incidents routinely cross organizational and national boundaries
What is an internal CSIRT
Offers incident handling services to their parent organization
What is a national CSIRT
Provides services to an entire nation
What is a coordination center
They coordinate and facilitate the handling of incidents across multiple CSIRTs
What is an analysis center
Synthesizes data from many sources to identify trends and patterns, provide early warning, and predict future activity
What are vendor teams
Teams within a product vendor that receive, track, and coordinate the handling of vulnerability reports for the vendor's own products
What do Incident Response Providers do
Provide incident handling services to clients on a fee basis
What steps need to be done to create a CSIRT
- Obtain management’s support and buy-in
- Determine the CSIRT strategic plan
- Gather relevant information
- Design the CSIRT vision
- Communicate the CSIRT vision and operational plan
- Begin CSIRT implementation
- Announce the operational CSIRT
- Evaluate CSIRT effectiveness
TRUE or FALSE: It is important to get management support for creating a CSIRT. (or for creating any project)
TRUE
They can approve the funding that makes it happen
What relevant information needs to be gathered for a CSIRT
The expectations, strategic direction, definitions, and responsibilities of the CSIRT
When designing the CSIRT vision what is the main focus
To communicate clearly the definition of the CSIRT and what is expected from it.
*The ultimate goal is to provide response to incidents
Why must you design the CSIRT's vision and communicate it to management
Because the plan may need to be modified, and the discussion often surfaces information that was missed during the information-gathering process
What are some steps that need to occur when implementing a CSIRT
- Hiring staff
- Purchasing equipment
- Developing policies
- Developing an incident-tracking system
- Developing incident-tracking guidelines and forms
Who needs to announce to the organization that the organization has a CSIRT now
Management
According to EC Council, what is the role of a CSIRT
To provide IT security services such as prevention, detection, correction, and awareness building to their constituency
What services does the CSIRT provide
- Prevention
- Detection
- Correction
- Awareness raising
A few common roles in an Incident Response Team are
- Incident Coordinator (IC) - (Acts as the link between the groups involved)
- Incident Manager (IM) - (Handles the incident from both a management and a technical point of view)
- Incident Analyst (IA) - (Analyzes the incident, eradicates the threat, and recovers the affected systems)
- Constituency - (Stakeholders in the incident)
- Administration - (Ensures office operations return to normal)
- HR - (Responsible for the human aspects of the incident)
- Public Relations - (Responsible for communications with stakeholders and the public)
What are the three categories of CSIRT services
- Reactive services
- Proactive services
- Security quality management services
How does a reactive service work
Triggered by an event or a request, such as a reported compromise or a detected attack; it identifies and remediates threats to the constituency's systems
What are the reactive services that are provided
- Alerts and warnings
- Incident handling
- Vulnerability handling
- Artifact handling (an artifact is any file or object found on a system that may be involved in an attack, such as a malware sample)
How does a proactive service work
Prevents incidents before they occur and reduces the impact and scope of those that do
What are the proactive services that are provided
- Announcements
- Technology Watch
- Security Audits or Assessments
- Configuration and Maintenance of Security Tools, Applications, Infrastructures, and Services
- Development of Security Tools
- Intrusion Detection Services (IDS)
- Security-related information dissemination
How does a security quality management service work
They augment the existing security services of other parts of the organization by feeding back the lessons learned while responding to incidents, so the overall security program improves
What are the security quality management services that are provided
- Risk analysis
- Business Continuity and Disaster Recovery Planning
- Security Consulting
- Awareness building
- Education/training
- Product evaluation or certification
What is the difference between policy and procedure
A policy states the governing principles the organization and its teams adopt
Procedures define how a team performs its activities within the limits the policy sets
How is a policy defined
- Attributes (important and necessary characteristics of a particular subject area)
- Content (behavior in a specific subject area)
- Validation (checks whether the ideas can be put into practice)
- Implementation, maintenance, and enforcement
How a CSIRT handles a case
- Keep a log book (FIR)
- Inform the appropriate people (for example, Danny or the end user)
- Maintain a list of contacts (Kenny Quick, Chris Mitchell)
- Release the information (emailing the end user)
- Follow-up analysis (second-level review from another shift or a peer)
- Report (send a report to Dave and Sheryl)
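The case-handling steps above, together with the artifact handling service listed under reactive services, as an added worked example in Python; this is not code from the original flashcards or from EC-Council. The case ID, analyst names, contact addresses and artifact bytes are all constructed, and chaining each log entry to the previous one with SHA-256 (so an edited or deleted entry is detectable at review time) is a design choice of this example, not something the flashcards prescribe.

```python
# Added example (not from the original flashcards): a small incident case
# log book that walks through the case-handling steps as methods. The
# SHA-256 hash chain for tamper evidence is this example's own design choice.
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, used for artifact fingerprints and for the log chain."""
    return hashlib.sha256(data).hexdigest()


class IncidentCase:
    """Append-only log book for one incident."""

    GENESIS = "0" * 64  # 'previous hash' of the very first entry

    def __init__(self, case_id: str, handler: str, contacts: dict):
        self.case_id = case_id
        self.handler = handler      # analyst who opened the case
        self.contacts = contacts    # role -> address, maintained before incidents
        self.entries = []
        self.reviewed_by = None
        self.status = "open"
        self._append("opened", {"handler": handler}, handler)

    def _append(self, kind: str, detail: dict, actor: str) -> dict:
        """Append one entry whose hash covers its content and the previous hash."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "kind": kind,
            "actor": actor,
            "detail": dict(detail),
            "prev": prev,
        }
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    # Step: keep a log book
    def log(self, note: str, actor: str) -> dict:
        return self._append("note", {"note": note}, actor)

    # Artifact handling: fingerprint the object before anyone works on it
    def record_artifact(self, name: str, data: bytes, actor: str) -> str:
        digest = sha256_hex(data)
        self._append("artifact", {"name": name, "sha256": digest,
                                  "size": len(data)}, actor)
        return digest

    # Steps: inform the appropriate people / release information, using the
    # contact list. An unknown role is an error, not a silently skipped notice.
    def notify(self, role: str, message: str, actor: str) -> str:
        address = self.contacts[role]  # KeyError if the role was never listed
        self._append("notify", {"role": role, "to": address,
                                "message": message}, actor)
        return address

    # Step: follow-up analysis by a peer or another shift, never the handler
    def follow_up_review(self, reviewer: str, findings: str) -> None:
        if reviewer == self.handler:
            raise ValueError("second-level review must come from a peer or another shift")
        self.reviewed_by = reviewer
        self._append("review", {"findings": findings}, reviewer)

    # Step: report, only after the review exists; closes the case
    def report(self, recipients: list, actor: str) -> dict:
        if self.reviewed_by is None:
            raise RuntimeError("report requires a completed follow-up review")
        summary = {
            "case_id": self.case_id,
            "handler": self.handler,
            "reviewed_by": self.reviewed_by,
            "artifacts": [e["detail"]["sha256"] for e in self.entries
                          if e["kind"] == "artifact"],
            "entries_logged": len(self.entries),
            "recipients": list(recipients),
        }
        self._append("report", summary, actor)
        self.status = "closed"
        return summary

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_demo() -> IncidentCase:
    """Constructed walk-through: made-up case, contacts and artifact bytes."""
    case = IncidentCase("IR-0001", "analyst_a", {
        "end_user": "user@example.com",      # constructed
        "manager": "manager@example.com",    # constructed
    })
    case.log("Reported: suspicious attachment opened on a workstation", "analyst_a")
    case.record_artifact("invoice.doc", b"constructed sample bytes, not malware", "analyst_a")
    case.notify("end_user", "Please disconnect the workstation from the network", "analyst_a")
    case.follow_up_review("analyst_b", "Confirmed macro dropper; no lateral movement seen")
    case.report(["manager"], "analyst_a")
    return case


if __name__ == "__main__":
    demo = run_demo()
    print(demo.status, demo.verify(), len(demo.entries))
```

Two enforced rules carry the weight here: the follow-up review must come from someone other than the handler, and no report can be issued until that review exists. Notifying a role that is not in the contact list raises KeyError on purpose, which is why the contact list is maintained before an incident rather than assembled during one.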
What does CERT stand for
Community Emergency Response Team (CERT)
Note: in the computer security context, CERT historically stood for Computer Emergency Response Team and is used interchangeably with CSIRT; the Community Emergency Response Team described here is FEMA's civilian disaster-preparedness program, a different thing
What does CERT do
Helps to train people to be better prepared to respond to emergency situations in their communities.
What does CERT-CC stand for
CERT Coordination Center (CERT/CC), operated by the Software Engineering Institute at Carnegie Mellon University; the CERT here is the Computer Emergency Response Team, not the community program
What does CERT-CC do
Responds to major security incidents and analyzes product vulnerabilities, coordinating their disclosure with vendors
What does OCTAVE stand for
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
What is OCTAVE used for
A set of tools, techniques, and methods for risk-based information security strategic assessment and planning.
What are the three OCTAVE methods
- OCTAVE Method
- OCTAVE-S
- OCTAVE-Allegro
How does the OCTAVE Method work
Uses a three-phase approach to examine organizational and technology issues
What are the 3 phases of OCTAVE Method
Phase 1. Build Asset-Based Threat Profiles
Phase 2. Identify Infrastructure Vulnerabilities
Phase 3. Develop Security Strategy and Plans
How does OCTAVE-S work
Designed for small organizations; it assumes the analysis team already knows the organization's important assets, security requirements, threats, and security practices
How does OCTAVE-Allegro work
It focuses on information assets, considering how they are used, where they are stored, transported, and processed, and how they are exposed to threats as a result
What is the CSIRT service category that artifact handling belongs to
Reactive services