Module 4: CSIRT Flashcards

1
Q

What does CSIRT stand for

A

Computer Security Incident Response Team (CSIRT)

2
Q

What is the primary job function of CSIRT

A

To review, receive, and respond to incidents

3
Q

What does an Incident Response Team help an organization do

A

Recover from computer security breaches and threats

4
Q

What is the goal of a CSIRT

A
  • Manage the security problems
  • Reduce and control the damage
  • Provide effective response and recovery
5
Q

Why is a clear vision for the CSIRT needed

A

A vision acts as a guiding principle for teams and helps them remain focused to achieve a predefined business objective.

6
Q

What is the purpose of a CSIRT Mission Statement

A

Conveys what a team is trying to achieve

7
Q

What is a CSIRT’s constituency

A

The region the CSIRT is bound to serve.

For example, the constituency of Gulfstream can be “Gulfstream Aerospace Corporation” and “gulfstream.com”.

8
Q

What type of issues does a CSIRT constituency have to face

A
  • Constituencies that overlap (have clear rules about what their services are)
  • Relationship to the constituency (level of authority)
  • Promoting the CSIRT to the constituency (how it is viewed by the public)
  • Gaining the constituency’s trust
9
Q

What is a full constituency relationship

A

The CSIRT has full authority to make any decision(s) on behalf of its constituency

10
Q

What is a shared constituency relationship

A

The CSIRT provides direct support to its constituents and shares in the decision-making process

11
Q

What is a none constituency relationship

A

The CSIRT has no authority and acts as an advisor

12
Q

TRUE or FALSE: With all the many different CSIRTs around the world, it is not encouraged for them to cooperate with one another in order to get their jobs done.

A

FALSE

Cooperation and coordination are the heart of the CSIRT framework

13
Q

What is an internal CSIRT

A

Offers incident handling services to their parent organization

14
Q

What is a national CSIRT

A

Provides services to an entire nation

15
Q

What is a coordination center

A

They coordinate and facilitate the handling of incidents across various CSIRTs

16
Q

What is an analysis center

A

Uses data synced from various sources (such as patterns) to provide early warning and to predict future activity

17
Q

What are vendor teams

A

They are teams that coordinate with organizations who report and track vulnerabilities

18
Q

What do Incident Response Providers do

A

Provide assistance regarding incident handling services to paid clients

19
Q

What steps need to be done to create a CSIRT

A
  1. Obtain management’s support and buy-in
  2. Determine the CSIRT strategic plan
  3. Gather relevant information
  4. Design the CSIRT vision
  5. Communicate the CSIRT vision and operational plan
  6. Begin CSIRT implementation
  7. Announce the operational CSIRT
  8. Evaluate CSIRT effectiveness
20
Q

TRUE or FALSE: It is important to get management support for creating a CSIRT. (or for creating any project)

A

TRUE

They can approve the funding that makes it happen

21
Q

What relevant information needs to be gathered for a CSIRT

A

The expectations, strategic direction, definitions, and responsibilities of the CSIRT

22
Q

When designing the CSIRT vision what is the main focus

A

To communicate clearly the definition and what is expected from the CSIRT.

*The ultimate goal is to provide response to incidents

23
Q

Why must you create the CSIRT’s vision and communicate it to management

A

Because you might have to modify or make changes to the plan. It also helps gain additional information that was missed during the info gathering process

24
Q

What are some steps that need to occur when implementing a CSIRT

A
  • Hiring staff
  • Purchasing equipment
  • Developing policies
  • Developing an incident-tracking system
  • Developing incident-tracking guidelines and forms
25
Q

Who needs to announce to the organization that it now has a CSIRT

A

Management

26
Q

According to EC-Council, what is the role of a CSIRT

A

To provide IT security services such as prevention, detection, correction, and awareness building to its constituency

27
Q

What services does the CSIRT provide

A
  • Awareness raising
  • Detection
  • Correction
28
Q

What are a few common roles in an Incident Response Team

A
  • Incident Coordinator (IC) - acts as a link between groups
  • Incident Manager (IM) - handles the incident from a management and technical point of view
  • Incident Analyst (IA) - eradicates and recovers from the incident
  • Constituency - stakeholder in the incident
  • Administration - ensures office operations return to normal
  • HR - responsible for the human aspect of the disaster
  • Public Relations - responsible for stakeholder communications
29
Q

What are the three categories of CSIRT services

A
  • Reactive services
  • Proactive services
  • Security quality management services
30
Q

How does a reactive service work

A

It identifies and rectifies any threats against the CSIRT systems

31
Q

What are the reactive services that are provided

A
  • Alerts and warnings
  • Incident handling
  • Vulnerability handling
  • Artifact handling (an artifact is a malicious file or object on the computer system)
32
Q

How does a proactive service work

A

It aims to prevent the occurrence of incidents and to minimize their impact and scope.

33
Q

What are the proactive services that are provided

A
  • Announcements
  • Technology watch
  • Security audits or assessments
  • Configuration and maintenance of security tools, applications, infrastructures, and services
  • Development of security tools
  • IDS
  • Security-related information dissemination
34
Q

How does a security quality management service work

A

These services are designed to include feedback and lessons learned while responding to security incidents

35
Q

What are the security quality management services that are provided

A
  • Risk analysis
  • Business continuity and disaster recovery planning
  • Security consulting
  • Awareness building
  • Education/training
  • Product evaluation or certification
36
Q

What is the difference between policy and procedure

A

Policy is the set of governing principles that the organization and its teams will adopt. Procedures define how a team performs its activities without crossing the policy limits.

37
Q

How is a policy defined

A
  • Attributes (important and necessary characteristics of a particular subject area)
  • Content (behavior in a specific subject area)
  • Validation (checks whether the ideas can be translated into real life)
  • Implementation, maintenance, and enforcement
38
Q

How does a CSIRT handle a case

A
  1. Keep a log book (FIR)
  2. Inform the appropriate people (Danny or the end user)
  3. Maintain a list of contacts (Kenny Quick, Chris Mitchell)
  4. Release the information (emailing the end user)
  5. Follow-up analysis (second-level review from another shift or a peer)
  6. Report (send a report to Dave and Sheryl)
39
Q

What does CERT stand for

A

Community Emergency Response Team (CERT)

40
Q

What does CERT do

A

Helps to train people to be better prepared to respond to emergency situations in their communities.

41
Q

What does CERT-CC stand for

A

Community Emergency Response Team Coordination Center (CERT-CC)

42
Q

What does CERT-CC do

A

Provides response to major security incidents and analyzes product vulnerabilities

43
Q

What does OCTAVE stand for

A

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

44
Q

What is OCTAVE used for

A

A set of tools, techniques, and methods for risk-based information security strategic assessment and planning.

45
Q

What are the three OCTAVE methods

A
  • OCTAVE Method
  • OCTAVE-S
  • OCTAVE-Allegro
46
Q

How does the OCTAVE Method work

A

It uses a three-phased approach to examine organizational and technology issues

47
Q

What are the 3 phases of the OCTAVE Method

A
  • Phase 1. Build Asset-Based Threat Profiles
  • Phase 2. Identify Infrastructure Vulnerabilities
  • Phase 3. Develop Security Strategy and Plans
48
Q

How does OCTAVE-S work

A

It works under the assumption that the analysis team is already aware of information about important assets, security requirements, threats, and security practices

49
Q

How does OCTAVE-Allegro work

A

It focuses on information assets to which they are connected.

50
Q

What is the CSIRT service category that artifact handling belongs to

A

Reactive services