Module 4: CSIRT

Question 1

What does CSIRT stand for

Answer 1

Computer Security Incident Response Team (CSIRT)

Question 2

What is the primary job function of CSIRT

Answer 2

To review, receive, and respond to incidents

Question 3

What does an Incident Response Team help an organization do

Answer 3

Recover from computer security breaches and threats

Question 4

What is the goal of a CSIRT

Answer 4

• Manage the security problems
• Reduce and control the damage
• Provide effective response and recovery

Question 5

Why is a clear vision for the CSIRT needed

Answer 5

A vision acts as a guiding principle for teams and helps them remain focused to achieve a predefined business objective.

Question 6

What is the purpose of a CSIRT Mission Statement

Answer 6

Infers what a team is trying to achieve

Question 7

What is a CSIRT’s constituency

Answer 7

The region where the CSIRT is bound to serve.

Such as the constituency of Gulfstream can be “Gulfstream Aerospace Corporation” and “gulfstream.com”

Question 8

What type of issues does a CSIRT constituency have to face

Answer 8

• Constituencies that overlap (have clear rules of what their services are)
• Relationship to Constituency (level of authority)
• Promoting the CSIRT to the Constituency (how is it viewed to the public)
• Gaining Constituency Trust

Question 9

What is a full constituency relationship

Answer 9

The CSIRT has fully authority to make any decision(s) on behalf of their constituency

Question 10

What is a shared constituency relationship

Answer 10

The CSIRT provide direct support to their constituents and share in the decision-making process

Question 11

What is a none constituency relationship

Answer 11

The CSIRT have no authority and act as advisors

Question 12

TRUE or FALSE: With all the many different CSIRT’s from around the world it is not encouraged to co-operate with one another in order to get their jobs done.

Answer 12

FALSE

Cooperation and coordination is the heart of the CSIRT framework

Question 13

What is a internal CSIRT

Answer 13

Offers incident handling services to their parent organization

Question 14

What is a national CSIRT

Answer 14

Provides services to an entire nation

Question 15

What is a coordination center

Answer 15

They coordinate and facilitate the handling of the incidents across various CSIRT’s

Question 16

What is an analysis center

Answer 16

To use synced data from various sources such as patterns to provide early warning and predict future activity

Question 17

What are vendor teams

Answer 17

They are teams that coordinate with organizations who report and track vulnerabilities

Question 18

What do Incident Response Providers do

Answer 18

Provide assistance regarding incident handling services to paid clients

Question 19

What steps need to be done to create a CSIRT

Answer 19

1. Obtain management’s support and buy-in
2. Determine the CSIRT strategic plan
3. Gather relevant information
4. Design the CSIRT vision
5. Communicate the CSIRT vision and operational plan
6. Begin CSIRT implementation
7. Announce the operational CSIRT
8. Evaluate CSIRT effectiveness

Question 20

TRUE or FALSE: It is important to get management support for creating a CSIRT. (or for creating any project)

Answer 20

TRUE

They can approve the funding that makes it happen

Question 21

What relevant information needs to be gathered for a CSIRT

Answer 21

The expectations, strategic direction, definitions, and responsibilities of the CSIRT

Question 22

When designing the CSIRT vision what is the main focus

Answer 22

To communicate clearly the definition and what is expected from the CSIRT.

*The ultimate goal is to provide response to incidents

Question 23

Why must you create the CSIRT’s vision and communicate it with management.

Answer 23

Because you might have to modify or make changes to the plan. It also helps gain additional information that was missed during the info gathering process

Question 24

What are some steps that need to occur when implementing a CSIRT

Answer 24

• Hiring staff
• Purchasing equipment
• Developing policies
• Develop incident-tracking system
• Develop incident-tracking guidelines and forms

Question 25

Who needs to announce to the organization that the organization has a CSIRT now

Answer 25

Management

Question 26

According to EC Council, what is the role of a CSIRT

Answer 26

To provide IT security services such as prevention, detection, correction, and awareness building to their constituency

Question 27

What services does the CSIRT provide

Answer 27

* Awareness raising * Detection * Correction

Question 28

A few common roles in an Incident Response Team are

Answer 28

* Incident Coordinator (IC) - (Acts a link between groups) * Incident Manager (IM) - (Handles incident from management and technical POV) * Incident Analyst (IA) - (Eradicates and recovers from the incident) * Constituency - (Stakeholder in the incident) * Administration - (Ensures the office operations return to normal) * HR - (Responsible for human aspect of the disaster) * Public Relations - (Responsible for stakeholder communications)

Question 29

What are the three categories of CSIRT services

Answer 29

* Reactive services * Proactive services * Security quality management services

Question 30

How does a reactive service work

Answer 30

It identifies and rectifies any threats against the CSIRT systems

Question 31

What are the reactive services that are provided

Answer 31

* Alerts and warnings * Incident handling * Vulnerability handling * Artifact handling (a malicious file or object on the computer system)

Question 32

How does a proactive service work

Answer 32

It is to prevent the occurrence of an incident and to minimize their impact and scope.

Question 33

What are the proactive services that are provided

Answer 33

* Announcements * Technology Watch * Security Audits or Assessments * Config and Maintenance of Security Tools, Applications, Infrastructures, and services * Development of Security Tools * IDS * Security-related information dissemination

Question 34

How does a security quality management service work

Answer 34

They are designed to include feedback and lessons learned while responding to the security incidents

Question 35

What are the security quality management services that are provided

Answer 35

* Risk analysis * Business Continuity and Disaster Recovery Planning * Security Consulting * Awareness building * Education/training * Product evaluation or certification

Question 36

What is the difference between policy and procedure

Answer 36

Policy is the governing principles which the organization and teams will adopt Procedures defines the way how a team performs its activities without crossing the policy limits

Question 37

How is a policy defined

Answer 37

* Attributes (important and necessary characteristics of a particular subject area) * Content (behavior in a specific subject area) * Validation (checks the ideas on whether they can be translated into real life) * Implementation, maintenance, and enforcement

Question 38

How CSIRT handles a case

Answer 38

1. Keep a log book (FIR) 2. Inform the appropriate people (Danny or the end user) 3. Maintain a list of contacts (Kenny Quick, Chris Mitchell) 4. Release the information (Emailing the end user) 5. Follow up analysis (2nd level review from another shift or peer) 6. Report (Send a report to Dave and Sheryl)

Question 39

What does CERT stand for

Answer 39

Community Emergency Response Team (CERT)

Question 40

What does CERT do

Answer 40

Helps to train people to be better prepared to respond to emergency situations in their communities.

Question 41

What does CERT-CC stand for

Answer 41

Community Emergency Response Team Coordination Center (CERT-CC)

Question 42

What does CERT-CC do

Answer 42

To provide response to major security incidents and analyze product vulnerabilities

Question 43

What does OCTAVE stand for

Answer 43

Operationally Critical Threat, Asset, and Vulnerability Evaulation (OCTAVE)

Question 44

What is OCTAVE used for

Answer 44

A set of tools, techniques, and methods for risk-based information security strategic assessment and planning.

Question 45

What are the three OCTAVE methods

Answer 45

* OCTAVE Method * OCTAVE-S * OCTAVE-Allegro

Question 46

How does the OCTAVE Method work

Answer 46

Uses a three-phased approach to examine organizational and technology issues

Question 47

What are the 3 phases of OCTAVE Method

Answer 47

Phase 1. Build Asset-Based Threat Profiles Phase 2. Identify Infrastructure Vulnerabilities Phase 3. Develop Security Strategy and Plans

Question 48

How does OCTAVE-S work

Answer 48

It is under the assumption that the analysis team is aware of information about important assets, security requirements, threats, and security practices

Question 49

How does OCTAVE-Allegro work

Answer 49

It focuses on information assets to which they are connected.

Question 50

What is the CSIRT service category that artifact handling belongs to

Answer 50

Reactive services