Module 9: Incident Reporting Flashcards
What is incident reporting
The process of reporting the information regarding the encountered security breach in a proper format
When a breach occurs what needs to be reported
- Logs of unauthorized access
- Disturbances in services
- DoS
- The system used to store or process data
- Modifications in system hardware or software
Why is it important to report an incident
It generates assistance in responding to the incident and helps the victim get in touch with others who have encountered similar incidents
TRUE or FALSE: It is necessary to report an incident in order to receive technical assistance including guidance on detecting and handling the incidents
TRUE
TRUE or FALSE: Reporting an incident doesn’t help with legal issues
FALSE
TRUE or FALSE: Reporting an incident improves awareness of IT security issues and prevents other nuisances
TRUE
What are some of the reasons why organizations do not report computer crimes
- Misunderstanding the scope (Assuming no one else has had this incident)
- Fear of negative publicity (Negatively impact their reputation via the media)
- Potential loss of customers (Customers lose faith in the organization)
- Desire to handle things internally
- Lack of awareness of the attack (Unaware of the methods of attack or its impact)
Why is it a good idea to know who to report an incident to
Timely reporting and notification ensure that all who need to be involved can exercise their roles efficiently
Who are some of the people you need to report an incident to
- Head of IT Security (Dave)
- Local Information Security Officer (Danny)
- Incident response teams in the organization (IT Forensics)
- Human Resources
- Public Affairs Officer
- Legal
- CERT
What kind of communication methods should be used to communicate the incident to other teams
- Telephone calls
- FAX
- Online forms
- In person
- Voice mailbox, memos, bulletin boards
Pretty much any sort of communication that we have at Gulfstream
Who needs to observe every step and sign all the documents regarding the incident, which helps with legal issues
Incident handler
TRUE or FALSE: Things such as the nature of the private data involved in the incident, the circumstances that revealed the incident, other individuals involved, immediate responses taken, etc. are details that need to be reported
TRUE
Think of the information that we put into FIR.
Who should collect all the facts regarding the incident
Incident Response Team
The SOC
What does CERT use to keep track of incidents
Incident reference numbers
How are the reference numbers selected
They are unique and random
TRUE or FALSE: It isn’t necessary to include the incident reference number when writing an incident report; instead you can just use an in-house assigned value
FALSE
It is mandatory to use incident reference numbers assigned by CERT
When emailing the CERT where must the incident reference number be
The subject line of any message
How does the CERT incident reference number look
CERT-date-XXXX
CERT-06-0001 is an incident from 2006
What two primary pieces of contact information should be included in an incident report
Email address and telephone number
TRUE or FALSE: Hosts involved in the incident or related activity are the most obvious information to be noted
TRUE
What information from the affected machine needs to be collected
- Hostname or IP
- Time zone
- Purpose or function of the host
What information from the source of attack needs to be collected
- Hostname or IP
- Time zone
Why is it important to include a description of the activity
This helps incident handlers to provide assistance specific to the incident
What are some details that need to be included in the description of activity
- Date and time
- Methods of intrusion
- Tools used to attack
- Details of vulnerabilities exploited
- Source of attack
- Any other information that might be important to describe the attack
Why are logs important
They help to identify system-related activities
How can one avoid confusion when reviewing the logs
Removing the unnecessary log entries
According to EC-Council, what should we do with sensitive information present in the logs
Replace it with X’s
Why is reporting the time zone important
An incident can occur in one time zone and be reported in a different time zone
To avoid misinterpretations of time zones what is used in preference
GMT or UTC
TRUE or FALSE: Any inaccuracy in time should be mentioned in the report if it exceeds a minute or two
TRUE
What protocol is used to determine whether the systems are synced with the national time server
NTP (Network Time Protocol)
It is important to include this information in the statement
What are the categories used by US-CERT and other federal agencies
CAT0 - Exercise - Reporting: N/A
CAT1 - Unauthorized Access - Reporting: Within 1 hour
CAT2 - DoS - Reporting: Within 2 hours
CAT3 - Malicious Code - Reporting: Within 1 hour if widespread across agency
CAT4 - Improper Usage - Reporting: Weekly
CAT5 - Scans/Probes/Attempted Access - Reporting: Monthly
CAT6 - Investigation - Reporting: N/A
What is the United States Internet Crime Task Force
A non-profit, government-assist, and victim-advocate agency