Module 9: Incident Reporting

Question 1

What is incident reporting

Answer 1

The process of reporting the information regarding the encountered security breach in a proper format

Question 2

When a breach occurs what needs to be reported

Answer 2

• Logs of unauthorized access
• Disturbances in services
• DoS
• The system used to store or process data
• Modifications in system hardware or software

Question 3

Why is it important to report an incident

Answer 3

It is able to generate assistance in responding to the incident and helps the victim to be in touch with others who have encountered similar incidents

Question 4

TRUE or FALSE: It is necessary to report an incident in order to receive technical assistance including guidance on detecting and handling the incidents

Answer 4

TRUE

Question 5

TRUE or FALSE: Reporting an incident doesn’t help with legal issues

Answer 5

FALSE

Question 6

TRUE or FALSE: Reporting an incident improves awareness on IT security issues and prevent other nuisance

Answer 6

TRUE

Question 7

What are some of the reasons why organizations do not report computer crimes

Answer 7

• Misunderstanding the scope (Assuming no one else has had this incident)
• Fear of negative publicity (Negatively impact their reputation via the media)
• Potential loss of customers (Customers lose faith in the organization)
• Desire to handle things internally
• Lack of awareness of the attack (Unaware of the methods of attack or its impact)

Question 8

Why is it a good idea to know who to report an incident to

Answer 8

Timely reporting and notification to all who need to be involved will be able to exercise their roles efficiently

Question 9

Who are some of the people you need to report an incident to

Answer 9

• Head of IT Security (Dave)
• Local Information Security Officer (Danny)
• Incident response teams in the organization (IT Forensics)
• Human Resources
• Public Affairs Officer
• Legal
• CERT

Question 10

What kind of communication methods should be used to communicate the incident to other teams

Answer 10

• E-mail
• Telephone calls
• FAX
• Online forms
• In person
• Voice mailbox, memos, bulletin boards

Pretty much any sort of communication that we have at Gulfstream

Question 11

Who needs to observe every step and sign all the documents regarding the incident which helps in legal issues

Answer 11

Incident handler

Question 12

TRUE or FALSE: Such things such as the nature of the private data involved in the incident, circumstances that revealed the incident, other individuals involved, immediate responses taken, etc. Are details that need to be reported

Answer 12

TRUE

Think of the information that we put into FIR.

Question 13

Who should collect all the facts regarding the incident

Answer 13

Incident Response Team

The SOC

Question 14

What does CERT use to keep track of incidents

Answer 14

Incident reference numbers

Question 15

How are the reference numbers selected

Answer 15

They are unique and random

Question 16

TRUE or FALSE: It isn’t necessary to include the incident reference number when coming up with an incident report instead you can just use an inhouse assigned value

Answer 16

FALSE

It is mandatory to use incident reference numbers assigned by CERT

Question 17

When emailing the CERT where must the incident reference number be

Answer 17

The subject line of any message

Question 18

How does the CERT incident reference number look

Answer 18

CERT-date-XXXX

CERT-06-0001 is an incident from 2006

Question 19

What two primary pieces of contact information should be included in an incident report

Answer 19

Email address and telephone number

Question 20

TRUE or FALSE: Hosts involved in the incident or related activity is the most obvious information to be noted

Answer 20

TRUE

Question 21

What information from the affected machine needs to be collected

Answer 21

• Hostname or IP
• Time zone
• Purpose or function of the host

Question 22

What information from the source of attach needs to be collected

Answer 22

• Hostname or IP

* Time zone

Question 23

Why is it important to include a description of the activity

Answer 23

This helps incident handlers to provide assistance specific to the incident

Question 24

What are some details that need to be included in the description of activity

Answer 24

• Date and time
• Methods of intrusion
• Tools used to attack
• Details of vulnerabilities exploited
• Source of attack
• Any other information that might be important to describe the attack

Question 25

Why are logs important

Answer 25

They help to identify the system related activities

Question 26

How can one avoid confusion when reviewing the logs

Answer 26

Removing the unnecessary log entries

Question 27

According to EC Council what should we do to sensitive information present in the logs

Answer 27

Replace them with X’s

Question 28

Why is reporting the time zone important

Answer 28

An incident can occur at one time zone and be reported in a different time zone

Question 29

To avoid misinterpretations of time zones what is used in preference

Answer 29

GMT or UTC

Question 30

TRUE or FALSE: Any inaccuracy in time should be mentioned in the report if it exceeds by a minute or two

Answer 30

TRUE

Question 31

What protocol is used to determine whether the systems are synced with the national time server

Answer 31

NTP (Network Time Protocol)

It is important to include this information in the statement

Question 32

What are the categories used by US-CERT and other federal agencies

Answer 32

CAT0 - Exercise - Reporting: N/A

CAT1 - Unauthorized Access - Reporting: Within 1 hour

CAT2 - DoS - Reporting: Within 2 hours

CAT3 - Malicious Code - Reporting: Within 1 hour if widespread across agency

CAT4 - Improper Usage - Reporting: Weekly

CAT5 - Scans/Probes/Attempted Access - Reporting: Monthly

CAT6 - Investigation - Reporting: N/A

Question 33

What is United State Internet Crime Task Force

Answer 33

A non-profit, government assist, and victim advocate agency