Study Guide - Chapter 12: Reporting and Communication Flashcards

1
Q

1- Why should organizations predetermine communication guidelines according to NIST?

  • To limit how many individuals know sensitive incident information
  • To ensure compliance with federal law
  • To ensure that appropriate communications are shared with the right parties
  • To ensure consistency of communications
A

To ensure that appropriate communications are shared with the right parties

NIST guidelines note that predetermined communications ensure that appropriate communications are shared with the right parties.

2
Q

Valentine is preparing a vulnerability management report. What data point will provide the greatest help in determining if patching programs are not succeeding?

  • A list of affected hosts
  • Information about recurrence
  • Prioritization information
  • Risk scores
A

Information about recurrence

Information about recurrence will help Valentine determine if there is an ongoing issue with the patching program. For example, recurrence might demonstrate that the underlying base images for systems were not being patched, resulting in vulnerabilities when new instances of an image are being deployed.

3
Q

3- Jake wants to identify stakeholders for vulnerability management communications. Which stakeholder group is most likely to want information to be available via an API instead of a written communication?

  • Security operations and oversight stakeholders
  • Audit and compliance stakeholders
  • System administration stakeholders
  • Management stakeholders
A

Security operations and oversight stakeholders

Security operations and oversight stakeholders will likely want to ingest vulnerability management data to perform data enrichment activities for other security systems. Audit and compliance, system administration, and management stakeholders are more likely to want written reports to review and use in their roles.

4
Q

4- What phase of the NIST IR cycle does communication to stakeholders occur in?

  • Detection and Analysis
  • Containment, Eradication, and Recovery
  • Post‐Incident Activity
  • All cycles include communication with stakeholders.
A

All cycles include communication with stakeholders.

Communication with stakeholders should occur during all phases of the NIST IR cycle to ensure that they are aware and participating as required.

5
Q

7- Ian wants to ensure that patches are installed as part of a baseline for his organization. What type of tool should he invest in as part of his overall action plan for remediation?

  • A vulnerability scanner
  • A configuration management tool or system
  • A baseline configuration scanner
  • An endpoint detection and response (EDR) tool
A

A configuration management tool or system

Ian’s desire to ensure patches across his infrastructure points to a need for a configuration management tool that can be used to deploy patches at scale. A vulnerability scanner doesn’t install patches, baseline configuration scanners help determine whether the baseline is being met but won’t help maintain the baseline, and EDR is used to detect malicious software and activity, not to patch or maintain a patch level.

6
Q

9- Jaime is concerned that her organization may face multiple inhibitors to remediation. Which of the following inhibitors to remediation is most often associated with performance or uptime targets?

  • Organizational governance
  • Legacy systems
  • Memorandums of understanding
  • Proprietary systems
A

Memorandums of understanding

Memorandums of understanding (MOUs) are often associated with performance or uptime targets that may not be met if systems are taken offline for patching. Jaime should review her infrastructure designs, MOUs, and patching processes to determine if they are all appropriate to what her organization can accomplish and needs to do to stay secure.

7
Q

13- Michelle is performing root cause analysis. Which of the following is not one of the four common steps in an RCA exercise?

  • Documenting the root cause analysis using a chart or diagram
  • Establishing a timeline of events
  • Determining which individual or team was responsible for the problem
  • Identifying the problems and events that occurred during the event and describing them as completely as possible
A

Determining which individual or team was responsible for the problem

Root cause analysis exercises are not designed or intended to determine who to blame. Instead, they focus on identifying the root cause so that it can be remediated.

8
Q

15- After testing, Jim’s team has determined that installing a patch will result in degraded functionality due to a service being modified. What should Jim suggest to address this inhibitor to remediation?

  • Take the change through organizational governance.
  • Identify a compensating control.
  • Replace the legacy system.
  • Update the service level agreement.
A

Identify a compensating control.

The best option that Jim has will likely be to identify a compensating control. This may not be a suitable solution in the long term, and Jim’s organization may need to change their service or design to allow for the security fix to be put in place. Organizational governance won’t change the functional impact, no legacy system is mentioned, nor is there an SLA listed in the question.

9
Q

17- An incident report is typically prepared in what phase of the NIST incident response cycle?

  • Detection and Analysis
  • Post‐Incident Activity
  • Preparation
  • Containment, Eradication, and Recovery
A

Post‐Incident Activity

Post‐Incident Activity typically includes the incident report in the NIST IR life cycle.

10
Q

18- The security team that Chris works on has been notified of a zero‐day vulnerability in Windows Server that was released earlier in the morning. Chris’s manager asks Chris to immediately check recent vulnerability reports to determine if the organization is impacted. What should Chris tell his manager?

  • That the reports will need to be rerun to list the zero‐day vulnerability.
  • He needs to update the vulnerability scanner to detect the zero‐day vulnerability.
  • Zero‐day vulnerabilities won’t show in previously run vulnerability management reports.
  • That zero‐day vulnerabilities cannot be detected.
A

Zero‐day vulnerabilities won’t show in previously run vulnerability management reports.

Chris knows that a zero‐day vulnerability means that the scanner won’t have had a rule or detection profile for the vulnerability. That means that previously run reports and scans won’t show it. It’s possible that their vendor may release a detection profile or rule for the zero‐day, but with very little time from release to the request, that is unlikely to have occurred already. Rerunning reports won’t show unknown vulnerabilities, and zero‐day vulnerabilities can be detected if there’s a rule.

11
Q

20- Geeta’s organization operates a critical system provided by a vendor that specifies that the operating system cannot be patched. What type of solution should Geeta recommend when her vulnerability reporting shows the system is behind on patching and has critical vulnerabilities?

  • Mark the vulnerabilities as unable to be remediated and continue operations to ensure business continuity.
  • Shut off the system until a solution can be identified.
  • Install the operating system patch and test if it causes issues.
  • Identify and deploy a compensating control.
A

Identify and deploy a compensating control.

Geeta should identify a compensating control that will appropriately ensure the security of the system with minimal impact to its functionality. Examples might be placing a network firewall logically in front of the device, moving it to an isolated and secured network segment or VLAN, or otherwise adding protection. Marking the vulnerability as unable to be remediated does not protect the system or the company, shutting it off will impact the organization’s ability to function, and installing the patches may cause functional issues or prevent vendor support.
