Study Guide - Chapter 9: Building an Incident Response Program Flashcards

1
Q

1- Which one of the following is an example of a computer security incident?

  • User accesses a secure file
  • Administrator changes a file’s permission settings
  • Intruder breaks into a building
  • Former employee crashes a server
A

Former employee crashes a server

A former employee crashing a server is an example of a computer security incident because it is an actual violation of the availability of that system. A user accessing a secure file and an administrator changing file permission settings are examples of security events but are not security incidents.

An intruder breaking into a building may be a security event, but it is not necessarily a computer security event unless they perform some action affecting a computer system.

2
Q

2- During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post‐incident activity
A

Preparation

Organizations should build solid, defense‐in‐depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve to reduce the likelihood and impact of future incidents.

3
Q

phases of the incident response process

A
  • Preparation: This phase involves establishing the necessary policies, procedures, and resources to effectively respond to incidents. It includes training, testing, and documenting procedures.
  • Detection and Analysis: This phase focuses on identifying and analyzing potential security incidents. It includes monitoring alerts, logs, publicly available information, and reports from internal and external staff about security anomalies. During the incident detection and analysis phase, the CSIRT engages in primarily passive activities designed to uncover and analyze information about the incident.
  • Containment, Eradication, and Recovery: This phase aims to limit the damage caused by the incident, eradicate the incident from the network, and restore normal operations. The containment, eradication, and recovery phase moves the organization from the primarily passive incident response activities that take place during the Detection and Analysis phase to more active undertakings.
  • Post-Incident Activity: This phase involves documenting the incident, conducting a lessons-learned review, and implementing improvements to prevent future incidents. It includes forensic procedures, performing a root cause analysis, and ensuring that internal and external evidence retention requirements are met.
4
Q

Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization’s staff. How should Ben classify the functional impact of this incident according to the NIST scale?

  • None
  • Low
  • Medium
  • High
A

Medium

The definition of a medium functional impact is that the organization has lost the ability to provide a critical service to a subset of system users. That accurately describes the situation that Ben finds himself in. Assigning a low functional impact is only done when the organization can provide all critical services to all users at diminished efficiency. Assigning a high functional impact is only done if a critical service is not available to all users.

5
Q

medium functional impact (NIST)

A
  • medium functional impact means that the organization has lost the ability to provide a critical service to a subset of system users
  • Economic Impact: more than $10,000 but less than $500,000
6
Q

low functional impact (NIST)

A
  • organization can still provide all critical services to all users but has lost efficiency
  • Economic Impact: $10,000 or less
7
Q

high functional impact (NIST)

A
  • organization is unable to provide a critical service to all users.
  • Economic Impact: $500,000 or more
8
Q

critical functional impact (NIST)

A
  • The organization is unable to provide a critical service to all users.
  • Economic Impact: significantly exceeding $500,000
9
Q

6- What common criticism is leveled at the Cyber Kill Chain?

  • Not all threats are aimed at a kill.
  • It is too detailed.
  • It includes actions outside the defended network.
  • It focuses too much on insider threats.
A

It includes actions outside the defended network.

The Kill Chain includes actions outside the defended network, which many defenders cannot act on; this is one of the common criticisms of the model. Other criticisms include its focus on a traditional perimeter and on antimalware‐based techniques, as well as its lack of focus on insider threats.

10
Q

7- Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss?

  • None
  • Privacy breach
  • Proprietary breach
  • Integrity loss
A

Proprietary breach

In a proprietary breach, unclassified proprietary information is accessed or exfiltrated. Protected critical infrastructure information (PCII) is an example of unclassified proprietary information.

11
Q

9- Which one of the following document types would outline the authority of a CSIRT responding to a security incident?

  • Policy
  • Procedure
  • Playbook
  • Baseline
A

Policy

An organization’s incident response policy should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.

12
Q

11- What phase of the Cyber Kill Chain includes creation of persistent backdoor access for attackers?

  • Delivery
  • Exploitation
  • Installation
  • C2
A

Installation

The installation phase of the Cyber Kill Chain focuses on providing persistent backdoor access for attackers. Delivery occurs when the tool is put into action either directly or indirectly, whereas exploitation occurs when a vulnerability is exploited. Command‐and‐control (C2) uses two‐way communications to provide continued remote control.

13
Q

Cyber Kill Chain steps

A
  • Reconnaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control (C2)
  • Actions on Objectives
14
Q

12- Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?

  • CEO
  • Director of security
  • CIO
  • CSIRT leader
A

CEO

The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.

15
Q

14- Renee is responding to a security incident that resulted in the unavailability of a website critical to her company’s operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort?

  • Regular
  • Supplemented
  • Extended
  • Not recoverable
A

Extended

Extended recoverability effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed.

16
Q

Recovery Effort Classification Levels

A
  • Regular: Time to recovery is predictable with existing resources.
  • Supplemented: Time to recovery is predictable with additional resources.
  • Extended: Time to recovery is unpredictable; additional resources and outside help are needed.
  • Not Recoverable: Recovery from the incident is not possible (e.g., sensitive data exfiltrated and posted publicly); launch investigation
17
Q

15- Which one of the following is an example of an attrition attack?

  • SQL injection
  • Theft of a laptop
  • User installs file sharing software
  • Brute‐force password attack
A

Brute‐force password attack

An attrition attack employs brute‐force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS attack intended to impair or deny access to a service or application or a brute‐force attack against an authentication mechanism.

18
Q

Attrition Attack

A

An attrition attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services.

Examples:
* A DDoS attack intended to impair or deny access to a service or application.
* A brute-force attack against an authentication mechanism.

19
Q

16- Who is the best facilitator for a post‐incident lessons learned session?

  • CEO
  • CSIRT leader
  • Independent facilitator
  • First responder
A

Independent facilitator

Lessons learned sessions are most effective when facilitated by an independent party who was not involved in the incident response effort.

20
Q

17- Which one of the following elements is not normally found in an incident response policy?

  • Performance measures for the CSIRT
  • Definition of cybersecurity incidents
  • Definition of roles, responsibilities, and levels of authority
  • Procedures for rebuilding systems
A

Procedures for rebuilding systems

Procedures for rebuilding systems are highly technical and would normally be included in a playbook or procedure document rather than an incident response policy.

21
Q

20- Hank is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company’s employees. How should Hank classify the information impact of this security event?

  • None
  • Privacy breach
  • Proprietary breach
  • Integrity loss
A

None

The event described in this scenario would not qualify as a security incident with measurable information impact. Although the laptop did contain information that might cause a privacy breach, that breach was avoided by the use of encryption to protect the contents of the laptop.