Troubleshooting & Managing Security Incidents 9 Flashcards

0
Q

What is a computer crime?

A

A criminal act that involves using a computer as a source or target.
Can involve stealing restricted information by hacking into a system, compromising national security, perpetrating fraud, conducting illegal activity, or spreading malicious code.

1
Q

Describe security incident management

A

The set of practices and procedures that govern how an organization will respond to an incident in progress.
The goals are to contain the incident appropriately and to minimize any damage that may occur as a result of the incident.

2
Q

What is an IRP (Incident Response Policy)?

A

The security policy that determines the actions that an organization will take following a confirmed or potential security breach.

3
Q

What are first responders?

A

The first experienced person or team of trained professionals to arrive at an incident scene. Can include security professionals, human resources personnel, or IT support professionals.

4
Q

What is the chain of custody?

A

The record of evidence handling from collection through presentation in court. The evidence can be hardware components, electronic data, or telephone systems.

5
Q

Describe incident isolation

A

When a computer crime is reported, the first thing to do is quarantine the affected devices. Then tag them with a chain of custody record to secure the evidence for future presentation in court.

6
Q

What is computer forensics?

A

Deals with collecting and analyzing data from storage devices, computer systems, networks, and wireless communications, and presenting the information as evidence in a court of law.

7
Q

What is order of volatility?

A

The order in which data needs to be recovered after an incident, before the data is erased or overwritten.
The ability to retrieve or validate data after a security incident depends on where it is stored, whether in a location within the computer or on an external device.

8
Q

Describe the general order of volatility for storage devices

A

Registers, cache, RAM
Network caches and virtual memory
Hard drives and flash drives
CD-ROMs, DVD-ROMs, and printouts

9
Q

Describe the four basic phases in a forensics process

A

Collection phase: identify the attacked system and label it. Record details from those who have access to the system.

Examination phase: forensically process collected data. Assess and extract the evidence.

Analysis phase: analyze the results. Justify the reason for collecting and examining the data.

Reporting phase: report the results. Include the tools and methods used and why things were done a certain way. Provide recommendations for better policies, tools, procedures, and other methods in a forensic process.

10
Q

Describe the basic forensic response procedures of IT

A

Capture system image. Make a bit-for-bit copy of a piece of media as an image file with high accuracy: a forensic image.

Examine network traffic and logs. Logs record everything that happens in an IPS or IDS and provide the evidence needed.

Capture video. Video forensics scrutinizes video for clues.

Record time offset. The format in which time is recorded against file activity, i.e. the local time offset against GMT.

Take hashes. Hash codes generated from a file or software can be compared to a list of known file hashes.

Take screenshots. Capture a screenshot of each step of a forensic procedure.

Identify witnesses. A computer forensics expert witness is someone who has experience in handling computer forensics tools and can establish the validity of evidence.

Track man hours. It takes less than 40 man hours to complete a forensic investigation of a single computer. The increase in storage device capacities and the use of encryption affect the number of man hours it can take to assess any damage.
Capturing this expense is part of the overall damage assessment for the incident.

11
Q

What is big data analysis, and what general characteristics should you look for when responding to a data breach?

A

Difficult to forensically investigate.

Unformatted or incorrectly formatted data
Incomplete or missing data
Invalid data
Data that is out of range
Data that is duplicated.

12
Q

Describe the guidelines for responding to security incidents

A

If an IRP exists, follow the guidelines outlined to respond to the incident.
If an IRP does not exist, determine a primary investigator who will lead the team through the investigation process.
Determine if events actually occurred and to what extent a system or process was damaged.
Document the incident.
Assess the damage and determine the impact on affected systems.
Determine if outside expertise is needed.
Notify local law enforcement if needed.
Secure the scene so the hardware is contained.
Collect all the necessary evidence. Observe the order of volatility as you gather electronic data from various media.
Interview personnel to collect additional information pertaining to the crime.
Report the investigation findings to the required people.

13
Q

Describe the basic incident recovery process

A
  1. Assess the level of damage caused by the incident
  2. Recover from the incident
  3. Report the incident.

14
Q

What is damage assessment?

A

Done to determine the extent of damage, the origin or cause of the incident, and the amount of expected downtime. Can determine the appropriate strategy to employ as you move into the recovery phase.

15
Q

Describe what recovery methods are.

A

After assessing the damage, you will know the extent of recovery that needs to be done.
Can involve reformatting the system, applying software patches, reloading the system, restoring backups, or replacing hardware.

16
Q

What is an incident report?

A

A report that includes a description of the events that occurred during a security incident, with as much detail as possible. Should not be delayed because of problems with gathering information.

17
Q

Describe some steps to take while assessing the damage in a security incident.

A

Determine if the attack is over.
Assess the area of damage to determine the next course of action.
Determine the amount of damage to the facility, hardware, systems, and networks.
If suffering from digital damage, you may need to examine log files, identify compromised accounts, and identify modified files.
If suffering from physical damage, you may need to take inventory to determine which devices, and how many, have been stolen or damaged, and which areas intruders had access to.

18
Q

Describe the steps to take when recovering from a security incident.

A

Scan the networks and systems using an IDS to determine if the organization is still exposed.
Replace hardware and network cables if damaged or stolen.
Detect and delete malware and viruses from the affected systems and media.
Disconnect the intruded system from the servers and shut down the server to avoid further intrusions.
Disable access for user accounts that have affected the network and search for all backdoor software installed by the intruder.
Reconnect the servers to the network.
Restore the data and network systems from the most recent backup.
Replace compromised data and applications, or reformat the system and perform a fresh install of the OS.
Harden the networks and servers by changing passwords, installing patches, and reconfiguring firewalls and routers.
Inform officials, reprimand if insiders were involved, and possibly contact law enforcement.
Write a report describing the recovery process. Save it for future use.

19
Q

Describe the details to capture when reporting a security incident.

A

Name of the organization
Name and number of the person who discovered the incident
Name and number of the first responders
Type of event
Date and time of the event, with time zone
Source and destination systems and networks, including IP addresses
OS and antivirus software used, and their versions
Methods used to detect the incident
Business impact of the incident
Resolution steps taken