Writing Assignment: Module 05

Question 1

What is the formal definition of a CSIRT?

Answer 1

The IR Reaction team, often called the Computer Security Incident Team (CSIRT), is responsible for responding to declared incidents. The CSIRT uses it policies, procedures, and training to regain control of the information assets at risk, determine what happened, and prevent repeat occurrences.

Question 2

What is the difference in roles between the CSIRT and the IRPT?

Answer 2

The IRPT is primarily responsible for developing and implementing the policy and plans associated with incident response, whereas the CSIRT is responsible for responding to a notice from some predeFned entity as to the possibility of an incident.

Question 3

What is the most essential reason to involve upper management in the formation of the CSIRT?

Answer 3

Without formal management support, no organization-wide effort can succeed, and management support must be constant and ongoing to ensure long-term success.

Question 4

Is management approval a simple, one-time action?

Answer 4

The management support must be constant and ongoing to ensure long-time success.

Question 5

Among the skills needed by the CSIRT staff, what is required beyond technical skill?

Answer 5

In addition to these technical skills, managerial experience at creating and following policy and plans is also highly desirable.

Question 6

What structures are most often used to develop CSIRTs?

Answer 6

Models of IR teams fall into one of three structural categories: the central IR team (single CSIRT handles incidents), distributed IR teams(multiple CSIRTs handle incidents for a particular logical or physical segment
), and coordinating teams(CSIRT provides guidance and advice to other teams with no authority).

Question 7

What are the most likely staffing models for CSIRTs?

Answer 7

The three staffing models for the CSIRT are: employees, partially outsourced, or fully outsourced.

-Employees: organization performs all IR work
Limited contractor technical and administrative support
-Partially outsourced: portions of IR work outsourced
24-hour-a-day; 7-day-a-week (24/7) monitoring
Basic IR work performed in-house; contractors assist
-Fully outsourced: all IR work outsourced to on-site contractor
Used when organization lacks available, qualified employees

Question 8

How does the need for 24/7 operations affect staffing decisions?

Answer 8

Team model selection factors to consider
Need for 24/7 availability
Full-time versus part-time team members
Employee morale
Cost
Staff expertise
Organizational structures

Question 9

How does the need to manage employee morale affect staffing decisions for CSIRTs?

Answer 9

Incident response work is very stressful, as are the on-call responsibilities of most team members. This combination make it easy for CSIRT members to become overly stressed. Many organizations struggle to find willing available, experienced, and properly skilled people to participate, particularly in 24-hour support.

Question 10

How does the organizational structure impact staffing design for CSIRTs?

Answer 10

If an organization has independent departments, IR may be more effective if each department has it own CSIRT. The main organization can host a centralized IR entity that facilitates standard practices and communications among the teams.

Question 11

Once created, must a plan be maintained? How often should it be revisited?

Answer 11

At a minimum, the CSIRT development plan should be reviewed annually.

Question 12

What are the guiding documents for CSIRT creation or maintenance?

Answer 12

Formal Incident Response Policy and CSIRT plans
Provide response team preparation and training
May combine CSIRT strategic plan with an IR plan

Question 13

What should be one of the first tasks performed by an IR planning committee when forming a CSIRT?

Answer 13

Establishes CSIRT scope and responsibilities
Determines team constituency and abilities

Question 14

What is meant by the “scope of operations” for a CSIRT?

Answer 14

-Determining systems falling under CSIRT’s responsibility
-Be aware of its existence
Know who to serve

Question 15

What purpose does the CSIRT mission statement provide?

Answer 15

-States purpose clearly and succinctly
-Establishes team tone
-Provides path to obtainment of goals and objectives
-Common failing among multiple CSIRTs
Lack of precision in defining mission
Failure to communicate mission so CSIRT tries to validate priorities: leads to revisions on the fly
-Clear and concise mission statement
Allows for established service list, service levels, and quality framework
-Purpose statement supplements mission statement
-Approaches to incident response (philosophy)
Protect and forget, or apprehend and prosecute

Question 16

What are the two approaches that define a CSIRT’s philosophy for incident response?

Answer 16

a.The “protect and forget” approach, in which the focus is on the defense of the data and the systems that house, use, and transmit it.
b. The “apprehend and prosecute” approach, focuses on the identiFcation and apprehension of the intruder, with additional attention given to the collection and preservation of evidentiary

Question 17

The services of a CSIRT can be grouped into which three categories?

Answer 17

Reactive services
Proactive services
Security quality management services

Question 18

What is an after-action review (AAR), and why is it valuable to organizations?

Answer 18

Advantage: Individuals follow each and every procedure, including the interruption of service, restoration of data from backups, and notification of appropriate individuals.
Disadvantage: It is often too risky for most business that cannot afford to disrupt or simulate the disruption of business.

Question 19

What are the key benefits of the AAR?

Answer 19

Detailed event examination: detection to recovery
Key players review notes, members review actions
Update plan
Serves as training case for future staff