Writing Assignment: Module 08 Flashcards
What is an IR reaction strategy?
Procedures for regaining control of systems and restoring operations to normalcy; these are the heart of the IR plan and the CSIRT's operations.
If an organization chooses the protect and forget approach instead of the apprehend and prosecute philosophy, what aspect of IR will be most affected?
The aspect of IR that will be most affected is the data collection tasks.
What is the first task the CSIRT leader will undertake on arrival?
Determine whether an incident occurred.
What is the second task the CSIRT leader will undertake?
Analyze precursors and indicators.
What is the best thing an organization can do to make its CSIRT most effective?
Be prepared by having a risk assessment and good security measures.
What is the first imperative of the CSIRT when there is a confirmed incident?
Incident Containment
Why might an organization forego trying to identify the attacking host during an incident response?
To prevent concurrent recurrence and protect assets.
What is the phase after containment during incident response?
Eradicate
What is a concurrent recurrence?
An incident happening while trying to solve another incident.
What is the phase after eradication during incident response?
Contain and Mitigate vulnerabilities
What is the primary determinant of which containment and eradication strategies are chosen for a specific incident?
● Type
● Method of incursion
● Current level of success
● Expected or projected level of success
● Current level of loss
● Expected or projected level of loss
● Target
● Target's level of classification and/or sensitivity
● Any legal or regulatory impacts mandating a specific response
What is watchful waiting and why might we use it?
A tactic that deliberately permits the attack to continue while the entire event is observed and additional evidence is collected. The use of this type of delayed containment may need to be previewed with legal counsel to see if it is feasible.
Why is delayed containment not recommended for most CSIRTs?
It may increase attack intensity.
What is a DoS attack and how does it differ from a DDoS attack?
The main difference between a DoS and a DDoS attack is the number of sources used to carry out the attack. A DoS attack typically comes from a single source, while a DDoS attack involves multiple sources.
What is the first and most important step in preparing for DoS and DDoS attack responses?
Coordinating with the ISP.
What is malware?
Software designed to damage, destroy, or deny service to target systems.
What is spam? Can it cause an incident?
Unwanted e-mail traffic; it is a common carrier of malware and a source of phishing attacks.
Spam can cause incidents: it poses security risks if employees accidentally click on malicious links or download infected attachments, and large volumes of spam can cause email servers to crash.
What is unauthorized access?
When an individual, an application, or another program, through access to the operating system's application programming interface (API), attempts to and/or gains access to an information asset without explicit permission or authorization to do so.
What is inappropriate use?
It is characterized as a violation of policies or an effort to abuse existing systems.
What is a hybrid incident?
An incident that begins as an IU incident, then may quickly change into a malware incident.