1
Q
is an unexpected event occurring when an attack, whether natural or human-made, affects information resources and/or assets, causing actual damage or disruption to a business’s assets.
A
incident
2
Q
is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
A
incident response plan (IRP)
3
Q
the set of procedures, policies, and guidelines that commence at the detection of an incident
A
incident response (IR).
4
Q
- It is important to point out that an IRP is one of three major components of ____.
A
contingency plan (CP)
5
Q
three major components of contingency plan (CP).
A
Incident Response
Disaster Recovery
Business Continuity
6
Q
Personnel and Plan Preparation
- In a large business or organization the delegation of tasks is essential to maintaining effective operations. When looking at the makeup of an IRP, a __ assumes responsibility for the creation of it.
A
company’s CISO
7
Q
With the aid of other managers and systems administrators on the contingency planning (CP) team, the __ should select members from each community of interest to form an independent IR team, which executes the IRP.
A
CISO
8
Q
- __ should follow this six-step process when creating each of the three CP components [_, _, and _]:
A
Contingency planners
IRP, DRP, and BCP
9
Q
six-step process when creating each of the three CP components [IRP, DRP, and BCP]:
A
- Identify the mission-or business-critical functions
- Identify the resources that support the critical functions
- Anticipate potential contingencies or disasters
- Select contingency planning strategies
- Implement the selected strategy
- Test and revise contingency plans
10
Q
- Select contingency planning strategies
In regards to step four, for every incident, the CP team creates three sets of incident-handling procedures:
A
- During the incident
- After the incident
- Before the incident
11
Q
- __: The planners develop and document the procedures that must be performed ____.
A
During the incident
_ during the incident
12
Q
- _: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.
A
After the incident
13
Q
- _, _, or _, or s may be hard to distinguish from an actual incident.
A
Incident Detection
Overloaded networks, computers, or servers, misbehaving computers systems or software packages
14
Q
- _: The planners draft a third set of procedures which are tasks that must be performed to prepare for the incident.
A
Before the incident
15
Q
- It is the responsibility of the __ to determine if an incident is a valid incident or is just the product of “normal” system use.
A
Incident Detection
_ IR team
16
Q
- Incident candidates can be detected and tracked by end-users through several means; _
A
Incident Detection
; intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators.
17
Q
- Therefore, managers must ensure IT professionals receive training to detect __
A
Incident Detection
possible, probable, and definite indicators.
18
Q
- Possible Indicators:
A
- Presence of unfamiliar files
- Presence or execution of unknown programs or processes
- Unusual consumption of computing resources
- Unusual system crashes
19
Q
- Probable Indicators:
A
- Activities at unexpected times
- Presence of new accounts
- Reported attacks
- Notification from a host- or network-based
intrusion detection system (IDS)
20
Q
- Definite Indicators:
A
- Use of dormant accounts
- Changes to logs
- Presence of hacker tools
- Notifications by business partner
- Notification by hacker
21
Q
- Once an actual incident has been confirmed and properly classified, the __ needs to be directed to move from the detection phase to the reaction phase.
A
Incident Response
_IR team
22
Q
is designed to first stop the incident (if still continuing), mitigate its effects, and provide information for the recovery from the incident.
A
Incident Response
_IR
23
Q
Incident Response
- Three key steps include:
A
❑ Notification of Key personnel
❑ Documentation of an Incident
❑ Incident Containment strategies
24
Q
Notification of key Personnel.
A
Incident Response
25
document of contact information
- sequential or hierarchical roster
Alert Roster
26
scripted description of incident and what components of IRP to implement
Alert message
27
- Who, What, When, Where, Why, and How
Documenting an Incident
28
- Serves as a case study
- improvements in IR and IRP
- provide legal protection
- future training simulations
Documenting an Incident
29
❑Incident Containment Strategies
- Disabling compromised user accounts
- Reconfiguring a firewall to block the problem traffic
- Temporarily disabling the compromised process or service
- Taking down the conduit application or server—for example, the e-mail server
- Stopping all computers and network devices
30
The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets
Incident Recovery
* Incident damage assessment
31
Incident damage assessment
- System logs
- Intrusion detection logs
- Configuration logs
- Documentation from the actual incident
32
* The recovery process includes the following steps:
Identify and resolve vulnerabilities that allowed the incident to occur and spread.
Address the safeguards that failed to stop or limit the incident – install, replace, or upgrade them.
Evaluate monitoring capabilities – improve detection and reporting methods, or install new monitoring capabilities
Restore systems backups
Restore the services and processes in use – compromised services and processes must be examined, cleaned, then restored.
Continuously monitor the system to prevent incident from happening again. -Don’t allow your system to become the hackers playground.
Restore confidence in member’s of the organization by ensuring them appropriate measures have been taken to resolve the matter.
33
* Finally, before an organization can return to routine duties it is management’s responsibility to see that an __ is conducted.
- Detailed examination of events from detection to final recovery.
- All parties involved give input on positives and negatives of the entire IR process.
- Management should give a summary to bring the IR team’s actions to a close.
after-action review (AAR)
34
Threat Statistics
*47% of browser attacks – Microsoft, Google
*Average 6110 DoS attacks per day
*28 days average vulnerability exposure
*86% of all attacks are against home user
*54% of DoS attacks world-wide against US
*69% of vulnerabilities against Web
applications
35
*__ attacks – Microsoft, Google
47% of browser
36
*__ attacks per day
Average 6110 DoS
37
*__ average vulnerability exposure
*28 days
38
*__ of all attacks are against home user
86%
39
*___ world-wide against US
54% of DoS attacks
40
*__ against Web
applications
69% of vulnerabilities
41
Threats to the Enterprise
* Virus, worms, Trojan horses
* Web site hacking
* Hackers and crackers
* Terrorist attacks
* Cyber crime and information warfare
* Effects of emerging standards and technologies
42
* Virus, worms, Trojan horses
Threats to the Enterprise
43
* Web site hacking
Threats to the Enterprise
44
* Hackers and crackers
Threats to the Enterprise
45
* Cyber crime and information warfare
Threats to the Enterprise
46
* Terrorist attacks
Threats to the Enterprise
47
Security Challenges
*ID and prioritize opportunities to improve security effectiveness and efficiency
*Manage security in dynamic threat
environment with limited budget
*Courts and government policy expectations
*Securing Web services
*Managing identity and access privileges
48
* Effects of emerging standards and technologies
Threats to the Enterprise
49
*ID and prioritize opportunities to improve security effectiveness and efficiency
Security Challenges
50
*Manage security in dynamic threat
environment with limited budget
Security Challenges
51
*Courts and government policy expectations
Security Challenges
52
*Securing Web services
Security Challenges
53
*Managing identity and access privileges
Security Challenges
54
Six Step Process
1. Inventory
2. Risk Assessment
3. ID Needs
4. Support
5. Execute
6. Review
55
___
“The first thing we need to do is to actually__ on our computing system and understand what the relationship of each asset is to our business process”
*
*
*
Inventory Environment
_ draft out all of the assets that run
* Prioritize assets
* Ensure critical systems are protected
* Use Enterprise Architecture
56
Inventory Environment
* Prioritize assets
* Ensure critical systems are protected
* Use Enterprise Architecture
57
Risk Assessment - Portfolio
* Look at all assets
* Best Practices
* Service Levels
Risks and Costs
58
Risks
* Threats
* Loss of Data
59
Costs
* Prevention
* Data Recovery
60
ID Needs and Write Plan
* Define, align, and prioritize opportunities
*Vulnerability vs largest risks
*ID and define security goals
* Determine costs and ROI –
Key is Impact!
61
ID/Define Organizational Goals
*Protect sensitive and critical information
*Prevent unauthorized access to the
network
*Avoid embarrassing publicity
*Maintain uninterrupted operations
*Protect privacy
*Set a “zero-incident” culture
*Comply with federal and state regulations
62
Obtain Support and Approval
1. Need executive champion
– CIO
2. Know top management priorities
3. Know what the competition is doing
4. Projects in line with market’s thinking
5. Use federal mandates and audit findings
63
• Use annual tactical plans
— Execute strategic plan in
small steps
— Used to define and execute budget
• Manage using cost planning and portfolio
management
• Report progress using balanced scorecard
Execute Plan
64
Cost Planning and Portfolio Management
Zero-based Budget
Management Review
ID Problems Early
Track Initiatives
65
Answers ...
* How am I doing?
* Am I on time?
* Within budget?
* Are there any problems or issues
Balance Scorecard
66
Plan Maintenance
* Review annually
* Compare against best practices
* Adjust as necessary
Review
67
*An __ will
provide….
• Better use of limited resources
• Phased deployment and enhancements
• Improved justification of security projects
• Direct tie to university IT strategic plan
• Better planning & execution of security
spending
•Implement best security practices and strategies to create an enterprise that is
well managed and secure
IT Security Strategic Plan
68
* Phased deployment and enhancements
IT Security Strategic Plan
69
* Improved justification of security projects
IT Security Strategic Plan
70
* Direct tie to university IT strategic plan
IT Security Strategic Plan
71
* Better planning & execution of security
spending
IT Security Strategic Plan
72
*Implement best security practices and
strategies to create an enterprise that is
well managed and secure
IT Security Strategic Plan
73
Your organization experiences a sudden system crash. What should the IR team do first?
a. Restart the system immediately
b. Check for possible incident indicators
c. Ignore the crash
d. Call the software vendor
b. Check for possible incident indicators
74
An employee reports an unfamiliar file appearing on their desktop. What is the best response?
a. Delete the File '
b. Report to the IT security team for investigation
c. Open the file to check its contents
d. ignore it
b. Report to the IT security team for investigation
75
Your IDS detects unusual activity at midnight. What should you do?
a. Assume its a false alarm
b. Notify the IR team immediately
c. Restart the system
d. ignore it
b. Notify the IR team immediately
76
A hacker claims to have access to your company's database. What is the first step?
a. Verify the claim and check system logs
b. Pay the ransom
c. Announce the breach publicly
d. Shut down all systems permanently
a. Verify the claim and check system logs
77
Your company experiences a ransomware attack that encrypts critical files. What should you do first?
a. Pay the ransom to recover das
b. Disconnect affected systems from the network
c. Notify all employees to stop working
d. Restore from backups immediately
b. Disconnect affected systems from the network
78
A server handling financial transactions is running unusually slow. What is the best action?
a. Restart the server
b. Check for potential security breaches
c. Upgrade the hardware
d. Ignore the issue if transactions still process
b. Check for potential security breaches
79
A phishing email is reported by on employee. What is the best response?
a. Instruct all employees to delete similar emalis
b. Report the email to the security team for analysis
c. Click the link to check if it's harmful
d. Do nothing unless someone gets affected
b. Report the email to the security team for analysis
80
8. An employee leaves their workstation unlocked, and someone Installs unauthorized
software, What should the IR team do?
a. Remove the software and warn the employee
b. Format the workstation immediately
c. Suspend the employee
d. Ignore it unless data is stolen
a. Remove the software and warn the employee
81
9.
82
10. A company detects malware spreading across multiple devices. What is the best course of action?
a. Isolate Infected devices and analyze the malware
b. Reboot all machines to stop the malware
c. Continue normal operations until it affects critical data
d. Shut down the internet connection permanently
a. Isolate Infected devices and analyze the malware
83
A network administrator discovers unauthorized access from a foreign IP address. What should they do?
a. Block the IP and check logs for further signs of compromise
b. Wait to see if further attacks happen
c. Notify employees to change their passwords immediately
d. Announce the breach on social media
a. Block the IP and check logs for further signs of compromise
84
After a security breach, employees are concerned about their personal data. What should management do?
a. Be transparent and provide guidance on protective measures
b. Deny any data breach happened
c. Offer compensation immediately
d. Ignore employee concerns
a. Be transparent and provide guidance on protective measures
85
13. What is the purpose of incident containment strategies?
a. To completely eliminate all cyber threats
b. To prevent the incident from spreading
c. To notify law enforcement
d. To test new security software
b. To prevent the incident from spreading
86
14. What is the first step in the recovery process?
a. Restore system backups
b. Identify vulnerabilities
c. Evaluate monitoring capabilities
d. Restore services
b. Identify vulnerabilities
87
15. What does an After-Action Review (AAR) include?
a. Examination of events
b. Evaluation of IR process
c. Summary report
d. All of the above
d. All of the above
88
16. What should be done after restoring services post-incident?
a. Remove all system logs
b. Conduct system monitoring
c. Disable all security measures
d. Ignore user feedback
b. Conduct system monitoring
89
19. What does incident damage assessment evaluate?
a. Financial impact only
b. Scope of confidentiality, integrity, and availability breach
c. Legal consequences only
d. Only hardware damage
b. Scope of confidentiality, integrity, and availability breach
90
17. What is the potential method for incident containment?
a. Allowing unauthorized access
b. Disabling compromised accounts
c. Ignoring minor threats
d. Removing firewall restrictions
b. Disabling compromised accounts
91
20. What should be the final step after handling an incident?
a. Conducting an After-Action Review
b. Ignoring the past incident
c. Shutting down the affected systems permanently
d. Upgrading all company software immediately
92
18. Which of the following is an example of incident recovery?
a. Installing new monitoring tools
b. Disabling user accounts
c. Blocking network access
d. Deleting backup files
a. Installing new monitoring tools
Test Reviewer
flashcards
Decks in class (40)
# Cards
-
Drafting Midterm58
-
Ethics Midterm121
-
OS Midterm23
-
Data Midterm27
-
Elective 1: Midterm104
-
Fundamentals Midterm26
-
Elective 1: Prelim127
-
Feedback84
-
Data94
-
Fil 2: PreFinal43
-
Fil 2: Midterm29
-
Rizal Midterm77
-
PE MIDTERM30
-
LWRPrelim Reviewer134
-
Fil 252
-
Purposive Communication47
-
Fil 2: Finals59
-
SD Prelim38
-
Fundamentals Prelim155
-
Fundamentals Prefi29
-
Data Prefi30
-
Ethics PreFi83
-
Elective 1: PreFi51
-
EDA149
-
Elective 2: Prelim237
-
CNS Reviewer333
-
Embedded: Prelim26
-
Microprocessors: Prelim27
-
CNS PreFinals92
-
CpE Law PreFi46
-
Embedded: PreFi43
-
Microprocessors: PreFi50
-
BOHS: PreFi44
-
Elective 2: PreFi24
-
ETC Prelim205
-
Continuation Elective Prelim 318
-
Digital signal processing36
-
Elective 3: Midterm30
-
Techno106
-
Techno: Midterm103
