CCSP Domain 5: Incident Management

Question 1

What is a popular security incident management methodology?

Answer 1

NIST SP 800-61 rev2 Computer Security Incident Handling Guide

Question 2

Describe the Preparation phase of the NIST SP 800-61 rev2 incident response lifecycle

Answer 2

organization’s preparation necessary to ensure they can respond to a security incident, including tools, processes competencies and readiness; should be documented in a security incident response plan that is regularly reviewed and updated

Question 3

How many times should be the Preparation phase reviewed and how?

Answer 3

multiple times a year in a walkthrough (tabletop excersise)

Question 4

Describe the Detection and Analysis phase of the NIST SP 800-61 rev2 incident response lifecycle

Answer 4

activity to detect a security incident in a production environment and to analyze all events to confirm the authenticity of the security incident

Question 5

Describe the Containment, eradication, recovery phase of the NIST SP 800-61 rev2 incident response lifecycle

Answer 5

required and appropriate actions taken to contain the security incident based on the analysis done in the previous phase (Detection & Analysis); limits the scope of the incident

Question 6

When should we proceed to recovery in the NIST SP 800-61 rev2 incident response lifecycle?

Answer 6

after the adversary has been evicted from the environment and known vulnerabilities have been remidiated

Question 7

What happens after recovery in NIST SP 800-61 rev2 incident response lifecycle?

Answer 7

post-mortem analysis is performed; actions taken during the process are reviewed to determine if any changes are needed in hte preparation or detection and analysis phase

Question 8

What are are the phases in the NIST SP 800-61 rev2 incident response lifecycle?

Answer 8

Preparation > Detection and Analysis > Containment, Eradication and Recovery > Post-incident Activity