5A

Question 1

The incident response policy is designed for the ____ team that will be handling security incidents.

Answer 1

security

Question 2

The incident response policy specifies what each person on the incident response team is responsible for and how to handle…?

Answer 2

security incidents

Question 3

Reporting accurate incident information as close to ____ as possible is crucial to an effective response.

Answer 3

near-real-time

Question 4

The first thing to do to prepare for handling security incidents within your organization is to make sure that you have an incident response team in place also known as?

Answer 4

CIRT

Question 5

What does CIRT stand for?

Answer 5

Computer Incident Response Team

Question 6

An incident response team is responsible for knowing how to handle security incidents that occur within the organization, and for ___ and ____ the security issues in a timely manner.

Answer 6

correcting and documenting

Question 7

The first step in making an Incident Response Team is to create the ___. The team will be made up of different types of employees
within the organization with different skill sets.

Answer 7

team

Question 8

List members that will typically appear on a response team.

Answer 8

1. Team Leader
2. Technical Specialist
3. Documentation Specialist
4. Legal Advisor

Question 9

The following describes which member of the incident response team?

The ___ ___ is responsible for ensuring that all team members know their role when a security incident occurs. The ___ ___ is also responsible for building relationships with outside resources that may be called upon in special circumstances.

Answer 9

Team Leader

Question 10

The following describes which member of the incident response team?

The ___ ___ has the technical expertise to assess the situation, identify the scale of the security incident, and the know-how to correct the situation. The CIRT may have several ___ ___ who specialize in different areas. For example, you may have a Windows Server specialist, a Linux specialist, and a Cisco specialist.

Answer 10

Technical Specialist

Question 11

The following describes which member of the incident response team?

The ___ ___ knows how to document the entire response process, and the specialist is the person responsible for logging each incident in a documentation database, including the cause of the problem, and what the solution is.

Answer 11

Documentation Specialist

Question 12

The following describes which member of the incident response team?

The ___ ___ knows the laws and regulations that your organization must follow when it comes to computer forensics and incident response. The legal advisor is someone the rest of the team can turn to if they have questions about legal issues.

Answer 12

Legal Advisor

Question 13

The following are common elements to include in the incident response plan:

Answer 13

1. Incident Categories
2. Roles and Categories
3. Reporting Requirements/Escalation
4. Exercise Planning
5. User Roles

Question 14

The following describes which general incident response plan?

The plan should define the different types of security incidents that can occur within your organization. For example, you may have an incident type called, “social engineering attack,” and another one called, “denial of service attack.”

Answer 14

Incident Categories

Question 15

The following describes which general incident response plan?

The plan should define each team member’s roles and responsibilities. This includes each member’s job role before a security incident occurs, during, and after a security incident.

Answer 15

Roles and Categories

Question 16

The following describes which general incident response plan?

The plan should identify when and how users are supposed to report potential security incidents. The incident response plan should also identify who the first responder is to escalate the incident to. Finally, the plan should identify any reporting requirements for the security incident, and what elements should be contained in the report.

Answer 16

Reporting Requirements/Escalation

Question 17

The following describes which general incident response plan?

It is important to ensure that everyone is prepared for the day a security incident occurs, so be sure to plan exercises where you can practice the events that may occur during a security incident from
the identification phase through to the lesson learned.

Answer 17

Exercise Planning

Question 18

The following describes which general incident response plan?

The first responder is the first individual to be notified of the incident and takes charge of the incident. The first responder is a member of the incident response team

Answer 18

User roles

Question 19

Upon detection of a possible event by internal or external sources, the appropriate operations center (OC) and Air Force Cyberspace Defense (ACD) units will initiate notification procedures in accordance with _____, Chairman of the Joint Chiefs of Staff (CJCSM) 6510.01B and established SOPs of the affected units.

Answer 19

AFI 10-206

Question 20

In cases when the cause/intent of a possible event is not readily apparent, it’s necessary to initially categorize detected activity as a category (CAT) __ investigation.

Answer 20

category 8 - Investigating.

Question 21

Information typically requested during an investigation
includes…?

Answer 21

1.Data detailing the source of the incident
2. The systems affected by the activity
3. Anti-virus and system log data
4. IDS and IPS logs
5. initial forensics data obtained either remotely or locally by using appropriate forensics tools as directed.
6. The ACD unit may also request the victim’s hard drive for an in-depth forensic analysis.

Question 22

Next, it must be determined whether a detected event is a reportable ___ or ___.

Answer 22

event or incident

Question 23

An ____ is any observable occurrence in a system and/or network. ____ sometimes provide indication that an incident is occurring

Answer 23

event

Question 24

An ____ is an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores,
or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies

Answer 24

incident

Question 25

When investigating a possible event/incident, it will be given a ___ ___ identifying it for descriptive purposes and level of severity of potential impact to mission. Reaction to different categories will be different.

Answer 25

category number

Question 26

What is a category 0? (event)

Answer 26

Training and Exercises

Question 27

What is a category 1? (incident)

Answer 27

Root-Level Intrusion. Includes unauthorized access to information or account credentials that could be used to perform administrative functions. If the Information System (IS) is compromised with malicious code that provides remote interactive control, it will be reported in this CAT.

Question 28

What is a category 2? (incident)

Answer 28

User-Level Intrusion. Unauthorized non- privileged access to an IS. This includes unauthorized access to information or account credentials that could be used to perform user functions such as accessing Web applications, portals, or other similar information resources. If the IS is compromised with malicious code that provides remote interactive control, it will be reported in this CAT.

Question 29

What is a category 3? (event)

Answer 29

Unsuccessful Activity Attempt. Deliberate attempts to gain unauthorized access to an IS that are defeated by normal defensive mechanisms. Attacker fails to gain access to the IS (i.e., attacker attempts valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning.

Question 30

What is a category 4? (incident)

Answer 30

Denial of Service. Activity that denies, degrades, or disrupts normal functionality of an IS or DoD information network.

Question 31

What is a category 5? (event)

Answer 31

Non-Compliance Activity. Activity that potentially exposes ISs or networks to increased risk because of the action or inaction of authorized users. This includes administrative and user actions such as failure to apply security patches, connections across security domains, installation of vulnerable applications, and other breaches of existing AF or DoD policy.

Question 32

What is a category 6? (event)

Answer 32

Reconnaissance. Activity that seeks to gather information used to characterize ISs, applications, DoD information networks, and users that may be useful in formulating an attack. This includes activity such as mapping DoD information networks, IS devices and applications, interconnectivity, and their users or reporting structure. This activity does not directly result in a compromise.

Question 33

What is a category 7? (incident)

Answer 33

Malicious Logic. Installation of software designed and/or deployed by adversaries with malicious intentions for the purpose of gaining access to resources or information without the consent or knowledge of the user. This only includes malicious code that does not provide remote interactive control of the compromised IS. Malicious code that has allowed interactive access should be categorized as CAT 1 or CAT 2 incidents, not CAT 7.

Question 34

What is a category 8? (event)

Answer 34

Investigating. Events that are potentially malicious or anomalous activity deemed suspicious and warrant, or are undergoing, further review. No event will be closed out as a CAT 8 but will be re-categorized prior to closure.

Question 35

What is a category 9? (event)

Answer 35

Explained Anomaly. Suspicious events that, after further investigation, are determined to be non-malicious activity and do not fit the criteria for any other categories. This includes events such as system malfunctions and false alarms. When reporting these events, clearly specify the reason for which it cannot be otherwise categorized.