Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CSX-F - Cyber Security Fundamentals > Section 5: Incident Response > Flashcards

Section 5: Incident Response Flashcards

1
Q

Cat 4 incident

A

Improper Usage

Authenticates identity of sender and receiver to ensure privacy of message contents (including attachments)

Reporting time frame:
Weekly

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Disaster recovery plan (DRP)

A

A set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Examples of an incident

A
  • Multiple failed login attempts from an unfamiliar system
  • Denial of service
  • Changes to hardware or software without owner’s consent
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Investigation

A

Capability if identifying an adversary is required

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Mitigation & Recovery

A

Procedures to contain the incident, reduce losses and return operations to normal

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Incident Recovery

A

This phase ensures that affected systems or services are restored to a condition specified in the service delivery objectives (SDO) or business continuity plan (BCP). The time constraint up to this phase is documented in the recovery time objectives (RTO).

Activities in this phase include:
• Restore operations to normal
• Verify that actions taken on restored systems were successful
• Get system owners to test the system
• Help system owners declare normal operation

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

SEM

A

Automatically aggregate and correlate security event log data across multiple security devices. This allows security analysts to focus on a manageable list of critical events.

Security incidents are often made up of a series of events that occur throughout a network. By correlating data, the SEM can take many isolated events and combine them to create one single relevant security incident. These systems use either rule-based or statistical correlation. Rule-based correlations create situation-specific rules that establish a pattern of events. Statistical correlation uses algorithms to calculate threat levels incurred by relevant events on various IT assets

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Computer emergency response team (CERT)

A

A group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency. This group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Computer security incident response team (CSIRT)

A

A team established within an enterprise to respond to computer security incidents.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Cybersecurity disaster

A

A cybersecurity-related disaster may occur when a disruption in service is caused by system malfunctions, accidental file deletions, untested application releases, loss of backup, network DoS attacks, intrusions or viruses. These events may require action to recover operational status in order to resume service. Such actions may necessitate restoration of hardware, software or data files.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Business Continuity Plan Phases

A
  1. Prepare Business Impact Analysis (BIA)
  2. Identify and prioritize required resources
  3. Chose strategy to recover critical IS facilities
  4. Develop Disaster Recovery Plan
  5. Develop Business Continuity Plan
  6. Train staff and test plans
  7. Maintain plans
  8. Store plans for ease of access despite network failure
  9. Audit the plans
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Full backups

A

Provide a complete copy of every selected file on the system, regardless of whether it was backed up recently. This is the slowest backup method but the fastest method for restoring data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Incremental backups

A

Copy all files that have changed since the last backup was made, regardless of whether the last backup was a full or incremental backup. This is the fastest backup method but the slowest method for restoring data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Differential backups

A

Copy only the files that have changed since the last full backup. The file grows until the next full backup is performed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Emergency

A

Generally suggests a serious local incident, requiring management attention.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Disaster

A

Suggests a much larger level of impact or damage. Declaring a disaster often invokes fallback plans.

17
Q

Crisis

A

More serious and implies that a major incident is spiraling out of control and growing in severity. If a company crisis team decides to meet, it is a very serious situation.

18
Q

Incident

A

A violation or imminent threat to computer security policies, acceptable use policies, or standard security practices. (NIST definition).

  • Attempted or successful unauthorized access, use, disclosure, modification or loss of information or interference with system or network operations
  • The activity of a human threat agent
  • Anything disruptive, including a court order for discovery of electronic information or disruption from a natural disaster
19
Q

Cat 1 incident

A

Unauthorized access

Individual gains logical or physical access without permission to a network, system, application, data or other resource

Reporting time frame:
Within 1 hour of discovery / detection

20
Q

Cat 2 incident

A

Denial of service (DoS)

An attack that successfully prevents or impairs normal authorized functionality of networks, systems or applications by exhausting resources

Reporting time frame:
Within 2 hours of discovery / detection (if the successful attack is still ongoing)

21
Q

Cat 3 incident

A

Malicious code

Successful installation of malicious software (e.g., virus, worm, Trojan horse or other code-based malicious entity) that infects an operating system or application

Reporting time frame:
Daily; Within 1 hour of discovery / detection if widespread

22
Q

Cat 5 incident

A

Scans/probes/ attempted access

Any activity that seeks to access or identify a computer, open ports, protocols, service or any combination of the above

Reporting time frame:
Monthly

23
Q

Cat 6 incident

A

Investigation

Unconfirmed incidents that are potentially malicious or anomalous activity

Reporting time frame:
n/a

24
Q

Incident Response

A

A formal program that prepares an entity for an incident. The response of an enterprise to a disaster or other significant event that may significantly affect the enterprise, its people, or its ability to function productively.
An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.

25
Q

Phases of Incident Response

A
  1. Preparation
  2. Detection & Analysis
  3. Investigation
  4. Mitigation & Recovery
  5. Post Incident Analysis
26
Q

Preparation

A

To establish roles, responsibilities and plans for how an incident will be handled

  • Establish approach to handling incidents
  • Establish policy and warning banners to deter intruders and allow information collection
  • Establish communication plan with stakeholders
  • Develop incident reporting criteria
  • Develop process to activate the incident management team
  • Establish secure location to execute the incident response plan
  • Ensure equipment needed is available
27
Q

Detection & Analysis

A

Capabilities to identify incidents as early as possible and effectively assess the nature of the incident

Identification
• Assign ownership to an incident handler
• Verify reports or events qualifying as incidents
• Establish chain of custody
• Determine incident severity and escalate as necessary

28
Q

Post Incident Analysis

A

To determine corrective actions to prevent similar incidents in the future

29
Q

Containment

A

After an incident has been identified and confirmed, the IMT is activated and information from the incident handler is shared. The team will conduct a detailed assessment and contact the system owner or business manager of the affected information systems/assets to coordinate further action. The action taken in this phase is to limit the exposure.

Activities in this phase include:
• Activate incident management/response team and notify appropriate stakeholders
• Obtain agreement on actions taken that may affect availability
• Get IT representative and relevant virtual team members to implement containment procedures
• Obtain and preserve evidence
• Document actions
• Control and manage communication to the public

30
Q

Eradication

A

When containment measures have been deployed, it is time to determine the root cause of the incident and eradicate it. Eradication can be done in a number of ways: restoring backups to achieve a clean state of the system, removing the root cause, improving defenses and performing vulnerability analysis to find further potential damage from the same root cause.

Activities in this phase include:
• Determine signs and cause of incidents
• Locate most recent version of backups or alternative solutions
• Remove root cause
• Improve defenses by implementing protection techniques
• Perform vulnerability analysis

31
Q

Lessons Learned

A

At the end of the incident response process, a report should always be developed to share what occurred, what measures were taken and the results after the plan was executed. Part of the report should contain lessons learned that provide the incident management team (IMT) and other stakeholders valuable learning points of what could have been done better. These lessons should be developed into a plan to enhance the incident management capability and the documentation of the incident response plan.

Activities in this phase include:
• Write incident report
• Analyze issues encountered during incident response efforts
• Propose improvements
• Present report to relevant stakeholders

32
Q

SIEM

A

In addition, security incident and event management (SIEM) systems take the SEM capabilities and combine them with the historical analysis and reporting features of security information management (SIM) systems.

33
Q

Service delivery objective (SDO)

A

Directly related to the business needs, it’s the level of services to be reached during the alternate process mode until the normal situation is restored.

34
Q

Business Continuity and Disaster Recovery

A

When it comes to disaster recovery, the number one priority is ensuring the safety and security of human life. This might include plans for drills, evacuation plans and on-site shelters. Once human safety plans are in place, the additional purpose of business continuity planning (BCP)/disaster recovery planning (DRP) is to enable a business to continue offering critical services in the event of a disruption and to survive a disastrous interruption to activities. Rigorous planning and commitment of resources are necessary to adequately plan for such an event.

35
Q

Business Impact Analysis (BIA)

A

Based on the key processes, process should begin to determine time frames, priorities, resources and interdependencies that support the key processes. Business risk is directly proportional to the impact on the organization and the probability of occurrence of the perceived threat.

Thus, the result of the BIA should be the identification of the following:
• The human resources, data, infrastructure elements and other resources (including those provided by third parties) that support the key processes
• A list of potential vulnerabilities—the dangers or threats to the organization
• The estimated probability of the occurrence of these threats
• The efficiency and effectiveness of existing risk mitigation controls (risk countermeasures)

36
Q

Critical Recovery Time Period

A

To evaluate the impact of downtime for a particular process/application, the impact bands are developed (i.e., high, medium, low) and, for each process, the impact is estimated in time (hours, days, weeks). The same approach is used when estimating the impact of data loss.

37
Q

Recovery point objectives (RPO)

A

Acceptable data loss in case of a disruption of operations. Indicates the earliest point in time to which it is acceptable to recover data. In other words, it is the last known point of good data. To ensure an effective incident management plan or disaster recovery plan, the RTO and RPO must be closely linked.

38
Q

Recovery time objectives (RTO)

A

Amount of time allowed for the recovery of a business function or resource after a disaster occurs. It’s is usually determined based on the point where the ongoing cost of the loss is equal to the cost of recovery.

39
Q

Types of Cybersecurity Incidents

A 
Cat 1: Unauthorized access
Cat 2: Denial of service (DoS)
Cat 3: Malicious code
Cat 4: Improper Usage
Cat 5: Scans/probes/ attempted access
Cat 6: Investigation

CSX-F - Cyber Security Fundamentals (6 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions