Flashcards in Chapter 14: Incident Management Deck (43)
What is an incident?
Any event that has a negative effoct on the confidentiality, availability, or integrity or an organization's assets.
What is a computer security incident?
An incident that is the result of an attack or the malicous or intentional actions of users.
How does NIST SP 800-61 define a computer security incident?
A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
What are the steps of incident response?
Remediation and Review
List the ways in which an incident might be detected.
IDS/IPS systems send an alert
AV software displays a popup window
Automated tools scanning audit logs to send an alert when an event occurs
End users report problems such as inability to access a network resource.
What should the first step after indicent detection be?
Contain the incident, for example, unplug the NIC but don't turn the system off.
What is a CIRT or CSIRT?
A designated incident reponse team. Computer Incident Response Team. S == Security.
What improves your chances of limiting incident damage?
Faster response time.
What should you do after containing a security incident?
What are requirements for incident reporting?
There can be many. Many jurisdictions have reporting requirements if PII is compromised.
Why are many incidents not properly reported?
Training. People aren't trained properly to recognize them as incidents.
Why is finger pointing bad?
It takes focus away from fixing the problem.
What should the end result of remediation and review?
Often, a report by the C(S)IRT that may recommend changing procedures, adding security controls, or changing policies.
List the basic preventative measures to prevent attacks.
Keep systems and applications up to date
Remove or disable unneeded services and protocols
Use up-to-date antivirus software
USe intrusion detection and prention systems.
What is malicous code?
Any script or program that performs an unwanted, unauthorized, or unknown activity on a computer system.
What is a drive-by-download?
Code downloaded and installed on a user's sytem without the user's knowledge. Occurs when the user visits an intended web page.
What is a zero-day exploit?
An atatck on a system exploiting a vulnerability that is unknown to others.
What is a denial of service attack?
Atacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects.
What is a SYN flood attack?
A common DoS attack that abuses the three way TCP handshake. Multiple SYNs are sent, but never acknowledged leaving half-open connections.
List tools that can perform a SYN flood
Trinoo, TFN, LOIC
What is a smurf attack?
A flood attack that floods the victim w2ith ICMP echo packets. It's a spoofed broadcast ping that results in responses being sent to the target.
What is Ping of Death?
An oversized ping packet > 64 KB. Vulnerable systems crash when they receive the packet.
What is war dialing?
Using a modem to search for a system taht accepts inbound connection attempts.
What is an intrusion?
An attacker successfully bypassing or thwarting security mechanisms and gaining access to an orgamization's assets.
What is intrusion detection?
A specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
What is an IDS?
An intrusion detection system. Automates log monitoring and real-time event monitoring.
What is knowledge based detection?
Signature or patten matching detection. Most common method
What is behavior based detection?
Statistical or anomaly based detection. Creates a baseline of normal activities and watches for anomalies.
What is the primary drawback of behavior based IDS?
Often raises a high number of false positives.