Domain 4: Incident Management Flashcards

Question

What happens during the Evidence Retention portion of the incident?

Answer 1

At the conclusion of an incident, the CSIRT has often gathered a large amount of evidence. The team leader should work with staff to identify both internal and external evidence retention requirements. If the incident may result in civil litigation or criminal prosecution, the team should consult attorneys prior to discarding any evidence. If there is no likelihood that the evidence will be used in court, the team should follow any retention policies that the organization has in place.

Answer 2

Every incident that activates the CSIRT should conclude with a formal written report that documents the incident for posterity. This serves several important purposes. First, it creates an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, it may serve as an important record of the incident if there is ever legal action that results from the incident. Finally, the act of creating the written report can help identify previously undetected deficiencies in the incident response process that may feed back through the lessons-learned process.

Answer 3

One of the major responsibilities that organizations have during the preparation phase of incident response is building a solid incident response plan that will guide the program. This creates the policies, procedures, and other documentation required to support the program's ongoing efforts and ensure that response efforts are effective and timely.

Answer 4

Policy The incident response policy serves as the cornerstone of an organization's incident response program. This policy should be written to guide efforts at a high level and provide the authority for incident response. The policy should be approved at the highest level possible within the organization, preferably by the chief executive officer. For this reason, policy authors should attempt to write the policy in a manner that makes it relatively timeless. This means that the policy should contain statements that provide authority for incident response, assign responsibility to the CSIRT, and describe the role of individual users and state organizational priorities. The policy is not the place to describe specific technologies, response procedures, or evidence-gathering techniques. Those details may change frequently and should be covered in more easily changeable procedure documents. NIST recommends that incident response policies contain these key elements: Statement of management commitment Purpose and objectives of the policy Scope of the policy (to whom it applies and under what circumstances) Definition of cybersecurity incidents and related terms Organizational structure and definition of roles, responsibilities, and level of authority Prioritization or severity rating scheme for incidents Performance measures for the CSIRT Reporting and contact forms

Answer 5

Procedures provide the detailed, tactical information that CSIRT members need when responding to an incident. They represent the collective wisdom of team members and subject matter experts collected during periods of calm and ready to be applied in the event of an actual incident. CSIRTs often develop playbooks that describe the specific procedures that they will follow in the event of a specific type of cybersecurity incident. For example, a financial institution CSIRT might develop playbooks that cover: Breach of personal financial information Web server defacement Phishing attack targeted at customers Loss of a laptop General security incident not covered by another playbook This is clearly not an exhaustive list, and each organization will develop playbooks that describe their response to both high severity and frequently occurring incident categories. The idea behind the playbook is that the team should be able to pick it up and find an operational plan for responding to the security incident that they may follow. Playbooks are especially important in the early hours of incident response to ensure that the team has a planned, measured response to the first reports of a potential incident.

Answer 6

There are many different roles that should be represented in a CSIRT. Depending on the organization and its technical needs, some of these roles may be core team members who are always activated, whereas others may be called in as needed on an incident-by-incident basis. For example, a database administrator might be crucial when investigating the aftermath of a SQL injection attack but would probably not be very helpful when responding to a stolen laptop. The core incident response team normally consists of cybersecurity professionals with specific expertise in incident response. In larger organizations, these may be full-time employees dedicated to incident response, whereas smaller organizations may call on cybersecurity experts who fill other roles for their “day jobs” to step into CSIRT roles in the aftermath of an incident.

Answer 7

Management should have an active role in incident response efforts. The primary responsibility of IT managers and senior leadership is to provide the authority, resources, and time required to respond appropriately to a security incident. This includes ensuring that the CSIRT has the budget and staff required to plan for security incidents and access to subject matter experts during a response.

Answer 8

Incident Response Providers In addition to including internal team members on the CSIRT, the organization may decide to outsource some or all of their actions to an incident response provider. Retaining an incident response provider gives the organization access to expertise that might not otherwise exist inside the firm. This may come at a significant expense, so the organizations should decide what types of incidents may be handled internally and which justify the use of an outside provider. Additionally, the organization should understand the provider's guaranteed response time and ensure that it has a plan in place to respond to the early stages of an incident before the provider assumes control.

Answer 9

Information Governance ensures that information is well organized for future eDiscovery efforts. Identification locates the information that may be responsive to a discovery request when the organization believes that litigation is likely. Preservation ensures that potentially discoverable information is protected against alteration or deletion. Collection gathers the relevant information centrally for use in the eDiscovery process. Processing screens the collected information to perform a “rough cut” of irrelevant information, reducing the amount of information requiring detailed screening. Review examines the remaining information to determine what information is relevant to the request and removing any information protected by attorney-client privilege. Analysis performs a deeper inspection of the content and context of the remaining information. Production places the information into a format that may be shared with others and delivers it to other parties, such as opposing counsel. Presentation displays the information to witnesses, the court, and other parties.

Answer 10

Many different types of evidence can be used in a court of law. Depending on the reference you consult, these may be grouped in many different ways. However, there are four major categories with which you should be familiar: real evidence, documentary evidence, testimonial evidence, and demonstrative evidence. Each has slightly different additional requirements for admissibility. Real Evidence Real evidence (also known as object evidence) consists of things that may actually be brought into a court of law. In common criminal proceedings, this may include items such as a murder weapon, clothing, or other physical objects. In a computer crime case, real evidence might include seized computer equipment, such as a keyboard with fingerprints on it or a hard drive from a hacker's computer system. Depending on the circumstances, real evidence may also be conclusive evidence, such as deoxyribonucleic acid (DNA), that is incontrovertible. Documentary Evidence Documentary evidence includes any written items brought into court to prove a fact at hand. This type of evidence must also be authenticated. For example, if an attorney wants to introduce a computer log as evidence, they have testimony from a witness (for example, the system administrator) confirming that the log was collected as a routine business practice and is indeed the actual log that the system collected.

Answer 11

General description of the evidence Time and date the evidence was collected Exact location the evidence was collected from Name of the person collecting the evidence Relevant circumstances surrounding the collection Each person who handles the evidence must sign the chain-of-custody log indicating the time they took direct responsibility for the evidence and the time they handed it off to the next person in the chain of custody. The chain must provide an unbroken sequence of events accounting for the evidence from the time it was collected until the time of the trial.

Answer 12

Demonstrative evidence is evidence used to support testimonial evidence. It consists of items that may or may not be admitted into evidence themselves but are used to help a witness explain a concept or clarify an issue. For example, demonstrative evidence might include a diagram explaining the contents of a network packet or showing the process used to conduct a distributed denial-of-service attack. The admissibility of demonstrative evidence is a matter left to the trial court, with the general principle that demonstrative evidence must assist the jury in understanding a case.

Answer 13

Security events are occurrences that may escalate into a security incident. An event is any observable occurrence in a system or network. A security event includes any observable occurrence that relates to a security function. A security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Every incident consists of one or more events, but every event is not an incident.

Answer 14

The cybersecurity incident response process has four phases. The four phases of incident response are preparation; detection and analysis; containment, eradication, and recovery; and post-incident activities. The process is not a simple progression of steps from start to finish. Instead, it includes loops that allow responders to return to prior phases as needed during the response.

Answer 15

Security event indicators include alerts, logs, publicly available information, and people. Alerts originate from intrusion detection and prevention systems, security information and event management systems, antivirus software, file integrity checking software, and third-party monitoring services. Logs are generated by operating systems, services, applications, network devices, and network flows. Publicly available information exists about new vulnerabilities and exploits detected “in the wild” or in a controlled laboratory environment. People from inside the organization or external sources report suspicious activity that may indicate that a security incident is in progress.

Answer 16

Policies, procedures, and playbooks guide incident response efforts. The incident response policy serves as the cornerstone of an organization's incident response program. This policy should be written to guide efforts at a high level and provide the authority for incident response. Procedures provide the detailed, tactical information that CSIRT members need when responding to an incident. CSIRTs often develop playbooks that describe the specific procedures that they will follow in the event of a specific type of cybersecurity incident.

Answer 17

Incident response teams should represent diverse stakeholders. The core incident response team normally consists of cybersecurity professionals with specific expertise in incident response. In addition to the core team members, the CSIRT may include representation from technical subject matter experts, IT support staff, legal counsel, human resources staff, and public relations and marketing teams.

Answer 18

Incidents may be classified according to the attack vector where they originate. Common attack vectors for security incidents include external/removable media, attrition, the web, email, impersonation, improper usage, loss or theft of equipment, and other/unknown sources.

Answer 19

Response teams classify the severity of an incident. The functional impact of an incident is the degree of impairment that it causes to the organization. The economic impact is the amount of financial loss that the organization incurs. In addition to measuring the functional and economic impact of a security incident, organizations should measure the time that services will be unavailable and the recoverability effort. Finally, the nature of the data involved in an incident also contributes to the severity of the information impact.

Answer 20

Business continuity planning involves four distinct phases: project scope and planning, business impact analysis, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency.

Answer 21

In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

Answer 22

The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.

Answer 23

Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that they must meet before, during, and after a disaster.

Answer 24

Explain the steps of the business impact analysis process. The five stages of the business impact analysis process are the identification of priorities, risk identification, likelihood assessment, impact analysis, and resource prioritization.

Answer 25

During the strategy development phase, the BCP team determines which risks they will mitigate. In the provisions and processes phase, the team designs mechanisms and procedures that will mitigate identified risks. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.

Answer 26

Committing the plan to writing provides the organization with a written record of the procedures to follow when disaster strikes. It prevents the “it's in my head” syndrome and ensures the orderly progress of events in an emergency.

Answer 27

The common types of recovery facilities are cold sites, warm sites, hot sites, mobile sites, and multiple sites. Be sure you understand the benefits and drawbacks for each such facility.

Answer 28

Databases benefit from three backup technologies. Electronic vaulting is used to transfer database backups to a remote site as part of a bulk transfer. In remote journaling, data transfers occur on a more frequent basis. With remote mirroring technology, database transactions are mirrored at the backup site in real time.

Answer 29

These programs should take a comprehensive approach to planning and include considerations related to the initial response effort, personnel involved, communication among the team and with internal and external entities, assessment of response efforts, and restoration of services. DR programs should also include training and awareness efforts to ensure personnel understand their responsibilities and lessons learned sessions to continuously improve the program.

Answer 30

The five types of disaster recovery plan tests are: * Checklist tests * read-through tests, * structured walk-throughs, * simulation tests, * parallel tests * full-interruption tests. Checklist tests are purely paperwork exercises, whereas structured walk-throughs involve a project team meeting. Neither has an impact on business operations. Simulation tests may shut down noncritical business units. Parallel tests involve relocating personnel but do not affect day-to-day operations. Full-interruption tests involve shutting down primary systems and shifting responsibility to the recovery facility.

Answer 31

Resilient organizations have plans and procedures in place to help mitigate the effects a disaster has on their continuing operations and to speed the return to normal operations. Business continuity planning (BCP) helps your organization assess priorities and design resilient processes that will allow continued operations in the event of a disaster. Disaster recovery planning (DRP) is the technical complement to the business-focused BCP exercise. It includes the technical controls that prevent disruptions and facilitate the restoration of service as quickly as possible after a disruption occurs. BUSINESS CONTINUITY PLANNING VS. DISASTER RECOVERY PLANNING CISM candidates often become confused about the difference between business continuity planning (BCP) and disaster recovery planning (DRP). They might try to sequence them in a particular order or draw firm lines between the two activities. The reality of the situation is that these lines are blurry in real life and don't lend themselves to neat and clean categorization. The distinction between the two is one of perspective. Both activities help prepare an organization for a disaster. They intend to keep operations running continuously, when possible, and recover functions as quickly as possible if a disruption occurs. The perspective difference is that business continuity activities are typically strategically focused and center themselves on business processes and operations. Disaster recovery plans tend to be more tactical and describe technical activities such as recovery sites, backups, and fault tolerance. In any event, don't get hung up on the difference between the two. We've yet to see an exam question force anyone to draw a solid line between the two activities. It's much more important that you understand the processes and technologies involved in these two related disciplines.

Answer 32

overall goal of BCP is to provide a quick, calm, and efficient response in the event of an emergency and to enhance a company's ability to recover from a disruptive event promptly. Project scope and planning Business impact analysis Continuity planning Plan approval and implementation

Answer 33

As with any formalized business process, the development of a resilient business continuity plan requires the use of a proven methodology. Organizations should approach the planning process with several goals in mind: Perform a structured review of the business's organization from a crisis planning point of view. Create a BCP team with the approval of senior management. Assess the resources available to participate in business continuity activities. Analyze the legal and regulatory landscape that governs an organization's response to a catastrophic event.

Answer 34

One of the first tasks of the team responsible for business continuity planning is to perform an analysis of the business organization to identify all departments and individuals who have a stake in the BCP process. Here are some areas to consider: Operational departments that are responsible for the core services the business provides to its clients Critical support services, such as the IT department, facilities and maintenance personnel, and other groups responsible for the upkeep of systems that support the operational departments Security teams responsible for physical security, since they are many times the first responders to an incident and are also responsible for the physical safeguarding of the primary facility and alternate processing facility Senior executives and other key individuals essential for the ongoing viability of the organization

Answer 35

The team should include, at a minimum, the following individuals: Representatives from each of the organization's departments responsible for the core services performed by the business Business unit team members from the functional areas identified by the organizational analysis IT subject-matter experts with technical expertise in areas covered by the BCP Cybersecurity team members with knowledge of the BCP process Physical security and facility management teams responsible for the physical plant Attorneys familiar with corporate legal, regulatory, and contractual responsibilities Human resources team members who can address staffing issues and the impact on individual employees Public relations team members who need to conduct similar planning for how they will communicate with stakeholders and the public in the event of a disruption Senior management representatives with the ability to set the vision, define priorities, and allocate resources

Answer 36

Resource Requirements After the team validates the organizational review, it should turn to an assessment of the resources required by the BCP effort. This assessment involves the resources needed by three distinct BCP phases: BCP Development The BCP team will require some resources to perform the four elements of the BCP process (project scope and planning, business impact analysis, continuity planning, and approval and implementation). It's more than likely that the major resource consumed by this BCP phase will be the effort expended by members of the BCP team and the support staff they call on to assist in the development of the plan. BCP Testing, Training, and Maintenance The testing, training, and maintenance phases of BCP will require some hardware and software commitments. Still, once again, the major commitment in this phase will be the effort of the employees involved in those activities. BCP Implementation When a disaster strikes and the BCP team deems it necessary to conduct a full-scale implementation of the business continuity plan, the implementation will require significant resources. Those resources include a large amount of effort (BCP will likely become the focus of a large part, if not all, of the organization) as well as direct financial expenses. For this reason, the team must use its BCP implementation powers judiciously yet decisively.

Answer 37

Once your BCP team completes the four stages of preparing to create a business continuity plan, it's time to dive into the heart of the work—the business impact analysis (BIA). The BIA identifies the business processes and tasks that are critical to an organization's ongoing viability and the threats posed to those resources. It also assesses the likelihood that each threat will occur and the impact those occurrences will have on the business. The results of the BIA provide you with quantitative measures that can help you prioritize the commitment of business continuity resources to the various local, regional, and global risk exposures facing your organization.

Answer 38

It's important to realize that there are two different types of analyses that business planners use when facing a decision: Quantitative Impact Assessment Involves the use of numbers and formulas to reach a decision. This type of data often expresses options in terms of the dollar value to the business. Qualitative Impact Assessment Takes non-numerical factors, such as reputation, investor/customer confidence, workforce stability, and other concerns, into account. This type of data often results in categories of prioritization (such as high, medium, and low). The BIA process described in this chapter approaches the problem from both quantitative and qualitative points of view. However, it's tempting for a BCP team to “go with the numbers” and perform a quantitative assessment while neglecting the somewhat more subjective qualitative assessment. The BCP team should perform a qualitative analysis of the factors affecting your BCP process. For example, if your business is highly dependent on a few important clients, your management team is probably willing to suffer a significant short-term financial loss to retain those clients in the long term. The BCP team must sit down and discuss (preferably with the involvement of senior management) qualitative concerns to develop a comprehensive approach that satisfies all stakeholders.

Answer 39

The preceding step consisted of the BCP team's drawing up a comprehensive list of the events that can be a threat to an organization. You probably recognized that some events are much more likely to happen than others. For example, an earthquake is a much more plausible risk than a tropical storm for a business located in Southern California. A company based in Florida might have the exact opposite likelihood that each risk would occur. To account for these differences, the next phase of the business impact analysis identifies the likelihood that each risk will occur. We describe this likelihood using the same process used for the risk assessment in Chapter 3. First, we determine the annualized rate of occurrence (ARO) that reflects the number of times a business expects to experience a given disaster each year. This annualization process simplifies comparing the magnitude of very different risks.

Answer 40

The BCP documentation should also outline a vital records program for the organization. This document states where critical business records will be stored and the procedures for making and storing backup copies of those records. One of the biggest challenges in implementing a vital records program is often identifying the essential records in the first place. As many organizations transitioned from paper-based to digital workflows, they often lost the rigor that existed around creating and maintaining formal file structures. Vital records may now be distributed among a wide variety of IT systems and cloud services. Some may be stored on central servers accessible to groups, whereas others may be located in digital repositories assigned to an individual employee.

Answer 41

The emergency-response guidelines outline the organizational and individual responsibilities for an immediate response to an emergency. This document provides the first employees to detect an emergency with the steps they should take to activate the provisions of the BCP that do not start automatically. These guidelines should include the following: Immediate response procedures (security and safety procedures, fire suppression procedures, notification of appropriate emergency-response agencies, and so on) A list of the individuals to notify of the incident (executives, BCP team members, and so on) Secondary response procedures that first responders should take while waiting for the BCP team to assemble

Answer 42

Fault tolerance is the ability of a system to suffer a fault but continue to operate. Fault tolerance is achieved by adding redundant components such as additional disks within a properly configured redundant array of inexpensive disks (RAID) array or additional servers within a failover clustered configuration.

Answer 43

One of the most important elements of the disaster recovery plan is the selection of alternate processing sites to be used when the primary sites are unavailable. Many options are available when considering recovery facilities, limited only by the creative minds of disaster recovery planners and available resources. In the following sections, we cover several types of sites commonly used in disaster recovery planning: cold sites, warm sites, hot sites, mobile sites, and cloud computing.

Answer 44

Cold sites are standby facilities large enough to handle the processing load of an organization and equipped with appropriate electrical and environmental support systems. They may be large warehouses, empty office buildings, or other similar structures. However, a cold site has no computing facilities (hardware or software) preinstalled and also has no active broadband communications links. Many cold sites do have at least a few copper telephone lines, and some sites may have standby links that can be activated with minimal notification.

Answer 45

A hot site is the exact opposite of the cold site. In this configuration, a backup facility is maintained in constant working order, with a full complement of servers, workstations, and communications links ready to assume primary operations responsibilities. The servers and workstations are all preconfigured and loaded with appropriate operating system and application software. The data on the primary site servers is periodically or continuously replicated to corresponding servers at the hot site, ensuring that the hot site has up-to-date data. Depending on the bandwidth available between the sites, hot site data may be replicated instantaneously. If that is the case, operators could move operations to the hot site at a moment's notice. If that’s not the case, disaster recovery managers have three options to activate the hot site:

Answer 46

Warm sites occupy the middle ground between hot and cold sites for disaster recovery specialists. They always contain the equipment and data circuits necessary to rapidly establish operations. As with hot sites, this equipment is usually preconfigured and ready to run appropriate applications to support an organization's operations. Unlike hot sites, however, warm sites do not typically contain copies of the client's data. The main requirement in bringing a warm site to full operational status is the transportation of appropriate backup media to the site and restoration of critical data on the standby servers.

Answer 47

Mobile sites are non-mainstream alternatives to traditional recovery sites. They typically consist of self-contained trailers or other easily relocated units. These sites include all the environmental control systems necessary to maintain a safe computing environment. Larger corporations sometimes maintain these sites on a “fly-away” basis, ready to deploy them to any operating location around the world via air, rail, sea, or surface transportation. Smaller firms might contract with a mobile site vendor in their local area to provide these services on an as-needed basis.

Answer 48

Recovery Plan Development Once you've established your business unit priorities and have a good idea of the appropriate alternative recovery sites for your organization, it's time to put pen to paper and begin drafting a true disaster recovery plan. Don't expect to sit down and write the full plan in one sitting. It's likely that the DRP team will go through many draft documents before reaching a final written document that satisfies the operational needs of critical business units and falls within the resource, time, and expense constraints of the disaster recovery budget and available personnel. In the following sections, we explore some important items to include in your disaster recovery plan. Depending on the size of your organization and the number of people involved in the DRP effort, it may be a good idea to maintain multiple types of plan documents, intended for different audiences. The following list includes various types of documents worth considering: Executive summary providing a high-level overview of the plan Department-specific plans Technical guides for IT personnel responsible for implementing and maintaining critical backup systems Checklists for individuals on the disaster recovery team Full copies of the plan for critical disaster recovery team members

Answer 49

Testing and Maintenance Every disaster recovery plan must be tested on a periodic basis to ensure that the plan's provisions are viable and that it meets an organization's changing needs. The types of tests that you conduct will depend on the types of recovery facilities available to you, the culture of your organization, and the availability of disaster recovery team members. The five main test types—checklist tests, structured walk-throughs, simulation tests, parallel tests, and full-interruption tests—are discussed in the remaining sections of this chapter. Note Icon For more information on this topic, consult NIST Special Publication 800-84, “Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities Recommendations”, available at https://csrc.nist.gov/publications/detail/sp/800-84/final.

Answer 50

The read-through test is one of the simplest tests to conduct, but it's also one of the most critical ones. In this test, you distribute copies of disaster recovery plans to the members of the disaster recovery team for review. This lets you accomplish three goals simultaneously: It ensures that key personnel are aware of their responsibilities and have that knowledge refreshed periodically. It provides individuals with an opportunity to review the plans for obsolete information and update any items that require modification because of changes within the organization. In large organizations, it helps identify situations in which key personnel have left the company and nobody bothered to reassign their disaster recovery responsibilities. This is also a good reason why disaster recovery responsibilities should be included in job descriptions.

Answer 51

A structured walk-through takes testing one step further. In this type of test, often referred to as a table-top exercise, members of the disaster recovery team gather in a large conference room and role-play a disaster scenario. Usually, the exact scenario is known only to the test moderator, who presents the details to the team at the meeting. The team members then refer to their copies of the disaster recovery plan and discuss the appropriate responses to that particular type of disaster. Walk-throughs may vary in their scope and intent. Some exercises may include taking physical actions or at least considering their impact on the exercise. For example, a walk-through might require that everyone leave the building and return home to participate in the exercise.

Answer 52

Simulation tests are similar to the structured walk-throughs. In simulation tests, disaster recovery team members are presented with a scenario and asked to develop an appropriate response. Unlike with the tests previously discussed, some of these response measures are then tested. This may involve the interruption of noncritical business activities and the use of some operational personnel.

Answer 53

Parallel tests represent the next level in testing and involve relocating personnel to the alternate recovery site and implementing site activation procedures. The employees relocated to the site perform their disaster recovery responsibilities just as they would for an actual disaster. The only difference is that operations at the main facility are not interrupted. That site retains full responsibility for conducting the day-to-day business of the organization.

Answer 54

Full-interruption tests operate like parallel tests, but they involve actually shutting down operations at the primary site and shifting them to the recovery site. These tests involve a significant risk, as they require the operational shutdown of the primary site and transfer to the recovery site, followed by the reverse process to restore operations at the primary site. For this reason, full-interruption tests are extremely difficult to arrange, and you often encounter resistance from management.

Answer 55

At the conclusion of any disaster recovery operation or other security incident, the organization should conduct a lessons learned session. The lessons learned process is designed to provide everyone involved with the incident response effort an opportunity to reflect on their individual role in the incident and the team's response overall. It is an opportunity to improve the processes and technologies used in incident response to better respond to future security crises. The most common way to conduct lessons learned is to gather everyone in the same room, or connect them via videoconference or telephone, and ask a trained facilitator to lead a lessons learned session. Ideally, this facilitator should have played no role in the incident response, leaving them with no preconceived notions about the response. The facilitator should be a neutral party who simply helps guide the conversation. Time is of the essence with the lessons learned session because, as time passes, details quickly become fuzzy and memories are lost. The more quickly you conduct a lessons learned session, the more likely it is that you will receive valuable feedback that can help guide future responses.

Answer 56

Cybersecurity analysts often use network segmentation as a proactive strategy to prevent the spread of future security incidents. For example, the network shown in Figure 8.2 is designed to segment different types of users from each other and from critical systems. An attacker who can gain access to the guest network would not be able to interact with systems belonging to employees or in the data center without traversing the network firewall.

Answer 57

Two primary isolation techniques may be used during a cybersecurity incident response effort: isolating affected systems and isolating the attacker.

Answer 58

The scope of an incident's impact depends on the degree of impairment that it causes the organization as well as the effort required to recover from the incident.

Answer 59

The functional impact of an incident is the degree of impairment that it causes to the organization. This may vary based on the criticality of the data, the system(s) or process(es) affected by the incident, and the organization's ability to continue providing services to users as an incident unfolds and in its aftermath.

Answer 60

Category Definition None No effect on the organization's ability to provide all services to all users. Low Minimal effect; the organization can still provide all critical services to all users but has lost efficiency. Medium Organization has lost the ability to provide a critical service to a subset of system users. High Organization is no longer able to provide some critical services to any users.

Answer 61

Security practitioners may find themselves conducting investigations for a wide variety of reasons. Some of these investigations involve law enforcement and must follow rigorous standards designed to produce evidence that will be admissible in court.

Answer 62

Administrative investigations are internal investigations that examine either operational issues or a violation of the organization's policies. They may be conducted as part of a technical troubleshooting effort or in support of other administrative processes, such as HR disciplinary procedures.

Answer 63

Criminal investigations, typically conducted by law enforcement personnel, investigate the alleged violation of criminal law. Criminal investigations may result in charging suspects with a crime and the prosecution of those charges in criminal court.

Answer 64

Civil investigations typically do not involve law enforcement but rather involve internal employees and outside consultants working on behalf of a legal team. They prepare the evidence necessary to present a case in civil court, resolving a dispute between two parties.

Answer 65

Government agencies may conduct regulatory investigations when they believe that an individual or corporation has violated administrative law. Regulators typically conduct these investigations with a standard of proof commensurate with the venue where they expect to try their case. Regulatory investigations vary widely in scope and procedure and are often conducted by government agents.

Answer 66

The functional impact of an incident is the degree of impairment that it causes to the organization. The economic impact is the amount of financial loss that the organization incurs. In addition to measuring the functional and economic impact of a security incident, organizations should measure the time that services will be unavailable and the recoverability effort. Finally, the nature of the data involved in an incident also contributes to the severity of the information impact.

Answer 67

The BCP team will require some resources to perform the four elements of the BCP process (project scope and planning, business impact analysis, continuity planning, and approval and implementation). It's more than likely that the major resource consumed by this BCP phase will be the effort expended by members of the BCP team and the support staff they call on to assist in the development of the plan.

Answer 68

Many industries may find themselves bound by federal, state, and local laws or regulations that require them to implement various degrees of BCP.

Answer 69

Once your BCP team completes the four stages of preparing to create a business continuity plan, it's time to dive into the heart of the work—the). The BIA identifies the business processes and tasks that are critical to an organization's ongoing viability and the threats posed to those resources. I

Answer 70

s” phase of the business impact analysis. It simply involves listing the functions considered critical to continued business operations in a prioritized order. When listing these priorities, you should also include a statement that they were developed as part of the BCP process and reflect the importance of the functions to continued business operations in the event of an emergency and nothing more.

Answer 71

In an electronic vaulting scenario, database backups are moved to a remote site using bulk transfers. The remote location may be a dedicated alternative recovery site (such as a hot site) or simply an offsite location managed within the company or by a contractor for the purpose of maintaining backup data. When a disaster is declared, technicians retrieve the appropriate transaction logs and apply them to the production database, bringing the database up to the current production state.

Answer 72

, data transfers are performed in a more expeditious manner. Data transfers still occur in a bulk transfer mode, b

Answer 73

Remote mirroring is the most advanced database backup solution. Not surprisingly, it's also the most expensive! Remote mirroring goes beyond the technology used by remote journaling and electronic vaulting; with remote mirroring, a live database server is maintained at the backup site. The remote server receives

Answer 74

Business continuity planning involves four distinct phases: project scope and planning, business impact analysis, continuity planning, and approval and implementation. Each task contributes to the overall goal of ensuring that business operations continue uninterrupted in the face of an emergency.

Answer 75

In the business organization analysis, the individuals responsible for leading the BCP process determine which departments and individuals have a stake in the business continuity plan. This analysis serves as the foundation for BCP team selection and, after validation by the BCP team, is used to guide the next stages of BCP development.

Answer 76

The BCP team should contain, at a minimum, representatives from each of the operational and support departments; technical experts from the IT department; physical and IT security personnel with BCP skills; legal representatives familiar with corporate legal, regulatory, and contractual responsibilities; and representatives from senior management. Additional team members depend on the structure and nature of the organization.

Answer 77

Business leaders must exercise due diligence to ensure that shareholders' interests are protected in the event disaster strikes. Some industries are also subject to federal, state, and local regulations that mandate specific BCP procedures. Many businesses also have contractual obligations to their clients that they must meet before, during, and after a disaster.

Answer 78

During the strategy development phase, the BCP team determines which risks they will mitigate. In the provisions and processes phase, the team designs mechanisms and procedures that will mitigate identified risks. The plan must then be approved by senior management and implemented. Personnel must also receive training on their roles in the BCP process.

Answer 79

The five types of disaster recovery plan tests are: read-through tests, structured walk-throughs, simulation tests, parallel tests, and full-interruption tests. Checklist tests are purely paperwork exercises, whereas structured walk-throughs involve a project team meeting. Neither has an impact on business operations. Simulation tests may shut down noncritical business units. Parallel tests involve relocating personnel but do not affect day-to-day operations. Full-interruption tests involve shutting down primary systems and shifting responsibility to the recovery facility.

Answer 80

Manager provides interference: The role of a manager in incident response is to coordinate and direct all facets of the incident response effort. The manager is responsible for ensuring that the incident is resolved as quickly and efficiently as possible, while minimizing the impact on the organization. The specific responsibilities of a manager in incident response will vary depending on the size and complexity of the organization, as well as the nature of the incident. However, some common responsibilities include: Assembling and leading the incident response team: The manager is responsible for assembling a team of qualified individuals to respond to the incident. This team may include representatives from IT, security, legal, and other departments. The manager is also responsible for leading the team and ensuring that everyone is working together effectively. Assessing the situation: The manager must quickly assess the situation to determine the nature of the incident, its impact on the organization, and the best course of action. Developing and implementing a response plan: The manager must develop and implement a response plan to resolve the incident. This plan should include specific steps to be taken, timelines, and resource requirements. Communicating with stakeholders: The manager must keep stakeholders informed of the incident and the response effort. This includes communicating with senior management, customers, and the public (if necessary). Evaluating the response: Once the incident has been resolved, the manager must evaluate the response effort to identify areas for improvement. The role of a manager in incident response is critical to the success of the response effort. An effective manager will be able to quickly assess the situation, develop a response plan, and lead the team to a successful resolution. Here are some key tips for managers in incident response: Be prepared: Develop an incident response plan before an incident occurs. This plan should identify the key roles and responsibilities, communication protocols, and escalation procedures. Be decisive: Don't be afraid to make decisions, even if you don't have all the information. It is better to make a decision and move forward than to be paralyzed by indecision. Be communicative: Keep stakeholders informed of the incident and the response effort. This will help to reduce anxiety and uncertainty. Be flexible: Things don't always go according to plan, so be prepared to adjust your response as needed. Learn from your mistakes: After the incident, take the time to evaluate the response effort and identify areas for improvement. By following these tips, managers can play a vital role in ensuring the success of the incident response effort.

Answer 81

To build an incident response team, you should follow these steps: Identify the key roles and responsibilities. What skills and experience do you need on your team? What are the roles and responsibilities of each team member? Recruit qualified individuals. Once you have identified the key roles and responsibilities, you need to recruit qualified individuals to fill those roles. You may be able to find qualified individuals within your organization, or you may need to hire externally. Provide training and support. Once you have assembled your team, you need to provide them with the training and support they need to be successful. This includes training on the organization's incident response plan, as well as training on the latest incident response tools and techniques. Test your team. Once your team is trained, you should test them regularly to ensure that they are prepared to respond to an incident. This can be done through tabletop exercises, simulations, and other training exercises. Maintain your team. The needs of your organization may change over time, so it is important to regularly review your incident response team and make adjustments as needed. Here are some additional tips for building an effective incident response team: Include a variety of perspectives. Your incident response team should include individuals from a variety of departments, including IT, security, legal, and communications. This will help to ensure that all aspects of the incident are considered when developing a response plan. Empower your team. Give your team the authority to make decisions and take action. This will help to ensure that the incident is resolved quickly and efficiently. Foster communication and collaboration. Encourage team members to communicate and collaborate with each other. This will help to ensure that everyone is on the same page and that the response is coordinated. Learn from your experiences. After each incident, take the time to evaluate the response effort and identify areas for improvement. This will help to make your incident response team even more effective in the future. By following these tips, you can build an incident response team that is prepared to respond to any incident.

Answer 82

A security event is any occurrence in an information system or the environment in which it operates that has the potential to adversely affect the system's security. Security events can be caused by a variety of factors, including human error, technical failures, and malicious attacks. A security incident is a security event that has resulted in a negative impact on an organization's security. Security incidents can result in a variety of consequences, including data breaches, financial losses, and reputational damage. An adverse event is any occurrence that has a negative impact on an organization. Adverse events can be caused by a variety of factors, including security incidents, natural disasters, and business disruptions. The key difference between a security event and a security incident is that a security incident has resulted in a negative impact on the organization's security. An adverse event, on the other hand, can be caused by a variety of factors, including security incidents, but does not necessarily have to involve security. Here are some examples of security events, security incidents, and adverse events: Security event: A hacker attempts to log into the organization's network using a stolen password. Security incident: A hacker successfully logs into the organization's network and steals sensitive data. Adverse event: The organization experiences a power outage that disrupts its operations. The organization in the first example experienced a security event, but it did not result in a security incident because the hacker was not able to log into the network. In the second example, the organization experienced a security incident because the hacker was able to log into the network and steal sensitive data. In the third example, the organization experienced an adverse event because the power outage disrupted its operations, but it was not a security incident because it was not caused by a malicious attack. It is important to note that the distinction between a security event and a security incident can be subjective. For example, some organizations may consider a failed login attempt to be a security incident, while others may not. Organizations should have a process in place for identifying and responding to security events and incidents. This process should include steps for investigating security events, assessing the risk, and taking action to mitigate the risk.

Answer 83

To determine the incident severity, you can use the following factors: Impact: What is the impact of the incident on the organization? This could include the impact on business operations, customers, or reputation. Urgency: How quickly does the incident need to be resolved? This could be based on the impact of the incident, the potential for further damage, or regulatory requirements. Complexity: How difficult is the incident to resolve? This could be based on the nature of the incident, the skills and resources required, and the availability of a fix. Once you have considered these factors, you can assign a severity level to the incident. Common severity levels include: Critical: The incident has a severe impact on business operations, customers, or reputation, and it needs to be resolved immediately. Major: The incident has a significant impact on business operations, customers, or reputation, and it needs to be resolved quickly. Minor: The incident has a minor impact on business operations, customers, or reputation, and it can be resolved within a reasonable timeframe. Low: The incident has a negligible impact on business operations, customers, or reputation, and it can be resolved at your convenience. It is important to note that the severity of an incident can change over time. For example, a minor incident may become a major incident if it is not resolved quickly. Organizations should have a process in place for determining the severity of incidents. This process should be documented and communicated to all employees. Here are some additional tips for determining the incident severity: Consider the stakeholders. Who is impacted by the incident? What are their needs and expectations? Consider the business impact. How is the incident impacting the organization's ability to do business? Consider the potential for further damage. Could the incident lead to more serious consequences if it is not resolved quickly? Consider regulatory requirements. Are there any regulatory requirements that apply to the incident? By considering all of these factors, you can make an informed decision about the severity of the incident. This will help you to prioritize the incident and to allocate resources accordingly.

Answer 84

The National Institute of Standards and Technology (NIST) classifies incident severity using a four-level scale: Severity 1: A critical incident with very high impact. This type of incident may cause significant disruption to business operations, financial losses, or damage to reputation. Severity 2: A major incident with significant impact. This type of incident may cause moderate disruption to business operations, financial losses, or damage to reputation. Severity 3: A minor incident with low impact. This type of incident may cause minor disruption to business operations, but is unlikely to cause financial losses or damage to reputation. Severity 4: A negligible incident with very low impact. This type of incident is unlikely to cause any disruption to business operations, financial losses, or damage to reputation. NIST also provides a number of factors to consider when determining the severity of an incident, including: Impact: The impact of the incident on the organization, including its business operations, customers, and reputation. Urgency: The urgency with which the incident needs to be resolved. Complexity: The difficulty of resolving the incident. Scope: The number of people or systems affected by the incident. Organizations can use the NIST classification system to develop their own incident severity levels. This can help organizations to prioritize incidents and to allocate resources accordingly. Here are some examples of incidents that might be classified as Severity 1: A data breach that exposes sensitive customer information A ransomware attack that encrypts critical business systems A denial-of-service attack that makes the organization's website or online services unavailable Here are some examples of incidents that might be classified as Severity 2: A malware infection that disrupts a critical business process A security vulnerability that could be exploited by attackers A system outage that impacts a significant number of users Here are some examples of incidents that might be classified as Severity 3: A phishing attack that results in a few users having their accounts compromised A minor security misconfiguration that is easily fixed A system outage that impacts a small number of users Here are some examples of incidents that might be classified as Severity 4: A failed login attempt A minor software bug that does not cause any disruption A system outage that impacts a single user It is important to note that the severity of an incident can change over time. For example, a Severity 3 incident may become a Severity 1 incident if it is not resolved quickly or if it has a greater impact than originally anticipated. Organizations should develop a process for classifying incidents based on their severity. This process should be documented and communicated to all employees.

Answer 85

Documentary evidence is any written or recorded information that is presented to a court of law to prove a fact. Documentary evidence can include contracts, leases, receipts, emails, and photographs. Documentary evidence is often used to corroborate real evidence or to provide additional context for the case. The key difference between real evidence and documentary evidence is that real evidence is physical, while documentary evidence is not. Real evidence can be seen, touched, and smelled, while documentary evidence can only be read or heard. Here are some examples of real evidence: A murder weapon A bloodstained shirt A piece of DNA A fingerprint A tire track A video recording of a crime Here are some examples of documentary evidence: A contract A lease A receipt An email A photograph A medical record A business record Both real evidence and documentary evidence can be used to prove facts in a court of law. However, real evidence is often more persuasive because it is difficult to refute. Documentary evidence can be fabricated or altered, but it is much more difficult to do the same with real evidence. In some cases, real evidence and documentary evidence may be used together to prove a fact. For example, a prosecutor might introduce a murder weapon as real evidence and a witness's testimony as documentary evidence to prove that the defendant committed murder. The admissibility of both real evidence and documentary evidence is subject to the rules of evidence. These rules vary from jurisdiction to jurisdiction, but they generally require that the evidence be relevant and reliable.

Answer 86

A write blocker is a technology that prevents a forensic examiner from accidentally corrupting evidence while creating an image of a disk. It is a device that is inserted between the disk drive and the computer being used to create the image. The write blocker prevents the computer from writing any data to the disk, which helps to ensure that the original evidence is preserved. Write blockers are typically used in conjunction with forensic imaging software to create a bit-by-bit copy of the disk. The forensic imaging software will read all of the data on the disk and create a file that contains the data. The write blocker will prevent the computer from writing any data to the disk while the image is being created. Write blockers are an important tool for forensic examiners because they help to ensure that the original evidence is preserved. Without a write blocker, it is possible to accidentally corrupt the evidence while creating an image. This could happen if the computer writes data to the disk while the image is being created. Here are some of the benefits of using a write blocker: Preserves the original evidence: A write blocker prevents the computer from writing any data to the disk while the image is being created. This helps to ensure that the original evidence is preserved. Reduces the risk of errors: A write blocker can help to reduce the risk of errors during the imaging process. If an error does occur, the write blocker can help to prevent the error from corrupting the image. Increases the reliability of the evidence: A write blocker can help to increase the reliability of the evidence by ensuring that the image is an accurate copy of the original disk. If you are involved in a forensic investigation, it is important to use a write blocker to create an image of the disk. This will help to ensure that the original evidence is preserved and that the image is an accurate copy of the original disk.

Answer 87

During the production phase of eDiscovery, organizations share information with the other side. This is the phase where the electronically stored information (ESI) that has been collected and processed is exchanged between the parties involved in the litigation. The production phase can be a complex and time-consuming process, depending on the volume and complexity of the ESI involved. It is important to have a plan in place for producing ESI in a timely and efficient manner, and to comply with all applicable laws and regulations. Here are some of the key steps involved in the production phase of eDiscovery: Identify the ESI to be produced: The first step is to identify the ESI that is relevant to the litigation and that is required to be produced under the applicable laws and regulations. This may involve reviewing the discovery requests from the other side, as well as the organization's own policies and procedures. Collect and process the ESI: Once the ESI to be produced has been identified, it needs to be collected and processed. This may involve extracting the ESI from various sources, such as email servers, file shares, and mobile devices. The ESI may also need to be converted to a standard format, such as PDF or TIFF. Review the ESI: Before producing the ESI, it is important to review it to ensure that it is relevant and that it does not contain any privileged or confidential information. The ESI may need to be redacted to remove any privileged or confidential information. Produce the ESI: Once the ESI has been reviewed and redacted, it can be produced to the other side. The ESI may be produced on physical media, such as CDs or DVDs, or it may be produced electronically, such as through a secure file sharing service. It is important to note that the production phase of eDiscovery is not the end of the eDiscovery process. After the ESI has been produced, the parties may engage in additional discovery activities, such as depositions and expert witness discovery. The parties may also file motions with the court to address any disputes that arise during the eDiscovery process. By unders

Domain 4: Incident Management Flashcards

(112 cards)