Module 9: Incident Reporting Flashcards Preview

CIH > Module 9: Incident Reporting > Flashcards

Flashcards in Module 9: Incident Reporting Deck (33)
Loading flashcards...
1
Q

What is incident reporting

A

The process of reporting the information regarding the encountered security breach in a proper format

2
Q

When a breach occurs what needs to be reported

A
  • Logs of unauthorized access
  • Disturbances in services
  • DoS
  • The system used to store or process data
  • Modifications in system hardware or software
3
Q

Why is it important to report an incident

A

It is able to generate assistance in responding to the incident and helps the victim to be in touch with others who have encountered similar incidents

4
Q

TRUE or FALSE: It is necessary to report an incident in order to receive technical assistance including guidance on detecting and handling the incidents

A

TRUE

5
Q

TRUE or FALSE: Reporting an incident doesn’t help with legal issues

A

FALSE

6
Q

TRUE or FALSE: Reporting an incident improves awareness on IT security issues and prevent other nuisance

A

TRUE

7
Q

What are some of the reasons why organizations do not report computer crimes

A
  • Misunderstanding the scope (Assuming no one else has had this incident)
  • Fear of negative publicity (Negatively impact their reputation via the media)
  • Potential loss of customers (Customers lose faith in the organization)
  • Desire to handle things internally
  • Lack of awareness of the attack (Unaware of the methods of attack or its impact)
8
Q

Why is it a good idea to know who to report an incident to

A

Timely reporting and notification to all who need to be involved will be able to exercise their roles efficiently

9
Q

Who are some of the people you need to report an incident to

A
  • Head of IT Security (Dave)
  • Local Information Security Officer (Danny)
  • Incident response teams in the organization (IT Forensics)
  • Human Resources
  • Public Affairs Officer
  • Legal
  • CERT
10
Q

What kind of communication methods should be used to communicate the incident to other teams

A
  • E-mail
  • Telephone calls
  • FAX
  • Online forms
  • In person
  • Voice mailbox, memos, bulletin boards

Pretty much any sort of communication that we have at Gulfstream

11
Q

Who needs to observe every step and sign all the documents regarding the incident which helps in legal issues

A

Incident handler

12
Q

TRUE or FALSE: Such things such as the nature of the private data involved in the incident, circumstances that revealed the incident, other individuals involved, immediate responses taken, etc. Are details that need to be reported

A

TRUE

Think of the information that we put into FIR.

13
Q

Who should collect all the facts regarding the incident

A

Incident Response Team

The SOC

14
Q

What does CERT use to keep track of incidents

A

Incident reference numbers

15
Q

How are the reference numbers selected

A

They are unique and random

16
Q

TRUE or FALSE: It isn’t necessary to include the incident reference number when coming up with an incident report instead you can just use an inhouse assigned value

A

FALSE

It is mandatory to use incident reference numbers assigned by CERT

17
Q

When emailing the CERT where must the incident reference number be

A

The subject line of any message

18
Q

How does the CERT incident reference number look

A

CERT-date-XXXX

CERT-06-0001 is an incident from 2006

19
Q

What two primary pieces of contact information should be included in an incident report

A

Email address and telephone number

20
Q

TRUE or FALSE: Hosts involved in the incident or related activity is the most obvious information to be noted

A

TRUE

21
Q

What information from the affected machine needs to be collected

A
  • Hostname or IP
  • Time zone
  • Purpose or function of the host
22
Q

What information from the source of attach needs to be collected

A
  • Hostname or IP

* Time zone

23
Q

Why is it important to include a description of the activity

A

This helps incident handlers to provide assistance specific to the incident

24
Q

What are some details that need to be included in the description of activity

A
  • Date and time
  • Methods of intrusion
  • Tools used to attack
  • Details of vulnerabilities exploited
  • Source of attack
  • Any other information that might be important to describe the attack
25
Q

Why are logs important

A

They help to identify the system related activities

26
Q

How can one avoid confusion when reviewing the logs

A

Removing the unnecessary log entries

27
Q

According to EC Council what should we do to sensitive information present in the logs

A

Replace them with X’s

28
Q

Why is reporting the time zone important

A

An incident can occur at one time zone and be reported in a different time zone

29
Q

To avoid misinterpretations of time zones what is used in preference

A

GMT or UTC

30
Q

TRUE or FALSE: Any inaccuracy in time should be mentioned in the report if it exceeds by a minute or two

A

TRUE

31
Q

What protocol is used to determine whether the systems are synced with the national time server

A

NTP (Network Time Protocol)

It is important to include this information in the statement

32
Q

What are the categories used by US-CERT and other federal agencies

A

CAT0 - Exercise - Reporting: N/A

CAT1 - Unauthorized Access - Reporting: Within 1 hour

CAT2 - DoS - Reporting: Within 2 hours

CAT3 - Malicious Code - Reporting: Within 1 hour if widespread across agency

CAT4 - Improper Usage - Reporting: Weekly

CAT5 - Scans/Probes/Attempted Access - Reporting: Monthly

CAT6 - Investigation - Reporting: N/A

33
Q

What is United State Internet Crime Task Force

A

A non-profit, government assist, and victim advocate agency