Busy. Please wait.
or
show password
Forgot Password?
Don't have an account?  Sign up 
or
Username is available taken
show password

why


Make sure to remember your password. If you forget it there is no way for StudyStack to send you a reset link. You would need to create a new account. We do not share your email address with others. It is only used to allow you to reset your password. For details read our Privacy Policy and Terms of Service.

Already a StudyStack user? Log In

Reset Password
Enter the associated with your account, and we'll email you a link to reset your password.

Remove ads
Don't know
Know
remaining cards
Save
0:01
To flip the current card, click it or press the Spacebar key.  To move the current card to one of the three colored boxes, click on the box.  You may also press the UP ARROW key to move the card to the "Know" box, the DOWN ARROW key to move the card to the "Don't know" box, or the RIGHT ARROW key to move the card to the Remaining box.  You may also click on the card displayed in any of the three boxes to bring that card back to the center.

Pass complete!

"Know" box contains:
Time elapsed:
Retries:
restart all cards




share
<embed>
apps
export
edit
print
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.

  Normal Size     Small Size show me how

IR Midterm 1

Incident Response Midterm 1

QuestionAnswer
What is an event? Any observable occurrence in a system or network.
What is an incident? Violation or imminent threat of violation of security policies or compromise of CIA
What is IR IR is essentially a system for getting a business back into production quickly after an incident occurs
What are the different models of CSIRT? Central, Distributed, Coordinating, Employees, Partial Outsourcing, Full-on Outsourcing
What does a CSIRT do? Intrusion Detection, Advisory Distribution, Education and Awareness, Information Sharing
What is the 7 step incident response methodology? Preparation, Identification, Containment, Investigation, Eradication, Recovery, Follow-up
What is the NIST IR methodology? 1. Preparation, Detection and Analysis. 2. Containment, Eradication and Recovery. 3. Post-incident activity.
What are 6 incident categories? Level 1 – Unauthorized Access Level 2 – DoS Level 3 – Malicious Code Level 4 – Improper Usage Level 5 – Scans/probes/attempted access Level 6 – Investigation Incident
What are 3 methods for containment? 1. Disconnect the system from the network and allow the threat to work. 2. Shut down everything immediately. 3. Continue to allow the system to run and monitor its activities.
Explain OODA. Observe, Orient, Decide, Act.
Explain Observe from the OODA Loop. Gather information about your surroundings .
Explain Orient from the OODA Loop. Pull apart elements of multiple situations to create uncertainty, then reassemble these parts to re-orient yourself.
Explain Decide from the OODA Loop. Select and hypothesize action alternatives generated during orientation.
Explain Act from the OODA Loop. Test out your hypotheses and gather feedback from the actions (back to observation).
Name 3 characteristics of a CIRT member. Flexible, knowledgeable, curious.
Name 3 essential items of CIRT training. 1. Technical and security training 2. Network and device familiarity 3. Policy acquaintance
Name some pre-incident preparation tasks 1. Information gathering 2. Prevention of incidents 3. Providing maximum visibility of network and assets 4. Implementing measures to ensure that an incident will have the smallest impact possible 5. Ensuring CIRT staff are in place and capable
Name 5 elements of an IR Toolkit 1. Software and Hardware 2. Computer systems 3. Contact/escalation list 4. Evidence gathering tools 5. Jump bag
What do the core CIRT members do? 1. Watchers 2. Educators 3. Advisors
Who typically makes up a CIRT? 1. Management 2. Elite members of different operational teams 3. Responders (core member) 4. Analysts (core member)
Name some pre-incident preparation tasks 1. Information gathering 2. Prevention of incidents 3. Providing maximum visibility of network and assets 4. Implementing measures to ensure that an incident will have the smallest impact possible 5. Ensuring CIRT staff are in place and capable
Name 5 elements of an IR Toolkit 1. Software and Hardware 2. Computer systems 3. Contact/escalation list 4. Evidence gathering tools 5. Jump bag
What do the core CIRT members do? 1. Watchers 2. Educators 3. Advisors
Who typically makes up a CIRT? 1. Management 2. Elite members of different operational teams 3. Responders (core member) 4. Analysts (core member)
Name 3 characteristics of a SOC. 1. Generally consists of analysts and senior analysts 2. Monitor network security appliances 3. Raise tickets from security events and perform initial triage of security incidents
What are 4 means of detecting security events? 1. Syslog events 2. Security appliance alerts 3. File system anomalies 4. External notifications. I.e. User ticket, ISP email, customer email
What are 7 required categories of incident information needed to identify an incident? 1. Attacker information 2. Target information 3. Zoning information 4. Times (start and end) 5. What kind of attack is it? 6. Where is the attack coming from? 7. Are there any related attacks?
What does containment mean? 1. Limiting the size and overall damage caused by the threat 2. Protecting resources 3.Protecting users
What are 6 methods used for eradication? 1. Run our antivirus software 2. Pull a system off the network 3. Reimage a system 4. Replace faulty hardware 5. Fire the person who poked holes in the FW 6. Blackhole that malicious traffic/Autonomous System
Created by: evilfrosty