CHAPTER SUMMARY
You learned in this chapter what incident response policies are needed to respond effectively to security breaches. It’s important that policies define what an incident is. They should also state clearly how to classify an event. You also learned how to build a team charter. The chapter examined the difference between on-site response teams and teams that facilitate responses. The chapter discussed key roles and responsibilities within the team during an incident. The chapter discussed how incident plans are built, including the importance of a BIA assessment. Additionally, the chapter discussed the alignment among the BIA, BCP, and DRP.
The chapter also examined typical procedures you should follow during an incident. It examined key decisions that are needed at each step in responding to an incident. This includes containing the incident and gathering evidence. The chapter also discussed best practices and the importance of using outside firms to supplement an organization’s skill sets. Finally, the chapter explored how these principles are applied in the real world. Implementing well-defined incident response policies takes significant time and effort. However, the value in containing threats and limiting damage to an organization outweighs the costs.
KEY CONCEPTS AND TERMS
CHAPTER 12 ASSESSMENT
- All incidents, regardless of how small, should be handled by an incident response team.
- True
- False
- Which of the following should not be in an information response team charter?
- Mission
- Organizational structure
- Detailed line budget
- Roles and responsibilities
- Which of the following IRT members should be consulted before communicating to the public about an incident?
- Management
- Public relations
- IRT manager
- All of the above
- As defined by this chapter, what is not a step in responding to an incident?
- Discovering an incident
- Reporting an incident
- Containing an incident
- Creating a budget to compare options
- Analyzing an incident response
- A method outlined in this chapter to determine if an incident is major or minor is to classify an incident with a(n) __________ rating.
- When containing an incident, you should always apply a long-term preventive solution.
- True
- False
- The IRT starts recording events once a(n) __________.
- During the containment step, you should also gather as much evidence as reasonably possible about the incident.
- True
- False
- To clean up after an incident, you should always wipe the affected machine clean and rebuild it from scratch.
- True
- False
- What value does a forensic tool bring?
- Gathers evidence
- Helps evidence to be accepted by the court
- Can take a bit image of a machine
- All of the above
- How important is it to identify the attacker before issuing a final IRT report?
- Critically important; do not issue the report without it.
- Moderately important; nice to have but issue the report if not available.
- Not important; focus on the incident and do not include identity of attacker even if you have it.
- Important; allow law enforcement to brief management about attacker’s identity.
- When analyzing an incident, you must try to determine which of the following?
- The tool used to attack
- The vulnerability that was exploited
- The result of the attack
- All of the above
- Which IRT member is responsible for handling the media?
- The business impact analysis (BIA) is created after the business has created a business continuity plan (BCP).
- True
- False
- What is the difference between a BCP and a DRP?
- A BCP focuses on the business recovery, and a DRP focuses on technology recovery.
- A DRP focuses on the business recovery, and a BCP focuses on technology recovery.
- There is no difference. The two terms mean the same thing.
- The BIA assessment is created by the IRT team primarily for use during a security incident.
- True
- False