CHAPTER SUMMARY

This chapter covered computer incident response teams (CIRTs) and CIRT plans. Organizations should expect attacks that result in computer security incidents, and several types of incidents exist. Denial of service attacks try to prevent a system from providing a service. Malicious software attacks include viruses, worms, Trojan horses, and other types of malware. Unauthorized access incidents result when individuals gain access to data that they shouldn’t have access to. Unauthorized access can be from technical attacks or social engineering tactics. Inappropriate usage incidents result when employees or internal users violate the organization’s policies. Some incidents have multiple components.

A CIRT can respond to the attack and mitigate its effects. The CIRT plan identifies organizational policies. For example, a policy may explain the conditions under which a CIRT member is permitted to attack the attacker. It will certainly include procedures or checklists to use when responding to different types of incidents. Through preparation and training, the CIRT plan helps an organization mitigate the risks associated with incidents.

KEY CONCEPTS AND TERMS

CHAPTER 15 ASSESSMENT

  1. A(n) _______ is a violation of a security policy or security practice.
  2. All events on a system or network are considered computer security incidents.
    A. True
    B. False
  3. An administrator has discovered that a web server is responding slowly. Investigation shows that the processor, memory, and network resources are being consumed by outside attackers. This is a _______ attack.
  4. A user has installed P2P software on a system, and the organization’s policy specifically states that this is unauthorized. An administrator discovers the software on the user’s system. Is this a computer security incident? If so, what type?
    A. This is not a computer security incident.
    B. This is a form of inappropriate usage.
    C. This is a form of unauthorized access.
    D. This is a form of malware.
  5. Some malware can execute on a user’s system after the user accesses a website. The malware executes from within the web browser. What type of malware is this?
    A. Virus
    B. Worm
    C. Trojan horse
    D. Mobile code
  6. A malicious virus is replicating and causing damage to computers. How do security professionals refer to the virus?
    A. In the open
    B. In the containment field
    C. In the jungle
    D. In the wild
  7. What is the greatest risk to an organization when peer-to-peer software is installed on a user’s system?
    A. Loss of copyrights
    B. Piracy of the organization’s copyrighted material
    C. Data leakage
    D. DoS attacks
  8. Only police or other law enforcement personnel are allowed to do computer forensics investigations.
    A. True
    B. False
  9. A log shows that a user has copied proprietary data to his computer. The organization wants to take legal action against him, so it seizes the computer as evidence. What should be established as soon as the computer is seized?
    A. Chain of command
    B. Forensic chain
    C. Permission from the user
    D. Chain of custody
    E. All of the above
  10. Many steps are taken before, during, and after an incident. Of the following choices, what accurately identifies the incident response life cycle?
    A. Preparation, deletion and analysis, eradication and recovery, and postincident recovery
    B. Detection and analysis, containment, backup and eradication, and postincident recovery
    C. Preparation, detection and analysis, containment, eradication and recovery, and postincident recovery
    D. Preparation, detection, deletion and analysis, containment and recovery, and postincident recovery
  11. In general, members of a CIRT taking actions to attack attackers is acceptable because this is one of the normal responsibilities of a CIRT.
    A. True
    B. False
  12. After an incident has been verified, it must be kept from spreading to other systems. What is this called?
    A. Spread avoidance
    B. Containment
    C. Incident response
    D. Impact and priority calculation
  13. Which of the following may be included in a CIRT plan?
    A. Policies
    B. Definition of incidents
    C. CIRT member responsibilities
    D. Incident handling procedures
    E. All of the above
    F. C and D only
  14. Attackers attempt a DoS attack on servers in an organization. The CIRT responds and mitigates the attack. What should be the last step that the CIRT completes in response to this incident?
    A. Attacking the attacker
    B. Containing the threat
    C. Documenting the incident
    D. Reporting the incident
  15. Several types of malicious code exist. Malware that appears to be one thing but is actually something else is _______.