This chapter covered computer incident response teams (CIRTs) and CIRT plans. Organizations should expect attacks that result in computer security incidents, and several types of incidents exist. Denial of service attacks try to prevent a system from providing a service. Malicious software attacks include viruses, worms, Trojan horses, and other types of malware. Unauthorized access incidents result when individuals gain access to data that they shouldn’t have access to. Unauthorized access can be from technical attacks or social engineering tactics. Inappropriate usage incidents result when employees or internal users violate the organization’s policies. Some incidents have multiple components.
A CIRT can respond to the attack and mitigate the effects. The CIRT plan identifies organizational policies. For example, a policy may explain the conditions when a CIRT member can attack the attacker. It will certainly include procedures or checklists to use when responding to different types of incidents. Through preparation and training, the CIRT plan helps an organization mitigate the risks associated with incidents.
A(n) _______ is a violation of a security policy or security practice.
All events on a system or network are considered computer security incidents.
A. True
B. False
An administrator has discovered that a web server is responding slowly. Investigation shows that the processor, memory, and network resources are being consumed by outside attackers. This is a _______ attack.
A user has installed P2P software on a system, and the organization’s policy specifically states that this is unauthorized. An administrator discovers the software on the user’s system. Is this a computer security incident? If so, what type?
A. This is not a computer security incident.
B. This is a form of inappropriate usage.
C. This is a form of unauthorized access.
D. This is a form of malware.
Some malware can execute on a user’s system after the user accesses a website. The malware executes from within the web browser. What type of malware is this?
A. Virus
B. Worm
C. Trojan horse
D. Mobile code
A malicious virus is replicating and causing damage to computers. How do security professionals refer to the virus?
A. In the open
B. In the containment field
C. In the jungle
D. In the wild
What is the greatest risk to an organization when peer-to-peer software is installed on a user’s system?
A. Loss of copyrights
B. Piracy of the organization’s copyrighted material
C. Data leakage
D. DoS attacks
Only police or other law enforcement personnel are allowed to do computer forensics investigations.
A. True
B. False
A log shows that a user has copied proprietary data to his computer. The organization wants to take legal action against him, so it seizes the computer as evidence. What should be established as soon as the computer is seized?
A. Chain of command
B. Forensic chain
C. Permission from the user
D. Chain of custody
E. All of the above
Many steps are taken before, during, and after an incident. Of the following choices, what accurately identifies the incident response life cycle?
A. Preparation, deletion and analysis, eradication and recovery, and postincident recovery
B. Detection and analysis, containment, backup and eradication, and postincident recovery
C. Preparation, detection and analysis, containment, eradication and recovery, and postincident recovery
D. Preparation, detection, deletion and analysis, containment and recovery, and postincident recovery
In general, members of a CIRT taking actions to attack attackers is acceptable because this is one of the normal responsibilities of a CIRT.
A. True
B. False
After an incident has been verified, it must be kept from spreading to other systems. What is this called?
A. Spread avoidance
B. Containment
C. Incident response
D. Impact and priority calculation
Which of the following may be included in a CIRT plan?
A. Policies
B. Definition of incidents
C. CIRT member responsibilities
D. Incident handling procedures
E. All of the above
F. C and D only
Attackers attempt a DoS attack on servers in an organization. The CIRT responds and mitigates the attack. What should be the last step that the CIRT completes in response to this incident?
A. Attacking the attacker
B. Containing the threat
C. Documenting the incident
D. Reporting the incident
Several types of malicious code exist. Malware that appears to be one thing but is actually something else is _______.