8. During incident handling, incident handlers should not focus on which of the following?
a. Incident containment
b. Incident eradication
c. Attacker identification
d. Recovery from incident
8. c. During incident handling, system owners and IT security staff frequently want to identify the attacker. Although this information can be important, particularly if the organization wants to prosecute the attacker, incident handlers should stay focused on containment, eradication, and recovery. Identifying the attacker can be a time-consuming and futile exercise that can prevent a team from achieving its primary goal of minimizing the business impact.
9. Which of the following attacker identification activities can violate an organization’s policies or break the law?
a. Validating the attacker’s IP address
b. Scanning the attacker’s systems
c. Using an incident database
d. Monitoring attacker communication channels
9. b. Some incident handlers may perform pings and traceroutes and run port and vulnerability scans to gather more information on the attacker. Incident handlers should discuss these activities with the legal department before performing such scans because the scans may violate an organization’s privacy policies or even break the law. The other choices are technical in nature.
10. Which of the following post-incident activities and benefits can become the basis for subsequent prosecution by legal authorities?
a. Learning and improving
b. Training material for new team members
c. Follow-up report for each incident
d. Lessons learned meetings
10. c. The follow-up report provides a reference that can be used to assist in handling similar, future incidents. Creating a formal chronology of events (including time-stamped information such as log data from systems) is important for legal reasons, as is creating a monetary estimate of the amount of damage the incident caused in terms of any loss of software and files, hardware damage, and staffing costs (including restoring services). This estimate may become the basis for subsequent prosecution activity by legal authorities. The other choices deal with issues that are internal to an organization.
11. Which of the following security metrics for incident-related data are generally not of value in comparing multiple organizations?
a. Number of unauthorized access incidents
b. Number of denial-of-service attacks
c. Number of malicious code spreads
d. Total number of incidents handled
11. d. Security metrics such as the total number of incidents handled are generally not of value in comparing multiple organizations because each organization is likely to have defined key incident terms differently. The “total number of incidents handled” is not specific and is best taken as a measure of the relative amount of work that the incident response team had to perform, not as a measure of the quality of the team. It is more effective to produce separate and specific incident counts for each incident category or subcategory, as shown in the other three choices. Stronger security controls can then be targeted at these specific incidents to minimize damage or loss.
12. Which of the following indications is not associated with an inappropriate usage action such as internal access to inappropriate materials?
a. User reports
b. Network intrusion detection alerts
c. Inappropriate files on workstations or servers
d. Network, host, and application log entries
12. d. Network, host, and application log entries provide indications of attacks against external parties. The other three choices are examples of possible indications of internal access to inappropriate materials.
13. Which of the following is not generally a part of auditing the incident response program?
a. Regulations
b. Security policies
c. Incident metrics
d. Security best practices
13. c. At a minimum, an incident response audit should evaluate compliance with applicable regulations, security policies, and security best practices. Incident metrics are usually used to measure the incident response team’s success. Audits identify problems and deficiencies that can then be corrected.