
182. A computer security incident handling capability should meet which of the following?

a. Users’ requirements

b. Auditors’ requirements

c. Security requirements

d. Safety requirements

182. a. There are a number of start-up costs and funding issues to consider when planning an incident handling capability. Because the success of an incident handling capability relies so heavily on the users’ perceptions of its worth and whether they use it, it is important that the capability meets users’ requirements. Two important funding issues are personnel and education and training.

183. Which of the following is not a primary benefit of an incident handling capability?

a. Containing the damage

b. Repairing the damage

c. Preventing the damage

d. Preparing for the damage

183. d. The primary benefits of an incident handling capability are containing and repairing damage from incidents and preventing future damage. Preparing for the damage is a secondary and side benefit.

184. All the following can co-exist with computer security incident handling except:

a. Help-desk function

b. System backup schedules

c. System development activity

d. Risk management process

184. c. System development activity is concerned with designing and constructing a new application system, whereas incident handling is needed during operation of that system. The other three functions complement incident handling. For efficiency and cost savings, an incident-handling capability is often operated jointly with the user help desk. Backups of system resources are needed when recovering from an incident. Similarly, the risk analysis process benefits from statistics and logs showing the numbers and types of incidents that have occurred and the types of controls that were effective in preventing them; this information helps in selecting appropriate security controls and practices.

185. Which of the following decreases the response time for computer security incidents?

a. Electronic mail

b. Physical bulletin board

c. Terminal and modem

d. Electronic bulletin board

185. a. With computer security incidents, rapid communication is important. The incident team may need to send out security advisories or collect information quickly; thus some convenient form of communication, such as electronic mail (e-mail), is generally highly desirable. With e-mail, the team can easily direct information to various subgroups within the constituency, such as system managers or network managers, and broadcast general alerts to the entire constituency as needed. When connectivity already exists, e-mail has low overhead and is easy to use.

Although there are substitutes for e-mail, they tend to increase response time. An electronic bulletin board system (BBS) can work well for distributing information, especially if it provides a convenient user interface that encourages its use. A BBS connected to a network is more convenient to access than one requiring a terminal and modem; however, the latter may be the only alternative for organizations without sufficient network connectivity. In addition, telephones, physical bulletin boards, and flyers can be used, but they increase response time.

186. Which of the following incident response life-cycle phases is most challenging for many organizations?

a. Preparation

b. Detection

c. Recovery

d. Reporting

186. b. Detection, for many organizations, is the most challenging aspect of the incident response process. Actually detecting and assessing possible incidents is difficult. Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem is not an easy task.

The other three phases (preparation, recovery, and reporting) are less challenging. The preparation and prevention phase covers establishing plans, policies, and procedures. The recovery phase includes containment, restore, and eradication. The reporting phase involves understanding the internal and external reporting requirements in terms of the content and timeliness of the reports.

187. Regarding incident response data, nonperformance of which one of the following items makes the other items less important?

a. Quality of data

b. Review of data

c. Standard format for data

d. Actionable data

187. b. If incident response data is not reviewed regularly, the effectiveness of incident detection and analysis is questionable, regardless of whether the data is of high quality, in a standard format, or actionable. Proper and efficient review of incident-related data requires people with extensive specialized technical knowledge and experience.

188. Which of the following statements about incident management and response is not true?

a. Most incidents require containment.

b. Containment strategies vary based on the type of incident.

c. All incidents need eradication.

d. Eradication is performed during recovery for some incidents.

188. c. For some incidents, eradication is either unnecessary or is performed during recovery. Most incidents require containment, so it is important to consider it early in the course of handling each incident. Also, it is true that containment strategies vary based on the type of incident.

189. Which of the following is the correct sequence of events taking place in the incident response life cycle process?

a. Prevention, detection, preparation, eradication, and recovery

b. Detection, response, reporting, recovery, and remediation

c. Preparation, containment, analysis, prevention, and detection

d. Containment, eradication, recovery, detection, and reporting

189. b. The correct sequence of events in the incident response life cycle is detection, response, reporting, recovery, and remediation. Although the sequence begins with detection, some underlying activities should already be in place before detection. These are preparation and prevention, which address plans, policies, procedures, resources, support, metrics, patch management processes, host hardening measures, and proper configuration of the network perimeter.

Detection involves the use of automated detection capabilities (for example, log analyzers) and manual detection capabilities (for example, user reports) to identify incidents. Response involves security staff offering advice and assistance to system users for the handling and reporting of security incidents (for example, help desk or forensic services). Reporting involves understanding the internal and external reporting requirements in terms of the content and timeliness of the reports. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads, to avoid consuming excessive resources and increasing the damage caused by the incident. Restore addresses bringing systems back to normal operation and hardening them to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage. Remediation involves tracking and documenting security incidents on an ongoing basis.
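Questions 186 and 189 both describe detection as the hard part: an automated log analyzer has to decide whether an incident has occurred at all and, if so, its type, extent, and magnitude, in a form the reporting phase can use. The following is an added example, not code from the source Q&A, of such a detector. The log line format, the sample log lines, the threshold of five failures in a 120-second window, and the rule that a successful login from an already-flagged source means account compromise are all assumptions made for the illustration.

```python
# Added example (not from the source Q&A): a minimal automated detector that
# reviews authentication log lines and produces an incident record with
# type, extent and magnitude for the reporting phase.
# Assumed line format (not from the page):
#   <ISO timestamp> <host> sshd: Failed|Accepted password for <user> from <ip>
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)
FAIL_THRESHOLD = 5                # assumed: this many failures from one source...
WINDOW = timedelta(seconds=120)   # ...inside this sliding window is brute force


@dataclass
class Incident:
    source: str
    kind: str = "none"                         # none | brute_force | account_compromise
    hosts: set = field(default_factory=set)    # extent: systems touched
    accounts: set = field(default_factory=set) # extent: accounts targeted
    compromised: set = field(default_factory=set)
    failures: int = 0                          # magnitude
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse(line: str):
    """Return the fields of one auth line, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    return d


def detect(lines):
    """Return {source_ip: Incident} for sources whose activity crossed the threshold."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    activity = {}
    window = defaultdict(list)  # ip -> timestamps of recent failures
    for e in events:
        ip, ts = e["ip"], e["ts"]
        inc = activity.setdefault(ip, Incident(source=ip, first_seen=ts))
        inc.last_seen = ts
        inc.hosts.add(e["host"])
        if e["result"] == "Failed":
            inc.failures += 1
            inc.accounts.add(e["user"])
            q = window[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:      # expire failures outside the window
                q.pop(0)
            if len(q) >= FAIL_THRESHOLD and inc.kind == "none":
                inc.kind = "brute_force"
        elif inc.kind != "none":
            # a success from a source already flagged is escalated, not ignored;
            # a success from an unflagged source is normal traffic
            inc.kind = "account_compromise"
            inc.compromised.add(e["user"])
    return {ip: inc for ip, inc in activity.items() if inc.kind != "none"}


def summarize(inc: Incident) -> dict:
    """Shape a finding for the reporting phase: what happened, how far, how bad."""
    return {
        "type": inc.kind,
        "source": inc.source,
        "extent": {"hosts": sorted(inc.hosts),
                   "accounts_targeted": sorted(inc.accounts),
                   "accounts_compromised": sorted(inc.compromised)},
        "magnitude": {"failed_attempts": inc.failures,
                      "duration_s": int((inc.last_seen - inc.first_seen).total_seconds())},
    }


# Constructed sample log: one brute-force source that eventually succeeds,
# one legitimate user who mistypes once, one noisy source below threshold.
SAMPLE_LOG = """\
2024-03-01T10:00:01 web01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:03 web01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:05 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:07 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 db01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:11 db01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:30 db01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:01:00 web01 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:01:05 web01 sshd: Accepted password for alice from 198.51.100.4
2024-03-01T10:02:00 web01 cron[123]: job started
2024-03-01T10:05:00 web01 sshd: Failed password for bob from 203.0.113.9
2024-03-01T10:05:10 web01 sshd: Failed password for bob from 203.0.113.9
2024-03-01T10:05:20 web01 sshd: Failed password for bob from 203.0.113.9
"""


def run(log_text: str = SAMPLE_LOG) -> dict:
    return {ip: summarize(i) for i_ip, i in detect(log_text.splitlines()).items() for ip in [i_ip]}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Only 203.0.113.7 is reported: it is flagged as brute force on its fifth failure and escalated to account compromise when the later login for `admin` succeeds, with both hosts and both targeted accounts recorded as extent and six failures over 29 seconds as magnitude. The legitimate user and the source with three failures produce no incident, which is the false-positive discipline question 187 asks for when it insists that collected data be reviewed rather than merely accumulated.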