The “report” is a secondary element and is a byproduct of the primary elements. Reporting can be done internally to management, which is required, and externally to the public (for example, media/press, law enforcement authorities, and incident reporting organizations), which is optional. How much external reporting is done depends on how open the organization’s management is to reporting, given the adverse publicity and reputational risk that accompany serious security breaches.
5. Which of the following makes the security incident event correlation work much easier and faster?
a. Distributed logging
b. Local logging
c. Centralized logging
d. Centralized monitoring
5. c. Using centralized logging makes security incident event correlation work much easier and faster because it pulls together data from various sources such as networks, hosts, services, applications, and security devices.
6. Networks and systems profiling is a technical measure for aiding in incident analysis and is achieved through which of the following means?
1. Running file integrity checking software on hosts
2. Monitoring network bandwidth usage
3. Monitoring host resource usage
4. Determining the average and peak usage levels
a. 2 only
b. 3 only
c. 4 only
d. 1, 2, 3, and 4
6. d. Networks and systems profiling measures the characteristics of expected activity so that changes to it can be more easily identified. Examples of profiling include running integrity checking software on hosts to derive checksums for critical files, monitoring network bandwidth usage, and monitoring host resource usage to determine what the average and peak usage volumes are on various days and times.
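As an added illustration of the profiling described in this answer (example code written for this page, not taken from any exam source), the following Python builds an average/peak usage baseline per weekday and hour plus a checksum baseline for critical files, and then flags readings and files that deviate from the expected profile. The reading format (ISO timestamp, Mbps) and the path-to-bytes file map are assumptions made for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed baseline readings: (ISO timestamp, Mbps). Assumed input format.
BASELINE_READINGS = [
    ("2024-06-03T09:00", 40.0), ("2024-06-03T10:00", 55.0),
    ("2024-06-10T09:00", 44.0), ("2024-06-10T10:00", 60.0),
    ("2024-06-03T02:00", 3.0),  ("2024-06-10T02:00", 2.5),
]

def slot(ts):
    """Profile key: (weekday, hour), so Monday 09:00 is compared only with other Mondays at 09:00."""
    d = datetime.fromisoformat(ts)
    return (d.weekday(), d.hour)

def build_usage_profile(readings):
    """Average and peak usage per (weekday, hour) slot: the 'expected activity' baseline."""
    buckets = defaultdict(list)
    for ts, value in readings:
        buckets[slot(ts)].append(value)
    return {k: {"avg": sum(v) / len(v), "peak": max(v)} for k, v in buckets.items()}

def usage_deviations(profile, readings, tolerance=1.25):
    """Readings that exceed the profiled peak for their slot by more than `tolerance`,
    or that fall in a slot with no baseline at all; both warrant analyst attention."""
    out = []
    for ts, value in readings:
        expected = profile.get(slot(ts))
        if expected is None or value > expected["peak"] * tolerance:
            out.append((ts, value))
    return out

def checksum_baseline(files):
    """files: {path: bytes}. SHA-256 per critical file, recorded at a known-good time."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}

def changed_files(baseline, current):
    """Paths whose checksum differs from the baseline, plus files that vanished or appeared."""
    now = checksum_baseline(current)
    return sorted(p for p in set(baseline) | set(now) if baseline.get(p) != now.get(p))
```

A real deployment would persist the profile and checksum baseline off-host so that an intruder cannot quietly rewrite the reference values along with the files.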
7. The incident response team should discuss which of the following containment strategies with its legal department to determine if it is feasible?
a. Full containment
b. Phase containment
c. Partial containment
d. Delayed containment
7. d. When an incident has been detected and analyzed, it is important to contain it before the spread of the incident overwhelms resources or the damage increases. In certain cases, some organizations delay the containment of an incident so that they can monitor the attacker’s activity, usually to gather additional evidence. The incident response team should discuss delayed containment strategy with its legal department to determine if it is feasible. The delayed containment strategy is dangerous because an attacker could escalate unauthorized access or compromise other systems in a fraction of a second. The value of delayed containment is usually not worth the high risk that it poses.
8. During incident handling, incident handlers should not focus on which of the following?
a. Incident containment
b. Incident eradication
c. Attacker identification
d. Recovery from incident
8. c. During incident handling, system owners and IT security staff frequently want to identify the attacker. Although this information can be important, particularly if the organization wants to prosecute the attacker, incident handlers should stay focused on containment, eradication, and recovery. Identifying the attacker can be a time-consuming and futile exercise that can prevent a team from achieving its primary goal of minimizing the business impact.
9. Which of the following attacker identification activities can violate an organization’s policies or break the law?
a. Validating the attacker’s IP address
b. Scanning the attacker’s systems
c. Using an incident database
d. Monitoring attacker communication channels
9. b. Some incident handlers may perform pings and traceroutes and run port and vulnerability scans to gather more information on the attacker. Incident handlers should discuss these activities with the legal department before performing such scans because the scans may violate an organization’s privacy policies or even break the law. The other choices are technical in nature.
10. Which of the following post-incident activities and benefits can become the basis for subsequent prosecution by legal authorities?
a. Learning and improving
b. Training material for new team members
c. Follow-up report for each incident
d. Lessons learned meetings
10. c. The follow-up report provides a reference that can be used to assist in handling similar, future incidents. Creating a formal chronology of events (including time-stamped information such as log data from systems) is important for legal reasons, as is creating a monetary estimate of the amount of damage the incident caused in terms of any loss of software and files, hardware damage, and staffing costs (including restoring services). This estimate may become the basis for subsequent prosecution activity by legal authorities. The other choices deal with issues that are internal to an organization.
11. Which of the following security metrics for incident-related data are generally not of value in comparing multiple organizations?
a. Number of unauthorized access incidents
b. Number of denial-of-service attacks
c. Number of malicious code spreads
d. Total number of incidents handled
11. d. Security metrics such as the total number of incidents handled are generally not of value in comparing multiple organizations because each organization is likely to have defined key incident terms differently. The “total number of incidents handled” is not specific and is best taken as a measure of the relative amount of work that the incident response team had to perform, not as a measure of the quality of the team. It is more effective to produce separate and specific incident counts for each incident category or subcategory, as shown in the other three choices. Stronger security controls can then be targeted at these specific incident types to minimize damage or loss.
12. Which of the following indications is not associated with an inappropriate usage action such as internal access to inappropriate materials?
a. User reports
b. Network intrusion detection alerts
c. Inappropriate files on workstations or servers
d. Network, host, and application log entries
12. d. Network, host, and application log entries provide indications of attacks against external parties. The other three choices are examples of possible indications of internal access to inappropriate materials.
13. Which of the following is not generally a part of auditing the incident response program?
a. Regulations
b. Security policies
c. Incident metrics
d. Security best practices
13. c. At a minimum, an incident response audit should evaluate compliance with applicable regulations, security policies, and security best practices. Incident metrics are usually used to measure the incident response team’s success. Audits identify problems and deficiencies that can then be corrected.