Scribd Logo
Upload

Welcome to Scribd!

  • Preparation - Identification - Containment - Eradication - Recovery - Documentation

    Uploaded by

    U Minh
    29 views3 pages

    Original Title

    Lab 8

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    29 views3 pages

    Preparation - Identification - Containment - Eradication - Recovery - Documentation

    Uploaded by

    U Minh

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    Lab #8 – Assessment Worksheet

    Craft a Security or Computer Incident Response Policy – CIRT Response Team

    Course Name: ______IAP301_____________________________ _______

    Student Name: ______Vu Tuan Anh__________________________ _____

    Instructor Name: ______Nguyen Tan Danh______________ ____ _____

    Lab Due Date: _________5/3/2021________________________________

    1. What are the 6-steps in the incident response methodology?


    - Preparation
    - Identification
    - Containment
    - Eradication
    - Recovery
    - Documentation

    2. If an organization has no intention of prosecuting a perpetrator or attacker, does it still need an


    incident response team to handle forensics?
    - The Incident response team needs to take responsibility for forensics as all of itevidence of a
    crime.

    3. Why is it a good idea to include human resources on the Incident Response Management Team?
    - They can help develop job descriptions tohire CSIRT staff, and develop policies and
    procedures for removing internal employees found engaging in unauthorized or illegal
    computer activity.

    4. Why is it a good idea to include legal or general counsel in on the Incident Response
    Management Team?
    - Legal staff may also be needed to reviewnon-disclosure agreements, develop appropriate
    wording for contacting other sites and organizations, and determine site liability for
    computer security incidents.

    5. How does an incide/nt response plan and team help reduce risks to the organization?
    - It reduces risk in how you create and maintain the Incident Response Plan.

    6. If you are reacting to a malicious software attack such as a virus and its spreading, during which
    step in the incident response process are you attempting to minimize its spreading?
    - In most areas of life, prevention is better than cure, and security is no exception. Wherever
    possible, you will want to prevent security incidents from happening in the first place.
    However, it is impossible to prevent all security incidents. When a security incident does
    happen, you will need to ensure that its impact is minimized. To minimize the number and
    impact of security incidents.

    7. If you cannot cease the spreading, what should you do to protect your non-impacted mission-
    critical IT infrastructure assets?
    - Remove the affected factors from the system to stop the spread of the virus or code to
    other critical areas of IT.

    8. When a security incident has been declared, does a PC technician have full access and authority
    to seize and confiscate a vice president’s laptop computer? Why or why not?
    - This depends on the situation.

    9. Which step in the incident response methodology should you document the steps and
    procedures to replicate the solution?
    - You document stepsand procedures in the follow up step of the process.

    10. Why is a port mortem review of an incident the most important step in the incident response
    methodology?
    - This is done so that in the future when there is a similar incident, the incident response
    team will have a better idea of how to handle it and be able to react more effectively and
    efficiently.

    11. Why is a policy definition required for Computer Security Incident Response Team?
    - Policy definition is important because it allows an organization to have documentation on
    how the incident response team is supposed to operate as well as who is involved in the
    team and what authority each member possesses.

    12. What is the purpose of having well documented policies as it relates to the CSIRT function and
    distinguishing events versus an incident?
    - A policy for the CSIRT team would be more detailed as far as how the organization handles
    incidents. The policy for the CSIRT team is would be more broad and easier to organize
    instead by identifying members and their functions. Creating a policy for incidents could be
    helpful however, not all incidents are the same and therefore multiple policies would be
    required
    -
    13. Which 4 steps in the incident handling process requires the Daubert Standard for Chain-of-
    Custody evidence collection?
    - Identification, containment, eradication, recovery

    14. Why is syslog and audit trail event correlation a critical application and tool for CSIRT incident
    response handling?
    - They are critical to the CSIRT incident response handling because they track and log
    incidents.
    15. Why is File Integrity Monitoring alerts/alarms a critical application and tool for the CSIRT
    incident response identification?
    - These are critical application and tools for CSIRT incident response identification because it
    provides the real-time monitoring of an incident.

    You might also like