A user has received an email from an external source which asks for details on the company’s new product line set for release in one month. The user has a detailed spec sheet but it is marked “Internal Proprietary Information”. Which of the following should the user do NEXT?
A. Contact their manager and request guidance on how to best move forward B. Contact the help desk and/or incident response team to determine next steps C. Provide the requestor with the email information since it will be released soon anyway D. Reply back to the requestor to gain their contact information and call them
Answer: B
Explanation: This is an incident that has to be responded to by the person who discovered it- in this case the user. An incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. It’s important that an incident response policy establish at least the following items: Outside agencies that should be contacted or notified in case of an incident Resources used to deal with an incident Procedures to gather and secure evidence List of information that should be collected about an incident Outside experts who can be used to address issues if needed Policies and guidelines regarding how to handle an incident Since the spec sheet has been marked Internal Proprietary Information the user should refer the incident to the incident response team.
Who should be contacted FIRST in the event of a security breach?
A. Forensics analysis team B. Internal auditors C. Incident response team D. Software vendors
Answer: C
Explanation: A security breach is an incident and requires a response. The incident response team would be better equipped to deal with any incident insofar as all their procedures are concerned. Their procedures in addressing incidents are: Preparation; Incident identification; Escalation and notification; Mitigation steps; Lessons learned; Reporting; Recover/reconstitution procedures; First responder; Incident isolation (Quarantine; Device removal); Data breach; Damage and loss control.
The incident response team has received the following email message. From: monitor@ext-company.com To: security@company.com Subject: Copyright infringement A copyright infringement alert was triggered by IP address 13.10.66.5 at 09: 50: 01 GMT. After reviewing the following web logs for IP 13.10.66.5, the team is unable to correlate and identify the incident. 09: 45: 33 13.10.66.5 http: //remote.site.com/login.asp?user=john 09: 50: 22 13.10.66.5 http: //remote.site.com/logout.asp?user=anne 10: 50: 01 13.10.66.5 http: //remote.site.com/access.asp?file=movie.mov 11: 02: 45 13.10.65.5 http: //remote.site.com/download.asp?movie.mov=ok Which of the following is the MOST likely reason why the incident response team is unable to identify and correlate the incident?
A. The logs are corrupt and no longer forensically sound. B. Traffic logs for the incident are unavailable. C. Chain of custody was not properly maintained. D. Incident time offsets were not accounted for.
Answer: D
Explanation: It is quite common for workstation times to be off slightly from actual time, and that can happen with servers as well. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system.
A recent intrusion has resulted in the need to perform incident response procedures. The incident response team has identified audit logs throughout the network and organizational systems which hold details of the security breach. Prior to this incident, a security consultant informed the company that they needed to implement an NTP server on the network. Which of the following is a problem that the incident response team will likely encounter during their assessment?
A. Chain of custody B. Tracking man hours C. Record time offset D. Capture video traffic
Answer: C
Explanation: It is quite common for workstation as well as server times to be off slightly from actual time. Since a forensic investigation is usually dependent on a step-by-step account of what has happened, being able to follow events in the correct time sequence is critical. Because of this, it is imperative to record the time offset on each affected machine during the investigation. One method of assisting with this is to add an entry to a log file and note the time that this was done and the time associated with it on the system. There is no mention that this was done by the incident response team.
The security administrator is currently unaware of an incident that occurred a week ago. Which of the following will ensure the administrator is notified in a timely manner in the future?
A. User permissions reviews B. Incident response team C. Change management D. Routine auditing
Answer: D
Explanation: Routine audits are carried out after you have implemented security controls based on risk. These audits include aspects such as user rights and permissions and specific events.
An incident response team member needs to perform a forensics examination but does not have the required hardware. Which of the following will allow the team member to perform the examination with minimal impact to the potential evidence?
A. Using a software file recovery disc B. Mounting the drive in read-only mode C. Imaging based on order of volatility D. Hashing the image after capture
Answer: B
Explanation: Mounting the drive in read-only mode will prevent any executable commands from being executed. This is turn will have the least impact on potential evidence using the drive in question.
A company has had several virus infections over the past few months. The infections were caused by vulnerabilities in the application versions that are being used. Which of the following should an administrator implement to prevent future outbreaks?
A. Host-based intrusion detection systems B. Acceptable use policies C. Incident response team D. Patch management
Correct Answer: D
Explanation: As vulnerabilities are discovered, the vendors of the operating systems or applications often respond by releasing a patch. A patch is designed to correct a known bug or fix a known vulnerability, such as in this case to be vulnerable to virus infections, in a piece of software. A patch differs from an update, which, in addition to fixing a known bug or vulnerability, adds one or more features to the software being updated.