Based on NIST 800-61,
1. In the context of NIST 800-61, what is an incident?
It is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
2. Provide examples of three different types of incidents.
Denial of Service - is when an attacker sends specially crafted packets to a Web server, causing it to crash. It is when an attacker directs hundreds of external compromised workstations to send as many Internet Control Message Protocol (ICMP) requests as possible to the organization’s network.
Malicious Code – Is when a worm uses open file shares to quickly infect several hundred workstations within an organization. It is when an organization receives a warning from an antivirus vendor that a new worm is spreading rapidly via email throughout the Internet. The worm takes advantage of a vulnerability that is present in many of the organization’s hosts. Based on previous antivirus incidents, the organization expects that the new worm will infect some of its hosts within the next three hours.
Inappropriate Usage – When a user provides illegal copies of software to others through peer-to-peer file sharing services. It is when a person threatens another person through email.
3. What is incident response?
It is the capability to respond to incidents systematically so that appropriate steps are taken. It helps personnel recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services. It is using information gained during incident handling to better prepare for handling future incidents and to provide stronger protection for systems and data. It is a method of dealing properly with legal issues that may arise during incidents.
4. Why is incident response important?
An incident response capability is very important and necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring computing services. Incident response has become necessary because attacks frequently cause the compromise of personal and business data. Incidents involving viruses, worms, Trojan horses, spyware, and other forms of malicious code have disrupted or damaged millions of systems and networks around the world. To address these threats, the concept of computer security incident response has become widely accepted and implemented in the Federal government, private sector, and academia.
5. Describe the importance of communications during incident response.
During incident handling, the organization may need to communicate with outside parties, including other incident response teams, law enforcement, the media, vendors, and external victims. Such communications often need to occur quickly. Organizations should predetermine communication guidelines so that only the appropriate information is shared with the right parties. If sensitive information is released inappropriately, it can lead to greater disruption and financial loss than the incident itself. Creating and maintaining a list of internal and external POCs, along with backups for each contact, should assist in making communications among parties easier and faster.
6. Name both external and internal entities with which communications needs to be maintained.
External entities to communicate with would be Telecommunications providers, Software vendors, ISPs, Law enforcement Agencies, and Media. Internal groups to communicate would be, Human Resources, Legal, Corporate security, and internal response teams.
7. What does NISST 800-61 define as a "jump kit"?
A jump kit is a portable bag or case that contains materials that an incident handler may likely need during an offsite investigation. The jump kit is ready to go at all times so that when a serious incident occurs, incident handlers can grab the jump kit and go. Jump kits contain many of the same items listed in Table 3-1. For example, each jump kit typically includes a laptop, loaded with appropriate software (e.g., packet sniffers, computer forensics). Other important materials include backup devices, blank media, basic networking equipment and cables, and operating system and application media and patches.