Questions and Answers of Principles Incident Response
What are the two approaches that define a CSIRT’s philosophy with respect to incident response?
What is a hybrid incident?
What is inappropriate use?
What is unauthorized access?
What is spam? Can it cause an incident?
What is malware?
What is the first and most important step in preparing for DoS and DDoS attacks responses?
What is a DoS attack and how does it differ from a DDoS attack?
Why is delayed containment not recommended for most CSIRTs?
What is watchful waiting and why might we use it?
What is the primary determinant of which containment and eradication strategies are chosen for a specific incident?
What is the phase after eradication during incident response?
What is a concurrent recurrence?
What is the phase after containment during incident response?
Why might an organization forego trying to identify the attacking host during an incident response?
What is the first imperative of the CSIRT when there is a confirmed incident?
What is the best thing an organization can do to make its CSIRT most effective?
What is the second task the CSIRT leader will undertake?
What is the first task the CSIRT leader will undertake on arrival?
If an organization chooses the protect and forget instead of the apprehend and prosecute philosophy, what aspect of IR will be most affected?
What is an IR reaction strategy?
Why are performance measures collected for CSIRT activities?
What is an AAR, and why is it valuable to organizations?
Identify one advantage and one disadvantage of full-interruption testing of CSIRT plans.
The services of a CSIRT can be grouped into which three categories?
What purpose does the CSIRT mission statement provide?
What is meant by the “scope of operations” for a CSIRT?
What should be among the first tasks performed by an IR planning committee when forming a CSIRT?
What are the guiding documents for CSIRT creation or maintenance?
Once created, must a plan be maintained? How often should it be revisited?
How does the organizational structure impact staffing design for CSIRTs?
How does the need to manage employee morale affect staffing decisions for CSIRTs?
How does the need for 24/7 operations affect staffing decisions?
What are the most likely staffing models for CSIRTs?
What are the structures most often used to develop CSIRTs?
Among the skills needed by the CSIRT staff, what is required beyond technical skill?
Is management approval a simple, one-time action?
What is the most essential reason to involve upper management in the CSIRT formation process?
What is the difference in the roles between the CSIRT and the IRPT?
What is the formal definition of a CSIRT?
What are the two key facets needed to design, develop, and operate a comprehensive IDPS?
What activities go into a complete log management approach?
What general approach is recommended to distinguish real incidents from false positive events?
What is a honeypot? What is a honeynet? How are they different?
What does the term trap and trace mean?
What is a log file monitor? What is it used to accomplish?
What are the dominant approaches used to detect intrusions in IDPSs? Give one advantage and one disadvantage to each approach.
What are the three dominant placements for IDPSs? Give one advantage and one disadvantage to each approach.
What are the compelling reasons to acquire and use an IDPS?
What are the essential attributes of an IR policy document?
What is an IDPS?
What are the causes of noise?
What is noise? Is noise different from a false positive event?
What is a false positive?
What are the types of events that, having occurred, indicate an event is occurring?
What are the five types of events that are considered definite indicators of actual incidents?
What are the four types of events that are considered probable indicators of actual incidents?
What are the four types of events that are considered possible indicators of actual incidents?
What is an incident candidate?
From the perspective of incident response, what is an event?
When should the “final” version of the IR plan be assembled?
Briefly describe the possible training delivery methods.
Briefly describe the strategies used to test contingency plans.
What are the ways training can be undertaken for the CSIRT?
What is an after-action review (AAR)?
What is a “reaction force” in terms of IR planning?
What is meant by the “trigger” for an IR-related plan?
What are the three sets of time-based procedures that are often part of the IR planning process?
What characteristics must be present if an adverse event is to be considered an incident?
What is an incident response plan (IR plan)?
In order to be effective, what group is it essential to gain full support from?
What is the primary function of the IR Policy?
What should be among the first deliverables created by the IR planning committee?
Which individuals should be assembled to form the IRP team?
Who are the typical stakeholders of the IR process?
What does the organizational phase of the IRP process begin with?
What are two external sources for how IRP is performed that were mentioned in this chapter?
What are the general stages followed by the IRP team?
What are the phases of the overall IR development process?
Explain the shared-use strategies: time-share, service bureau, and mutual agreement.
Explain the site resumption strategy known as exclusive use and how it uses hot sites, warm sites, and cold sites.
What is database shadowing?
What is remote journaling, and how is it used in a backup strategy?
What is electronic vaulting, and how is it used in a backup strategy?
What is bare metal recovery?
Beyond simply identifying what to back up, when to back it up, and how to restore it, what should a complete backup recovery plan include?
In what way are the backup needs of systems that use databases different from the backups used to safeguard nondatabase systems?
What is disk striping, and how might it be considered the opposite of disk mirroring?
What is a redundant array of independent disks (RAID), and what are its primary uses? How can it be used in a backup strategy?
What is encompassed in an incremental backup?
What is encompassed in a differential backup?
What is encompassed in a full backup?
What are the major types of backups?
How have cloud computing architectures affected the backup options available for organizations?
What is a retention schedule?
What is the difference between a backup and an archive?
What is the primary site?
What are the two major component parts of BRP, and how are they related?
What purpose does business resumption planning serve?
Beyond those items that are funded in the normal course of IT operations, what are the additional budgeting areas for CP needs?