Term

Definition
- Documented incident types/category definitions
- Roles and responsibilities
- Reporting requirements/escalation
- Cyber-incident response teams
- Exercise

Term
Documented incident types/category definitions

Definition
- External / removable media
- Attrition or brute force
- Web based
- Email attack (attachment)
- Improper usage: deviation from AUP
- Theft of equipment

Term
Roles and responsibilities

Definition
- IT security management
- Compliance officers
- Technical staff
- Users

Term
Reporting requirements/escalation

Definition
- Contact list
- CIO
- Information Security Officer
- Response teams
- Human resources
- Public affairs
- Legal department
- External:
  - System owner
  - Law enforcement
  - US-CERT
  - Involved third parties

Term
Cyber-incident response teams (CIRT)

Definition
- Specialized group trained to deal with security incidents
- May not be part of the formal organizational structure
- May be a group of people that are brought together when an incident occurs

Term

Definition
- Scheduled update sessions
- Perform them annually or semiannually
- Perform some tests prior to an actual incident
- Well-defined rules of engagement

Term
Incident response process

Definition
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned

Term
Incident response process - Preparation

Definition
- NIST Special Publication 800-61
- Communication methods: phones, contact info
- Incident handling software
- Established policy
- How you can detect and analyze that an incident has occurred
- How to contain, eradicate and recover from an incident
- Post-incident activities
- Warning that attacks will occur

Term
Incident response process - Identification

Definition
- Difficult to detect
- Requires an experienced individual with extensive knowledge
- Web server logs
- Different detection sources, levels of detail, levels of perception

Term

Definition
- Isolate infected systems from the rest of the network
- Attempt to sandbox the affected system
- Malware may delete itself and everything else if the internet connection is lost

Term

Definition
- Disable affected user accounts
- Fix vulnerabilities
- Wipe system and rebuild from backup
- Wipe system and rebuild from scratch

Term

Definition
- Reconstitution starts with recovering systems that can be done quickly
- Can implement new firewall policies
- Install patches

Term

Definition
- Perform as soon as possible after the incident
- Ask questions and document the incident
- Evaluate how well your incident plans were able to be executed
- Make changes to make the process more efficient
- Are there other precursors we should be following to prevent future incidents?

Term
Information Impact Categories

Definition
- None: no information exfiltrated, changed, deleted or compromised
- Privacy Breach: PII was accessed/exfiltrated
- Proprietary Breach: unclassified proprietary information or protected critical infrastructure information (PCII) accessed or exfiltrated
- Integrity Loss: sensitive or proprietary information was changed or deleted

Term
Recoverability Effort Categories

Definition
- Regular: time to recover predictable using existing resources
- Supplemented: time to recover predictable but requires more resources
- Extended: time to recover unpredictable; additional resources and outside help required
- Not Recoverable: recovery not possible, e.g. data exfiltrated and posted publicly or exported to a foreign government

Term

Definition
- Central Incident Response Team
- Distributed Incident Response Team
- Coordinating Team

Term
Central Incident Response Team

Definition
- One team handles all incidents for an organization, no matter where they occur

Term
Distributed Incident Response Team

Definition
- Different teams in different geographic locations

Term

Definition
- A team used to coordinate the efforts of other incident response teams

Term

Definition
- Internal employees
- Partially outsourced
- Fully outsourced

Term
Outsourcing Considerations

Definition
- Current work quality vs. future work quality (employee turnover)
- Division of responsibility
- Exposure of sensitive information
- Lack of company-specific knowledge (tribal knowledge)
- Decrease in skill for in-house basic incident response handling

Term

Definition
- Analysis that uses a numerical scale to evaluate the probability of a risk and its impact
- Monetary value is not assigned

Term

Definition
- Assigns an exact monetary value to assets
- Tries to predict expected annual loss in dollars for each risk
- Evaluates and prioritizes based on the cost likely to be incurred vs. the cost of protection