Questions and CORRECT Answers
Incident Handling - CORRECT ANSWER - Incident Handling is an action plan for
dealing with the misuse of computer systems and networks, such as *Intrusions *Malicious code
infection *Cyber-theft *Denial of Service *Other security-related events. A simple, well
understood, well documented approach is the best. Your plan should include hooks
Incident - CORRECT ANSWER - Incident refers to an adverse event in an information
system or network. Also refers to actions that result in harm or the significant threat of harm to
your computer systems or data.
Event - CORRECT ANSWER - An event is any observable occurrence in a system or a
network. An event is something that happens that someone either directly experiences or that you
can show actually occurred.
Incident Handling Steps: - CORRECT ANSWER - 1) Preparation 2) Identification 3)
Containment 4) Eradication 5) Recovery 6) Lessons Learned
Preparation Goal - CORRECT ANSWER - The goal of Preparation is to get the team ready
to handle incidents. *People *Policy *Data *Software/Hardware *Communications *Supplies
*Transportation *Space *Power and Environmental Controls *Documentation
Phishme - CORRECT ANSWER - A service that creates phishing campaigns that you can
use to test your workforce
Sptoolkit - CORRECT ANSWER - A service that creates phishing campaigns that you can
use to test your workforce
Preparation People - CORRECT ANSWER - People are regarded as the easiest targets to
attack and are most commonly attacked by phone call or email. Best way to prepare is constant
training and assessment.
Warning Banners (Preparation Policy) - CORRECT ANSWER - Warning Banners must
advise the user that: *Access to the system is limited to company-authorized activity. *Any
attempt at unauthorized access, use, or modification is prohibited. *Unauthorized users may
face criminal or civil penalties. *The use of the system may be monitored and recorded. *If the
monitoring reveals possible evidence of criminal activity, the company can provide the records to
law enforcement.
Response Strategies (Preparation Policy) - CORRECT ANSWER - Establish an
organizational approach to incident handling. Decide generally how you will handle the "big
issues" up front. Get management buy-in and sign-off on your default practices.
Notifying Law Enforcement - CORRECT ANSWER - Reasons you must notify Law
Enforcement: *Threat to public health or safety. *Substantial impact to a third party. *Legal
requirement based on industry. Other reasons include to benefit from the criminal discovery process
and to be a good corporate citizen. You may need to notify the public if PII or PHI is breached.
Not Notifying Law Enforcement - CORRECT ANSWER - Reasons NOT to notify Law
Enforcement: *Control *Publicity *Risk of continued hacking *Risk of equipment seizure and/or
business interruption. *Becoming an agent acting on behalf of law enforcement. The primary
downside of reporting to law enforcement is the fact that two cases are now created.
Peer Notification (Preparation Policy) - CORRECT ANSWER - *Est. a policy for outside
"peer" notification. *Est. a policy for dealing w/ incidents involving remote computers belonging
to: business partners, employees, contractors, your company. *For VPN usage, include a
warning banner saying that all systems connecting are subject to remote search.
Notes - CORRECT ANSWER - Use detailed handwritten notes on all of your actions:
*Judges and juries resonate with them. *Attackers cannot steal or destroy them. *They keep you
organized and act as a governor on your speed.
Management Support - CORRECT ANSWER - Develop management support for an
incident handling capability.
Building a Team - CORRECT ANSWER - Make sure your team includes people from the
following disciplines: *Security *Operations *Network Mgmt. *Legal Counsel *Human
Resources *Public Relations/Affairs *Disaster Recovery/Business Continuity Planning *Union
Representation
Checklists - CORRECT ANSWER - Prepare system build checklists: *Have the most
experienced system admins prepare a 5-20 page procedure for backing up and rebuilding systems
under their control. *One brief build document per system type.
Team Organization - CORRECT ANSWER - Define team organization: *On-site/location
techie handlers *Command post with communications and mgmt. organization support.
Emergency Comm Plan - CORRECT ANSWER - *Create a call list and est. methods of
informing people quickly. *Get a conference bridge number that can be set up with instant
notice. *Print a credit card sized list of incident response team contact information. *Test your
call list and tree to make sure it works.
Getting Access to Systems and Data - CORRECT ANSWER - *The incident handling team
needs to be able to access systems, sometimes without the knowledge of system admins. To help
encourage the operations team to give you admin-level access to machines, promise: *You will
notify the operations personnel on your incident-handling team before you log in with admin-
level credentials. *You will use only handlers who have enough experience to administer
machines of that given type.
Point of Contact and Resources - CORRECT ANSWER - *Est. a primary point of contact
and an incident command communications center. *In critical sites, est. secured communications.
*Set up resource acquisition plans for the teams. You need to get permission in advance
because you may need to move quickly during an incident.
Reporting Facilities - CORRECT ANSWER - *Establish a War Room that has a lockable
door and file cabinet. *Provide easy-to-use, convenient reporting facilities for anomalous
activities.
Cultivate Relationships - CORRECT ANSWER - *Coordinate closely with help desks.
*Pay particular attention to relationships with system administrators and network administrators.
Train the Team - CORRECT ANSWER - *Set up training scenarios. *Set up tools and
techniques training. *Consider deploying an internal honeypot. *Stock some high-capacity drives
and practice forensic imaging. *Conduct war games.
GRR Rapid Response - CORRECT ANSWER - A tool made and maintained by Google
for performing large-scale incident response and hunt teaming
Forensic Software - CORRECT ANSWER - *Sleuth Kit *Autopsy *EnCase *Forensic
Toolkit *X-Ways Forensics
Jump Bag - CORRECT ANSWER - *Keep fresh back-up media *Binary image-creation
software *Forensic software *Diagnosis software *Rootkits (pg 42) *USB token RAM device
*External hard drive *Small Ethernet TAP *Patch cables *Laptop with multiple operating
systems *Small jumpers *Flashlight *Screwdrivers *RJ-45 connector *Pens *Tweezers
*Mechanic's mirrors *Telescoping hands *Business cards
Jump Bag Software - CORRECT ANSWER - *Binary image-creation software *Forensic
software.
SIFT - CORRECT ANSWER - A good bootable Linux environment
Assigning Handlers - CORRECT ANSWER - *Select a person to handle identification and
assessment. *Assign him to a specific set of events on a specific set of systems. Ideally assign a
helper as well.
Control the Flow of Information - CORRECT ANSWER - Enforce a "need to know"
policy. *Tell the details of the incident to the minimum number of people possible. *Remind
them that they are trusted individuals and that your organization counts on their discretion.
*Inform them that they may be required to testify.