CSIA 310 incident handling Exam Questions and Answers

CSIA 310 incident handling Exam Questions and Answers incident reporting Organizations - Answer-FISMA requires Federal agencies to report incidents to the United States Computer Emergency Readiness civilian agencies in their incident handling efforts. US-CERT does not replace existing agency response teams; rather, it augments the efforts of Federal civilian agencies by serving as a focal point for dealing with incidents. US-CERT analyzes the agency-provided information to identify trends and indicators of attacks; these are easier to discern when reviewing data from many organizations than when reviewing the data of a single organization. Each agency must designate a primary and secondary POC with US-CERT and report all incidents consistent with the agency's incident response policy. Other outside parties - Answer-Organization's ISP. An organization may need assistance from its ISP in blocking a major network- based attack or tracing its origin. Owners of Attacking Addresses. If attacks are originating from an external organization's IP address space, incident handlers may want to talk to the designated security contacts for the organization to alert them to the activity or to ask them to collect evidence. It is highly recommended to coordinate such communications with US-CERT or an ISAC. Software Vendors. Incident handlers may want to speak to a software vendor about suspicious activity. This contact could include questions regarding the significance of certain log entries or known false positives for certain intrusion detection signatures, where minimal information regarding the incident may need to be revealed. More information may need to be provided in some cases—for example, if a server appears to have been compromised through an unknown software vulnerability. Software vendors may also provide information on known threats (e.g., new attacks) to help organizations understand the current threat environment. Other Incident Response Teams. An organization may experience an incident that is similar to ones handled by other teams; proactively sharing information can facilitate more effective and efficient incident handling (e.g., providing advance warning, increasing preparedness, developing situational Groups. Groups such as the Forum of Incident Response and Security Teams (FIRST), the Government Forum of Incident Response and Security Teams (GFIRST) , and the Anti-Phishing Working Group (APWG), are not incident response teams, but they promote information sharing Affected External Parties. An incident may affect external parties directly—for example, an outside organization may contact the organization and claim th