Mod 9

To determine what must be done to restore systems

To punish those responsible for the incident

To notify law enforcement

To ignore minor damages

Incident damage assessment

Restoring data from backups

Validating security controls

Identifying and fixing vulnerabilities

Identify and fix vulnerabilities

Restore affected data and systems

Re-enable affected business processes

Install new software unrelated to the incident

Verify that backup data was not infected

Conduct hash checks to ensure data integrity

Use offline or immutable backups whenever possible

Restore all files without verification

Delaying business continuity operations

Ignoring penetration testing

Conducting staged activation of systems

Disabling real-time monitoring

New technologies and threat vectors

Changes in staff or leadership

Updated legal or compliance obligations

All of the above

To assign blame for mistakes

To reveal the timeline and response to the incident

To punish underperforming staff

To ignore lessons learned

It helps in establishing a timeline of events from multiple sources.

It ensures immediate recovery of data and systems.

It prevents future incidents from occurring.

It eliminates the need for CSIRT response.

It makes them experts in all security technologies.

It familiarizes them with the system, plans, and responses of the organization.

It guarantees they will never make mistakes.

It allows them to avoid all future incidents.

It can be used to document lessons learned and generate improvements to the IR plan.

It can provide a historical record of events.

It formally brings the IR team’s actions to a close after an incident.

All of the above are true.

Provisioning of actual or contingent credentials

Cross-training of staff members

Ensuring a sufficient pool of qualified staff

All of the above

should include cross-training of members

should ensure that all people on the team are individually trained to only perform their job

includes training for all personnel of the team to handle public press briefings

includes training for all personnel to be highly proficient in linux and penetration testing

Better equipped at processing evidence than business organizations

Can handle warrants and subpoenas

May do more harm than good when extracting information

Adept at obtaining statements and required documents

Only if requested by law enforcement

Whenever there is a data breach

When evidence is lost

When an incident violates civil or criminal law

Healthcare organizations

Financial institutions

Breaches of government

Private industries

evidentiary material

legal data

collected analysis

forensic files

an allegation of wrongdoing

collection of digital evidence

analysis using digital and electronic forensic techniques

a grand jury investigation

safeguards can be removed, and business may resume as it had previously

controls that had been insufficient before the incident must be replaced, upgraded, or fixed

restore previous monitoring capabilities

outsource all monitoring and response processes