The purpose of the CIRT plan is to help an organization prepare for computer incidents. Preparation helps the organization identify potential incidents, and security personnel can then identify the best responses to reduce the potential damage.
2 Describe what the three models are for a CIRT plan based on the NIST SP 800-61 template.
Central Incident Response Team
Distributed Incident Response Team
3 Define three of the responsibilities that an Incident Response Team would have. List them and describe the responsibilities.
Develop incident response procedures: develop and write down how to respond to incidents.
Investigate incidents: respond to incidents and fulfill all requirements as outlined in the response procedures.
Protect collected evidence: collect, store, and keep a chain of custody for any/all evidence collected during the investigation.
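The chain-of-custody responsibility above is easier to see in code. The following is an added example, not part of the original answer sheet or of NIST SP 800-61: it hashes a constructed evidence file, appends one hash-chained entry per custody event, and can later prove that neither the item nor any log entry was altered. The file name, custodian names and actions are assumptions made up for the illustration.

```python
"""Chain-of-custody log for a collected evidence item (added example).

Each log entry commits to the hash of the evidence item and to the previous
entry, so editing the item or rewriting history in the log is detectable.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk=65536):
    """Hash the evidence item itself so its integrity can be re-verified later."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only list of custody entries; each entry commits to the previous one."""

    def __init__(self, item_path):
        self.item_path = item_path
        self.item_hash = sha256_of_file(item_path)
        self.entries = []

    @staticmethod
    def _entry_hash(body):
        # Canonical JSON so the same entry body always hashes the same way
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, action, custodian, note=""):
        """Append a custody event (collected, transferred, analysed, ...)."""
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "note": note,
            "item_hash": self.item_hash,
            "prev_entry_hash": prev,
        }
        entry = dict(body, entry_hash=self._entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, reason): the item still matches its hash and the chain links hold."""
        if sha256_of_file(self.item_path) != self.item_hash:
            return False, "evidence item modified"
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_entry_hash"] != prev or self._entry_hash(body) != e["entry_hash"]:
                return False, f"log entry {e['seq']} altered or out of order"
            prev = e["entry_hash"]
        return True, "ok"


def demo():
    """Constructed evidence file: collected, transferred, then tampered with.

    Returns the verify() result before tampering, after a log entry is edited,
    and after the evidence item itself is changed.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "disk-image.bin")  # constructed evidence item
        with open(path, "wb") as f:
            f.write(b"constructed evidence bytes")
        log = CustodyLog(path)
        log.record("collected", "analyst-a", "imaged from workstation")
        log.record("transferred", "analyst-b", "handed over for analysis")
        before = log.verify()
        log.entries[0]["custodian"] = "someone-else"   # rewrite history in the log
        after_log_tamper = log.verify()
        log.entries[0]["custodian"] = "analyst-a"      # restore the entry
        with open(path, "ab") as f:
            f.write(b"!")                               # modify the evidence item
        after_item_tamper = log.verify()
        return before, after_log_tamper, after_item_tamper


if __name__ == "__main__":
    print(demo())
```

The chain only proves internal consistency: a real process also stores the item hash and the log out of reach of the custodians (for example signed or on write-once media), otherwise someone with write access could recompute the whole chain.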
4 As much as 80% of all incidents are a result of internal attacks. List four inappropriate usages by users.
Spamming coworkers
Accessing prohibited websites
Purposely circumventing security policies
Sending files with sensitive data outside the organization
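All four inappropriate usages leave traces in ordinary proxy and mail gateway logs, which is what lets security personnel spot them. The script below is an added example, not part of the original answers: it runs four simple detection rules over constructed log lines (the log format, the `corp.example` mail domain, the block list and the thresholds are all assumptions made for the illustration).

```python
"""Detect the four inappropriate usages in constructed proxy and mail logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

INTERNAL_DOMAIN = "corp.example"                          # assumed organization mail domain
PROHIBITED_HOSTS = {"gambling.example", "warez.example"}  # constructed block list
SPAM_THRESHOLD = 5                                        # messages to coworkers ...
SPAM_WINDOW = timedelta(minutes=2)                        # ... within this window
BLOCK_THRESHOLD = 3                                       # repeated blocked requests per user

# Constructed sample log lines: "<timestamp> <source> key=value ..."
LOG_LINES = """\
2024-05-01T09:15:02Z proxy user=jdoe url=https://gambling.example/bets action=allow
2024-05-01T09:16:40Z proxy user=asmith url=https://intranet.corp.example/wiki action=allow
2024-05-01T09:17:00Z proxy user=jdoe url=https://anon-proxy.example/ action=block
2024-05-01T09:17:05Z proxy user=jdoe url=https://anon-proxy.example/?retry=1 action=block
2024-05-01T09:17:09Z proxy user=jdoe url=https://anon-proxy.example:8443/ action=block
2024-05-01T09:20:11Z mail user=jdoe to=finance@corp.example attachment=payroll.xlsx label=confidential
2024-05-01T09:21:05Z mail user=jdoe to=me@partner.example attachment=payroll.xlsx label=confidential
2024-05-01T09:30:00Z mail user=bob to=a@corp.example label=none
2024-05-01T09:30:10Z mail user=bob to=b@corp.example label=none
2024-05-01T09:30:20Z mail user=bob to=c@corp.example label=none
2024-05-01T09:30:30Z mail user=bob to=d@corp.example label=none
2024-05-01T09:30:40Z mail user=bob to=e@corp.example label=none
"""


def parse(line):
    """Split one log line into a dict of fields plus parsed time and source."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def detect(lines):
    """Return (rule, user, detail) alerts in the order the evidence appears."""
    alerts = []
    internal_sends = defaultdict(list)   # user -> times of messages to coworkers
    blocked = defaultdict(int)           # user -> number of blocked proxy requests
    already_flagged = set()              # (rule, user) pairs that fired once already

    def fire(rule, user, detail):
        if (rule, user) not in already_flagged:
            already_flagged.add((rule, user))
            alerts.append((rule, user, detail))

    for line in lines:
        if not line.strip():
            continue
        ev = parse(line)
        user = ev["user"]
        if ev["source"] == "proxy":
            host = urlsplit(ev["url"]).hostname
            if host in PROHIBITED_HOSTS:                       # accessing prohibited websites
                fire("prohibited_site", user, host)
            if ev.get("action") == "block":                    # circumventing security policy
                blocked[user] += 1
                if blocked[user] >= BLOCK_THRESHOLD:
                    fire("repeated_blocked_requests", user, f"{blocked[user]} blocked requests")
        elif ev["source"] == "mail":
            rcpt_domain = ev["to"].split("@", 1)[1]
            if rcpt_domain == INTERNAL_DOMAIN:                 # spamming coworkers
                internal_sends[user].append(ev["time"])
                recent = [t for t in internal_sends[user] if ev["time"] - t <= SPAM_WINDOW]
                if len(recent) >= SPAM_THRESHOLD:
                    fire("spamming_coworkers", user,
                         f"{len(recent)} messages to coworkers within {int(SPAM_WINDOW.total_seconds())}s")
            elif ev.get("label") == "confidential":            # sensitive data leaving the organization
                fire("sensitive_data_outbound", user, f"{ev.get('attachment')} -> {ev['to']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES.splitlines()):
        print(alert)
```

Each rule fires once per user so a noisy user does not flood the queue; in practice the thresholds are tuned against the organization's normal traffic, and the sensitive-data rule depends on files actually carrying a classification label.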
5 List and explain three basic protection steps you can take to ensure all servers are hardened, thus reducing incidents.
Limit the services running on the server to only what is absolutely needed.
Use unique IDs and strong passwords, combined with the principle of least privilege, to help prevent unauthorized access.
Use up-to-date anti-malware software.
Use firewalls to prevent unauthorized access.
Use intrusion detection software to monitor for unauthorized access.
6 Define a DRP and explain when it is invoked.
A disaster recovery plan (DRP) is a plan to restore a critical business process or system to operation after a disaster. It is invoked after a disaster such as a flood, tornado, or hurricane.
7 Describe two CSFs for a DRP.