111k views
2 votes
Study the following scenario. Discuss and determine the incident response handling questions that should be asked at each stage of the incident response process. Consider the details of the organization and the CSIRC when formulating your questions.

This scenario is about a mid-sized hospital with multiple satellite offices and medical services. The organization has dozens of locations employing more than 5000 employees. Because of the size of the organization, they have adopted a CSIRC model with distributed incident response teams. They also have a coordinating team that watches over the security operations team and helps them to communicate with each other.

On a Wednesday evening, the organization's physical security team receives a call from a payroll administrator who saw an unknown person leave her office, run down the hallway, and exit the building. The administrator had left her workstation unlocked and unattended for only a few minutes. The payroll program is still logged in and on the main menu, as it was when she left it, but the administrator notices that the mouse appears to have been moved. The incident response team has been asked to acquire evidence related to the incident and to determine what actions were performed.

The security teams practice the kill chain model and they understand how to use the VERIS database. For an extra layer of protection, they have partially outsourced staffing to an MSSP for 24/7 monitoring.

1 Answer

5 votes

Answer:

In this scenario, the incident response process should be followed to handle the security incident effectively. The incident response process typically consists of the following stages: preparation, identification, containment, eradication, recovery, and lessons learned. At each stage, specific questions should be asked to guide the incident response team. Here are the incident response handling questions for each stage:

1. Preparation Stage:

- Are the incident response team members trained and equipped to handle security incidents?

- Is there a well-defined incident response plan in place?

- Are the incident response team members aware of their roles and responsibilities?

- Have the incident response team members been trained on the organization's CSIRC model and the kill chain model?

- Is the MSSP fully aware of their responsibilities and escalation procedures?

2. Identification Stage:

- What information is available about the incident? (e.g., time, location, witness statements)

- What systems or resources were potentially compromised?

- What evidence needs to be collected to understand the scope and impact of the incident?

- Has the incident been properly classified based on its severity and potential impact?

3. Containment Stage:

- Have the affected systems or resources been isolated from the network to prevent further damage?

- Are there any immediate actions that need to be taken to mitigate the incident?

- Are there any additional security measures that need to be implemented to prevent similar incidents in the future?

4. Eradication Stage:

- What actions were performed by the unknown person in the payroll administrator's office?

- What changes were made to the payroll program or system?

- Are there any indicators of compromise that need to be investigated further?

- What steps should be taken to remove any malicious presence from the network?

5. Recovery Stage:

- What steps should be taken to restore the affected systems or resources to their normal state?

- Are there any backups or redundant systems that can be used to recover the data or functionality?

- Are there any additional security measures that need to be implemented to prevent future incidents?

6. Lessons Learned Stage:

- What were the root causes of the incident and how can they be addressed?

- What improvements can be made to the incident response plan or processes?

- Are there any training or awareness programs that need to be conducted to prevent similar incidents?

- How can the incident response team collaborate more effectively with the MSSP and other stakeholders?

By asking these questions at each stage of the incident response process, the incident response team can effectively handle the security incident, mitigate its impact, and prevent future incidents.

answered by MatijaG (7.3k points)
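The identification and eradication questions above ("what evidence needs to be collected", "what actions were performed by the unknown person", "what changes were made to the payroll program") come down to building a timeline for the few minutes the workstation was unattended. The following is an added example, not part of the question or the answer: it merges constructed Windows Security event records (real event IDs such as 4688 process creation and 4663 object access) with constructed payroll-application audit entries, restricts them to the unattended window on the administrator's workstation, and flags the entries that indicate someone was actively driving the session. Host names, account names, file paths and timestamps are all made up for the example.

```python
"""Reconstruct activity on an unlocked, unattended workstation.

Added example for the scenario above. All sample records below are
constructed; the only real values are the Windows Security event IDs.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, NamedTuple

# Windows Security log event IDs (documented, real values).
EVENT_NAMES = {
    4624: "logon",
    4634: "logoff",
    4663: "object access",
    4688: "process created",
    4800: "workstation locked",
    4801: "workstation unlocked",
}

# Events that only occur when someone is interacting with the session.
# A background service logon (4624) or a logoff does not prove a person was present.
ACTIVE_USE_IDS = {4663, 4688, 4801}


@dataclass(frozen=True)
class OsEvent:
    when: datetime
    host: str
    event_id: int
    account: str
    detail: str


@dataclass(frozen=True)
class AppAudit:
    when: datetime
    host: str
    account: str
    action: str


class TimelineRow(NamedTuple):
    when: datetime
    source: str        # "os" or "payroll-app"
    account: str
    description: str
    active_use: bool   # True if a person had to be at the keyboard


def ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


# Constructed sample data: hypothetical host PAYROLL-WS01, user jdoe, file server FS01.
SAMPLE_OS_EVENTS = [
    OsEvent(ts("2024-03-13 17:58:10"), "PAYROLL-WS01", 4688, "HOSP\\jdoe", "EXCEL.EXE"),
    OsEvent(ts("2024-03-13 18:02:30"), "PAYROLL-WS01", 4624, "NT AUTHORITY\\SYSTEM", "service logon (type 5)"),
    OsEvent(ts("2024-03-13 18:03:12"), "PAYROLL-WS01", 4688, "HOSP\\jdoe", "cmd.exe"),
    OsEvent(ts("2024-03-13 18:03:20"), "RADIOLOGY-WS07", 4688, "HOSP\\asmith", "notepad.exe"),
    OsEvent(ts("2024-03-13 18:03:40"), "PAYROLL-WS01", 4663, "HOSP\\jdoe", "ReadData \\\\FS01\\payroll\\direct_deposit.xlsx"),
    OsEvent(ts("2024-03-13 18:04:30"), "PAYROLL-WS01", 4688, "HOSP\\jdoe", "powershell.exe"),
    OsEvent(ts("2024-03-13 18:09:55"), "PAYROLL-WS01", 4800, "HOSP\\jdoe", "workstation locked"),
]

SAMPLE_APP_AUDIT = [
    AppAudit(ts("2024-03-13 17:50:02"), "PAYROLL-WS01", "jdoe", "view main menu"),
    AppAudit(ts("2024-03-13 18:04:05"), "PAYROLL-WS01", "jdoe", "export employee bank details"),
]


def build_timeline(os_events: List[OsEvent], app_audit: List[AppAudit],
                   host: str, start: datetime, end: datetime) -> List[TimelineRow]:
    """Merge OS and application records for one host inside [start, end], ordered by time."""
    rows = []
    for e in os_events:
        if e.host == host and start <= e.when <= end:
            name = EVENT_NAMES.get(e.event_id, f"event {e.event_id}")
            rows.append(TimelineRow(e.when, "os", e.account, f"{name}: {e.detail}",
                                    e.event_id in ACTIVE_USE_IDS))
    for a in app_audit:
        if a.host == host and start <= a.when <= end:
            # Any transaction in the application during the window needed a person present.
            rows.append(TimelineRow(a.when, "payroll-app", a.account, a.action, True))
    rows.sort(key=lambda r: r.when)
    return rows


def unexplained_activity(timeline: List[TimelineRow]) -> List[TimelineRow]:
    """Rows that contradict the administrator's statement that nobody should have been using the session."""
    return [r for r in timeline if r.active_use]


if __name__ == "__main__":
    window = build_timeline(SAMPLE_OS_EVENTS, SAMPLE_APP_AUDIT, "PAYROLL-WS01",
                            ts("2024-03-13 18:02:00"), ts("2024-03-13 18:07:00"))
    for row in window:
        flag = "ACTIVE" if row.active_use else "background"
        print(f"{row.when:%H:%M:%S} {row.source:<11} {row.account:<22} {flag:<10} {row.description}")
```

Every flagged row is attributed to the administrator's own account, because the session was hers and was left unlocked. That is the point responders should take from the timeline: account-based attribution cannot separate her actions from the intruder's, so the physical security report and the witness statement fix the window, and the logs then show what was done inside it. The same rows also tell the containment step what to check next (the exported bank details, the file read on the file server) and give the lessons-learned step a concrete control to discuss, such as a shorter screen-lock timeout.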