50.1k views
4 votes
1. When you are notified that a user’s workstation or system is acting strangely and log files indicate system compromise, what is the first thing you should do to the workstation or system and why?

2. When an antivirus program identifies a virus and quarantines this file, has the malware been eradicated?

3. What is the SANS Institute’s six-step incident handling process?

4. What is the risk of starting to contain an incident prior to completing the identification process?

5. Why is it a good idea to have a security policy that defines the incident response process in your organization?

6. The post-mortem, lessons learned step is the last in the incident response process. Why is this the most important step in the process?

User Je
by
4.3k points

2 Answers

2 votes

Final answer:

When a system is compromised, the first step is isolation to prevent further spread. The SANS Institute's incident handling process includes preparation, identification, containment, eradication, recovery, and lessons learned. A post-mortem analysis is crucial for improving future security measures.

Step-by-step explanation:

Response to a Compromised Workstation and Incident Handling

When notified of a system acting strangely with indications of a compromise, the first thing you should do is isolate the workstation or system. This is critical to prevent the spread of the threat to other systems and to contain any potential damage. Quarantining a file with antivirus software does not necessarily mean that the malware has been completely eradicated from the system. It is important to investigate further to ensure that all parts of the malware have been removed and to understand the full scope of the compromise.

The SANS Institute outlines a six-step incident handling process, which includes preparation, identification, containment, eradication, recovery, and lessons learned. Jumping into containment before fully identifying the incident can result in incomplete understanding, potentially causing more damage or overlooking parts of the breach. Therefore, having a security policy that defines the incident response process is essential for preparing and guiding an organization through properly handling such incidents.

Conducting a post-mortem or lessons learned is indeed the most important step. It provides opportunities for improvement, not just in incident response tactics, but in overarching security measures to prevent future data breaches. Through this process, businesses, organizations, medical systems, governments, and individuals learn and adjust their security posture to better protect sensitive information.

User MoonBoots
by
4.8k points
3 votes

Answer:

1) When you are notified that a user’s workstation or system is acting strangely and log files indicate system compromise, the first thing you should do is to perform a review of every security and service account in the system and all of the connected systems, because what you are looking for is accounts that shouldn't be in the system.

2) When an antivirus program identifies a virus and quarantines this file, the virus and any other malicious malware/software is eradicated from the system at that particular time.

3) The SANS Institute’s six-step incident handling process is: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

4) The risk of starting to contain an incident prior to completing the identification process is very little, if any.

5) It is a good idea to have a security policy that defines the incident response process in your organization because the incident response team is responsible for receiving, reviewing, and responding to computer security incident reports.

6) For the post-mortem, lessons learned step, the last in the incident response process:

- There should be a scheduled follow-up meeting to discuss the incident and make recommendations to improve the incident handling plan.

This is the most important step in the process because it helps to prevent future occurrences of incidents that have happened before.


User Errx
by
4.4k points