CR Examples

Sample Case Scenario Analysis:

You have been appointed as CISO (Chief Information Security Officer) for ABC Company. Very often, the Chief Information Officer (CIO) will delegate much of the responsibility for risk management to the CISO, and contingency planning is considered part of the risk management process. The CISO has conducted his or her risk assessment, which includes the major threats or attacks shown in the table below. This risk assessment will later become the input to the BIA process of your contingency plan.

1. NOTE: this is just a sample. Create your own.

Threats and the corresponding attacks and prioritization using weighted score analysis (see the PowerPoint slides)

Task 1: Threat categories/attacks and prioritization
Categorize the threats faced by today’s organization along with their types of attacks, and then use the weighted score analysis technique to prioritize them from high, through medium, to low.

Since the responsibility for creating an organization’s IR plan often falls among the CISO’s major duties, you have selected members from each community of interest to form the CSIRT that will execute the IR plan. For every potential attack scenario, the IR team creates the incident plan, which is made up of three sets of incident-handling procedures. These procedures address the steps to be taken before, during, and after an incident.

Task 2: Choose and document one of the incident handling procedures below, covering what is done before the incident, during the incident, and after the incident.
A) Handling DoS Incident (Page 278)
B) Handling Malware Incident (Page 282)
C) Unauthorized Access (Page 287)
D) Inappropriate Use (Page 295)
Note: preferably use a template.

One of the most widely used automated incident response technologies is the IDPS.

Task 3: IDPS
Explain the components of an Intrusion Detection and Prevention System. Draw a simple LAN/WAN diagram indicating the best practices for IDPS placement.
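Task 1 asks for a weighted score analysis but the slide's weights are not reproduced here, so the following is an added example (not from the course materials) of how such an analysis is carried out: a small set of criteria whose weights sum to 100, a 1-5 rating of each threat per criterion, a weighted score per threat, and a high/medium/low tier. The criteria, weights, threat list, ratings and tier thresholds are all constructed for illustration; substitute the ones from the PowerPoint slides.

```python
"""Weighted score analysis for prioritising threat categories (Task 1).

Added example. Criteria, weights, the threat list, the 1-5 ratings and the
tier thresholds are all constructed for illustration; they are not the
values from the course slides.
"""

# Criteria and their weights; weights must sum to 100 (constructed values).
WEIGHTS = {
    "likelihood": 40,  # how likely this attack is against the organisation
    "impact": 35,      # damage to confidentiality, integrity or availability
    "exposure": 25,    # how much of the asset base the attack can reach
}

# Threat categories, a representative attack for each, and 1-5 ratings
# per criterion (constructed sample data).
THREATS = [
    {"threat": "Deliberate software attacks", "attack": "malware / worm",
     "likelihood": 5, "impact": 4, "exposure": 4},
    {"threat": "Acts of human error or failure", "attack": "accidental data deletion",
     "likelihood": 4, "impact": 3, "exposure": 3},
    {"threat": "Deliberate acts of sabotage", "attack": "denial of service",
     "likelihood": 3, "impact": 4, "exposure": 2},
    {"threat": "Forces of nature", "attack": "flood / fire",
     "likelihood": 1, "impact": 4, "exposure": 1},
    {"threat": "Deliberate acts of trespass", "attack": "unauthorized access",
     "likelihood": 4, "impact": 5, "exposure": 3},
]

RATING_MAX = 5


def weighted_score(entry, weights=WEIGHTS):
    """Sum of (rating x weight) over all criteria, scaled to 0-100."""
    if sum(weights.values()) != 100:
        raise ValueError("criterion weights must sum to 100")
    for crit in weights:
        if not 1 <= entry[crit] <= RATING_MAX:
            raise ValueError(f"{crit} rating for {entry['threat']!r} out of range")
    raw = sum(entry[crit] * w for crit, w in weights.items())
    return round(raw / RATING_MAX, 1)


def priority_level(score, high=70, medium=45):
    """Bin a 0-100 score into the high / medium / low tiers the task asks for."""
    if score >= high:
        return "high"
    if score >= medium:
        return "medium"
    return "low"


def prioritize(threats=THREATS, weights=WEIGHTS):
    """Return the threats ranked from highest to lowest weighted score,
    each annotated with its score and priority tier."""
    ranked = []
    for t in threats:
        score = weighted_score(t, weights)
        ranked.append({**t, "score": score, "priority": priority_level(score)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"{'score':>5}  {'tier':6}  threat (attack)")
    for r in prioritize():
        print(f"{r['score']:5.1f}  {r['priority']:6}  {r['threat']} ({r['attack']})")
```

The tier thresholds are the one judgement call the technique leaves open: with the constructed ratings, the two deliberate-attack categories land in the high tier and forces of nature in the low tier, which is the ordering the case scenario expects the CISO to carry into the BIA.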
Practical Lab 1: Using Security Onion to simulate an attack or incident and the action to be taken.

Description: In this practical lab you will use the Security Onion virtual machine to create a new rule for use by Snort. You will then test the rule using the Scapy application to create and transmit a packet designed to trip the rule. Finally, you will use the Sguil application to verify that the rule fired correctly.

Submit your work as an MS Word document on the network path below:
T:\Shared\Wissam Safeh\Student\CSF 3103 _ 04B5CSF21 _ Final _ Practical Submission

Tasks                                                 Marks Allocated   Marks Granted
1. Title/Objectives                                    1
2. Tools Used                                          1
3. Step by step screenshots                            7
   a) sudo vi /etc/nsm/rules/local.rules
   b) Type the alert statement
   c) sudo /usr/bin/rule-update (restart Snort successfully)
   d) sudo scapy (sent 1 packets)
   e) Log in to Sguil
   f) Rule entry in Sguil
   g) Show packet data and show rule
4. Describe Scapy; what is it used for?                2
5. Describe Snort; what is it used for?                2
6. Describe Sguil; what is it used for?                2
7. Problems / solutions                                1
8. Describe the rule alert (step 6)                    1
9. Describe the rule entry in Sguil (step 21)          1
10. Conclusion (3) and Recommendations (3)             6
Total marks                                            24

Practical Lab 2: Using a Linux VM or Windows Server 2008, create RAID as one of the contingency strategies.
Note: Students have already covered how to configure RAID Level 1 in the CSF 2903 course.
- Convert Disk 1, Disk 2, Disk 3 and Disk 4 into a RAID 5 configuration.
- Create a 500 MB simple volume on Disk 5 and create a mirror of this volume on Disk 6.
- Create a spanned volume from the unallocated space on Disk 5 together with Disk 6.
You can do all of these on a VM.

Practical Lab 3: Use Windows Server 2008 Backup and Recovery to back up to an external hard disk drive or USB flash memory, or use the Security Onion backup lab.

Example of SR Questions

1. A(n) ____ is an investigation and assessment of the impact that various attacks can have on the organization.
*a) BIA b) intellectual property c) incident d) threat
2.
A(n) ____ is any clearly identified attack on the organization’s information assets that would threaten the assets’ confidentiality, integrity, or availability.
a) threat b) Trojan horse c) worm *d) incident
3. A(n) ____ is prepared by the organization to anticipate, react to, and recover from events that threaten the security of information and information assets in the organization, and, subsequently, to restore the organization to normal modes of business operations.
a) threat b) social plan *c) contingency plan d) asset
4. The ________ plan runs concurrently with the DRP when the damage is major or long term, requiring more than simple restoration of information and information resources, and establishes critical business functions at an alternate site.
a) IR b) DR *c) BC d) CP
5. The ____ is the period of time within which systems, applications, or functions must be recovered after an outage.
a) recovery point objective b) dependency objective *c) recovery time objective d) training objective
6. A(n) ____ is a fully configured computer facility with all services, communications links, and physical plant operations that is capable of establishing operations at a moment’s notice.
*a) hot site b) independent site c) electronic vault d) cold site
7. The ____ is the location or group of locations at which the organization executes its functions.
*a) primary site b) secondary site c) backup site d) Towers of Hanoi
8. ____ is most commonly used in organizations that balance safety and redundancy against the costs of acquiring and operating the systems.
a) RAID level 4 *b) RAID level 5 c) RAID level 0 d) RAID level 7
9. ____ is the storage of duplicate online transaction data, along with the duplication of the databases at the remote site to a redundant server.
a) Remote journaling b) Electronic vaulting c) Hot swapping *d) Database shadowing
10. ____ is the transfer of live transactions to an off-site facility.
a) Electronic vaulting *b) Remote journaling c) Database shadowing d) Data warehousing
11. A favorite pastime of information security professionals is ____, which involves realistic, head-to-head attack-and-defend information security attacks and incident response methods.
a) simulation *b) war gaming c) parallel testing d) structured walk-through
12. A(n) ____ is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.
a) announcement plan b) awareness plan c) risk analysis plan *d) incident response plan
13. The responsibility for creating an organization’s IR plan usually falls to the ____.
a) database administrator b) project manager c) forensic expert *d) chief information security officer
14. A ____ is an alarm or alert that indicates that an attack is in progress or that an attack has successfully occurred when in fact there was no such attack.
*a) false positive b) false negative c) Confidence Value d) site policy
15. A(n) ____ is an event that triggers alarms and causes a false positive when no actual attacks are in progress.
a) alert b) false negative *c) false attack stimulus d) True Attack Stimulus
16. A(n) ____ is an indication that a system has just been attacked or continues to be under attack.
a) event *b) alert c) stimulus d) honeypot
17. A(n) ____ is designed to be placed in a network to determine whether or not the network is being used in ways that are out of compliance with the policy of the organization.
a) alert b) security policy *c) intrusion detection system d) DNS cache
18. A(n) ________ triggers an alert or alarm when one of the following changes occurs: file attributes change, new files are created, or existing files are deleted.
a) IDS b) IPS *c) HIDS d) NIDS
19. The failure of an IDS system to react to an actual attack event is known as a ____.
a) false positive *b) false negative c) Confidence Value d) site policy
20.
When placed next to a hub, switch, or other key networking device, the NIDS may use that device’s monitoring port, also known as a(n) ____ port or mirror port.
a) SWAN b) HIDS c) NIDS *d) SPAN
21. Which of the following is an advantage of outsourcing the incident response process?
a) Potential loss of control of response to incidents b) Possible exposure of classified organizational data to service providers c) Locked in to proprietary equipment and services *d) 24/7 monitoring
22. Being directed against information assets owned or operated by the organization, having a realistic chance of success, and threatening the C.I.A. of information resources and assets are characteristics of an information security __________.
a) policy b) risk response c) threat agent *d) incident
23. _______________ is the foundation of the incident response program. It defines which events are considered incidents, establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents, among other items.
a) Disaster Recovery Policy *b) Incident response policy c) Contingency Plan Policy d) Business Impact Analysis Policy
24. A(n) ____ is a document containing contact information for the individuals that need to be notified in the event of an actual incident.
a) sequential roster b) hierarchical roster c) root roster *d) alert roster
25. Incident ____________________ strategies focus on two tasks: stopping the incident and recovering control of the affected systems.
*a) containment b) Preparation c) detection d) post-incident activity
26. Once an incident has been contained, and system control has been regained, incident ____________________ can begin.
a) reaction *b) recovery c) preparation d) classification
27. The ____ is a scripted description of the incident and consists of just enough information so that each responder knows what portion of the IR plan to implement without impeding the notification process.
a) sequential roster *b) alert message c) hierarchical roster d) alert roster
28. Based on recommendations by the management team, this group can work from preauthorized purchase orders to quickly order replacement equipment, applications, and services, as the individual teams work to restore recoverable systems.
a) Logistics Team *b) Vendor Team c) Data Management Team d) Business Interface Team
30. The ____ should contain the specific and detailed guidance and procedures for restoring lost or damaged capability.
a) Forensic report b) Event schedule c) Contingency report *d) DR planning document
31. The _______ assembles a disaster recovery team.
*a) CPMT b) AAR c) CIRST d) PAR
32. When developing the LAN contingency plan, the contingency planning coordinator should identify ____ ____ that affect critical systems or processes outlined in the BIA.
a) Events b) Filters c) Servers *d) Single points of failure
33. ____ are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production.
a) Slow onset disasters b) Communication disasters *c) Rapid onset disasters d) Data disasters
34. ____ system components are critical to ensure that a failure of a system component, such as a power supply, does not cause a system failure.
a) Restore b) Contingency c) BIA *d) Redundant
35. ______________ is the preparation for and recovery from a disaster, whether natural or man-made.
a) IRP *b) DRP c) CP d) BIA
36. During the ____ phase the organization begins the recovery of the most time-critical business functions, those necessary to reestablish business operations and prevent further economic and image loss to the organization.
*a) recovery b) Risk analysis c) Parallel testing d) Audit review
37. The __________ focuses on functions that are not as critical.
a) Recovery phase *b) Resumption phase c) Restoration phase d) Data-management practices
38. The __________ focuses on critical business operations.
*a) Recovery phase b) Resumption phase c) Restoration phase d) Data preparation practices
39. The ____ team is responsible for reestablishing connectivity between systems and to the Internet (if applicable).
a) Applications recovery b) System recovery c) Storage recovery *d) Network recovery
40. ____ requires effective backup strategies and flexible hardware configurations.
a) War gaming b) DR plan simulation c) System response *d) Data recovery
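For Practical Lab 1 above (steps a to g), the following added example is not the lab's own rule and not Snort's code; it is a small Python stand-in for what the lab exercises: a rule of the kind appended to /etc/nsm/rules/local.rules, a packet of the kind Scapy sends, and the decision whether the rule fires, which is what Sguil then displays. The rule text, addresses, ports and payloads are constructed, packets are plain dicts rather than Scapy objects so that it runs offline, and only the rule header plus the msg/content/sid/rev options are handled (no rule variables such as $HOME_NET).

```python
"""Toy Snort-style rule matcher for the Security Onion lab (Practical Lab 1).

Added example, not Snort's code and not the lab's own rule. It parses a rule
header plus the msg/content/sid/rev options, represents a packet as a plain
dict (a stand-in for the Scapy IP()/TCP()/Raw() layers the lab sends), and
decides whether the rule would fire. Rule text, addresses, ports and
payloads are constructed for illustration.
"""
import ipaddress
import re

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line rule into header fields and an options dict."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("opts").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def _addr_matches(spec, ip):
    """'any', a single IP, a CIDR block, or any of those negated with '!'."""
    if spec == "any":
        return True
    negated = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negated


def _port_matches(spec, port):
    """'any', a single port, or a range such as 1024: or 80:443."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def _header_matches(rule, pkt):
    """Addresses and ports in the rule's direction; '<>' accepts either way."""
    forward = (_addr_matches(rule["src"], pkt["src"])
               and _port_matches(rule["sport"], pkt["sport"])
               and _addr_matches(rule["dst"], pkt["dst"])
               and _port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "->":
        return forward
    reverse = (_addr_matches(rule["src"], pkt["dst"])
               and _port_matches(rule["sport"], pkt["dport"])
               and _addr_matches(rule["dst"], pkt["src"])
               and _port_matches(rule["dport"], pkt["sport"]))
    return forward or reverse


def rule_fires(rule, pkt):
    """True when protocol, addresses, ports and (if present) content all match."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if not _header_matches(rule, pkt):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


# The rule that would be appended to local.rules (constructed; the sid is in
# the local-rule range above 1000000 that Snort convention reserves).
LOCAL_RULE = ('alert tcp any any -> 10.0.2.0/24 80 '
              '(msg:"CSF3103 lab test string seen"; content:"CSF3103"; '
              'sid:1000001; rev:1;)')

# Constructed stand-ins for the packets Scapy would send.
TRIGGER_PKT = {"proto": "tcp", "src": "10.0.2.15", "sport": 40000,
               "dst": "10.0.2.4", "dport": 80,
               "payload": b"GET /CSF3103 HTTP/1.1\r\nHost: lab\r\n\r\n"}
BENIGN_PKT = dict(TRIGGER_PKT, payload=b"GET /index.html HTTP/1.1\r\n\r\n")
OFF_NET_PKT = dict(TRIGGER_PKT, dst="192.168.50.9")  # content matches, header does not


def lab_check(rule_text=LOCAL_RULE):
    """What Sguil would show for each packet: an alert or nothing."""
    rule = parse_rule(rule_text)
    return {
        "trigger": rule_fires(rule, TRIGGER_PKT),  # expected: the alert fires
        "benign": rule_fires(rule, BENIGN_PKT),    # no content match, no alert
        "off_net": rule_fires(rule, OFF_NET_PKT),  # content matches but dst is outside the rule's network
    }


if __name__ == "__main__":
    rule = parse_rule(LOCAL_RULE)
    for name, fired in lab_check().items():
        print(f"{name:8} -> {'ALERT ' + rule['options']['msg'] if fired else 'no alert'}")
```

The three packets are the point of the exercise: the trigger packet produces the alert you screenshot in step f, the benign packet shows the rule staying quiet, and the off-net packet shows that a content match alone is not enough, every header field has to match too. Keeping that distinction in mind helps when describing the rule entry in Sguil (step 21) and when reasoning about the false positive and false negative questions (14 and 19) above.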
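For Practical Lab 2 above and question 8, the following added example (not from the course and not the behaviour of Windows Disk Management or any RAID driver) simulates in memory what the RAID 5 set built from Disks 1 to 4 does: data is striped across the disks with one XOR parity block per stripe, the parity position rotates from stripe to stripe, and any single failed disk is rebuilt from the survivors. Disk contents are constructed byte strings, and the block and stripe sizes are illustrative.

```python
"""RAID 5 striping with rotating XOR parity, simulated in memory.

Added example for Practical Lab 2 (Disks 1-4 as RAID 5) and question 8.
It is not the behaviour of Windows Disk Management or mdadm, only the
arithmetic that lets a RAID 5 set survive the loss of any single disk.
Disk contents are constructed byte strings; block and stripe sizes are
illustrative.
"""

BLOCK = 4  # bytes per block; tiny so the stripes are easy to inspect


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity function."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_disks=4, block=BLOCK):
    """Stripe data across n_disks; each stripe holds n_disks-1 data blocks
    and one parity block, with the parity position rotating per stripe so
    that no single disk carries all the parity."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs at least three disks")
    per_stripe = (n_disks - 1) * block
    padded = data + b"\0" * (-len(data) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * block:(i + 1) * block] for i in range(n_disks - 1)]
        parity_disk = (n_disks - 1 - s) % n_disks
        parity = xor_blocks(data_blocks)
        it = iter(data_blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, length):
    """Read data back in stripe order, skipping the parity block of each stripe."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = (n - 1 - s) % n
        for d in range(n):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def rebuild_disk(disks, failed):
    """Regenerate a failed disk (passed as None) from the XOR of the survivors.
    The same XOR recovers a data block and a parity block alike."""
    survivors = [d for d in disks if d is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("RAID 5 can rebuild exactly one failed disk")
    rebuilt = []
    for s in range(len(survivors[0])):
        rebuilt.append(xor_blocks([disks[d][s] for d in range(len(disks)) if d != failed]))
    return rebuilt


def usable_capacity(n_disks, disk_size):
    """One disk's worth of space goes to parity, spread over all the disks."""
    return (n_disks - 1) * disk_size


def demo(failed=2):
    """Write, lose one disk, rebuild it onto a spare, and confirm that both the
    data and the original disk image come back intact."""
    data = b"Contingency plan: RAID 5 keeps the volume online when one disk fails."
    disks = raid5_write(data)
    lost = disks[failed]
    degraded = [None if d == failed else disks[d] for d in range(len(disks))]
    spare = rebuild_disk(degraded, failed)
    degraded[failed] = spare
    return raid5_read(degraded, len(data)) == data and spare == lost


if __name__ == "__main__":
    print("rebuild after single-disk failure OK:", demo())
    print("usable space from 4 x 1000 GB:", usable_capacity(4, 1000), "GB")
```

Usable capacity is (n-1)/n of the raw space, which is the cost-versus-redundancy trade-off question 8 refers to. Losing a second disk before the rebuild finishes leaves the XOR with two unknowns per stripe, which is why the mirror on Disk 6 and the backups in Practical Lab 3 still belong in the contingency strategy.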