225. Computer incident response process is a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls
Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Preventive controls deter security incidents from happening in the first place. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented.
Scenario-Based Questions, Answers, and Explanations
Use the following information to answer questions 1 through 5.
The ERD Company has just had a theft of 2.5 million dollars via the Internet. The IT management believes the cause to be malware installed by an attacker. This represents 2 percent of the company’s total assets. The senior executives have been notified, but they will not be available for the next 36 hours. The last policy update for incident response was 4 years ago. Since the update, the people in charge of incident handling have left the company. The contact information for the virtual team is not current.
1. A search of the malware database did not lead to the identification of the worm. In analyzing the current state of the host, the incident handler feels that the worm has created a backdoor. Which of the following aspects of the host’s current state can identify that backdoor?
a. Unusual connections
b. Unexpected listening ports
c. Unknown processes
d. Unusual entries
2. A worm has infected a system. From a network data analysis perspective, which of the following contains more detailed information?
a. Network-based IDS and firewalls
b. Routers
c. Host-based IDS and firewalls
d. Remote access servers
Network-based IDS is incorrect because it indicates which server was attacked and on what port number, which in turn shows which network service was targeted. Network-based firewalls are typically configured to log blocked connection attempts, including the intended destination IP address and port number. Other perimeter devices that the worm traffic may have passed through, such as routers, VPN gateways, and remote access servers, may record information similar to that logged by network-based firewalls.