
CR Examples

Sample Case Scenario Analysis:


You have been appointed as CISO (Chief Information Security Officer) for ABC Company. Very
often, the Chief Information Officer (CIO) delegates much of the responsibility for risk
management to the CISO. Given that contingency planning is considered part of the risk
management process, the CISO has conducted a risk assessment that includes the major
threats and attacks shown in the table below. This risk assessment will later become the input to
the BIA process of your contingency plan.
1. NOTE: this is just a sample; create your own table of threats, their corresponding attacks and
their prioritization using weighted score analysis (see the PowerPoint slides).



Task 1: Threat categories/attacks & prioritization
Categorize the threats faced by today's organizations along with their types of attacks, then use
the weighted score analysis technique to prioritize them from high through medium to low.
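The weighted score analysis Task 1 asks for, carried through as an added example (not part of the course handout). The threat categories, the attacks paired with them, the four criteria, their weights and every rating are constructed for illustration; the course's own weights live in the PowerPoint slides the handout refers to, which this page does not include. Each threat gets a rating of 1 to 5 per criterion, the score is the weighted sum, and fixed bands turn the score into the high/medium/low priority the task wants.

```python
"""Weighted score (weighted factor) analysis for Task 1's threat prioritisation.

Added example, not part of the course handout. Categories, attacks, criteria,
weights and ratings are all constructed; the course's own weights are in its
PowerPoint slides, which are not on this page.
"""
from dataclasses import dataclass

# Criteria and their percentage weights; they must sum to 100.
WEIGHTS = {
    "likelihood": 30,         # how probable the attack is in the planning period
    "impact": 40,             # damage to confidentiality, integrity, availability
    "recovery_cost": 20,      # effort and money needed to restore normal operation
    "detect_difficulty": 10,  # how hard the attack is to notice promptly
}

# Priority bands on the 100..500 score range (rating 1..5 times the weights).
HIGH, MEDIUM = 400, 250


@dataclass(frozen=True)
class Threat:
    category: str   # threat category, as in the textbook's threat list
    attack: str     # the attack that realises the threat
    ratings: dict   # criterion -> rating 1 (lowest) .. 5 (highest)


# Constructed sample table; ratings are illustrative, not measured.
THREATS = [
    Threat("Deliberate software attack", "Malware (worm/ransomware)",
           {"likelihood": 5, "impact": 5, "recovery_cost": 4, "detect_difficulty": 3}),
    Threat("Deliberate act of sabotage", "Denial of service on the web server",
           {"likelihood": 4, "impact": 4, "recovery_cost": 2, "detect_difficulty": 1}),
    Threat("Deliberate act of trespass", "Unauthorized access via stolen credentials",
           {"likelihood": 3, "impact": 5, "recovery_cost": 3, "detect_difficulty": 5}),
    Threat("Human error or failure", "Inappropriate use of company systems",
           {"likelihood": 4, "impact": 2, "recovery_cost": 1, "detect_difficulty": 3}),
    Threat("Technical hardware failure", "Disk or power-supply failure",
           {"likelihood": 3, "impact": 3, "recovery_cost": 3, "detect_difficulty": 1}),
    Threat("Forces of nature", "Flood in the server room",
           {"likelihood": 1, "impact": 5, "recovery_cost": 5, "detect_difficulty": 1}),
    Threat("Technological obsolescence", "Unsupported legacy operating system",
           {"likelihood": 2, "impact": 2, "recovery_cost": 2, "detect_difficulty": 2}),
]


def weighted_score(threat, weights=WEIGHTS):
    """Sum of weight x rating over all criteria (an integer from 100 to 500)."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    missing = set(weights) - set(threat.ratings)
    if missing:
        raise ValueError(f"{threat.attack}: no rating for {sorted(missing)}")
    for crit, rating in threat.ratings.items():
        if not 1 <= rating <= 5:
            raise ValueError(f"{threat.attack}: rating for {crit} must be 1..5")
    return sum(weights[c] * threat.ratings[c] for c in weights)


def priority(score):
    """Map a weighted score to the High / Medium / Low band."""
    return "High" if score >= HIGH else "Medium" if score >= MEDIUM else "Low"


def prioritise(threats=THREATS, weights=WEIGHTS):
    """Return (category, attack, score, priority) tuples, highest score first."""
    rows = [(t.category, t.attack, weighted_score(t, weights)) for t in threats]
    rows.sort(key=lambda row: row[2], reverse=True)
    return [(c, a, s, priority(s)) for c, a, s in rows]


def render(rows):
    """Plain-text table suitable for pasting into the Task 1 write-up."""
    header = f"{'Threat category':<30} {'Attack':<44} {'Score':>5}  Priority"
    body = [f"{c:<30} {a:<44} {s:>5}  {p}" for c, a, s, p in rows]
    return "\n".join([header] + body)


if __name__ == "__main__":
    print(render(prioritise()))
```

Run it as a script to print the ranked table. The validation in `weighted_score` is deliberate: a weights row that does not sum to 100, or a rating outside 1 to 5, silently distorts the ranking, so the function refuses such input instead of producing a plausible-looking but wrong priority list.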

Since the responsibility for creating an organization's IR plan often falls among the CISO's major duties,
you have selected members from each community of interest to form the CSIRT that will
execute the IR plan.
For every potential attack scenario, the IR team creates the incident plan, which is made up of
three sets of incident-handling procedures. These procedures address the steps to be taken during,
after, and before an incident.
Task 2: Choose and document one of the incident-handling procedures below, covering the steps to take during
the incident, after the incident and before the incident.
A) Handling DOS Incident (Page 278)
B) Handling Malware Incident (Page 282)
C) Unauthorized Access (Page 287)
D) Inappropriate Use (Page 295)
Note: preferably use of a template.

One of the most widely used automated incident response technologies is the IDPS.
Task 3: IDPS
Explain the components of an intrusion detection and prevention system. Draw a simple
LAN/WAN diagram indicating best practices for IDPS placement.

Practical Lab 1:
Using Security Onion to simulate an attack or incident and the action to be taken.
Description:
In this practical lab you will use the Security Onion virtual machine to create a new rule for use by
Snort. You will then test the rule using the Scapy application to create and transmit a packet
designed to trip the rule. Finally, you will use the Sguil application to verify that the rule fired
correctly.
Submit your work as an MS Word document on the network path below:
T:\Shared\Wissam Safeh\Student\CSF 3103 _ 04B5CSF21 _ Final _ Practical Submission
Tasks                                                        Marks Allocated   Marks Granted
1. Title/Objectives                                          1
2. Tools Used                                                1
3. Step-by-step screenshots                                  7
   a) sudo vi /etc/nsm/rules/local.rules
   b) Type the alert statement
   c) sudo /usr/bin/rule-update (restart Snort successfully)
   d) sudo scapy (sent 1 packets)
   e) Login to Sguil
   f) Rule entry in Sguil
   g) Show packet data & show rule
4. Describe Scapy: what is it used for?                      2
5. Describe Snort: what is it used for?                      2
6. Describe Sguil: what is it used for?                      2
7. Problems / solutions                                      1
8. Describe the rule alert (step 6)                          1
9. Describe the rule entry in Sguil (step 21)                1
10. Conclusion (3) & Recommendations (3)                     6
Total marks                                                  24
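The lab's steps (b) and (d), an alert statement for /etc/nsm/rules/local.rules and a Scapy packet built to trip it, worked through as an added example that is not part of the course handout nor of the Snort or Scapy projects. The rule text, the TEST-NET addresses 192.0.2.10 (Security Onion sensor) and 192.0.2.20 (sending VM) and the marker string CSF3103-TEST are all constructed. The small parser and matcher below exist so the reader can see, without the VM, why the test packet fires the rule and an ordinary ping does not; they handle only the rule options the example uses, not Snort's full language.

```python
"""Snort local rule for Security Onion and the Scapy packet that trips it.

Added example, not the course's or the Snort/Scapy projects' own code. The
rule, the 192.0.2.x lab addresses and the CSF3103-TEST marker are constructed;
/etc/nsm/rules/local.rules and rule-update are the lab's own names.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Step (b): the alert statement to add to /etc/nsm/rules/local.rules.
# Local rules use SIDs of 1000000 and above so they never collide with the
# downloaded rule sets that `sudo rule-update` (step c) reloads into Snort.
LOCAL_RULE = (
    'alert icmp any any -> any any '
    '(msg:"LOCAL CSF3103 Scapy test packet"; content:"CSF3103-TEST"; '
    'sid:1000001; rev:1;)'
)

# Step (d): the line typed at the `sudo scapy` prompt on the sending VM.
# Scapy prints "Sent 1 packets." once the packet has left the interface.
SCAPY_COMMAND = 'send(IP(dst="192.0.2.10")/ICMP()/"CSF3103-TEST")'


@dataclass(frozen=True)
class Packet:
    """Just the fields the rule header and its content option look at."""
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    payload: bytes


# Constructed packets: the Scapy test packet, and an ordinary ping the rule
# must ignore (a rule that fires on every ping is a false-positive generator).
TEST_PACKET = Packet("icmp", "192.0.2.20", None, "192.0.2.10", None, b"CSF3103-TEST")
PLAIN_PING = Packet("icmp", "192.0.2.20", None, "192.0.2.10", None, b"abcdefghijkl")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> dict:
    """Parse the header and the plain 'key:value;' options of one Snort rule.

    Only the option subset used above is handled (msg, content, sid, rev);
    a ';' inside a quoted option value would need a real tokenizer.
    """
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, value = opt.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    if int(opts.get("sid", "0")) < 1_000_000:
        raise ValueError("local rules must use sid >= 1000000")
    rule["opts"] = opts
    return rule


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or spec == addr


def _port_ok(spec: str, port: Optional[int]) -> bool:
    return spec == "any" or (port is not None and int(spec) == port)


def matches(rule: dict, pkt: Packet) -> bool:
    """Apply the rule header, then the content option, to one packet."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    forward = (_addr_ok(rule["src"], pkt.src) and _port_ok(rule["sport"], pkt.sport)
               and _addr_ok(rule["dst"], pkt.dst) and _port_ok(rule["dport"], pkt.dport))
    reverse = (rule["dir"] == "<>" and _addr_ok(rule["src"], pkt.dst)
               and _port_ok(rule["sport"], pkt.dport) and _addr_ok(rule["dst"], pkt.src)
               and _port_ok(rule["dport"], pkt.sport))
    if not (forward or reverse):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.payload


def fired(rule_text: str, packets) -> list:
    """Alert lines, in Snort's fast-alert style, the rule produces for the packets."""
    rule = parse_rule(rule_text)
    o = rule["opts"]
    return [f'[1:{o["sid"]}:{o["rev"]}] {o["msg"]} {{{p.proto.upper()}}} {p.src} -> {p.dst}'
            for p in packets if matches(rule, p)]


def build_test_packet():
    """The real Scapy packet for step (d); returns None when Scapy is not installed."""
    try:
        from scapy.all import IP, ICMP
    except ImportError:
        return None
    return IP(dst="192.0.2.10") / ICMP() / b"CSF3103-TEST"


if __name__ == "__main__":
    for line in fired(LOCAL_RULE, [TEST_PACKET, PLAIN_PING]):
        print(line)
```

The `content` option is what keeps the rule honest: without it the header `icmp any any -> any any` matches every ICMP packet on the segment, and Sguil fills with noise that hides the one event step (f) asks you to find. Checking the parsed SID against the 1000000 floor mirrors the convention that keeps local rules from overwriting downloaded ones after rule-update.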


Practical Lab 2
Using a Linux VM or Windows Server 2008, create RAID volumes as one of the contingency strategies.
Note: students have already covered how to configure RAID Level 1 in the CSF 2903 course.
Convert Disk 1, Disk 2, Disk 3 and Disk 4 into a RAID 5 configuration.
Create a 500 MB simple volume on Disk 5 and create a mirror of this volume on Disk 6.
Create a spanned volume from the unallocated space on Disk 5 and Disk 6.
You can do all of these on a VM.
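What the RAID 5 set on Disk 1 to Disk 4 and the Disk 5/Disk 6 mirror actually buy you as a contingency strategy, shown in miniature as an added example (not part of the course handout). The disk numbering follows the lab; the 4-byte chunk size and the sample payload are constructed, and real arrays stripe in 64 KiB or more. The code stripes data with rotating XOR parity, reads it back, rebuilds any one failed disk from the survivors, and shows why a mirror still serves reads with one copy gone.

```python
"""RAID 5 striping with rotating parity and RAID 1 mirroring, in miniature.

Added example, not part of the course handout. It models the lab's Disk 1 to
Disk 4 RAID 5 set and the Disk 5 / Disk 6 mirror as Python lists of chunks,
so the fault tolerance of each layout can be checked without a VM.
"""
CHUNK = 4  # bytes per stripe chunk (constructed; real arrays use 64 KiB or more)


def xor_bytes(*chunks):
    """Bitwise XOR of equal-length chunks; this is exactly what RAID 5 parity is."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def _parity_disk(stripe, ndisks):
    # Parity rotates one disk to the left per stripe (left-symmetric layout),
    # so no single disk becomes the write bottleneck as it would in RAID 4.
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data, ndisks=4, chunk=CHUNK):
    """Stripe data across ndisks disks; returns one list of chunks per disk."""
    ndata = ndisks - 1
    stripe_bytes = chunk * ndata
    data += b"\0" * ((-len(data)) % stripe_bytes)   # pad out the final stripe
    disks = [[] for _ in range(ndisks)]
    for s in range(len(data) // stripe_bytes):
        stripe = data[s * stripe_bytes:(s + 1) * stripe_bytes]
        pieces = [stripe[i * chunk:(i + 1) * chunk] for i in range(ndata)]
        parity = _parity_disk(s, ndisks)
        data_iter = iter(pieces)
        for d in range(ndisks):
            disks[d].append(xor_bytes(*pieces) if d == parity else next(data_iter))
    return disks


def raid5_read(disks, length):
    """Read the data back, skipping the parity chunk of each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity = _parity_disk(s, ndisks)
        out += b"".join(disks[d][s] for d in range(ndisks) if d != parity)
    return bytes(out[:length])


def raid5_rebuild(disks, failed):
    """Recreate one failed disk: XOR of the survivors restores data or parity alike.

    Only one failure is recoverable; with two disks gone the XOR has no solution,
    which is why a RAID 5 set needs a prompt rebuild, not just a spare on the shelf.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes(*chunks) for chunks in zip(*survivors)]


def raid1_write(data):
    """Disk 5 and its mirror on Disk 6 hold identical copies."""
    return [data, data]


def raid1_read(disks):
    """Either copy serves reads, so one disk may be missing (None)."""
    return next(d for d in disks if d is not None)


def usable_capacity(disk_size, ndisks, level):
    """Usable space: RAID 5 gives up one disk to parity, RAID 1 gives up half."""
    return {5: disk_size * (ndisks - 1), 1: disk_size * ndisks // 2}[level]


if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"
    array = raid5_write(payload)
    array[2] = raid5_rebuild(array, 2)      # replace a failed Disk 3 and rebuild it
    print(raid5_read(array, len(payload)))
```

A spanned volume, the lab's third task, is the opposite case: it concatenates the free space on Disk 5 and Disk 6 with no parity and no copy, so losing either disk loses the whole volume. The example omits it because there is nothing to recover.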


Practical Lab 3
Use Windows Server 2008 Backup and Recovery to back up to an external hard disk drive or USB flash
memory.

Or use the Security Onion backup lab.


Example of SR Questions

1. A(n) ____ is an investigation and assessment of the impact that various attacks can have on the
organization.
*a) BIA
b) intellectual property
c) incident
d) threat

2. A(n) ____ is any clearly identified attack on the organization's information assets that would threaten
the assets' confidentiality, integrity, or availability.
a) threat
b) Trojan horse
c) worm
*d) incident

3. A(n) ____ is prepared by the organization to anticipate, react to, and recover from events that
threaten the security of information and information assets in the organization, and, subsequently, to
restore the organization to normal modes of business operations.
a) threat
b) social plan
*c) contingency plan
d) asset

4. ________ plan runs concurrently with DRP when the damage is major or long term, requiring more
than simple restoration of information and information resources and establishes critical business
functions at an alternate site.
a) IR
b) DR
*c) BC
d) CP

5. The ____ is the period of time within which systems, applications, or functions must be recovered
after an outage.
a) recovery point objective
b) dependency objective
*c) recovery time objective
d) training objective

6. A(n) ____ is a fully configured computer facility with all services, communications links, and physical
plant operations that is capable of establishing operations at a moment's notice.
*a) hot site
b) independent site
c) electronic vault
d) cold site

7. The ____ is the location or group of locations at which the organization executes its functions.
*a) primary site
b) secondary site
c) backup site
d) Towers of Hanoi

8. ____ is most commonly used in organizations that balance safety and redundancy against the costs of
acquiring and operating the systems.
a) RAID level 4
*b) RAID level 5
c) RAID level 0
d) RAID level 7

9. ____ is the storage of duplicate online transaction data, along with the duplication of the databases at
the remote site to a redundant server.
a) Remote journaling
b) Electronic vaulting
c) Hot swapping
*d) Database shadowing

10. ____ is the transfer of live transactions to an off-site facility.
a) Electronic vaulting
*b) Remote journaling
c) Database shadowing
d) Data warehousing

11. A favorite pastime of information security professionals is ____, which is realistic, head-to-head
attack-and-defend practice of information security attacks and incident response methods.
a) simulation
*b) war gaming
c) parallel testing
d) structured walk-through

12. A(n) ____ is a detailed set of processes and procedures that anticipate, detect, and mitigate the
effects of an unexpected event that might compromise information resources and assets.
a) announcement plan
b) awareness plan
c) risk analysis plan
*d) incident response plan

13. The responsibility for creating an organization's IR plan usually falls to the ____.
a) database administrator
b) project manager
c) forensic expert
*d) chief information security officer

14. A ____ is an alarm or alert that indicates that an attack is in progress or that an attack has
successfully occurred when in fact there was no such attack.
*a) false positive
b) false negative
c) Confidence Value
d) site policy

15. A(n) ____ is an event that triggers alarms and causes a false positive when no actual attacks are in
progress.
a) alert
b) false negative
*c) false attack stimulus
d) True Attack Stimulus

16. A(n) ____ is an indication that a system has just been attacked or continues to be under attack.
a) event
*b) alert
c) stimulus
d) honeypot

17. A(n) ____ is designed to be placed in a network to determine whether or not the network is being
used in ways that are out of compliance with the policy of the organization.
a) alert
b) security policy
*c) intrusion detection system
d) DNS cache

18. ________ triggers an alert or alarm when one of the following changes occurs: file attributes change,
new files are created, or existing files are deleted.
a) IDS
b) IPS
*c) HIDS
d) NIDS

19. The failure of an IDS system to react to an actual attack event is known as a ____.
a) false positive
*b) false negative
c) Confidence Value
d) site policy

20. When placed next to a hub, switch, or other key networking device, the NIDS may use that device's
monitoring port, also known as a(n) ____ port or mirror port.
a) SWAN
b) HIDS
c) NIDS
*d) SPAN

21. Which of the following is an advantage of outsourcing the incident response process?
a) Potential loss of control of response to incidents
b) Possible exposure of classified organizational data to service providers
c) Locked in to proprietary equipment and services
*d) 24/7 monitoring

22. Being directed against information assets owned or operated by the organization, having a realistic
chance of success, and threatening the C.I.A. of information resources and assets are characteristics of an
information security __________.
a) policy
b) risk response
c) threat agent
*d) incident

23. _______________ is the foundation of the incident response program. It defines which events are
considered incidents, establishes the organizational structure for incident response, defines roles and
responsibilities, and lists the requirements for reporting incidents, among other items.
a) Disaster Recovery Policy
*b) Incident response policy
c) Contingency Plan Policy
d) Business Impact Analysis Policy

24. A(n) ____ is a document containing contact information for the individuals that need to be notified
in the event of an actual incident.
a) sequential roster
b) hierarchical roster
c) root roster
*d) alert roster

25. Incident ____________________ strategies focus on two tasks: stopping the incident and recovering
control of the affected systems.
*a) containment
b) Preparation
c) detection
d) post-incident activity

26. Once an incident has been contained, and system control has been regained, incident
____________________ can begin.
a) reaction
*b) recovery
c) preparation
d) classification

27. The ____ is a scripted description of the incident and consists of just enough information so that
each responder knows what portion of the IR plan to implement without impeding the notification
process.
a) sequential roster
*b) alert message
c) hierarchical roster
d) alert roster

28. Based on recommendations by the management team, this group can work from preauthorized
purchase orders to quickly order replacement equipment, applications, and services, as the individual
teams work to restore recoverable systems.
a) Logistics Team
*b) Vendor Team
c) Data Management Team
d) Business Interface Team

30. The ____ should contain the specific and detailed guidance and procedures for restoring lost or
damaged capability.
a) Forensic report
b) Event schedule
c) Contingency report
*d) DR planning document

31. The _______ assembles a disaster recovery team.
*a) CPMT
b) AAR
c) CIRST
d) PAR

32. When developing the LAN contingency plan, the contingency planning coordinator should identify
____ that affect critical systems or processes outlined in the BIA.
a) Events
b) Filters
c) Servers
*d) Single points of failure

33. ____ are those that occur suddenly, with little warning, taking the lives of people and destroying the
means of production.
a) Slow onset disasters
b) Communication disasters
*c) Rapid onset disasters
d) Data disasters

34. ____ system components are critical to ensure that a failure of a system component, such as a
power supply, does not cause a system failure.
a) Restore
b) Contingency
c) BIA
*d) Redundant

35. ______________ is the preparation for and recovery from a disaster, whether natural or man-made.
a) IRP
*b) DRP
c) CP
d) BIA

36. During the ____ phase the organization begins the recovery of the most time-critical business
functions - those necessary to reestablish business operations and prevent further economic and image
loss to the organization.
*a) recovery
b) Risk analysis
c) Parallel testing
d) Audit review

37. __________ focuses on functions that are not as critical.
a) Recovery phase
*b) Resumption phase
c) Restoration phase
d) Data-management practices

38. __________ focuses on critical business operations.
*a) Recovery phase
b) Resumption phase
c) Restoration phase
d) Data preparation practices

39. The ____ team is responsible for reestablishing connectivity between systems and to the Internet (if
applicable).
a) Applications recovery
b) System recovery
c) Storage recovery
*d) Network recovery

40. ____ requires effective backup strategies and flexible hardware configurations.
a) War gaming
b) DR plan simulation
c) System response
*d) Data recovery
