- When you are notified that a user’s workstation or system is acting strangely and log files indicate system compromise, what is the first thing you should do to the workstation or system and why?
The first thing you should do is to isolate and quarantine the workstation. This is done in an attempt to stop the spread of the infection and/or close off access to the perpetrator.
- When an antivirus program identifies a virus and quarantines this file, has the malware been eradicated?
No, this means the identified virus has been isolated so that it can no longer be activated. This does not mean that all malicious software has been eradicated or that all of it is even quarantined, given that a virus scan can potentially miss newer viruses if the antivirus software’s signature database is not up to date.
- What is the SANS Institute’s six-step incident handling process?
Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.
- What is the risk of starting to contain an incident prior to completing the identification process?
There is no risk in taking the infected workstation offline to prevent contamination of other workstations or servers on the network. The isolated machine should not be powered off; it should be left in its steady state for further analysis.
- Why is it a good idea to have a security policy that defines the incident response process in your organization?
It is a good idea to have a security policy that defines the incident response process because it would allow for users to act quickly and efficiently in the case of an attack/breach. At the very minimum the security policy would list who to notify in this type of situation.
- The post-mortem, lessons learned step is the last in the incident response process. Why is this the most important step in the process?
There should always be a follow-up meeting to discuss the incident and make suggestions to improve the incident handling plan. Focus on preventing future occurrences of the incident that just happened.
The lessons learned during the debriefing can then be used to determine the changes that will be made to improve the incident response process next time it is put into effect.