CISSP® Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Lessons Learned
During the lessons learned stage, personnel examine the incident and the response to it to see if there are any lessons to be learned. The incident response team will be involved in this stage, but other employees who are knowledgeable about the incident will also participate.

While examining the response to the incident, personnel look for any areas where they can improve their response. For example, if it took a long time for the response team to contain the incident, the examination tries to determine why. It might be that personnel didn't have adequate training and lacked the knowledge and expertise to respond effectively. They may not have recognized the incident when they received the first notification, allowing an attack to continue longer than necessary. First responders may not have recognized the need to protect evidence and may have inadvertently corrupted it during the response.

Remember, the output of this stage can be fed back to the detection stage of incident management. For example, administrators may realize that attacks are getting through undetected, increase their detection capabilities, and recommend changes to their intrusion detection systems.

It is common for the incident response team to create a report when they complete a lessons learned review. Based on the findings, the team may recommend changes to procedures, the addition of security controls, or even changes to policies. Management will decide which recommendations to implement and is responsible for the remaining risk for any recommendations they reject.


Delegating Incident Response to Users

In one organization, the responsibility to respond to computer infections was extended to users. Close to each computer was a checklist that identified common symptoms of malware infection. If users suspected their computers were infected, the checklist instructed them to disconnect the NIC and contact the help desk to report the issue. By disconnecting the NIC, they helped contain the malware to their system and stopped it from spreading any further.

This isn't possible in all organizations, but in this case, users were part of a very large network operations center and they were all involved in some form of computer support. In other words, they weren't typical end users but instead had a substantial amount of technical expertise.
Implementing Detective and Preventive Measures

Ideally, an organization can avoid incidents completely by implementing preventive countermeasures. This section covers several preventive security controls that can prevent many attacks and describes many common, well-known attacks. When an incident does occur, an organization will want to detect it as soon as possible. Intrusion detection and prevention systems are one of the ways organizations detect incidents, and they are also covered in this section, along with some specific measures organizations can take to detect and prevent successful attacks.
You may notice the use of both preventative and preventive. While most documentation currently uses only preventive, the CISSP objectives include both usages. For example, Domain 1 includes references to preventive controls. This chapter covers objectives from Domain 7, and Domain 7 refers to preventative measures. For simplicity, we are using preventive in this chapter, except when quoting the CISSP objectives.
