IS4560 Lab 9
1. When you are notified that a user's workstation or system is acting strangely and log files indicate system compromise, what is the first thing you should do to the workstation or system and why?
Inform the IT help desk to have the user cease all activity on the workstation and to wait for you to arrive at the physical desktop location. The workstation must first be physically disconnected from the network, leaving it physically isolated but not powered off. It should be left in its steady state.
This isolates the contaminated workstation from the organization's network and the Internet, as well as preventing the contamination from spreading. Logs, memory forensics, ...
f. Lessons Learned
6. What is the risk of starting to contain an incident prior to completing the identification process?
If the cause of the security incident has not been identified, re-infection may occur if the problem or vulnerability has not been fixed.
7. Why do you want to have the incident response handled by the security incident response team and not the IT organization?
There must be a separation of duties to provide an unbiased and objective assessment of the contamination and compromise.
If there is a violation of security policies and IT standards, then this must be mentioned in the report.
This is similar to an audit, which is performed by an independent third party or other outside reviewers.
8. Do you think it is a good idea to have a security policy defining the incident response process in your organization?
The organization should have a security policy defining the roles, responsibilities, and processes for performing an incident response for the organization. This should include the process, security incident response team members, goals and objectives, and the scope of the policy. This policy will help streamline authorizations and define which executive...