Page 1265 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Summary


The CISSP Security Operations domain lists six specific incident response steps. Detection is the first step and can come from automated tools or from employee observations. Personnel investigate alerts to determine if an actual incident has occurred, and if so, the next step is response. Containment of the incident is important during the mitigation stage. It's also important to protect any evidence during all stages of incident response. Reporting may be required based on governing laws or an organization's security policy. In the recovery stage, the system is restored to full operation, and it's important to ensure that it is restored to at least as secure a state as it was in before the attack. The remediation stage includes a root cause analysis and will often include recommendations to prevent a reoccurrence. Last, the lessons learned stage examines the incident and the response to determine if there are any lessons to be learned.

Several basic steps can prevent many common attacks. They include keeping systems and applications up-to-date with current patches, removing or disabling unneeded services and protocols, using intrusion detection and prevention systems, using anti-malware software with up-to-date signatures, and enabling both host-based and network-based firewalls.

Denial-of-service (DoS) attacks prevent a system from processing or responding to legitimate requests for service and commonly attack systems accessible via the internet. The SYN flood attack disrupts the TCP three-way handshake, sometimes consuming resources and bandwidth. While the SYN flood attack is still common today, other attacks are often variations on older attack methods. Botnets are often used to launch distributed DoS (DDoS) attacks. Zero-day exploits are previously unknown vulnerabilities. Following basic preventive measures helps to prevent successful zero-day exploit attacks.
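A SYN flood leaves handshakes half-open (the server sees a SYN but never the client's final ACK), so a defender can spot one by counting, per source address, how many handshakes were opened and never completed. The detector below is an added example, not code from the study guide; the record format and the sample packet list are constructed for illustration, and the threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, src_port, flags).
# "S" = the client's SYN that opens a handshake; "A" = the client's final ACK
# that completes the TCP three-way handshake (SYN -> SYN/ACK -> ACK).
SAMPLE_RECORDS = [
    ("203.0.113.5", 40001, "S"), ("203.0.113.5", 40001, "A"),   # normal client
    ("203.0.113.5", 40002, "S"), ("203.0.113.5", 40002, "A"),   # normal client
    ("198.51.100.9", 50001, "S"),                                # opened, never ACKed
    ("198.51.100.9", 50002, "S"),
    ("198.51.100.9", 50003, "S"),
    ("198.51.100.9", 50004, "S"),
    ("198.51.100.9", 50005, "S"), ("198.51.100.9", 50005, "A"),  # one completed
]


def half_open_per_source(records):
    """Return {src_ip: number of handshakes that received a SYN but no final ACK}.

    Each (src_ip, src_port) pair identifies one handshake attempt. A SYN adds
    it to the pending set; the matching ACK removes it. Whatever is still
    pending at the end is a half-open connection the server is holding state for.
    """
    pending = set()
    for src_ip, src_port, flags in records:
        key = (src_ip, src_port)
        if flags == "S":
            pending.add(key)
        elif flags == "A":
            pending.discard(key)   # discard: an ACK with no prior SYN is ignored
    counts = defaultdict(int)
    for src_ip, _ in pending:
        counts[src_ip] += 1
    return dict(counts)


def flag_syn_flood_sources(records, max_half_open=3):
    """Sources whose half-open handshake count exceeds the assumed threshold."""
    return sorted(src for src, n in half_open_per_source(records).items()
                  if n > max_half_open)


if __name__ == "__main__":
    print(half_open_per_source(SAMPLE_RECORDS))     # {'198.51.100.9': 4}
    print(flag_syn_flood_sources(SAMPLE_RECORDS))   # ['198.51.100.9']
```

In a real deployment the pending set would be evaluated over a sliding time window rather than over the whole capture, since legitimate handshakes also sit briefly in the half-open state.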


Automated tools such as intrusion detection systems use logs to monitor the environment and detect attacks as they are occurring. Some can automatically block attacks. There are two types of detection methods employed by IDSs: knowledge-based and behavior-based. A