Page 1597 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 17: Preventing and Responding to Incidents
1. Incident response steps listed in the CISSP Security Operations domain are detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
2. Intrusion detection systems can be categorized by where they run (host based or network based), by their detection method (knowledge based or behavior based), and by their response (passive or active).
Host-based IDSs examine events on individual computers in great detail, including file activities, accesses, and processes. Network-based IDSs examine general network events and anomalies through traffic evaluation.
A knowledge-based IDS uses a database of known attack signatures to detect intrusions; it cannot recognize an attack that has no signature in its database. A behavior-based IDS starts with a baseline of normal activity and measures current activity against that baseline to identify abnormal activity; it can catch previously unknown attacks but produces more false positives, since any deviation from the baseline is suspect.
A passive response logs the activity and often provides a notification. An active response directly responds to the intrusion to stop or block the attack.
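The following is an added illustration of the two detection methods and the two response types described above; it is example code written for this summary, not code from the study guide. It runs a toy network IDS over constructed web-server events: a signature database (knowledge based) catches a single injection request, a per-source request-rate baseline (behavior based) catches a rapid scan that matches no signature, and a responder either only logs and notifies (passive) or also blocks the source (active). The event lists, IP addresses, paths, signatures and the 3-sigma threshold are all assumptions made for the example.

```python
"""Toy IDS: knowledge-based and behavior-based detection, passive and active response.
All events below are constructed for the example; none are real traffic."""
import re
import statistics
from collections import Counter

# Knowledge-based detection: a small "database" of known attack patterns (assumed).
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_injection": re.compile(r"(?i)union\s+select|' or '1'='1"),
    "sensitive_file": re.compile(r"/etc/passwd"),
}


def make_events(ip, n, path="/index.html"):
    """Build n constructed (source_ip, request_path) events from one source."""
    return [(ip, f"{path}?page={i}") for i in range(n)]


# Constructed baseline window: ordinary users making a handful of requests each.
BASELINE_EVENTS = (make_events("10.0.0.1", 4) + make_events("10.0.0.2", 5)
                   + make_events("10.0.0.3", 6) + make_events("10.0.0.4", 5)
                   + make_events("10.0.0.5", 5))

# Constructed monitored window: normal users, one rapid scan (no known signature),
# and one SQL injection attempt (a single request, so its rate looks normal).
LIVE_EVENTS = (make_events("10.0.0.1", 5) + make_events("10.0.0.2", 4)
               + make_events("203.0.113.9", 20, "/admin")
               + [("198.51.100.7", "/search?q=' or '1'='1")])


def knowledge_based_detect(events):
    """Return (ip, path, signature_name) for every event matching a known attack."""
    hits = []
    for ip, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((ip, path, name))
                break
    return hits


def build_baseline(events):
    """Learn normal activity: mean and standard deviation of requests per source."""
    counts = Counter(ip for ip, _ in events)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def behavior_based_detect(events, baseline, k=3.0):
    """Flag sources whose request count exceeds mean + k*stdev of the baseline.
    The stdev is floored at 1.0 so a perfectly flat baseline still has a margin."""
    mean, stdev = baseline
    threshold = mean + k * max(stdev, 1.0)
    counts = Counter(ip for ip, _ in events)
    return [(ip, n) for ip, n in counts.items() if n > threshold]


class Responder:
    """Passive response: log and notify. Active response: additionally block the source."""

    def __init__(self, active=False):
        self.active = active
        self.alert_log = []
        self.blocklist = set()

    def respond(self, ip, reason):
        self.alert_log.append(f"ALERT {ip}: {reason}")   # passive part, always done
        if self.active:
            self.blocklist.add(ip)                       # active part: block the attacker


def run_ids(live_events, baseline_events, active=False):
    """Run both detection methods over the live window and hand hits to the responder."""
    responder = Responder(active)
    for ip, path, sig in knowledge_based_detect(live_events):
        responder.respond(ip, f"signature {sig} matched in {path}")
    baseline = build_baseline(baseline_events)
    for ip, n in behavior_based_detect(live_events, baseline):
        responder.respond(ip, f"{n} requests vs baseline mean {baseline[0]:.1f}")
    return responder


if __name__ == "__main__":
    for mode in (False, True):
        r = run_ids(LIVE_EVENTS, BASELINE_EVENTS, active=mode)
        print("active" if mode else "passive", r.alert_log, sorted(r.blocklist))
```

Each method catches what the other misses: the injection request is a single request, so the rate baseline never flags it, while the 20-request scan uses paths that match no signature. In passive mode the responder only fills its alert log; in active mode it also adds both sources to the blocklist.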
3. Auditing is a methodical examination or review of an environment and encompasses a wide variety of activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible.
4. Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management. They can

