978-0840020932 Chapter 18

Authors: Alfred Basta, Nadine Basta, PhD CISSP CISA Mary Brown

Chapter 18: Incident Handling
TRUE/FALSE
1. Organizations that handle and document incidents may be less likely to have repeat occurrences.
2. Defaced-page incidents result in loss of revenue, reputation, and morale of a company.
3. Statistics reveal that most incidents of fraud involve “outside” individuals.
4. The skills represented in an emergency response team always belong to the IT department.
5. How one approaches incident detection can seriously impact the number and kinds of incidents that are detectable.
MULTIPLE CHOICE
1. The most common incidents that affect network security are attacks from malicious code and ____.
a. inside jobs
b. denial-of-service attacks
c. network flooding
d. password cracking
2. This type of incident means an attacker has hacked your Web server.
a. Malicious code
b. Defaced pages
c. Errors and omissions
d. Fraud and theft
3. ____ attacks send a large quantity of packets to a server so that resources are overutilized.
a. Defaced pages
b. Intrusion
c. Errors and omissions
d. Denial-of-service
4. ____ attacks send input data of a greater size than the capacity of an unchecked variable in the server application.
a. Network flooding
b. Stack error
c. Buffer overflow
d. Errors and omissions
5. ____ tools record unusual activities performed by users, such as repeated attempts to connect to the server or attempts to access restricted resources.
a. System-monitoring
b. User-analysis
c. Network analysis
d. Log-analysis
COMPLETION
1. A(n) ____________________ in a computer-security environment is an event that tests the security solutions in place on a network or, in the case of a stand-alone machine, on that machine itself.
2. ____________________ is the most basic form of a DoS attack. Large numbers of requests are sent to the server. This results in the slowing down or failure of the network.
3. ____________________ tools monitor the events of attacks made on specific computers, such as password cracking or executing unauthorized programs.
4. In UNIX and Linux, ____________________ is a dumping ground for automated CRON jobs, as well as various logged functions by applications that do not maintain their own log files.
5. The chief difference between a worm and a virus is that ____________________ replicate in a network.
SHORT ANSWER
1. What are some of the most common events that may indicate an attack in progress?
2. What are some of the reasons to develop effective incident handling policies?
3. What are some of the most common types of incidents that can occur on a network or a computer?
4. What are the key phases of incident handling?
5. Create a checklist for managing a denial-of-service attack.
   1. Identify areas that would be affected if the attack is successful.
   2. Determine the attack method used by the hacker.
   3. Locate a point where the attack can be stopped that will cause minimal disruption.
   4. Implement the procedures that need to be taken to block the attack.
   5. Reestablish normal network conditions.
   6. Analyze any loopholes in network security.
   7. Identify permanent solutions to cover security loopholes.
   8. Implement the chosen solutions.
