Chapter 8: Recovery and Post-Incident Response
-
1. A. The containment, eradication, and recovery phase of incident response includes active undertakings designed to minimize the damage caused by the incident and restore normal operations as quickly as possible.
-
2. C. NIST recommends using six criteria to evaluate a containment strategy: the potential damage to resources, the need for evidence preservation, service availability, time and resources required (including cost), effectiveness of the strategy, and duration of the solution.
-
3. C. In a segmentation approach, the suspect system is placed on a separate network where it has very limited access to other networked resources.
-
4. B. In the isolation strategy, the quarantine network is directly connected to the Internet or severely restricted by firewall rules so that the attacker may continue to control it but not gain access to any other networked resources.
-
5. D. In the removal approach, Alice keeps the systems running...