Chapter 17 Preventing and Responding to Incidents
Domain 7 & 8
Written Lab
- Define an incident.
An incident is any event that has a negative effect on the confidentiality, integrity, or availability of an organization's assets.
- List the different phases of incident management identified in the CISSP Security Operations domain.
Detection, response, mitigation, reporting, recovery, remediation, and lessons learned.
- Describe the primary types of intrusion detection systems.
  - Host-based intrusion detection systems (HIDSs)
  - Network-based intrusion detection systems (NIDSs)
  - Knowledge-based intrusion detection systems (KIDSs) use a database of known attacks to detect intrusions.
  - Behavior-based intrusion detection systems (BIDSs) start with a baseline of normal activity and measure network activity against that baseline to identify abnormal activity. An anomaly-based IDS is a variant of a BIDS.
- Discuss the benefits of a SIEM system.
A SIEM system collects log entries from multiple sources in a centralized application. It can accept data from dissimilar devices and correlate and aggregate all of the data into useful information. It can also be configured to send real-time alerts on specific items of interest.
- Describe the purpose of SOAR technologies.
SOAR stands for security orchestration, automation, and response. It refers to a group of technologies that automatically respond to some incidents. This reduces the workload on administrators.