I have 14 discussions that need to be completed.
EVERY WEEK HAS 2 DISCUSSIONS.
EVERY DISCUSSION HAS 2 BE 200 WORDS OR MORE.
SUBJECT RELATED
GOOD GRAMMAR.
Week 1 Discussions
Please respond to at least two main topics and reply to at least two classmates this week.
Stakeholders in Cyber Incident Response Plan
Discuss the roles and importance of three key stakeholders in the development and design of a cyber incident response plan.
Fire Alarm and Building Evacuation Plans
Occasionally, fire alarm and building evacuation plans are exercised. Is there any value in exercising a cyber incident response plan?
Cyber Incident Response Plan
A cyber incident response plan contains several sections. Are these organizationally dependent, or should they all be addressed regardless of the organization or its functions
Week 2 Discussions
Please respond to both main topics and reply to at least two classmates this week.
Indicator and Precursor
Must post first.
Which would you consider more important: indicators or precursors? Provide examples to support your answer and describe how you would discover the indicator or precursor.
System Logs
Log collection has always proved to be the biggest challenge when it comes to incident analysis. Discuss three types of logs that you would deem important postincident, the method and content collected, and any anomalies (such as time) that you would deem a challenge in event correlation.
Week 3 Discussions
Please respond to at least two main topics and reply to at least two classmates this week.
Key Personnel in Incident Response
Discuss roles and responsibilities of key personnel when handling and responding to an incident.
RAM vs Volatile Data
If you had limited time to conduct incident response collection on a system, would you choose to image RAM, or just collect volatile data? Why would you choose one over the other?
Expenses
When an incident occurs, it incurs expenses. Discuss at least three expenses associated with handling and responding to an incident, and describe the impact of those expenses on an organization.
Week 4 Discussions
Please respond to at least two main topics and reply to at least two classmates this week.
Permanent File Deletion
If you were an attacker, why would you choose to (or not to) permanently delete files from a drive? Given the nature of drives, and the task of reliably deleting a file, is it worth the time and effort to ensure a file is deleted securely?
Imaging Disk
Based on the readings for this week, discuss the advantages and disadvantages of forensically imaging HDDs and SSDs. Is there ever a point in time when it’s more advantageous just to work on the original media?
Running Captured Disk Image
Once a drive image has been captured, is there any way possible to bring it “back to life” and run it as a live system—as a virtual machine or as actual hardware? Would there be any advantage in doing this type of forensic work as it pertains to an exploited system?
Week 5 Discussions
Please respond to at least two main topics and reply to at least two classmates this week.
Common Mistakes in Incident Handling
The McAfee article lists 10 common mistakes of incident responders. Select at least three of the common mistakes listed and describe why you think these particular ones are important. Do you agree with all 10 mistakes? Could the list be narrowed down and still be considered effective?
Decision-Making Processes
In the articles on containment, the decision-making processes define which critical steps to take. Choose one and define a situation where your chosen critical step would apply. Consider the collection of volatile and nonvolatile data and how your critical-step decision would impact the collection effort.
Containment Strategies
The NIST Computer Security Incident Handling Guide, chapter 3, section 3.3.1, lists a small number of criteria for determining appropriate containment strategies. Define three more criteria that would be important in choosing an appropriate containment strategy. Describe why your strategies are important, and what items must be considered with regard to the collection of volatile and nonvolatile data.
Week 6 Discussions
Please respond to both main topics and reply to at least two classmates this week.
Vulnerability Discovery and Removal
The Informit article includes a bulleted list under the heading of “Vulnerability Discovery and Removal.” Prioritize the items in this list from most important (at the top of the list) to least important (at the bottom of the list). Then describe how you would go about locating each item, and why you felt its order of precedence was as you placed it.
Postincident Activities
The HealthIT Security article discusses incident response from a malware perspective. With regard to just the postincident activity section, what lessons learned would you feel worthwhile to document? Would you seek any organizational changes, policy implementations, or changes to existing policies? Finally, would you recommend the organization conduct any refresher training?
Week 7 Discussions
Please respond to at least two main topics and reply to at least two classmates this week.
Trusted Toolset
If you did not have a trusted toolset when you went to perform your initial collection—keeping in mind that time is critical—what would you do? How would you justify your actions for collection?
Data Tampering or Tool Misuse
Find at least one case where data tampering or tool misuse prevented or nearly prevented evidence from being accepted into a court proceeding.