Detecting and Responding to Information System Intrusions

Identifying and Handling Intrusions in Your Organization's Information System


Question

When a possible intrusion into your organization's information system has been detected, which of the following actions should be performed first?

Answers

Explanations



C.

Once an intrusion into your organization's information system has been detected, the first action that needs to be performed is determining to what extent systems and data are compromised (if they really are), and only then taking action.

This is the good old saying: "Do not cry wolf until you know there is a wolf for sure." Sometimes it smells like a wolf and it looks like a wolf, but it may not be a wolf.

Technical problems or bad hardware might cause symptoms that look like an intrusion even though it might not be one. You must make sure that a crime has in fact been committed before implementing your reaction plan.

Information, as collected and interpreted through analysis, is key to your decisions and actions while executing response procedures.

This first analysis will provide information such as what attacks were used, what systems and data were accessed by the intruder, what the intruder did after obtaining access, and what the intruder is currently doing (if the intrusion has not been contained).

The next step is to communicate with relevant parties who need to be made aware of the intrusion in a timely manner so they can fulfil their responsibilities.

Step three is concerned with collecting and protecting all information about the compromised systems and causes of the intrusion.

This information must be carefully collected, labelled, catalogued, and securely stored.

Containing the intrusion, where tactical actions are performed to stop the intruder's access, limit the extent of the intrusion, and prevent the intruder from causing further damage, comes next.

Since it is more of a long-term goal, eliminating all means of intruder access can only be achieved last, by implementing an ongoing security improvement process.
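Step three above (collect, label, catalogue and securely store everything known about the compromised systems) is the one step of this procedure that maps directly onto a small piece of tooling. The script below is an added example, not part of the original question page or the CERT guide: it builds an evidence catalogue for a set of files, giving each item a case label, its SHA-256 digest, size, origin host and collection timestamp, and it can later re-verify that nothing in the collection has been altered. The artifact contents, the host name "web01", the collector "analyst1" and the case id "IR-2024-001" are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts standing in for files you would preserve from a
# compromised host (an auth log and a shell history). Not real data.
SAMPLE_ARTIFACTS = {
    "auth.log": (
        b"Mar 10 02:14:07 web01 sshd[4412]: Accepted password for admin "
        b"from 203.0.113.7 port 51522 ssh2\n"
    ),
    "bash_history": b"whoami\nuname -a\nls /var/www\n",
}


def sha256_of(path, chunk=65536):
    """Stream a file through SHA-256 so large images are hashed without loading them."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def make_sample_artifacts(directory=None):
    """Write the constructed artifacts to disk and return their paths."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="ir-demo-")
    paths = []
    for name, content in SAMPLE_ARTIFACTS.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as handle:
            handle.write(content)
        paths.append(path)
    return paths


def build_catalogue(paths, source_host, collector, case_id):
    """Label and catalogue each artifact: who collected what, from where, when, and its hash."""
    items = []
    for index, path in enumerate(paths, start=1):
        items.append({
            "label": f"{case_id}-{index:03d}",          # unique evidence label
            "source_host": source_host,
            "original_path": os.path.abspath(path),
            "size_bytes": os.path.getsize(path),
            "sha256": sha256_of(path),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"case_id": case_id, "items": items}


def save_catalogue(catalogue, manifest_path):
    """Persist the catalogue and return the manifest's own digest.

    Record that digest in the custody log and keep it apart from the evidence
    store: any later edit to the manifest changes it.
    """
    with open(manifest_path, "w", encoding="utf-8") as handle:
        json.dump(catalogue, handle, indent=2)
    return sha256_of(manifest_path)


def verify_catalogue(catalogue):
    """Return the labels of items that are missing or no longer match their recorded hash."""
    mismatched = []
    for item in catalogue["items"]:
        path = item["original_path"]
        if not os.path.exists(path) or sha256_of(path) != item["sha256"]:
            mismatched.append(item["label"])
    return mismatched


if __name__ == "__main__":
    paths = make_sample_artifacts()
    catalogue = build_catalogue(paths, "web01", "analyst1", "IR-2024-001")
    manifest = os.path.join(os.path.dirname(paths[0]), "manifest.json")
    print("manifest sha256:", save_catalogue(catalogue, manifest))
    print("mismatches after collection:", verify_catalogue(catalogue))
```

Run it as-is to see an intact catalogue verify clean; in practice the originals are imaged read-only, the manifest digest goes into the custody log, and `verify_catalogue` is re-run whenever the evidence changes hands, so that a silent modification of any item shows up as a label in the mismatch list rather than going unnoticed.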

Reference used for this question: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 271-289).

When a possible intrusion into an organization's information system has been detected, the first action that should be performed is to contain the intrusion (Option B).

Containment is the process of isolating the affected system(s) or network(s) from the rest of the organization's infrastructure to prevent further damage. This can involve disconnecting affected systems from the network, disabling user accounts, changing passwords, and taking other actions to prevent the intruder from causing further harm.

Once the intrusion has been contained, the next step should be to determine the extent to which systems and data are compromised (Option C). This includes conducting a thorough investigation to determine what data may have been accessed, stolen, or modified by the intruder.

Once the extent of the intrusion has been determined, the organization should communicate with relevant parties (Option D), including law enforcement, customers, and employees, as appropriate. The goal of communication is to provide accurate and timely information about the intrusion, what data may have been compromised, and what steps the organization is taking to mitigate the damage.

Eliminating all means of intruder access (Option A) is an important step in preventing future intrusions, but it should not be the first step when a possible intrusion has already been detected. Instead, containment, investigation, and communication should be the top priorities to limit the damage and protect the organization's reputation.