Which of the following is the most significant challenge when developing an incident management plan?

Cybersecurity professionals around the world work to prevent security incidents that would undermine the confidentiality, integrity or availability of their organization's information assets. Unfortunately, the stark reality we face is that these incidents are virtually inevitable. Incidents will occur, and organizations should understand the incident response steps that they will take in the event of a cyberattack or other adverse event that has an impact on business operations.

Security incidents are extremely stressful times that place business and IT leaders under enormous pressure to react quickly to minimize damage. This fast-paced, high-pressure environment is not conducive to sound decision-making. Developing an incident response and management plan enables organizations to make many of these important, strategic decisions in advance of an incident. Instead of creating plans in the pressure cooker environment of a security breach, they can carefully think through their decisions in the calm pre-incident environment.

Fortunately, organizations don't need to develop these plans in isolation. Instead, they may follow frameworks developed by thought leaders in the field. The "NIST Computer Security Incident Handling Guide" is widely considered to be the authoritative source for incident response planning efforts. Organizations can begin with this widely adopted approach and tailor it to meet the specific business needs of their environment. For example, the NIST guide outlines a four-step incident response cycle:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication and recovery
  4. Post-incident activity

Organizations developing their own incident response plans can work within this framework to create the policies and procedures that guide their own actions.


Let's take a look at six critical steps that organizations can take when developing their own incident response plans.

The first step in creating an incident response plan is to develop or update the organization's incident remediation and response policy. This foundational document serves as the basis for all incident handling activities and provides incident responders with the authority they need to make crucial decisions. The policy should be approved by as senior an executive as possible and should outline the organization's high-level priorities for incident response.

Importantly, the policy should designate a senior leader as having primary authority and responsibility for incident handling. This person may delegate some or all of their authority to others involved in the incident handling process, but the policy should clearly designate a specific position as bearing primary responsibility for incident response.

When creating a policy, organizations should strive to keep the language high-level and generalized. The policy should serve as a guiding force for incident response but not dive into the granular details. Procedures and playbooks will fill out those details. The objective is to develop a policy that will be long-lasting.

While a single leader should bear primary responsibility for the incident response process, this person leads a team of experts who carry out the many tasks required to effectively handle an information security incident. The size and structure of an incident response team will vary based upon the nature of the organization and the number of incidents that take place. For example, a large global company may have different incident response teams that handle specific geographic areas using dedicated personnel. A smaller organization may use a single centralized team that draws on team members from elsewhere in the organization on a part-time basis. Other organizations may choose to outsource some or all of their incident response efforts.


Whatever team model an organization chooses, team members should be trained on their responsibilities at the various stages of incident handling and conduct regular exercises to ensure that they are ready to respond to future incidents.

Playbooks are the lifeblood of a mature incident response team. While every security incident differs in some ways, the reality is that most incidents follow standard patterns of activity and would benefit from standardized responses. For example, when an employee's smartphone is stolen, the organization may follow some standard steps:

  1. Issue a remote wipe command to the device.
  2. Verify that the device was encrypted.
  3. File a stolen device report with law enforcement and the service provider.
  4. Issue the employee a replacement device.

This sequence of steps forms a basic procedure template for responding to lost or stolen devices -- it's a playbook for handling a device theft. The incident response team does not need to figure out what steps to take every time a device is lost or stolen because they can simply refer to the playbook.

As organizations build out their incident response teams, they should develop a series of playbooks that address their most common incident types.

Incident response efforts involve a significant level of communication between different groups within the organization, as well as external stakeholders. The incident response communication plan should address how these groups will work together during an active incident and the types of information that may be shared with internal and external responders.

One crucial issue that should be addressed by the communication plan is the involvement of law enforcement. Who in the organization is authorized to call in law enforcement, and when is it appropriate to do so? Involving law enforcement often generates adverse publicity, and organizations should make this decision deliberately.

Each incident that occurs is a learning opportunity for the organization. The incident response plan should require a formal lessons-learned session at the conclusion of every major security incident. These sessions should include all team members who played a substantial role in the response and provide an opportunity to identify both security control gaps that contributed to the incident and places where the incident response plan itself can be adjusted. This enables the organization to reduce the likelihood of future incidents and improve its ability to handle those incidents that do occur.

Security incidents occur in every organization. Well-designed incident response plans are often the crucial differentiator that enables organizations to quickly contain the damage from an incident and rapidly recover normal business operations.


Page 2

Security incidents are events that may indicate that an organization's systems or data have been compromised or that measures put in place to protect them have failed.

In IT, a security event is anything that has significance for system hardware or software, and an incident is an event that disrupts normal operations. Security events are usually distinguished from security incidents by the degree of severity and the associated potential risk to the organization.

If just one user is denied access to a requested service, for example, that may be a security event because it could indicate a compromised system. However, the access failure could also be caused by a number of things. Typically, that one event doesn't have a severe impact on the organization.

However, if large numbers of users are denied access, it likely means that there's a more serious problem, such as a denial-of-service attack, so that event may be classified as a security incident.

A security breach is a confirmed incident in which sensitive, confidential or otherwise protected data has been accessed or disclosed in an unauthorized fashion.

Unlike a security breach, a security incident doesn't necessarily mean information has been compromised, only that the information was threatened. For example, an organization that successfully thwarts a cyberattack has experienced a security incident but not a breach.

Nearly every day there's a new headline about one high-profile data breach or another. But there are many more incidents that go unnoticed because organizations don't know how to detect them.

Here are some ways enterprises can detect security incidents:

  • Unusual behavior from privileged user accounts. Any anomalies in the behavior of a privileged user account can indicate that someone is using it to gain a foothold into a company's network.
  • Unauthorized insiders trying to access servers and data. Many insiders will test the waters to determine exactly what systems and data they can access. Warning signs include unauthorized users attempting to access servers and data, requesting access to data that isn't related to their jobs, logging in at abnormal times from unusual locations or logging in from multiple locations in a short time frame.
  • Anomalies in outbound network traffic. It's not just traffic that comes into a network that organizations should worry about. Organizations should monitor for traffic leaving their perimeters as well. This could include insiders uploading large files to personal cloud applications; downloading large files to external storage devices, such as USB flash drives; or sending large numbers of email messages with attachments outside the company.
  • Traffic sent to or from unknown locations. For a company that only operates in one country, any traffic sent to other countries could indicate malicious activity. Administrators should investigate any traffic to unknown networks to ensure it's legitimate.
  • Excessive consumption. An unexplained increase in the consumption of server memory or hard drive space may mean an attacker is accessing those resources illegally.
  • Changes in configuration. Changes that haven't been approved, including reconfiguration of services, installation of startup programs or firewall changes, are a sign of possible malicious activity. The same is true of scheduled tasks that have been added.
  • Hidden files. Files that are suspicious because of their names, sizes or locations can indicate that data or logs may have been leaked.
  • Unexpected changes. These include user account lockouts, password changes or sudden changes in group memberships.
  • Abnormal browsing behavior. This could be unexpected redirects, changes in the browser configuration or repeated pop-ups.
  • Suspicious registry entries. This happens mostly when malware infects Windows systems. It's one of the main ways malware ensures it remains in the infected system.
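Two of the warning signs listed above (logins at abnormal times and one account logging in from multiple locations in a short time frame) are the kind of indicators a detection script can check mechanically. The example below is added here and is not code from the original article; the record layout, the assumed business-hours window, the one-hour location window and the sample login records are all constructed assumptions.

```python
"""Added example (not from the original article): apply two of the
insider-threat warning signs from the list above to constructed login
records. Field layout, business-hours window and sample data are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (user, timestamp in UTC, source location).
SAMPLE_LOGINS = [
    ("alice", "2024-03-04T09:12:00", "Boston"),
    ("alice", "2024-03-04T09:40:00", "Boston"),
    ("bob",   "2024-03-04T03:05:00", "Boston"),     # login at an abnormal hour
    ("carol", "2024-03-04T10:00:00", "Boston"),
    ("carol", "2024-03-04T10:25:00", "Singapore"),  # second location within 25 minutes
    ("dave",  "2024-03-04T14:00:00", "Chicago"),
]

BUSINESS_HOURS = range(7, 20)        # assumed normal window: 07:00 to 19:59
LOCATION_WINDOW = timedelta(hours=1)  # assumed "short time frame" for two locations


def parse(records):
    """Turn the raw tuples into (user, datetime, location) tuples."""
    return [(u, datetime.fromisoformat(ts), loc) for u, ts, loc in records]


def abnormal_hour_logins(records, hours=BUSINESS_HOURS):
    """Return (user, timestamp) for every login outside the expected hours."""
    return [(u, ts.isoformat()) for u, ts, _ in parse(records) if ts.hour not in hours]


def multi_location_logins(records, window=LOCATION_WINDOW):
    """Return {user: [locations]} for accounts seen at more than one location
    within `window`. Logins are sorted per user by time, and each login is
    compared with the earlier logins that fall inside the window."""
    by_user = defaultdict(list)
    for u, ts, loc in sorted(parse(records), key=lambda r: r[1]):
        by_user[u].append((ts, loc))
    flagged = {}
    for u, logins in by_user.items():
        for i, (ts, loc) in enumerate(logins):
            for prev_ts, prev_loc in logins[:i]:
                if prev_loc != loc and ts - prev_ts <= window:
                    flagged.setdefault(u, set()).update({prev_loc, loc})
    return {u: sorted(locs) for u, locs in flagged.items()}


def triage(records):
    """Combine both checks into one list of human-readable findings."""
    findings = [f"abnormal-hour login: {u} at {ts}"
                for u, ts in abnormal_hour_logins(records)]
    findings += [f"multi-location login: {u} from {', '.join(locs)}"
                 for u, locs in multi_location_logins(records).items()]
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_LOGINS):
        print(line)
```

On the sample data the script reports bob's 03:05 login and carol's Boston/Singapore pair; in practice the hours window and location source would come from the organization's own baseline rather than the constants assumed here.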

An attack vector is a path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including human operators.

Attack vectors include viruses, email attachments, webpages, pop-up windows, instant messages, chat rooms and deception. All of these methods involve programming -- or, in a few cases, hardware. The exception is deception, which is when a human operator is fooled into removing or weakening system defenses.

Although organizations should be able to handle any incident, they should focus on handling incidents that use common attack vectors. These include the following:

  • External/removable media. The attack is executed from removable media -- e.g., CD, flash drive or a peripheral device.
  • Attrition. This type of attack uses brute-force methods to compromise, degrade or destroy networks, systems or services.
  • Web. The attack is executed from a website or web-based application.
  • Email. The attack is executed via an email message or attachment to an email. A hacker entices the recipient to either click on a link that takes him to an infected website or to open an infected attachment.
  • Improper usage. This type of incident stems from the violation of an organization's acceptable-use policies by an authorized user.
  • Drive-by downloads. A user views a website that triggers a malware download; this can happen without the user's knowledge. Drive-by downloads, which take advantage of vulnerabilities in web browsers, inject malicious code using JavaScript and other browsing features.
  • Ad-based malware (malvertising). The attack is executed via malware embedded in advertisements on websites. Merely viewing a malicious ad could inject malicious code into an unsecured device. In addition, malicious ads can also be embedded directly into otherwise trusted apps and served via them.
  • Mouse hovering. This takes advantage of vulnerabilities in well-known software, such as PowerPoint. When a user hovers over a link -- rather than clicking on it -- to see where it goes, shell scripts can be launched automatically. Mouse hovering takes advantage of system flaws that make it possible to launch programs based on innocent actions of the user.
  • Scareware. This persuades a user to purchase and download unwanted and potentially dangerous software by scaring him. Scareware tricks a user into thinking that his computer has a virus, then recommends that he download and pay for fake antivirus software to remove the virus. However, if the user downloads the software and allows the program to execute, his systems will be infected with malware.

Although an organization can never be sure which path an attacker will take through its network, hackers typically employ a certain methodology -- i.e., a sequence of stages to infiltrate a network and steal data. Each stage indicates a certain goal along the attacker's path. This industry-accepted methodology, dubbed the Cyber Kill Chain, was developed by Lockheed Martin Corp.


According to Lockheed Martin, these are the stages of an attack:

  • Reconnaissance (identify the targets). The threat actor assesses the targets from outside the organization to identify the targets that will enable him to meet his objectives. The goal of the attacker is to find information systems with few protections or with vulnerabilities that he can exploit to access the target system.
  • Weaponization (prepare the operation). During this stage, the attacker creates malware designed specifically for the vulnerabilities discovered during the reconnaissance phase. Based on the intelligence gathered in that phase, the attacker customizes his tool set to meet the specific requirements of the target network.
  • Delivery (launch the operation). The attacker sends the malware to the target by any intrusion method, such as a phishing email, a man-in-the-middle attack or a watering hole attack.
  • Exploitation (gain access to victim). The threat actor exploits a vulnerability to gain access to the target's network.
  • Installation (establish beachhead at the victim). Once the hacker has infiltrated the network, he installs a persistent backdoor or implant to maintain access for an extended period of time.
  • Command and control (remotely control the implants). The malware opens a command channel, enabling the attacker to remotely manipulate the target's systems and devices through the network. The hacker can then take control of the affected systems away from their administrators.
  • Actions on objectives (achieve the mission's goals). What happens next, now that the attacker has the command and control of the target's system, is entirely up to the attacker, who may corrupt or steal data, destroy systems or demand ransom, among other things.

There are many types of cybersecurity incidents that could result in intrusions on an organization's network:

1. Unauthorized attempts to access systems or data

To prevent a threat actor from gaining access to systems or data using an authorized user's account, implement two-factor authentication. This requires a user to provide a second piece of identifying information in addition to a password. Additionally, encrypt sensitive corporate data at rest or as it travels over a network using suitable software or hardware technology. That way, attackers won't be able to access confidential data.

2. Privilege escalation attack

An attacker who attempts to gain unauthorized access to an organization's network may then try to obtain higher-level privileges using what's known as a privilege escalation exploit. Successful privilege escalation attacks grant threat actors privileges that normal users don't have.

Typically, privilege escalation occurs when the threat actor takes advantage of a bug, a configuration oversight, a programming error or any other vulnerability in an application or system to gain elevated access to protected data.

This usually occurs after a hacker has already compromised a network by gaining access to a low-level user account and is looking to gain higher-level privileges -- i.e., full access to an enterprise's IT system -- either to study the system further or perform an attack.

To decrease the risk of privilege escalation, organizations should look for and remediate security weak spots in their IT environments on a regular basis. They should also follow the principle of least privilege -- that is, limit the access rights for users to the bare minimum permissions they need to do their jobs -- and implement security monitoring. Organizations should also evaluate the risks to their sensitive data and take the necessary steps to secure that data.

3. Insider threat

This is a malicious or accidental threat to an organization's security or data typically attributed to employees, former employees or third parties, including contractors, temporary workers or customers.

To detect and prevent insider threats, implement spyware scanning programs, antivirus programs, firewalls and a rigorous data backup and archiving routine. In addition, train employees and contractors on security awareness before allowing them to access the corporate network. Implement employee monitoring software to reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.

4. Phishing attack

In a phishing attack, an attacker masquerades as a reputable entity or person in an email or other communication channel. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including extracting login credentials or account information from victims. A more targeted type of phishing attack known as spear phishing occurs when the attacker invests time researching the victim to pull off an even more successful attack.

Effective defense against phishing attacks starts with educating users to identify phishing messages. In addition, a gateway email filter can trap many mass-targeted phishing emails and reduce the number of phishing emails that reach users' inboxes.

5. Malware attack

This is a broad term for different types of malicious software (malware) that are installed on an enterprise's system. Malware includes Trojans, worms, ransomware, adware, spyware and various types of viruses. Some malware is inadvertently installed when an employee clicks on an ad, visits an infected website or installs freeware or other software.

Signs of malware include unusual system activity, such as a sudden loss of disk space; unusually slow speeds; repeated crashes or freezes; an increase in unwanted internet activity; and pop-up advertisements. Installing an antivirus tool can detect and remove malware. These tools can either provide real-time protection or detect and remove malware by executing routine system scans.

6. Denial-of-service (DoS) attack

A threat actor launches a DoS attack to shut down an individual machine or an entire network so that it's unable to respond to service requests. DoS attacks do this by flooding the target with traffic or sending it some information that triggers a crash.

An organization can typically deal with a DoS attack that crashes a server by simply rebooting the system. In addition, reconfiguring firewalls, routers and servers can block any bogus traffic. Keep routers and firewalls updated with the latest security patches.

Also, application front-end hardware that's integrated into the network can help analyze and screen data packets -- i.e., classify data as priority, regular or dangerous -- as they enter the system. The hardware can also help block threatening data.

7. Man-in-the-middle (MitM) attack

A man-in-the-middle attack is one in which the attacker secretly intercepts and alters messages between two parties who believe they are communicating directly with each other. In this attack, the attacker manipulates both victims to gain access to data. Examples of MitM attacks include session hijacking, email hijacking and Wi-Fi eavesdropping.

Although it's difficult to detect MitM attacks, there are ways to prevent them. One way is to implement an encryption protocol, such as TLS (Transport Layer Security), that provides authentication, privacy and data integrity between two communicating computer applications. Another encryption protocol is SSH, a network protocol that gives users, particularly system administrators, a secure way to access a computer over an unsecured network.

Enterprises should also educate employees about the dangers of using open public Wi-Fi, as it's easier for hackers to intercept these connections. Organizations should also tell their workers to heed warnings from browsers that sites or connections may not be legitimate. Companies should also use VPNs to help ensure secure connections.

8. Password attack

This type of attack is aimed specifically at obtaining a user's password or an account's password. To do this, hackers use a variety of methods, including password-cracking programs, dictionary attack, password sniffers or guessing passwords via brute force (trial and error).

A password cracker is an application program used to identify an unknown or forgotten password to a computer or network resources. This helps an attacker obtain unauthorized access to resources. A dictionary attack is a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.

To handle password attacks, organizations should adopt multifactor authentication for user validation. In addition, users should use strong passwords that include at least seven characters as well as a mix of upper and lowercase letters, numbers and symbols. Users should change their passwords regularly and use different passwords for different accounts. In addition, organizations should use encryption on any passwords stored in secure repositories.

9. Web application attack

This is any incident in which a web application is the vector of the attack, including exploits of code-level vulnerabilities in the application as well as thwarting authentication mechanisms. One example of a web application attack is a cross-site scripting attack. This is a type of injection security attack in which an attacker injects data, such as a malicious script, into content from otherwise trusted websites.

Enterprises should review code early in the development phase to detect vulnerabilities; static and dynamic code scanners can automatically check for these. Also, implement bot detection functionality to prevent bots from accessing application data. And a web application firewall can monitor a network and block potential attacks.

10. Advanced persistent threat (APT)

An APT is a prolonged and targeted cyberattack typically executed by cybercriminals or nation-states. In this attack, the intruder gains access to a network and remains undetected for an extended period of time. The APT's goal is usually to monitor network activity and steal data rather than cause damage to the network or organization.

Monitoring incoming and outgoing traffic can help organizations prevent hackers from installing backdoors and extracting sensitive data. Enterprises should also install web application firewalls at the edge of their networks to filter traffic coming into their web application servers. This can help filter out application layer attacks, such as SQL injection attacks, often used during the APT infiltration phase. Additionally, a network firewall can monitor internal traffic.

Here are several examples of well-known security incidents.

Cybersecurity researchers first detected the Stuxnet worm, used to attack Iran's nuclear program, in 2010. It is still considered to be one of the most sophisticated pieces of malware ever detected. The malware targeted supervisory control and data acquisition systems and was spread with infected USB devices. Both the U.S. and Israel have been linked to the development of Stuxnet, and while neither nation has officially acknowledged its role in developing it, there have been unofficial confirmations that they were responsible for it.

In October 2016, another major security incident occurred when cybercriminals launched a distributed DoS attack on domain name system provider Dyn, which disrupted online services worldwide. The attack hit a number of websites, including Netflix, Twitter, PayPal, Pinterest and the PlayStation Network.

In July 2017, a massive breach was discovered involving 14 million Verizon Communications Inc. customer records, including phone numbers and account PINs, which were reportedly exposed to the internet, although Verizon claimed no data was stolen. A month earlier, a researcher from security firm UpGuard found the data on a cloud server maintained by data analytics firm Nice Systems. The data wasn't password protected, and as such, cybercriminals could easily have downloaded and exploited it, according to the security firm.

According to the 2019 "Data Security Incident Response Report" by BakerHostetler LLP, a U.S. law firm, certain types of security incidents are on the rise.

Phishing is still the leading cause of security incidents. Nearly one-quarter of all the incidents BakerHostetler responded to in 2018 resulted from lost devices, inadvertent disclosures or system misconfigurations. Employees were responsible for 55% of the 750 incidents the firm responded to in 2018, partly due to simple mistakes and falling for phishing scams. Increasing employee awareness and implementing multifactor authentication are still two of the best defenses to address the employee risk factor, the report noted.

On the bright side, organizations continue to improve their in-house detection capabilities. In 2018, 74% of incidents were detected internally, an increase from only 52% in 2015. However, although more companies have invested in security tools to help investigate security incidents, few organizations have the experience and capacity to investigate security incidents without third-party help.

Attacks by nation-states are increasing. Nation-states continue to engage in cyberoperations to support espionage, economic development (via the thefts of intellectual property and trade secrets) or sabotage. And it has become more difficult to differentiate between the methods and procedures used by nation-state actors and criminal actors. The reason: It's hard to find good data on how often these attacks occur, in part because they go undetected or unreported.

The expanding threat landscape puts organizations at more risk of being attacked than ever before. As a result, enterprises must constantly monitor the threat landscape and be ready to respond to security incidents, data breaches and cyberthreats when they occur. Putting a well-defined incident response plan in place and taking into consideration some of the tips provided in this report will enable organizations to effectively identify these incidents, minimize the damage and reduce the cost of a cyberattack. Such a plan will also help companies prevent future attacks.


Page 3

The threat landscape gets progressively worse by the day. Cross-site scripting, SQL injection, exploits of sensitive data, phishing and distributed denial-of-service (DDoS) attacks are far too common. More and more sophisticated attacks are being spotted, and security teams are scrambling to keep up. Faced with many new types of issues -- including advanced phishing attacks that are all too successful, and ransomware attacks that many seem helpless to prevent -- endpoint security strategies are evolving rapidly. In the SANS "Endpoint Protection and Response" survey from 2018, 42% of respondents indicated at least one of their endpoints had been compromised, and 20% didn't know if any endpoints had been compromised at all.

How are hackers able to wreak havoc on enterprises and cause sensitive data loss and exposure? The answer is through a variety of cybersecurity vulnerabilities in processes, technical controls and user behaviors that allow hackers to perform malicious actions. Many different vulnerabilities exist, including code flaws in operating systems and applications, systems and services misconfiguration, poor or immature processes and technology implementations, and end user susceptibility to attack.

Some of the most common attacks that resulted in data breaches and outages included phishing, the use of stolen credentials, advanced malware, ransomware and privilege abuse, as well as backdoors and command and control channels on the network set up to allow continued access to and control over compromised assets, according to the Verizon "2019 Data Breach Investigations Report," or Verizon DBIR.

What are the major types of cybersecurity vulnerabilities that could lead to successful attacks and data breaches and how can we ideally mitigate them? Check out the top five most common vulnerabilities organizations should work toward preventing or remediating as soon as possible to avoid potentially significant cybersecurity incidents, like phishing, malware, denial-of-service and password attacks.

Most enterprise organizations have some sort of endpoint protection in place, usually antivirus tools. But zero-day exploits are becoming more common and many of the endpoint security defenses in place have proved inadequate to combat advanced malware and intrusions targeting end users and server platforms.

Causes. Many factors can lead to inadequate endpoint security defenses that become vulnerabilities. First, standard signature-based antivirus systems are no longer considered good enough, as many savvy attackers can easily bypass the signatures. Second, smart attackers may only be caught through unusual or unexpected behaviors at the endpoint, which many tools don't monitor. Finally, many endpoint security defenses haven't offered security teams the ability to dynamically respond to or investigate endpoints, particularly on a large scale.


How to fix it. More organizations need to invest in modern endpoint detection and response tools that incorporate next-generation antivirus, behavioral analysis and actual response capabilities. These tools provide more comprehensive analysis of malicious behavior, along with more flexible prevention and detection options. If you're still using traditional antivirus tools, consider an upgrade to incorporate more behavioral inspection, more detailed forensic details and compromise indicators, as well as real-time response capabilities.

With the recent threat of ransomware looming large, along with traditional disasters and other failures, organizations have a pressing need to back up and recover data. Unfortunately, many organizations don't excel in this area due to a lack of sound backup and recovery options.

Causes. Many organizations neglect one or more facets of backup and recovery, including database replication, storage synchronization or end-user storage archival and backup.

How to fix it. Most organizations need a multi-pronged backup and recovery strategy. This should include data center storage snapshots and replication, database backups, tape or disk backups, and end-user storage (often cloud-based). At least one copy should be kept offline or immutable so that ransomware that reaches the backup server cannot encrypt or delete it, and restores should be tested on a schedule; a backup that has never been restored is an assumption, not a control. Look for enterprise-class tools that can accommodate granular backup and recovery metrics and reporting.

Many attackers rely on weak network segmentation and monitoring to gain full access to every system in a subnet once they've gained an initial foothold. This huge cybersecurity vulnerability has been common in large enterprise networks for many years. It lets attackers move laterally to new systems and maintain access far longer than they otherwise could.

Causes. A lack of subnet monitoring is a major root cause of this vulnerability, as is a lack of monitoring outbound activity that could indicate command and control traffic. Especially in large organizations, this can be a challenging initiative, as hundreds or thousands of systems may be communicating simultaneously within the network and sending outbound traffic.

How to fix it. Organizations should focus on carefully controlling network access among systems within subnets, and building better detection and alerting strategies for lateral movement between systems that have no business communicating with one another. They should focus on odd DNS lookups, system-to-system communication with no apparent use, and odd behavioral trends in network traffic. Proxies, firewalls and microsegmentation tools may help create more restrictive policies for traffic and systems communications.
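The detection logic described above, as an added example that is not part of the original article: a small Python script that runs over constructed flow records and DNS queries, flags host-to-host traffic inside a segment or across segments on ports the segmentation policy doesn't allow, and flags DNS names whose leftmost label looks machine-generated or that carry an unusual number of labels (both hallmarks of command-and-control and DNS tunnelling). The segment layout, the allowlist and every address in it are assumptions made for the example.

```python
import ipaddress
import math
from collections import Counter

# Constructed flow records (src_ip, dst_ip, dst_port) standing in for firewall,
# NetFlow or Zeek conn.log data; none of this is real traffic.
FLOWS = [
    ("10.10.1.15", "10.10.1.20", 445),   # workstation -> workstation (SMB)
    ("10.10.1.15", "10.20.0.5", 443),    # workstation -> web tier, expected
    ("10.20.0.5", "10.30.0.9", 5432),    # web tier -> database, expected
    ("10.10.1.15", "10.30.0.9", 5432),   # workstation straight to the database
    ("10.10.1.22", "10.10.1.23", 3389),  # workstation -> workstation (RDP)
]

# Constructed DNS query log: (client_ip, queried_name).
DNS_QUERIES = [
    ("10.10.1.15", "www.example.com"),
    ("10.10.1.15", "update.example.net"),
    ("10.10.1.22", "a8f3k2j9x1qz7p4m.cdn-stat.example"),
    ("10.10.1.22", "k2.7x.q9.m4.cdn-stat.example"),
]

# Hypothetical segment layout and segment-to-segment allowlist. In practice this
# comes from the firewall/microsegmentation policy, not a hard-coded table.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web": ipaddress.ip_network("10.20.0.0/16"),
    "db": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED = {
    ("workstations", "web"): {443},
    ("web", "db"): {5432},
}


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def flag_lateral_movement(flows):
    """Return (src, dst, port, reason) for flows the segmentation policy does not expect."""
    findings = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            # Peer traffic inside one segment (workstation to workstation SMB/RDP)
            # is the classic lateral-movement pattern and rarely has a business need.
            findings.append((src, dst, port, f"intra-segment {s} traffic"))
        elif port not in ALLOWED.get((s, d), set()):
            findings.append((src, dst, port, f"{s}->{d} port {port} not in allowlist"))
    return findings


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def flag_odd_dns(queries, entropy_threshold=3.5, max_labels=4):
    """Flag names whose leftmost label looks generated (DGA/tunnelling) or that
    carry an unusual number of labels, which tunnels use to pack data."""
    findings = []
    for client, name in queries:
        labels = name.split(".")
        ent = shannon_entropy(labels[0])
        if ent > entropy_threshold:
            findings.append((client, name, f"label entropy {ent:.2f}"))
        elif len(labels) > max_labels:
            findings.append((client, name, f"{len(labels)} labels"))
    return findings


if __name__ == "__main__":
    for finding in flag_lateral_movement(FLOWS) + flag_odd_dns(DNS_QUERIES):
        print(finding)
```

The thresholds are deliberately simple; in a real deployment you would tune the entropy cut-off against your own resolver logs and suppress known CDN and telemetry domains before alerting.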

Weak authentication and poor credential management are among the most common causes of compromise and breaches. People reuse the same password across systems, and many systems and services still support weak authentication practices. Stolen and weak credentials are consistently among the top attack vectors reported in the Verizon DBIR.

Causes. In many cases, weak authentication and credential management is due to lack of governance and oversight of credential lifecycle and policy. This includes user access, password policies, authentication interfaces and controls, and privilege escalation to systems and services that shouldn't be available or accessible in many cases.

How to fix it. For most organizations, tightening password controls helps, but the controls that matter are not the traditional ones. Current guidance (NIST SP 800-63B) favors longer passwords or passphrases over complexity rules, screening new passwords against lists of known-compromised passwords and against context-specific words such as the username or company name, and dropping mandatory periodic rotation: forced changes push users toward predictable variations, and a long password that isn't rotated is safer than a short one that is. Rotation should instead be triggered by evidence of compromise. Password managers help users avoid reuse and poor choices. For any sensitive access, users should also be required to use multifactor authentication, so that a stolen or guessed password alone is not enough.
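As an added example (not from the original article) of the screening described above, this Python snippet checks a candidate password for minimum and maximum length, context-specific words and presence in a compromised-password list using a k-anonymity-style hash-prefix lookup, so the checking side never has to send the full password hash. The breached-password set is a constructed stand-in for a real corpus or lookup service.

```python
import hashlib

# Constructed stand-in for a compromised-password corpus. It is plain text here
# only so the example runs offline; a real service stores and serves hashes.
BREACHED = {"Password123", "Summer2019!", "letmein", "qwerty123456"}


def sha1_upper(password):
    """Upper-case hex SHA-1, the form compromised-password range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Emulate a k-anonymity range query: given the first five hex digits of a
    SHA-1, return the suffixes of every breached hash sharing that prefix.
    The checking side only ever sends the prefix, never the password or full hash."""
    return {h[5:] for h in map(sha1_upper, BREACHED) if h.startswith(prefix)}


def is_breached(password):
    h = sha1_upper(password)
    return h[5:] in range_lookup(h[:5])


def check_password(password, username="", context_words=(), min_len=12, max_len=64):
    """Return a list of reasons to reject the password; an empty list means accept.
    Length and breach screening replace composition rules and forced rotation."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    lowered = password.lower()
    for word in (username, *context_words):
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    if is_breached(password):
        problems.append("appears in a compromised-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, username="alice") or "accepted")
```

Note that the hash here is SHA-1 only because that is the format breach corpora are distributed in; it has nothing to do with how the password should be stored, which remains a slow salted hash such as bcrypt, scrypt or Argon2.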

Much has been written about the susceptibility of end users to social engineering, but it continues to be a major issue that plagues organizations. The 2019 Verizon DBIR states that end user error is the top threat action in breaches. Many organizations find the initial point of attack is through targeted social engineering, most commonly phishing.

Causes. The most common cause of successful phishing, pretexting and other social engineering attacks is a lack of sound security awareness training and end-user validation. Organizations are still struggling with how to train users to look for social engineering attempts and report them.

How to fix it. More organizations need to conduct regular training exercises, including phishing tests, pretexting and additional social engineering as needed. Many training programs are available to help reinforce security awareness concepts; the training needs to be contextual and relevant to employees' job functions whenever possible. Track users' success or failure rates on testing, as well as "live fire" tests with phishing emails and other tactics. For users who don't improve, look at remediation measures appropriate for your organization.

While other major cybersecurity vulnerabilities can be spotted in the wild, the issues addressed here are some of the most common seen by enterprise security teams everywhere. Look for opportunities to implement more effective processes and controls in your organization to more effectively prevent these issues from being realized.


Even a highly skilled IT security practitioner can be challenged by interview questions. They are often stump-worthy and contrived questions posed to job candidates to separate the wheat (skilled candidates) from the chaff (those who are not). Two things make them hard. First, by the time a candidate has reached the point in the interview process where someone is asking these questions, that candidate is usually hopeful of getting the job. A desire to perform well can translate to jitters, panic-induced brain freeze and all sorts of other mental states unconducive to clear, lucid and well-informed answers. Second, the questions themselves are usually designed to be challenging -- often in ways that aren't intuitive. For example, questions can include erroneous or misleading information, have multiple right answers or test something other than what's immediately apparent.

With this in mind, we've put together a list of incident response interview questions you might encounter during an interview for an incident response position. We've tried to start with those more easily answered, building up to the more difficult. This is not intended to be a complete list of every question you might encounter. Instead, the goal is to help defuse the situation. Just like you'd prep for a security event by conducting a tabletop or other drill to test incident response planning efforts (ensuring you've thought things through in advance), so too can thinking through interview questions give you a muscle memory when you're interviewing for a job you really hope to land.

Start by brushing up on recent incident response frameworks from recognized information security standards organizations like NIST, ISACA and the International Organization for Standardization (ISO).

Before we get into the nuances of the questions themselves, it's useful to point out that there are a few different types of incident response interview questions you might encounter. There are technical questions, of course, designed to solicit how well you understand how to navigate the technology landscape you're likely to encounter on the job. But there are other types of questions beyond this. For example, there are ethics-based questions designed to assess how well your ethical compass aligns to what the organization expects. Likewise, there are culture-oriented questions designed to elicit what type of person you are -- i.e., your personality. There are also brain teaser questions, designed to evaluate how well you think creatively, solve problems on the fly, or how much you are curious about the world around you.

It's always useful to think about what type of question the one being posed is in formulating your answer. Answer honestly, of course, but be alert to what your response highlights about you along each of these axes: Are you demonstrating a full understanding of the technical space? Are you demonstrating the ethical framework the organization expects? Does your response align with the culture the organization embraces? The key to this is doing a bit of research about the organization beforehand -- for example, on the company itself and, when you can, the interviewer. A quick glance over the company's website or the interviewer's LinkedIn profile can give you some good insight into what might be valuable to them, allowing you to showcase these qualities in your responses.

The second thing to keep in mind is that you can always ask for more information. In fact, for some of the brain-teaser type questions, this is a near-must. For example, in response to a question like "Why are manhole covers round," you might ask for additional clarification -- are they looking at it from a manufacturing perspective (minimization of variance during manufacturing), a safety perspective (minimization of the chance for the cover to fall through the open aperture), an engineering perspective (minimization of warp or misalignment in cold temperatures), or something else?

Lastly, be honest. If you don't know the answer to a technical question, say so -- and then follow up with what you do know about the topic they asked about. Explain clearly where the boundary of your knowledge ends if you don't know it. Pretty much the worst thing you can do is try to bluff your way through it. If they catch you doing this (and if you do it, they will), it's usually a deal breaker. However, stating unambiguously and frankly that you don't know something can even sometimes serve to your advantage.

Generic advice and caveats out of the way, let's look at a few questions that you might encounter. You'll notice that some of these are generic in nature -- that's by design, as each interviewer will likely put their own spin on it. Also, since some of the questions will be about specific security technology or products, the incident response tool sets used in various organizations will vary and they're likely to ask about the tools they're actually using in their environment. We've also tried to order them from easiest to hardest -- you'll notice, though, that where something falls on this spectrum is open to interpretation. A straightforward, fact-based question will of course be hard to answer if you don't know it, but a question like that shows up earlier on this list for two reasons: It has a single, definite answer and it's unambiguous what the interviewer is looking for.

From an incident-response point of view, one of the most important things that you'll need to do is examine components in the technology ecosystem and how they interact, and look at traffic patterns to monitor for -- or resolve -- potential security-relevant events. Understanding of networking is foundational to this exercise. If your interviewer asks technical questions at all, it is almost a given that at least one of them will be an in-depth question about the operation of some network protocol.

The question might be focused at a higher level of the stack (e.g., "How does the TLS handshake work in TLS versions before 1.3?"), it might be in the middle ("How does the TCP three-way handshake work?") or maybe lower down ("What are the elements of an Ethernet frame?"). Unfortunately, the only way to really prepare for this one is to know it -- cold. If you don't, now's a good time to bone up. You might want to look at some packet-capture data (for example, using a tool like Wireshark) to help you refresh or do a quick review of a book like TCP/IP First-Step that explains the topic in depth. As you prepare, quiz yourself and practice walking through how you'd explain how these elements work to someone else.

The second thing they might ask about is how to perform some task that you will likely need to do often using a given toolset. For example, how would you export syslog data to another system, how would you generate a list of running Docker containers or how would you view an endpoint's software inventory in Spiceworks? Again, this falls in the easier category because it's binary -- either you know the tool (and have the answer at your fingertips) or you don't. The truth is, you're not going to know every tool that exists: It's likely that the toolset you're using in your current job will differ from the one being used at the potential employer. Therefore, a useful strategy here is to explain that you use a different tool in your current role for the same purpose and offer to explain how to accomplish the same thing in the tool you do know. Savvy interviewers know that learning the concepts involved is hard while learning what button to push is comparatively easy: You'll pick up the minutiae of security product X versus product Y in very little time so long as you understand the goals and purpose behind them.

You'll notice that this is similar to the last question, except it asks you to author commands or write a script to accomplish some task instead of asking you for detailed knowledge of a particular product. The difference is subtle, but it actually makes the question a little more challenging because there are almost always multiple paths to accomplish the goal. The task here is usually on a given platform -- for example, PowerShell on Windows or Bash on Linux (though other platforms are possible). What questions like this are designed to test is your ability to use tools at your disposal (i.e., the native tools built into the platforms in their environment) to gather data or effect remediation and recovery. Leverage your strengths on this one -- for example, maybe you're not much of a whiz with Bash, sed or AWK, but you're a cool hand with Python or Perl. Play to your strengths, and don't be shy to ask for clarifying detail and additional data.

Everyone hates sorting through log data. It is, however, a part of the job. This means that the ability to use shortcuts to help you find what you're looking for is a must. Regular expressions are used so often in doing this that creating them (sometimes reading and unpacking them) comes up frequently during the technical vetting portion of job interviews. It's useful, therefore, to have at least a passing familiarity with how they work and how to write one. You probably won't be expected to demonstrate mastery of advanced constructions, but you should at least be able to search through log information looking for specific patterns (both case-insensitive and case-sensitive), ranges of possible values, work with positions using anchors (e.g., start of line, end of line), account for whitespace, escape characters, and so on. It's not a given that you'll get this question, though, so don't over-prepare if this isn't your strongest area. (Instead, maybe be ready to explain how you'd use some other tool to accomplish the same goal.)
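As an added example (not from the original article), here is the kind of log-sifting script the two questions above ask for, written in Python against a handful of constructed syslog-style lines: it uses anchors, character-class ranges, escaped brackets, bounded repeats, whitespace handling and a case-insensitive flag to pull failed SSH logins and root-level sudo commands out of an auth log, then counts failures per source address. The log lines, host name and addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed syslog-style auth log lines (not from a real host). The mixed-case
# line is deliberate, to show why case-insensitive matching matters.
AUTH_LOG = """\
Mar  3 08:12:01 bastion sshd[1842]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 08:12:04 bastion sshd[1842]: Failed password for root from 203.0.113.7 port 51530 ssh2
Mar  3 08:12:09 bastion sshd[1850]: Accepted publickey for deploy from 198.51.100.12 port 40112 ssh2: RSA SHA256:AbCdEf
Mar  3 08:13:44 bastion sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 08:15:02 bastion sshd[1861]: FAILED PASSWORD for invalid user test from 203.0.113.7 port 51544 ssh2
Mar  3 08:15:30 bastion sshd[1870]: Failed password for admin from 192.0.2.250 port 60001 ssh2
"""

# ^ and $ anchor the whole line; \s+ tolerates syslog's variable spacing;
# \[ and \] escape the PID brackets; {n,m} bounds the repeats; named groups
# make the extracted fields self-describing.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8})\s+"           # "Mar  3 08:12:01"
    r"(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"                # "bastion sshd[1842]:"
    r"failed\s+password\s+for\s+(?:invalid\s+user\s+)?(?P<user>\S+)\s+"
    r"from\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+port\s+(?P<port>\d+)\s+ssh2$",
    re.IGNORECASE,
)
# Unanchored search: the interesting part of the sudo line is in the middle.
SUDO_ROOT = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=root\s*;\s*COMMAND=(?P<cmd>.+)$")


def failed_logins(text):
    """Return one dict of named-group fields per failed SSH login line."""
    return [m.groupdict() for m in map(FAILED_LOGIN.match, text.splitlines()) if m]


def failures_by_ip(text, threshold=2):
    """Source addresses with at least `threshold` failed logins (a brute-force lead)."""
    counts = Counter(f["ip"] for f in failed_logins(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sudo_root_commands(text):
    """(user, command) for every command run as root through sudo."""
    return [(m["user"], m["cmd"]) for m in map(SUDO_ROOT.search, text.splitlines()) if m]


if __name__ == "__main__":
    print("failed logins per source:", failures_by_ip(AUTH_LOG))
    print("root commands via sudo:", sudo_root_commands(AUTH_LOG))
```

In an interview, being able to say why each piece is there (why the `$` anchor keeps a trailing "ssh2: RSA ..." from matching, why `\S+` rather than `\w+` for a username that may contain dots) matters more than typing it perfectly the first time.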

Counterintuitively, one of the hardest types of questions is the ethics-based question. You might think that "don't be a crook" would suffice as an answer, but questions along these lines can be nuanced and difficult. For example, the interviewer at a managed security service provider (MSSP) might ask you what you'd do if you discover that your company accidentally put a client at risk (e.g., due to a failure or oversight relating to a service or tool the MSSP supplies). Do you tell the customer? If so, how do you do it? If not, how do you handle it? A question like that directly pits the business interests of the organization (and potential profitability) against the ethically appropriate path. Another example might be an internal team or your manager telling you to do something that undermines the security of a customer or the organization -- how do you respond?

There's no easy way to prepare for these, as each situation and incident response interview question will be different. The trick is to fully flesh out the parameters of the question by asking for additional data about the incident and responding honestly about how you would actually approach it. Likewise, the culture of the organization matters as well as your own worldview; for example, when I worked for a large MSSP (where we asked a similar question during interviews), the "right" answer to the service-failure question was along the lines of "alert your manager and inform the customer." I'm sure there are organizations where failure to inform is the right answer -- though, frankly, I wouldn't want to work there.

I'd like to close with one type of question that you might get, but that's a little different from the ones above. This type of question is designed to solicit who you are as a person -- to see if you fit in culturally with the organization. It's hard to be overly specific about what these might be in advance (which is why it's a bonus rather than in the top five), since organizational culture varies so much from organization to organization.

However, I did want to point out that, intimidating as these types of questions might be, keep in mind that we're in a buyer's market for incident-responder positions. Because of the skills gap and the challenge that organizations have in finding talented incident responders, this means that candidates can afford to be a little bit choosy when it comes to the positions they accept. As a consequence, the interview process is every bit as much the potential employer auditioning for the candidate as it is vice versa. So pay careful attention to what cultural questions are being asked -- these tell you about the organization and what it's like to work there. Be critical, objective and remember that finding out beforehand if an organization isn't a good fit is a huge win compared to finding the same thing out afterward.


Although the terms security threat, security event and security incident are related, in cybersecurity they have distinct meanings.

A security threat is the potential for a malicious act that could corrupt or steal data or disrupt an organization's systems or the organization as a whole. A security event is any observable occurrence on a system or network, including one during which company data or the network may have been exposed; most events turn out to be benign. A security incident is an event that actually violates security policy or results in a compromise, such as a data or network breach.

As cybersecurity threats continue to evolve and become more sophisticated, enterprise IT must remain vigilant when it comes to protecting their data and networks. To do that, they first have to understand the types of security threats they're up against.

Below are the top 10 types of information security threats that IT teams need to know about.

An insider threat occurs when individuals close to an organization who have authorized access to its network intentionally or unintentionally misuse that access to negatively affect the organization's critical data or systems.

Careless employees who don't comply with their organizations' business rules and policies cause insider threats. For example, they may inadvertently email customer data to external parties, click on phishing links in emails or share their login information with others. Contractors, business partners and third-party vendors are the source of other insider threats.

Some insiders intentionally bypass security measures out of convenience or ill-considered attempts to become more productive. Malicious insiders intentionally elude cybersecurity protocols to delete data, steal data to sell or exploit later, disrupt operations or otherwise harm the business.

Preventing insider threats

The list of things organizations can do to minimize the risks associated with insider threats includes the following:

  • limit employees' access to only the specific resources they need to do their jobs;
  • train new employees and contractors on security awareness before allowing them to access the network. Incorporate information about unintentional and malicious insider threat awareness into regular security training;
  • set up contractors and other freelancers with temporary accounts that expire on specific dates, such as the dates their contracts end;
  • implement two-factor authentication, which requires each user to provide a second piece of identifying information in addition to a password; and
  • install employee monitoring software to help reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.

Viruses and worms are malicious software programs (malware) aimed at damaging an organization's systems, data and network. A computer virus is malicious code that replicates by copying itself into another program, system or host file. It remains dormant until someone knowingly or inadvertently activates it, spreading the infection without the knowledge or permission of the user or system administrator.

A computer worm is a self-replicating program that doesn't have to copy itself to a host program or require human interaction to spread. Its main function is to infect other computers while remaining active on the infected system. Worms often spread using parts of an operating system that are automatic and invisible to the user. Once a worm enters a system, it immediately starts replicating itself, infecting computers and networks that aren't adequately protected.

Preventing viruses and worms

To reduce the risk of these types of information security threats caused by viruses or worms, companies should install antivirus and antimalware software on all their systems and networked devices and keep that software up to date. In addition, organizations must train users not to download attachments or click on links in emails from unknown senders and to avoid downloading free software from untrusted websites. Users should also be very cautious when they use P2P file sharing services and they shouldn't click on ads, particularly ads from unfamiliar brands and websites.

A botnet is a collection of Internet-connected devices, including PCs, mobile devices, servers and IoT devices that are infected and remotely controlled by a common type of malware. Typically, the botnet malware searches for vulnerable devices across the internet. The goal of the threat actor creating a botnet is to infect as many connected devices as possible, using the computing power and resources of those devices for automated tasks that generally remain hidden to the users of the devices. The threat actors -- often cybercriminals -- that control these botnets use them to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.

Preventing botnets

Organizations have several ways to prevent botnet infections:

  • monitor network performance and activity to detect any irregular network behavior;
  • keep the operating system up to date;
  • keep all software up-to-date and install any necessary security patches;
  • educate users not to engage in any activity that puts them at risk of bot infections or other malware, including opening emails or messages, downloading attachments or clicking links from unfamiliar sources; and
  • implement antibotnet tools that find and block bot malware. In addition, most firewalls and antivirus software include basic tools to detect, prevent and remove botnet infections.

In a drive-by download attack, malicious code is downloaded from a website by exploiting a vulnerability in the browser, a browser plugin or the operating system itself, without the user's permission or knowledge. A user doesn't have to click on anything to activate the download; just accessing or browsing a website can start it. Cybercriminals use drive-by downloads to deliver banking Trojans, steal and collect personal information and introduce exploit kits or other malware to endpoints.

Preventing drive-by download attacks

One of the best ways a company can prevent drive-by download attacks is to regularly update and patch systems with the latest versions of software, applications, browsers, and operating systems. Users should also be warned to stay away from insecure websites. Installing security software that actively scans websites can help protect endpoints from drive-by downloads.

Phishing attacks are a type of information security threat that employs social engineering to trick users into breaking normal security practices and giving up confidential information, including names, addresses, login credentials, Social Security numbers, credit card information and other financial information. In most cases, hackers send out fake emails that look as if they're coming from legitimate sources, such as financial institutions, eBay, PayPal -- and even friends and colleagues.

In phishing attacks, hackers attempt to get users to take some recommended action, such as clicking on links in emails that take them to fraudulent websites that ask for personal information or install malware on their devices. Opening attachments in emails can also install malware on users' devices that are designed to harvest sensitive information, send out emails to their contacts or provide remote access to their devices.

Preventing phishing attacks

Enterprises should train users not to download attachments or click on links in emails from unknown senders and to avoid downloading free software from untrusted websites. Training should also cover the tells of a phishing message: a sender address or reply-to that doesn't match the claimed organization, lookalike domains, pressure to act immediately, and links whose visible text differs from where they actually point. Users need an easy way to report suspected messages, and any unexpected request for credentials or payment should be verified out of band. Because some phishing will always get through, pair training with multifactor authentication so that a phished password alone isn't enough to log in.
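To make the indicators above concrete, here is an added example (not part of the original article) in Python that parses a constructed phishing message and reports the tells a trained user or a mail filter looks for: a Reply-To or Return-Path whose domain doesn't match the From domain, a sender domain whose labels imitate a known brand through digit-for-letter substitutions, urgency language in the subject, and link text that displays one host while the href points at another. The brand table and the message are assumptions made for the example; all attacker domains use reserved ".example" names, and only the impersonated brand's real domain is not invented.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message in the style of a credential-phishing lure (not real mail).
RAW_EMAIL = b"""\
Return-Path: <bounce@mail-paypa1-secure.example>
From: "PayPal Support" <service@paypa1.example>
Reply-To: recover@mail-paypa1-secure.example
To: alice@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Please verify your identity immediately.</p>
<p><a href="http://login.mail-paypa1-secure.example/verify">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Hypothetical brand table: brand keyword -> the domain that brand really uses.
BRANDS = {"paypal": "paypal.com"}
# Digits attackers swap in for letters to build lookalike domains.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URGENCY = re.compile(r"\b(urgent|immediately|suspend(?:ed)?|within \d+ hours?|verify now)\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_brand(domain):
    """Return the brand a domain imitates: some label normalises to a brand
    keyword while the domain is not the brand's real one."""
    for token in re.split(r"[.-]", domain):
        brand = token.translate(CONFUSABLES)
        if brand in BRANDS and not domain.endswith(BRANDS[brand]):
            return brand
    return None


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"]))
    from_dom = domain_of(from_addr)
    found = []
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and domain_of(parseaddr(str(msg[hdr]))[1]) != from_dom:
            found.append(f"{hdr} domain differs from From domain {from_dom}")
    brand = lookalike_brand(from_dom)
    if brand:
        found.append(f"sender domain {from_dom} imitates {brand}")
    if URGENCY.search(str(msg["Subject"]) or ""):
        found.append("urgency language in subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            found.append(f"link text shows {shown} but points to {actual}")
    return found


if __name__ == "__main__":
    for indicator in phishing_indicators(RAW_EMAIL):
        print("-", indicator)
```

None of these checks is conclusive on its own (legitimate bulk mail often has a different Return-Path, for instance); the point for training is that a message stacking several of them deserves a report rather than a click.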

In a distributed denial-of-service (DDoS) attack, multiple compromised machines attack a target, such as a server, website or other network resource, aiming to make it unavailable. The flood of connection requests, incoming messages or malformed packets forces the target system to slow down or to crash and shut down, denying service to legitimate users or systems.

Preventing DDoS attacks

To help prevent DDoS attacks, companies should take these steps:

  • Implement technology to monitor network traffic and establish a baseline of how much bandwidth a site uses on average. DDoS attacks show up as sharp deviations from that baseline, so administrators who understand the normal behavior of their networks will be better able to catch these attacks early.
  • Ensure servers have the capacity to absorb heavy traffic spikes, and have the mitigation tools necessary to address an attack in place before one starts.
  • Update and patch firewalls and network security programs.
  • Set up protocols outlining the steps to take in the event of a DDoS attack occurring.

In a ransomware attack, the victim's computer is locked, typically by encryption, which keeps the victim from using the device or data that's stored on it. To regain access to the device or data, the victim has to pay the hacker a ransom, typically in a virtual currency such as Bitcoin. Ransomware can be spread via malicious email attachments, infected software apps, infected external storage devices and compromised websites.


Preventing ransomware

To protect against ransomware attacks, users should regularly back up their computing devices and update all software, including antivirus software. Users should avoid clicking on links in emails or opening email attachments from unknown sources. Victims should do everything possible to avoid paying ransom. Organizations should also couple a traditional firewall that blocks unauthorized access to computers or networks with a program that filters web content and focuses on sites that may introduce malware. In addition, limit the data a cybercriminal can access by segregating the network into distinct zones, each of which requires different credentials.

An exploit kit is a packaged toolkit, typically hosted on a compromised or attacker-controlled web server, that fingerprints a visiting browser and its plugins, exploits known vulnerabilities in them and delivers a malware payload, all without the operator needing to write exploit code. Exploit kits are known by a variety of names, including infection kit, crimeware kit, DIY attack kit and malware toolkit. Cybercriminals use these toolkits to attack system vulnerabilities to distribute malware or engage in other malicious activities, such as stealing corporate data, launching denial-of-service attacks or building botnets.

Preventing exploit kits

To guard against exploit kits, an organization should deploy antimalware software as well as a security program that continually evaluates if its security controls are effective and provide protection against attacks. Enterprises should also install antiphishing tools because many exploit kits use phishing or compromised websites to penetrate the network.

An advanced persistent threat (APT) is a targeted cyberattack in which an unauthorized intruder penetrates a network and remains undetected for an extended period of time. Rather than causing immediate damage, the goal of an APT is to maintain covert access, monitor activity and steal information over time, using tooling such as exploit kits, custom malware and stolen credentials to get in and stay in. APT groups, often state-sponsored, typically go after high-value targets, such as large enterprises and government bodies, exfiltrating data over a long period.

Preventing APT attacks

Detecting anomalies in outbound data may be the best way for system administrators to determine if their networks have been targeted.

Indicators of APTs include the following:

  • unusual activity on user accounts;
  • extensive use of backdoor Trojan horse malware, a method that enables APTs to maintain access;
  • odd database activity, such as a sudden increase in database operations involving massive amounts of data; and
  • the presence of unusual data files, possibly indicating that data has been bundled into archives to assist in the exfiltration process.

To combat this type of information security threat, an organization should also deploy a firewall (software, hardware or cloud-based) with egress filtering, so that command-and-control and exfiltration traffic has to pass through a choke point where it can be logged and blocked. A web application firewall can detect and prevent attacks coming in through web applications by inspecting HTTP traffic.
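The outbound-anomaly check suggested above, as an added example that is not from the original article: a Python script that compares each host's egress volume today with its own recent baseline (a z-score against the past week) and flags hosts sending most of their traffic to a destination they have never contacted before. The telemetry, thresholds and known-destination list are constructed for the example; in production the history would come from flow, proxy or firewall logs.

```python
import math
import statistics

# Constructed outbound byte totals per internal host for the previous seven
# days, plus today's per-destination totals. Not real telemetry.
HISTORY = {
    "10.10.1.15": [210_000, 180_000, 195_000, 225_000, 205_000, 190_000, 215_000],
    "10.30.0.9": [5_000_000, 4_800_000, 5_100_000, 4_950_000, 5_050_000, 4_900_000, 5_000_000],
}
TODAY = {
    "10.10.1.15": {"203.0.113.50": 9_200_000, "198.51.100.12": 180_000},
    "10.30.0.9": {"198.51.100.12": 5_020_000},
}
# Destinations each host has talked to before (hypothetical known list).
KNOWN_DESTS = {
    "10.10.1.15": {"198.51.100.12"},
    "10.30.0.9": {"198.51.100.12"},
}


def zscore(history, value):
    """Standard deviations between value and the host's own baseline. A flat
    baseline (stdev 0) makes any change infinitely anomalous in that direction."""
    mean = statistics.mean(history)
    sd = statistics.stdev(history) if len(history) > 1 else 0.0
    if sd == 0:
        return 0.0 if value == mean else math.copysign(math.inf, value - mean)
    return (value - mean) / sd


def outbound_anomalies(history, known, today, z_threshold=3.0, new_dest_share=0.5):
    """Return (host, reason) findings: a host whose total egress is far above its
    own baseline, or that sends most of its traffic to a never-seen destination.
    Each host is compared with itself, so a busy database server and a quiet
    workstation each get a baseline that fits them."""
    findings = []
    for host, dests in today.items():
        total = sum(dests.values())
        z = zscore(history.get(host, [total]), total)
        if z > z_threshold:
            findings.append((host, f"egress {total} bytes is {z:.1f} sd above baseline"))
        for dst, nbytes in dests.items():
            if dst not in known.get(host, set()) and total and nbytes / total >= new_dest_share:
                findings.append((host, f"{nbytes / total:.0%} of egress to new destination {dst}"))
    return findings


if __name__ == "__main__":
    for host, reason in outbound_anomalies(HISTORY, KNOWN_DESTS, TODAY):
        print(host, reason)
```

A week of history is the minimum for this to mean anything; with seasonal workloads (month-end batch jobs, backups) the baseline should be built per weekday or per hour of day, otherwise the legitimate spikes will drown out the exfiltration you are looking for.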

Malvertising is a technique cybercriminals use to inject malicious code into legitimate online advertising networks and web pages. This code typically redirects users to malicious websites or installs malware on their computers or mobile devices. Users' machines may get infected even if they don't click on anything to start the download. Cybercriminals may use malvertising to deploy a variety of moneymaking malware, including cryptomining scripts, ransomware and banking Trojans.

Some of the websites of well-known companies, including Spotify, The New York Times and the London Stock Exchange, have inadvertently displayed malicious ads, putting users at risk.

Preventing malvertising

To prevent malvertising, ad networks should add validation; this reduces the chances a user could be compromised. Validation could include vetting prospective customers by requiring legal business paperwork, requiring two-factor authentication on advertiser accounts, scanning potential ads for malicious content before publishing an ad, or converting legacy Flash ads to animated GIFs or other static formats that cannot execute code.

To mitigate malvertising attacks, web hosts should periodically visit their own websites from an isolated, deliberately unpatched test system and monitor that system to detect any malicious activity an ad delivers. Any ad found to be malicious should be pulled.

To reduce the risk of malvertising attacks, enterprise security teams should be sure to keep software and patches up to date as well as install network antimalware tools.