Question
The objective of this assignment is to understand the detailed concepts of Modules 7 to 9 that you have studied from the book. To solve the following questions, you will need to carefully read and understand all the topics of Modules 7 to 9. Note: The question sets are defined based on the Modules/Chapters from the book (Principles of Incident Response and Disaster Recovery). You will see questions on Module 7 followed by Modules 8 and 9.
Module 7/Chapter 7 (To answer the following questions, read Module 7): PART 1: Discussion/Ethical Decision-Making Questions
1. If open-source software is free to use without licensing costs, what other factors should be considered when evaluating the total cost of operating such software?
2. Suppose JJ had a close friend who was a very experienced IDPS specialist, with broad and deep experience with a specific IDPS software vendor. JJ thought she would be an excellent candidate for the new position. JJ told her about the opportunity, but she was not quite as enthused about applying for it as JJ had hoped. You see, there was a referral bonus, and JJ would get a tidy sum of cash if she were hired based on his recommendation. JJ told her that she needed to get on board and that he would split the referral bonus with her. Do you think that is an ethical way to encourage the candidate to apply?
PART 2: Review Questions
1. What is a SPAN port and how is it different from a tap?
2. What is the clipping level?
3. What is a log file monitor? What is it used to accomplish?
4. What does the term trap and trace mean?
5. What is a honeypot? What is a honeynet? How are they different?
PART 3: Real-World Exercises
1. Find out more about defense in depth. Visit youtube.com and search for network defense in depth. Select one or two of the options and watch the videos. What is the primary value or justification for using this approach?
2. Visit the site www.honeynet.org. What is this Web site, and what does it offer the information security professional? Visit the Know Your Enemy white paper series and select a paper based on the recommendation of your professor. Read it and prepare a short overview for your class.
Module 8/Chapter 8 (To answer the following questions, read Module 8):
PART 1: Discussion/Ethical Decision-Making Question
1. Was Osbert acting ethically when he wrote his worm program? On what do you base your position?
2. Was Osbert's professor acting ethically by assigning him the worm program? On what do you base your position?
3. Who is responsible for this catastrophe? Osbert? His professor? The student who changed the network configuration? The university? On what do you base your position?
PART 2: Review Questions
1. What is an IR reaction strategy?
2. If an organization chooses the protect and forget approach instead of the apprehend and prosecute philosophy, what aspect of IR will be most affected?
3. What is the first task the CSIRT leader will undertake on arrival?
4. What is the second task the CSIRT leader will undertake?
PART 3: Real-World Exercises
1. Depending on where you live and copyright requirements, the documentary The KGB, the Computer and Me may be available for viewing on public video-streaming services. Use a search engine to find the title and watch the documentary if it is available. (The video remains available as of 2020; its run time is about 57 minutes.) As you watch the film, note what makes Cliff start the search for the hacker.
2. One example of unauthorized access occurs when a relatively low-level account is used to gain access and then the commandeered account has its privileges escalated. Enter the search term privilege escalation demonstration. Choose at least two of the options and view the videos. As you watch, look for the techniques used to achieve the desired result.
Module 9/Chapter 9 (To answer the following questions, read Module 9):
PART 1: Discussion/Ethical Decision-Making Questions
1. Was the CSIRT response appropriate, given the circumstances? On what do you base your position?
2. Can the team access Osbert's personal devices to examine them? Under what constraints? How might the team accomplish this legally?
3. During the investigation and forensic effort in response to the worm outbreak, you are examining a hard drive and find love letters between two employees of the organization who are not married to each other. This activity is not illegal, and it is not related to the worm attack. Do you report it in the investigation?
PART 2: Review Questions
1. What is an incident damage assessment?
2. What are some of the reasons a safeguard or control may not have been successful in stopping or limiting an incident?
PART 3: Real-World Exercises
1. Do a Web search for Trojan horse defense. How can it be used to question the conclusions drawn from a forensic investigation?
2. At the end of 2006, a new edition of the Federal Rules of Civil Procedure (FRCP) went into effect. Do a Web search to learn more about the FRCP. What likely effect will its emphasis on electronically stored information (ESI) have on an organization's need for a digital forensic capability?