Topic: CS0-002 topic 1 question 23

A help desk technician inadvertently sent the credentials of the company's CRM in cleartext to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT?

A.
Contact the CRM vendor.
B.
Prepare an incident summary report.
C.
Perform postmortem data correlation.
D.
Update the incident response plan.

Re: CS0-002 topic 1 question 23

The technician sent to the employee's PERSONAL EMAIL. I think that is the key word. The actions the technician took don't seem to contain the issue at hand. How does resetting the Corporate Account or Corporate Email affect PERSONAL email? The incident report document needs to be updated or the technician needs to contact the CRM. I would go with A to contain.

Re: CS0-002 topic 1 question 23

After the incident has been handled by the help desk technician and reported to the security team, the immediate next step in the incident response process is to prepare an incident summary report.

This report should document the details of the incident, including what happened, when it occurred, how it was discovered, and the actions taken to mitigate and remediate the incident.

The incident summary report provides a formal record of the incident for internal documentation purposes and may also be used for reporting to senior management, compliance purposes, or future incident response planning.

While updating the incident response plan (Option D) may be necessary in the long term to incorporate lessons learned from the incident, it is not the immediate next step following the incident.

Re: CS0-002 topic 1 question 23

Based on the official steps, the NEXT step after recovery is a postmortem.

Recovery:
Restore affected systems and services to normal operation.

Lessons Learned:
Conduct a postmortem analysis of the incident.

Re: CS0-002 topic 1 question 23

I agree with skibby16

Re: CS0-002 topic 1 question 23

The security team should perform postmortem data correlation next after receiving notification of the incident from the help desk technician. Postmortem data correlation is an activity that involves analyzing data from various sources (such as logs, alerts, reports, etc.) to identify root causes, impacts, indicators of compromise (IoCs), lessons learned, and recommendations for improvement after an incident. Postmortem data correlation can help the security team to determine how the incident occurred and how it was detected and resolved; assess the scope and severity of the incident and its effects on confidentiality, integrity, and availability; identify any gaps or weaknesses in security controls or processes that contributed to the incident; and develop action plans or remediation strategies to prevent recurrence or mitigate future incidents.

Re: CS0-002 topic 1 question 23

Among the given options, performing a postmortem data correlation (Option C) seems to be a logical next step as it will help the security team to analyze the incident in detail, learn from it, and identify measures to prevent such incidents in the future. However, preparing an incident summary report (Option B) could also be a viable next step for documentation and initial analysis. The specific next step would depend on the organization's established incident response procedures.

Re: CS0-002 topic 1 question 23

Given the context of the situation, the most appropriate next step is:

B. Prepare an incident summary report.

This step allows the security team to document the incident and its initial response, which is crucial for maintaining a record of the incident and ensuring that all relevant information is captured for further analysis and decision-making. After this step, the team can proceed with a more detailed analysis, data correlation, and any necessary follow-up actions, such as contacting the CRM vendor or updating the incident response plan.
-chatGPT

Re: CS0-002 topic 1 question 23

It cracks me up when people use chatgpt. It just gave me a different answer than the one you have posted lol. According to the incident response procedure described, the next step the security team should take is:

C. Perform postmortem data correlation.

Performing postmortem data correlation involves analyzing the incident to understand the full scope of the incident, how it occurred, and what data was potentially exposed. This analysis helps the security team identify any potential risks, vulnerabilities, or areas for improvement in the organization's security practices. It's an important step in incident response to ensure that similar incidents can be prevented in the future.

While the other options (A, B, and D) may be necessary in the broader incident response process, the immediate next step, in this case, should be to perform postmortem data correlation to understand the incident's details and implications.

Re: CS0-002 topic 1 question 23

I would go with A. They're asking what should be done NEXT... not the near future.

Re: CS0-002 topic 1 question 23

This incident has nothing to do with the user's account but with the CRM credentials. I would go with A, contact the CRM to change their credentials.

Re: CS0-002 topic 1 question 23

A. There is a longer period of time to assess the environment.
A longer period of time to assess the environment during a vulnerability assessment/penetration test can be more dangerous to the client environment as it provides an opportunity for attackers to exploit vulnerabilities and take advantage of any weaknesses in the system. This potentially gives attackers more time to gather sensitive information, create persistent backdoors into the system, and launch attacks against the organization.
The other options are not as dangerous as a longer period for assessment.

Re: CS0-002 topic 1 question 23

B. This verbiage is terrible, but B looks to be the best option for what would come next from an IR team.

Re: CS0-002 topic 1 question 23

First of all, I despise all these questions as they are structured badly. But I can see why they claim the answer is D. Their incident response plan is flawed, or they at least need to train their help desk better. However, based on the incident response plan, containment should be achieved by contacting the CRM and resetting the password for the CRM account. My vote is A.

Re: CS0-002 topic 1 question 23

When you look at what the technician did to "remedy" the mistake, it clearly contains some odd actions. Could be that the incident response procedure is wrong and needs to be updated. That's the only aspect I could see that would justify D.

Re: CS0-002 topic 1 question 23

I feel like it is A.

Re: CS0-002 topic 1 question 23

B is the correct answer.

Re: CS0-002 topic 1 question 23

B is the best answer here

Re: CS0-002 topic 1 question 23

Incident Response Phases: Preparation > Detection and Analysis > Containment > Eradication and Recovery > Post-incident Activity. It is imperative to document the incident. This phase is very commonly referred to as lessons learned...
All phases were accomplished up to Eradication and Recovery, so the next step is 5.