Module 2: Escalate Incidents

Q: What security term describes the identification of a potential security event, triaging it, and handing it off to a more experienced team member?

  • SOC operations
  • Incident escalation 
  • Social engineering
  • Data security protection
Explanation: Incident escalation is the process of identifying a potential security event, triaging it (assessing its type and severity), and handing it off to a team member with more experience or authority. It ensures the incident is handled by people who have the skills, access, and resources to investigate and resolve it.

Q: Fill in the blank: _____ is a skill that will help you identify security incidents that need to be escalated.

  • Leadership
  • Graphics design
  • Attention to detail 
  • Linux operations
Explanation: Attention to detail is the skill that helps you recognize which security events need escalation. Indicators of a real incident are often small: an unusual log entry, a login from an unexpected location, a process that should not be running. Noticing and correctly interpreting those details is what separates an event worth escalating from background noise.

Q: What elements of security do terms like unauthorized access, malware infections, and improper usage describe?

  • Public press releases
  • Company job descriptions
  • Phishing attempts
  • Incident classification types 
Explanation: "Unauthorized access," "malware infection," and "improper usage" are incident classification types. Classifying incidents by their nature and likely impact helps a security team decide how urgently each one must be handled and which response procedure applies.

Q: Which incident type involves an employee violating an organization’s acceptable use policy?

  • Phishing
  • Unauthorized access
  • Malware infection
  • Improper usage
Explanation: Improper usage is the incident type in which an employee violates the organization's acceptable use policy (AUP). Typical examples are using company systems for personal purposes, accessing content the policy prohibits, or otherwise using corporate resources in ways the AUP does not permit.

Q: Which of the following security incidents can have the most damaging impact to an organization?

  • An employee forgets their password and logs too many failed login attempts
  • A system containing customer PII is compromised 
  • The guest Wi-Fi network for a company is hacked
  • A company’s social media account is compromised
Explanation: Compromise of a system holding customer personally identifiable information (PII) is the most damaging of the listed incidents. Exposure of sensitive personal data can lead to regulatory penalties, breach-notification obligations, legal liability, and loss of customer trust. The other options involve low-value assets (guest Wi-Fi, a social media account) or no compromise at all (a forgotten password).

Q: What is the best way to determine the urgency of a security incident?

  • Email the Chief Information Security Officer (CISO) of the company for clarification.
  • Identify the importance of the assets affected by the security incident.
  • Reach out to the organization’s Red Team supervisor to determine urgency.
  • Contact the risk assessment team to determine urgency.
Explanation: The urgency of a security incident is best determined by the importance of the assets it affects. Knowing which systems and data are involved, and how critical they are to the organization's operations and security posture, lets you prioritize the response and allocate resources according to the likely impact. Contacting the CISO, the red team, or the risk assessment team is not a substitute for that assessment and would delay the response.

Q: What security term is defined as a set of actions that outlines who should be notified when an incident alert occurs?

  • A vulnerability scan system
  • A security risk assessor
  • A network architecture alert
  • An escalation policy 
Explanation: An escalation policy is a set of actions that defines who should be notified when an incident alert occurs. It specifies the steps to follow and the stakeholders to contact at each stage of incident response, so that incidents reach the right people promptly.

Q: Why is it important for analysts to follow a company’s escalation policy? Select two answers.

  • An escalation policy can help analysts prioritize which security events need to be escalated with more or less urgency.
  • An escalation policy can help analysts determine the best way to cross-collaborate with other members of their organization.
  • An escalation policy instructs analysts on the right person to contact during an incident. 
  • An escalation policy can help analysts determine which tools to use to solve an issue.
Explanation: The two correct answers are that an escalation policy helps analysts prioritize which events need to be escalated with more or less urgency, and that it tells them the right person to contact during an incident. Following the policy streamlines communication and ensures incidents reach staff with the competence to handle them. The policy does not cover cross-team collaboration in general or which tools to use.

Q: A new security analyst has just been hired to an organization and is advised to read through the company’s escalation policy. What kind of information will the analyst be educated on when reading through this policy?

  • They will learn when and how to escalate security incidents. 
  • They will learn the best way to create visual dashboards to communicate with executives.
  • They will learn how to use the Linux operating system.
  • They will learn the best way to communicate with stakeholders.
Explanation: An escalation policy teaches the analyst when and how to escalate security incidents, in line with the organization's standards and objectives. Learning Linux, building executive dashboards, and general stakeholder communication are not what an escalation policy covers; those topics belong to separate training or guidelines.

Q: Which skills will help you identify security incidents that need to be escalated? Select two answers.

  • Excellent communication skills
  • Ability to follow an organization’s escalation guidelines or processes 
  • Ability to collaborate well with others
  • Attention to detail
Explanation: The two correct answers are the ability to follow the organization's escalation guidelines or processes and attention to detail. Following the established process ensures incidents are escalated the way the organization expects, and attention to detail lets you spot the subtle indicators and patterns in security events that signal an incident needs escalation. Communication and collaboration are valuable but do not by themselves help you identify which events to escalate.

Q: As a security analyst, you might be asked to escalate various incidents. Which of the following are common incident classification types? Select two answers.

  • Gift card scam
  • Unauthorized access 
  • SPAM
  • Malware infection 
Explanation: Unauthorized access and malware infection are the two common incident classification types in this list. Gift card scams and spam are specific lures or nuisance traffic rather than classification types. Classifying incidents by their nature and impact helps analysts prioritize and apply the right response to each kind.

Q: An employee attempting to access software on their work device for personal use can be an example of what security incident type?

  • Unauthorized access
  • Improper usage 
  • Social engineering
  • Malware infection
Explanation: An employee attempting to access software on their work device for personal use is an example of improper usage. This incident type covers violations of the organization's acceptable use policy, including using business resources for personal purposes.

Q: A security analyst for an organization notices unusual log activity in an app that was recently banned from the organization. However, the analyst forgets to escalate this activity to the proper personnel. What potential impact can this small incident have on the organization?

  • The third-party assessment team might be removed by the organization.
  • Small incidents rarely have any impact on an organization.
  • The organization might need to delete its social media profile.
  • It can become a bigger threat. 
Explanation: If unusual log activity in a banned application is not escalated, it can grow into a bigger threat. An untreated minor event can develop into a full security breach, damaging the organization's security posture and data integrity and potentially leading to regulatory non-compliance or reputational harm. Analysts should escalate events like this promptly so they can be contained before they grow.

Q: How can an escalation policy help security analysts do their jobs?

  • An escalation policy educates analysts on how to be aware of phishing attempts.
  • An escalation policy outlines who should be notified when an incident occurs.
  • An escalation policy instructs the analysts on how to scan for vulnerabilities.
  • An escalation policy outlines when to alert the public of a data breach.
Explanation: An escalation policy helps security analysts do their jobs by outlining who should be notified when an incident occurs. It identifies the stakeholders and management levels to inform at each phase of incident handling, so incidents reach the right people promptly and communication, decision-making, and response are coordinated. It does not teach phishing awareness or vulnerability scanning, and public breach notification is governed by separate legal and communications procedures.

Q: You have recently been hired as a security analyst for an organization. You previously worked at another company doing security, and you were very familiar with their escalation policy. Why would it be important for you to learn your new company’s escalation policy?

  • Every company has a different escalation policy, and it is an analyst’s job to ensure incidents are handled correctly.
  • The escalation policy will help you with vulnerability scanning.
  • The policy will help you analyze data logs.
  • The policy will advise you on who to report to each day.
Explanation: Every organization has its own escalation policy, and it is the analyst's job to make sure incidents are handled correctly under that policy. The new company's policy defines how incidents are escalated, who must be informed, and how they are handled, and those details will differ from your previous employer's. Learning it keeps incident handling consistent with the organization's standards and security goals.

Q: Fill in the blank: A/An _____ will help an entry-level analyst to know when and how to escalate a security incident.

  • escalation policy
  • blue team CIRT guideline
  • executive security dashboard
  • employee security handbook
Explanation: An escalation policy helps an entry-level analyst know when and how to escalate a security incident. It sets out the procedures and criteria for escalation so that incidents are handled efficiently and promptly within the organization.

Q: Which of the following security incidents is likely to have the most negative impact on an organization?

  • An employee having a phone conversation about a work project in the breakroom
  • Unauthorized access to a manufacturing application 
  • An employee sends an email to the wrong colleague
  • An employee’s account flagged for multiple login attempts
Explanation: Unauthorized access to a manufacturing application is likely to have the most negative impact of the listed incidents. It could lead to loss of confidential information, disruption of production, regulatory penalties if sensitive data is involved, and harm to the organization's reputation and stakeholder confidence. Because it is a serious breach, it needs prompt attention and mitigation to limit the damage it might cause. The other options are minor policy or hygiene issues.

Q: Fill in the blank: Entry-level analysts might need to escalate various incident types, including _____.

  • mismanagement of funds
  • missing software
  • noncompliance of tax laws
  • improper usage 
Explanation: Improper usage refers to incidents in which employees break organizational rules or standards governing the authorized use of corporate resources. Such incidents can threaten the company's security and may need escalation so they are handled and resolved properly. Mismanagement of funds, missing software, and tax noncompliance are not security incident types.

Q: You are alerted that a hacker has gained unauthorized access to one of your organization’s manufacturing applications. At the same time, an employee’s account has been flagged for multiple failed login attempts. Which incident should be escalated first?

  • The best thing to do is escalate the incident that your supervisor advised you to escalate first.
  • The incident involving the malicious actor who has gained unauthorized access to the manufacturing application should be escalated first.
  • The incident involving the employee who is unable to log in to their account should be escalated first.
  • Both security incidents should be escalated at the same time.
Explanation: The incident involving the malicious actor who has gained unauthorized access to the manufacturing application should be escalated first. Unauthorized access is an active, potentially serious breach that demands rapid action to contain further harm and assess the impact on the organization's systems and data. Multiple failed login attempts on a single employee account are far less urgent and can be handled afterward.

Q: What is a potential negative consequence of not properly escalating a small security incident? Select two answers.

  • The company can suffer a financial loss. 
  • The company can suffer a loss in reputation. 
  • The company’s antivirus software can be uninstalled.
  • The company’s employee retention percentage can decrease drastically.
Explanation: The two correct answers are financial loss and loss of reputation. A minor incident that is not escalated on time can develop into a serious breach, leading to financial consequences such as regulatory penalties or lost revenue, and damaging the organization's reputation and the trust of customers, stakeholders, and the public. Uninstalled antivirus software and a drop in employee retention are not direct consequences of a missed escalation.

Q: Unauthorized access to a system with PII is _____ critical than an employee’s account being flagged for multiple failed login attempts.

  • less
  • equally
  • marginally
  • more 
Explanation: Unauthorized access to a system holding personally identifiable information (PII) is more critical than an employee's account being flagged for multiple failed login attempts. Unauthorized access to sensitive data can mean a data breach, legal and regulatory exposure, and harm to the individuals whose PII is compromised. Multiple failed login attempts are worth noting but usually do not pose an immediate risk of data disclosure comparable to confirmed unauthorized access.
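The quiz describes an escalation policy as "who to notify when an alert occurs" and urgency as "the importance of the affected assets." The following is an added example, not part of the original course material, that expresses both ideas as code: a small triage routine that scores constructed sample alerts by incident type and asset criticality, orders them the way the questions above expect (unauthorized access to a PII or manufacturing system ahead of failed logins), and walks a tiered escalation chain with acknowledgement deadlines. The incident types come from the material; the weights, asset tiers, contact names, and deadlines are assumed values that a real policy would define.

```python
"""Escalation policy as code: triage constructed sample alerts, order them by
severity, and resolve who has been notified at a given point in time.
All numeric weights, asset tiers, contacts and deadlines are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Incident classification types from the course material; weights are assumed.
INCIDENT_TYPE_WEIGHT: Dict[str, int] = {
    "unauthorized_access": 3,
    "malware_infection": 3,
    "improper_usage": 2,
    "failed_logins": 1,
}

# Asset criticality tiers (assumed): how important the affected asset is.
ASSET_CRITICALITY: Dict[str, int] = {
    "customer_pii_db": 5,
    "manufacturing_app": 4,
    "employee_workstation": 2,
    "guest_wifi": 1,
}

# Hypothetical escalation policy: per severity, the ordered chain of
# (contact, minutes that tier has to acknowledge before the next tier is paged).
ESCALATION_POLICY: Dict[str, List[Tuple[str, int]]] = {
    "critical": [("soc-tier2", 15), ("incident-manager", 15), ("ciso", 30)],
    "high": [("soc-tier2", 30), ("incident-manager", 60)],
    "medium": [("soc-tier2", 240)],
    "low": [("soc-tier1-queue", 1440)],
}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    incident_type: str
    asset: str
    detected_at: datetime


def score(alert: Alert) -> int:
    """Type weight times asset criticality. Unknown types or assets fall back
    to the highest weight (fail closed) so a gap in the policy never silently
    downgrades an alert; a real policy might instead route these to review."""
    weight = INCIDENT_TYPE_WEIGHT.get(alert.incident_type, max(INCIDENT_TYPE_WEIGHT.values()))
    crit = ASSET_CRITICALITY.get(alert.asset, max(ASSET_CRITICALITY.values()))
    return weight * crit


def severity(alert: Alert) -> str:
    """Map the numeric score onto the policy's severity bands (thresholds assumed)."""
    s = score(alert)
    if s >= 12:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def triage(alerts: Iterable[Alert]) -> List[Alert]:
    """Order alerts for escalation: highest score first, then oldest first."""
    return sorted(alerts, key=lambda a: (-score(a), a.detected_at))


def who_to_notify(alert: Alert, elapsed_minutes: int, acknowledged: bool = False) -> List[str]:
    """Walk the escalation chain for the alert's severity. Each tier is paged in
    turn; if its acknowledgement deadline passes without an ack, the next tier
    is paged too. Returns every contact paged so far."""
    paged: List[str] = []
    deadline = 0
    for contact, ack_minutes in ESCALATION_POLICY[severity(alert)]:
        paged.append(contact)
        deadline += ack_minutes
        if acknowledged or elapsed_minutes < deadline:
            break
    return paged


# Constructed sample alerts mirroring the quiz scenarios (not real data).
SAMPLE_ALERTS: List[Alert] = [
    Alert("A1", "failed_logins", "employee_workstation", datetime(2024, 1, 1, 9, 0)),
    Alert("A2", "unauthorized_access", "manufacturing_app", datetime(2024, 1, 1, 9, 2)),
    Alert("A3", "improper_usage", "employee_workstation", datetime(2024, 1, 1, 9, 5)),
    Alert("A4", "unauthorized_access", "customer_pii_db", datetime(2024, 1, 1, 9, 7)),
    Alert("A5", "unclassified", "unknown-host", datetime(2024, 1, 1, 9, 10)),  # policy gap
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(a.alert_id, severity(a), score(a), who_to_notify(a, 20))
```

Two design points worth noting. First, the ordering comes from the product of incident type and asset criticality rather than from the type alone, which is how "identify the importance of the affected assets" turns into a repeatable rule. Second, the unknown-type alert (A5) is deliberately scored as critical: an alert the policy does not recognize is a gap in the policy, and failing closed surfaces that gap instead of burying it in the low-priority queue.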
