Module 2: Escalate Incidents  


INTRODUCTION – Escalate Incidents

This module covers the critical aspects of cyber security incident prioritization and escalation. These processes are essential to maintaining a secure and fully functioning business. The module clarifies the decision-making framework security experts adopt, showing how they make strategic decisions to protect the security posture of their organizations.

With an understanding of the complexity behind incident prioritization, the way security teams judge the seriousness and urgency of different events becomes clear. Incident escalation refers to the mechanisms professionals use to raise the response level in line with the criticality of an incident. This overview should equip the learner with the skills and competences needed to make informed decisions in incident management, securing organizational assets and cybersecurity resilience.

Learning Objectives

  • Define incident escalation from the perspective of a security analyst.
  • Examine different categories of security incident classification.
  • Observe how various security incidents can affect the functioning of businesses.
  • Determine when and how to escalate a security incident.

TEST YOUR KNOWLEDGE: TO ESCALATE OR NOT TO ESCALATE

1. Fill in the blank: A malware infection is an incident type that occurs when _____.

  • a computer’s speed and performance improves
  • an employee of an organization violates the organization’s acceptable use policies
  • a website experiences high traffic volumes
  • malicious software designed to disrupt a system infiltrates an organization’s computers or network (CORRECT)

2. Fill in the blank: Improper usage is an incident type that occurs when _____.

  • an employee that runs an organization’s public relations posts incorrect data on the company’s social media page
  • an individual gains digital or physical access to a system or application without permission
  • malicious software designed to disrupt a system infiltrates an organization’s computers or network.
  • an employee of an organization violates the organization’s acceptable use policies (CORRECT)

Improper usage is a security incident in which an employee uses a system in a way the organization does not permit. Examples include accessing unauthorized data, using the company’s systems for personal matters, or engaging in activities that compromise the organization’s security protocols.

3. When should you escalate improper usage to a supervisor?

  • Improper usage incidents should always be escalated out of caution. (CORRECT)
  • Improper usage incidents should be escalated if there is a high level of improper usage.
  • Improper usage attempts that affect high-priority assets should be escalated; other improper usage instances are not as important.
  • Improper usage does not need to be escalated because these are in-house scenarios that can be handled without reporting them to the security team.

Improper usage is a security incident that occurs when an employee misuses the access rights granted to them by the company. Typical actions that fall under this definition include accessing unauthorized data or files, using company resources for personal purposes, or engaging in activities that compromise the organization’s security protocols.

4. Fill in the blank: Unauthorized access is an incident type that occurs when _____.

  • malicious software designed to disrupt a system infiltrates an organization’s computers or network
  • an employee of an organization violates the organization’s acceptable use policies
  • an individual gains digital or physical access to a system, data, or an application without permission (CORRECT)
  • an authorized employee sends a job description to a friend before the job description has been released to the public

Unauthorized access is an incident type that occurs when an individual gains digital or physical access to a system, data, or an application without permission.

TEST YOUR KNOWLEDGE: TIMING IS EVERYTHING

1. All security incidents should be escalated.

  • True
  • False (CORRECT)

Not every security incident needs to be escalated. Many should be, but some are more urgent than others: incidents with higher risk exposure and greater impact require prompt action and a more immediate response to avoid potential damage.

2. You’ve recently been hired as a cybersecurity analyst for an office supply organization. Which incident can have the most impact on the organization’s operations?

  • The organization’s guest Wi-Fi network is down
  • An employee forgets their login credentials
  • The organization’s manufacturing network is compromised (CORRECT)
  • A user’s social media profile has the wrong birthday displayed

The manufacturing network is the part of the company on which its operations depend. If it is compromised, the company faces a major loss: financially, through the disruption of manufacturing, and through the loss of intellectual property and customer trust.

3. Fill in the blank: A(n) _____ is a set of actions that outlines who should be notified when an incident alert occurs and how that incident should be handled.

  • event
  • escalation policy (CORRECT)
  • security incident
  • playbook

An escalation policy defines who is notified when an incident alert is received and how that incident should be managed. It ensures that incidents are handled by the appropriate people at the right level of urgency, so that prioritization helps minimize the potential impact.

4. Which incident classification type occurs when an employee violates an organization’s acceptable use policy?

  • Improper usage (CORRECT)
  • Containment
  • Unauthorized access
  • Malware infection

An improper usage incident occurs when an employee violates the organization’s acceptable use policies. This includes unauthorized access to data, misuse of company resources, or engagement in activities that compromise the security or operation of the organization.

PRACTICE QUIZ: Test your knowledge on Analytical Thinking

1. What security term describes the identification of a potential security event, triaging it, and handing it off to a more experienced team member?

  • SOC operations
  • Incident escalation (CORRECT)
  • Social engineering
  • Data security protection

2. Fill in the blank: _____ is a skill that will help you identify security incidents that need to be escalated.

  • Leadership
  • Graphics design
  • Attention to detail (CORRECT)
  • Linux operations

3. What elements of security do terms like unauthorized access, malware infections, and improper usage describe?

  • Public press releases
  • Company job descriptions
  • Phishing attempts
  • Incident classification types (CORRECT)

4. Which incident type involves an employee violating an organization’s acceptable use policy?

  • Phishing
  • Unauthorized access
  • Malware infection
  • Improper usage (CORRECT)

5. Which of the following security incidents can have the most damaging impact to an organization?

  • An employee forgets their password and logs too many failed login attempts
  • A system containing customer PII is compromised (CORRECT)
  • The guest Wi-Fi network for a company is hacked
  • A company’s social media account is compromised

6. What is the best way to determine the urgency of a security incident?

  • Email the Chief Information Security Officer (CISO) of the company for clarification.
  • Identify the importance of the assets affected by the security incident. (CORRECT)
  • Reach out to the organization’s Red Team supervisor to determine urgency.
  • Contact the risk assessment team to determine urgency.

7. What security term is defined as a set of actions that outlines who should be notified when an incident alert occurs?

  • A vulnerability scan system
  • A security risk assessor
  • A network architecture alert
  • An escalation policy (CORRECT)

8. Why is it important for analysts to follow a company’s escalation policy? Select two answers.

  • An escalation policy can help analysts prioritize which security events need to be escalated with more or less urgency. (CORRECT)
  • An escalation policy can help analysts determine the best way to cross-collaborate with other members of their organization.
  • An escalation policy instructs analysts on the right person to contact during an incident. (CORRECT)
  • An escalation policy can help analysts determine which tools to use to solve an issue.

9. A new security analyst has just been hired to an organization and is advised to read through the company’s escalation policy. What kind of information will the analyst be educated on when reading through this policy?

  • They will learn when and how to escalate security incidents. (CORRECT)
  • They will learn the best way to create visual dashboards to communicate with executives.
  • They will learn how to use the Linux operating system.
  • They will learn the best way to communicate with stakeholders.

10. Which skills will help you identify security incidents that need to be escalated? Select two answers.

  • Excellent communication skills
  • Ability to follow an organization’s escalation guidelines or processes (CORRECT)
  • Ability to collaborate well with others
  • Attention to detail (CORRECT)

11. As a security analyst, you might be asked to escalate various incidents. Which of the following are common incident classification types? Select two answers.

  • Gift card scam
  • Unauthorized access (CORRECT)
  • SPAM
  • Malware infection (CORRECT)

12. An employee attempting to access software on their work device for personal use can be an example of what security incident type?

  • Unauthorized access
  • Improper usage (CORRECT)
  • Social engineering
  • Malware infection

13. A security analyst for an organization notices unusual log activity in an app that was recently banned from the organization. However, the analyst forgets to escalate this activity to the proper personnel. What potential impact can this small incident have on the organization?

  • The third-party assessment team might be removed by the organization.
  • Small incidents rarely have any impact on an organization.
  • The organization might need to delete its social media profile.
  • It can become a bigger threat. (CORRECT)

14. How can an escalation policy help security analysts do their jobs?

  • An escalation policy educates analysts on how to be aware of phishing attempts.
  • An escalation policy outlines who should be notified when an incident occurs. (CORRECT)
  • An escalation policy instructs the analysts on how to scan for vulnerabilities.
  • An escalation policy outlines when to alert the public of a data breach.

15. You have recently been hired as a security analyst for an organization. You previously worked at another company doing security, and you were very familiar with their escalation policy. Why would it be important for you to learn your new company’s escalation policy?

  • Every company has a different escalation policy, and it is an analyst’s job to ensure incidents are handled correctly. (CORRECT)
  • The escalation policy will help you with vulnerability scanning.
  • The policy will help you analyze data logs.
  • The policy will advise you on who to report to each day.

16. Fill in the blank: A/An _____ will help an entry-level analyst to know when and how to escalate a security incident.

  • escalation policy (CORRECT)
  • blue team CIRT guideline
  • executive security dashboard
  • employee security handbook

17. Which of the following security incidents is likely to have the most negative impact on an organization?

  • An employee having a phone conversation about a work project in the breakroom
  • Unauthorized access to a manufacturing application (CORRECT)
  • An employee sends an email to the wrong colleague
  • An employee’s account flagged for multiple login attempts

18. Fill in the blank: Entry-level analysts might need to escalate various incident types, including _____.

  • mismanagement of funds
  • missing software
  • noncompliance of tax laws
  • improper usage (CORRECT)

19. You are alerted that a hacker has gained unauthorized access to one of your organization’s manufacturing applications. At the same time, an employee’s account has been flagged for multiple failed login attempts. Which incident should be escalated first?

  • The best thing to do is escalate the incident that your supervisor advised you to escalate first.
  • The incident involving the malicious actor who has gained unauthorized access to the manufacturing application should be escalated first. (CORRECT)
  • The incident involving the employee who is unable to log in to their account should be escalated first.
  • Both security incidents should be escalated at the same time.

20. What is a potential negative consequence of not properly escalating a small security incident? Select two answers.

  • The company can suffer a financial loss. (CORRECT)
  • The company can suffer a loss in reputation. (CORRECT)
  • The company’s antivirus software can be uninstalled.
  • The company’s employee retention percentage can decrease drastically.

21. Unauthorized access to a system with PII is _____ critical than an employee’s account being flagged for multiple failed login attempts.

  • less
  • equally
  • marginally
  • more (CORRECT)

22. Fill in the blank: Incident escalation is the process of _____.

  • properly assessing security events
  • reporting a security incident to a human resource department for compliance purposes
  • identifying a potential security incident, triaging it, and handing it off to a more experienced team member (CORRECT)
  • creating a visual dashboard that shows security stakeholders the amount of security incidents taking place

23. Fill in the blank: Security incidents involving the PII of customers should be escalated with a ____ level of urgency compared to incidents that do not involve customer PII.

  • moderate
  • minimal
  • lower
  • higher (CORRECT)

24. Fill in the blank: _____ is important when following a company’s escalation policy to ensure you follow the policy correctly.

  • Working remotely
  • Delegating tasks
  • Attention to detail (CORRECT)
  • Reading quickly

25. Which of the following is an essential part of incident escalation?

  • Communicate a potential security incident to a more experienced team member (CORRECT)
  • Make reactive decisions
  • Maintain data logs that detail previous security events
  • Create a visual dashboard that details a solution to the security problem

26. Fill in the blank: An escalation policy is a set of actions that outlines _____.

  • how to manage the security stakeholders of an organization
  • how to escalate customer service complaints
  • how to handle a security incident alert (CORRECT)
  • how to defend an organization’s data and assets

CONCLUSION – Escalate Incidents

In conclusion, this module serves as a significant introduction to incident prioritization and escalation, giving participants a thorough understanding of these critical roles in cybersecurity. It equips learners with the knowledge and ability to meet the challenges posed by dynamic incident management.

The decision-making, severity assessment, and escalation skills learned here make for a truly well-rounded cybersecurity professional. By the end of this segment, students have the capabilities to maintain an organization’s security posture and respond to a wide range of cybersecurity incidents, keeping business operations running.
