Practice identifying the parts of a cybersecurity incident response plan, making response decisions, and improving procedures after an incident.
Read each scenario carefully. Answer in complete sentences and show your reasoning where appropriate.
Planning, documenting, and improving a response to cyber incidents
Computer Science - Grade 9-12
- 1
List the six common phases of a cybersecurity incident response plan and briefly explain the purpose of each phase.
- 2
A student reports that a school laptop suddenly displays a message demanding payment to unlock files. Which incident response phase begins first after the report, and what should the response team do during that phase?
- 3
Explain the difference between containment and eradication in an incident response plan.
- 4
A company detects that one employee account is sending suspicious emails to hundreds of contacts. Write two immediate containment actions the company should take.
- 5
Read the event log summary: 8:05 a.m. login from the employee's city, 8:10 a.m. failed login attempts from another country, 8:12 a.m. successful login from that country, 8:15 a.m. password changed, 8:18 a.m. mass email sent. Identify the most likely incident and explain your evidence.
- 6
Why should an incident response plan define roles such as incident commander, technical lead, communications lead, and legal or compliance contact?
- 7
A school server may have been hacked. Write three pieces of information that should be included in the first incident ticket or report.
- 8
Choose the better communication message for students and explain why it is better. Message A: There was a huge hack and everything may be unsafe. Message B: We are investigating a security issue affecting the student portal. Please do not reset passwords until further notice, and we will provide an update by 3:00 p.m.
- 9
During an incident, why is it important to preserve evidence before wiping a computer or reinstalling software?
- 10
A web application was attacked through an unpatched vulnerability. Give one eradication action and one recovery action for this incident.
- 11
The table shows possible incidents: phishing email, lost phone with school email access, malware on a lab computer, and leaked database password. For each incident, name one containment action.
- 12
Explain what a severity level is in an incident response plan. Give an example of a low-severity incident and a high-severity incident.
- 13
A backup is available after a ransomware attack, but it was last made three weeks ago. What should the response team check before restoring from the backup?
- 14
Create a short checklist of five actions that should be completed during the preparation phase of an incident response plan.
- 15
After a data breach, the team holds a lessons learned meeting. Write three questions the team should ask and explain how the answers can improve the incident response plan.