<?xml version="1.0"?>
<Module projectID="1303" moduleID="1572">
	<ModuleName>M01_L03</ModuleName>
	<AU>M01_L03</AU>
	<Title>Incident Analysis Methodology</Title>
	<Subtitle>Incident Analysis Methodology</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../M01_L03/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaiar03_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on the incident analysis methodology. When you have completed this lesson, you will be able to identify the objectives of incident analysis, identify the phases of the incident analysis methodology, and use the Impact Assessment Matrix to rate the severity of a given incident. There are five topics in this lesson. After completing the introduction, you will review the essential concepts of incident analysis. You will then explore the six phases of the incident analysis methodology. And finally, you will examine how the Impact Assessment Matrix is used to rate the severity of an incident. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description. Course: D O D Intrusion Detection System (I D S) Analysis, Part 4: C N D Analysis: Incident Response and Analysis, Lesson 3: Incident Analysis Methodology. For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 15. Lesson title: Incident Analysis Methodology. Topic title: Introduction. Screen title: Objectives and Topics. Three learning objectives display in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled Overview of Incident Analysis. The third topic is titled Incident Analysis Methodology. The fourth topic is titled Impact Assessment Matrix. The fifth and final topic is the Conclusion. Text displays: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service, or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Overview of Incident Analysis</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>What Is Incident Analysis?</Title>
					<Subtitle/>
					<Filename>disaiar03_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So, what exactly is incident analysis? Incident analysis is a series of analytical steps taken to find out what happened during an incident. The overall purpose of incident analysis is for you to understand the technical details, root causes, and potential impact of an incident. This understanding will help you to identify what additional information you need to gather, coordinate information sharing with others, and develop a course of action for your response. The primary objectives of incident analysis are to systematically capture the methods used in the attack and the security controls that could prevent future occurrences, understand patterns of activity to characterize the threat and direct protective and defensive strategies, identify root causes of the incident through technical analysis, research actions that can be taken to respond to and eradicate the risk and/or threat, characterize and communicate the potential impact of the incident, and ensure the accuracy and completeness of incident reports. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 15. Topic title: Overview of Incident Analysis. Screen title: What is Incident Analysis? Images display of basic network and C N D analyst. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Roles and Responsibilities of the CND Analyst</Title>
					<Subtitle/>
					<Filename>disaiar03_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As a CND analyst, you are responsible for conducting each step of the incident analysis methodology, as well as other activities that support this process. The incident analysis methodology has six distinct steps: gather information, validate the incident, identify attack vectors, identify information system weaknesses, identify root causes, and determine the impact. In addition to these steps, you are also responsible for identifying common artifacts between incidents and malware and identifying gaps in defenses to provide security guidance and defense recommendations. Note that if there is a chance the incident might require the pursuit of administrative or criminal action, then you must contact the appropriate law enforcement, counterintelligence, or General Counsel organization to ensure that proper legal and administrative procedures are taken during the investigation of the incident. Technical analysis is iterative in nature and can be conducted many times throughout the incident handling life cycle. Some degree of analysis must occur in order to detect and adequately report an incident. Once an incident has been reported, however, it may go through several levels of analysis to identify the root causes. Each successive level requires personnel that possess more sophisticated skills and have access to additional tools or systems. A final caveat of the incident handling process is that various organizations may be involved at different phases of the incident handling and technical analysis process. The involvement of other organizations depends on the organizational structure and requires coordination and cooperation among these groups. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 15. Screen title: Roles and Responsibilities of the C N D Analyst. Image displays of C N D analyst. Image displays of Incident Analysis Methodology, which contains six steps. Step 1 is gather information. Step 2 is validate the incident. Step 3 is identify attack vectors. Step 4 is identify information system weaknesses. Step 5 is identify root causes. Step 6 is determine impact. Text displays in support of audio</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Incident Analysis Methodology</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Step 1: Gather Information</Title>
					<Subtitle/>
					<Filename>disaiar03_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The first step of the incident analysis methodology is to gather information. In this step, you will identify and collect all relevant information about the incident for use in your incident analysis. This information may include data previously acquired and preserved; system, application, or network device logs; personal accounts; all-source intelligence; technical information; or information on the current operational situation. Note that any software artifacts that are suspected of being malware should be submitted to the Joint Malware Catalog, or JMC. Select Joint Malware Catalog to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Step 1: Gather Information</Title>
							<Subtitle/>
							<Filename>disaiar03_04_01</Filename>
							<PageNbr>4</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Joint Malware Catalog</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Joint Malware Catalog. Text displays reading as follows: From C J C S M sixty-five ten dot oh one A Enclosure G, C N D Incident Handling Tools, Section 3. Joint Malware Catalog. a. The J M C is the central repository for storing malware and associated analysis. It serves as the primary reporting mechanism for submitting software artifacts suspected of being adversarial tradecraft (e g, viruses, rootkits, and worms). b. The J M C is the basis for the Department of Defense's capability to rapidly analyze malicious code and provide accurate understanding of its behavior and capabilities. By maintaining a current malware repository, the Department of Defense can leverage previous analytical experience, identify and respond to new attack techniques, and perform applied research to improve analysis capabilities. c. The C S Ays and field activities submit malware to the J M C. Malware recorded in the J M C can then be analyzed, viewed, correlated, and shared with other D O D organizations. Some analytical results are produced automatically using automated run-time analysis tools. More in-depth analysis may be conducted by technical analysts and recorded in the J M C to share with others. d. The U S cyber com is the functional owner of the J M C. The U S cyber com maintains and manages the J M C. Access to the J M C can be obtained through U S cyber com. Note that the Joint Malware Catalog is currently under development. C N D developers interested in participating should contact U S cyber com. The term U S cyber com becomes a rollover that reads U.S. Cyber Command. The acronym C S A becomes a rollover that reads commands, services, and agencies.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 15. Topic title: Incident Analysis Methodology. Screen title: Step 1: Gather Information. Reprised image displays of basic network. Text displays in support of audio. Image displays of Joint Malware Catalog. Joint Malware Catalog becomes selectable as a popup.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Step 2: Validate the Incident</Title>
					<Subtitle/>
					<Filename>disaiar03_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The second step of the incident analysis process is to validate the incident. In this step, you will review, corroborate, and update the incident report to ensure that all information is accurate as reported. There are several reasons for this review of the reported incident: to maintain situational awareness, to fill in the gaps left by incomplete information, or to correct erroneous information contained in the report. Report validation may require the review of trusted network and system logs or affected systems to determine whether the suspected activities happened as reported. Finally, this step requires that you properly categorize the incident. The CJCSM 6510.01A contains instructions for categorizing the incident and determining the precedence when more than one category applies. Select Categorize the Incident to learn more about incident and reportable event categories. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Step 2: Validate the Incident</Title>
							<Subtitle/>
							<Filename>disaiar03_05_01</Filename>
							<PageNbr>5</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> As part of the incident handling process, each event or incident is assigned one or more incident or reportable event categories. There are nine distinct categories of incidents and events. In cases where more than one category applies, the category assigned should be determined based on the category precedence. For example, consider an incident that could be reported as either a Denial of Service, that is, Category 4, or Reconnaissance, that is, Category 6. When you assess the precedence, you find that the denial of service takes precedence over the reconnaissance event. Therefore, the incident should be reported as a Category 4 incident. Note that incident categories take precedence over event categories. Select Job Aid to learn more about the incident and reportable event categories. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Categorize the Incident</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Categorize the Incident. Text displays: Incident and Reportable Event Categories. Table displays with two columns. One column is labeled Precedence, and the other column is labeled Category. The rows in the table are arranged in order of precedence. Precedence 1 is Category 1 Root Level Intrusion. Precedence 2 is Category 2 User Level Intrusion. Precedence 3 is Category 4 Denial of Service. Precedence 4 is Category 7 Malicious Logic. Precedence 5 is Category 3 Unsuccessful Activity Attempt. Precedence 6 is Category 5 Non-Compliance Activity. Precedence 7 is Category 6 Reconnaissance. Precedence 8 is Category 8 Investigating. Precedence 9 is Category 9 Explained Anomaly. The first four items, Categories 1, 2, 4, and 7 are labeled incidents. The last five items, Categories 3, 5, 6, 8, and 9 are labeled Events. Job aid icon displays and becomes selectable to open a P D F version of the job aid.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 15. Screen title: Step 2: Validate the Incident. Reprised image displays of basic network. Text displays in support of audio. Table displays with columns labeled Incident Event, Category, and Subcategory. Table is labeled Incident Categories. Image displays of C J C S M sixty-five ten dot oh one A. The text Categorize the incident becomes selectable as a popup. The term C J C S M sixty-five ten dot oh one A becomes a rollover that reads as follows: Chairman of the Joint Chiefs of Staff Manual sixty-five ten dot oh one A. Information Assurance (I A) and Computer Network Defense (C N D) Volume 1 (Incident Handling Program).</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Step 3: Identify Attack Vectors</Title>
					<Subtitle/>
					<Filename>disaiar03_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The third step of the incident analysis methodology is to identify the attack vectors that were used to gain access. An attack vector is defined as the primary path or method used by the adversary to cause the incident or event to occur. In this step, you will analyze the incident information to identify the vector or vectors used by the threat actor. If more than one attack vector is identified, distinguish between the primary and secondary vectors used by the threat actor. The identification of attack vectors is a process used to systematically record major classes of vectors used by adversaries. However, it is important to note that identifying attack vectors does not identify the system-specific root causes of an incident. Finally, not only must you determine the attack vectors, but you must also properly categorize them. Select Categorize the Attack Vectors to learn more about attack vector categories. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Step 3: Identify Attack Vectors</Title>
							<Subtitle/>
							<Filename>disaiar03_06_01</Filename>
							<PageNbr>6</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Attack vectors are highly variable; however, they can generally be grouped into several distinct categories. There are ten major categories of attack vectors, each with one or more subcategories that can help you to further characterize an incident and provide more granularity to the type of information you are reporting. For example, if an attack is determined to be a result of an authorized user, then you must determine whether the attack was intentional or accidental. Due to the complexity of some attacks, it is not unusual for an attack to employ more than one attack vector. Therefore, an incident or reportable event may be assigned more than one attack vector. Select Job Aid to learn more about the attack vector categories. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Categorize the Attack Vectors</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 1. Popup title: Categorize the Attack Vectors. Text displays: Attack Vector Categories. Table displays with two columns. One column is labeled Category, and the other is labeled Subcategory. The rows in the table are arranged in order of category number and subcategory letter. Category 1, reconnaissance, has three subcategories. A is information gathering and data mining. B is network scan. And C is system scan. Category 2, authorized user, has two subcategories. A is purposeful, and B is accidental. Category 3, social engineering, has three subcategories. A is e-mail. B is Website. C is other. Category 4, configuration management, has three subcategories. A is network. B is operating system. And C is application. Category 5, software flaw, has two subcategories. A is exploited new vulnerability. B is exploited known vulnerability. Category 6, transitive trust, has two subcategories. A is other system compromise. B is distributed network activity. Category 7, resource exhaustion, has two subcategories. A is nondistributed network activity. B is distributed network activity. Category 8, physical access, has three subcategories. A is mishandled or lost resource. B is local access to system. And C is abuse of resources. Category 9, other, has one subcategory. A is new attack vector. Category 10, unknown, has one subcategory. A is unable to determine. Job aid icon displays and becomes selectable to open a P D F version of the job aid.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 15. Screen title: Step 3: Identify Attack Vectors. Reprised image displays of basic network showing adversary gaining access to network components. Text displays in support of audio. Table displays with columns labeled Incident Event, Attack Vector, and Class. Table is labeled Attack Vectors. The text Categorize the attack vectors becomes selectable as a popup.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Step 4: Identify Information System Weaknesses</Title>
					<Subtitle/>
					<Filename>disaiar03_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The fourth step of the incident analysis methodology is to identify the information system weaknesses that contributed to the incident. In this step, you will analyze the incident data to identify any underlying system weaknesses or vulnerabilities as well as any security controls that could have prevented or mitigated the impact of the incident. The identification of system weaknesses is a process used to systematically record and categorize major classes of security controls that could prevent similar incidents from occurring in the future. However, it is important to note that identifying system weaknesses does not identify the system-specific root causes of an incident. System weaknesses should be identified in accordance with Appendix B to Enclosure D of the CJCSM 6510.01A. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 15. Screen title: Step 4: Identify Information System Weaknesses. Reprised image displays of basic network showing adversary gaining access to network components. Text displays in support of audio. Table displays with columns labeled Incident Event, Security Control, and Category. Table is labeled System Weaknesses. Image displays of C J C S M sixty-five ten dot oh one A document. The term C J C S M sixty-five ten dot oh one A becomes a rollover that reads as follows: Chairman of the Joint Chiefs of Staff Manual sixty-five ten dot oh one A. Information Assurance (I A) and Computer Network Defense (C N D) Volume 1 (Incident Handling Program).</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Step 5: Identify Root Causes</Title>
					<Subtitle/>
					<Filename>disaiar03_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The fifth step of the incident analysis methodology is to identify the root causes of the incident. Here you will analyze the data to determine the specific cause or causes of the incident. Root cause identification expands upon the identified attack vectors and information system weaknesses by identifying the precise sets of conditions that allowed the incident to occur. The process of identifying an attack vector may also reveal system weaknesses, both of which can provide useful insight in correlation and trending. However, neither identifies the specific root cause of the incident, which means that alone, neither provides enough information to mitigate future occurrences. Root cause identification would determine precisely which system configurations allowed the incident to occur. In general, the root cause of an incident should be identified and mitigated prior to the recovery and restoration of any system, unless otherwise approved by your command authority. The decision to restore a system without identifying the root causes of the incident must be weighed carefully, as doing so may leave the system vulnerable in other ways. For example, if the root cause of an incident stemmed from a missing patch in the baseline configuration, then a system restoration using the same baseline configuration would leave the system open to future compromise. Finally, it is important to note that a risk assumed by one is potentially a risk shared by many. Failing to identify and report the root cause of an incident may expose multiple commands and organizations to increased risk, especially in situations where they share similar configurations or defensive measures. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 15. Screen title: Step 5: Identify Root Causes. Reprised image displays of basic network showing adversary gaining access to network components and showing weaknesses in network protection. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Step 6: Determine Impact</Title>
					<Subtitle/>
					<Filename>disaiar03_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The final step of the incident analysis methodology is to coordinate with site- and application-knowledgeable people to determine the impact of the incident. During this final step, you will further analyze the information to validate and expand on the initial impact assessment conducted during the preliminary analysis. You will assess the impact based on the degree to which the incident or event adversely affects, or has the potential to adversely affect, the successful accomplishment of operational missions. This impact assessment is one of the key factors you should consider when assigning priority to an incident or event. When determining the impact of an incident or event, you must determine both the technical impact and the operational impact of the event. This step of the Incident Analysis methodology is supported by the Impact Assessment Matrix, which is described on the following screens. Select Technical Impact and Operational Impact to learn more. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Step 6: Determine Impact</Title>
							<Subtitle/>
							<Filename>disaiar03_09_01</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Technical impact, or TI, refers to detrimental effects on the technical capabilities of the organization. TI typically refers to the impacts on the network or systems that are directly or indirectly affected by the incident. Here are some examples of technical impact. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Technical Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Technical Impact. Text displays in support of audio. Text displays reading as follows: Examples. Network health status. Potential data compromise or loss. Equipment downtime or destruction. Residual impact on other systems or components.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Step 6: Determine Impact</Title>
							<Subtitle/>
							<Filename>disaiar03_09_02</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> Operational impact, or OI, refers to detrimental effects on an organization's ability to perform its mission. This may include consequences that diminish or incapacitate system or network capabilities, the compromise and/or loss of mission-critical data, or the temporary or permanent loss of mission-critical applications or systems. Here are some examples of direct and indirect operational impact. </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Operational Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Operational Impact. Text displays in support of audio. Text displays as follows: Examples of Direct Impact. A secretary is unable to process temporary duty (T D Y) orders, thus delaying personnel from performing T D Y. An organization is unable to perform effective command and control (C 2) with its parent and or subordinate organization due to a disabled mail server. An organization cancels a tactical mission due to compromised mission plans or orders. Examples of Indirect Impact. An Army division is unable to order track process repair parts using a networked system and is therefore unable to conduct combat operations due to insufficient availability of repair parts. Barges on the Mississippi River are unable to deliver supplies because of the inability of their crews to access the D O D-supplied river hazard data. A Reserve unit goes unpaid because of an incident affecting time-phased force deployment data (T P F D D), and the unit does not meet its deployment timeline.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 15. Screen title: Step 6: Determine Impact. Reprised image displays of basic network. Text displays in support of audio. Matrix displays with label Impact Assessment Matrix. Top row reads Potential Impact and has three impact ratings beneath it: Low, Moderate, and High. The left-hand column is titled Security Objective and has three rows beneath it: Confidentiality, Integrity, and Availability. The terms technical impact and operational impact become selectable as popups.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Impact Assessment Matrix</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Security Objectives</Title>
					<Subtitle/>
					<Filename>disaiar03_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As part of the incident handling process, each event or incident must be assessed and assigned an impact rating. This impact assessment considers both the current impact and the potential impact of the incident or event on three security objectives: the confidentiality, the integrity, and the availability of organizational operations, organizational assets, or individuals. Confidentiality refers to the preservation of authorized restrictions on information access and disclosure, including any means for protecting personal privacy and proprietary information. Integrity refers to the protection of information against improper modification or destruction and includes the assurance of information nonrepudiation and authenticity. And finally, availability refers to the assurance of timely and reliable access to and use of information. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 15. Topic title: Impact Assessment Matrix. Screen title: Security Objectives. Reprised image displays of basic network with infection. Reprised image displays of Impact Assessment Matrix. Top row reads Potential Impact and has three impact ratings beneath it: Low, Moderate, and High. The left-hand column is titled Security Objective and has three rows beneath it: Confidentiality, Integrity, and Availability. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Impact Ratings</Title>
					<Subtitle/>
					<Filename>disaiar03_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Because the impact assessment is such an important element in assigning priority to an incident or event, you need to understand what each impact rating means for each security objective. Each rating assesses the potential adverse effect that a loss of confidentiality, integrity, or availability could be expected to have on organizational operations, organizational assets, or individuals. In assessing each of these security objectives, ask yourself what potential adverse effect may result from its loss or compromise. To assess confidentiality, ask, &quot;What potential adverse effect would result from the unauthorized disclosure of information?&quot; To assess integrity, ask, &quot;What potential adverse effect would result from the unauthorized modification or destruction of information?&quot; And to assess availability, ask, &quot;What potential adverse effect would result from the disruption of access to or use of an information system?&quot; For any of these security objectives, a LOW rating should be assigned if the potential adverse effect is limited. A MODERATE rating should be assigned if the potential adverse effect is serious. And finally, a HIGH rating should be assigned if the potential adverse effect is severe or catastrophic. The CJCSM 6510.01A shows how the Impact Assessment Matrix can be applied specifically to the identification of potential technical and operational impacts. Select the Examples button in each column to view examples for that impact rating. Select Job Aid to open a printable copy of the Impact Assessment Matrix. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Impact Ratings</Title>
							<Subtitle/>
							<Filename>disaiar03_11_01</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Examples of LOW Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 3. Popup title: Examples of LOW Impact. Text displays as follows: A limited adverse effect may cause degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; result in minor damage to organizational assets; result in minor financial loss; or result in minor harm to individuals.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Impact Ratings</Title>
							<Subtitle/>
							<Filename>disaiar03_11_02</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Examples of MODERATE Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 3. Popup title: Examples of MODERATE Impact. Text displays as follows: A serious adverse effect may cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; result in significant damage to organizational assets; result in significant financial loss; or result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Impact Ratings</Title>
							<Subtitle/>
							<Filename>disaiar03_11_03</Filename>
							<PageNbr>11</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Examples of HIGH Impact</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 3. Popup title: Examples of HIGH Impact. Text displays as follows: A severe or catastrophic adverse effect may cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; result in major damage to organizational assets; result in major financial loss; or result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 15. Screen title: Impact Ratings. Reprised image displays of Impact Assessment Matrix. Top row reads Potential Impact and has three impact ratings beneath it: Low, Moderate, and High. The left-hand column is titled Security Objective and has three rows beneath it: Confidentiality, Integrity, and Availability. Text displays in support of audio. Image displays of C J C S M sixty-five ten dot oh one A document. The following phrases become selectable as popups. Examples of Low impact. Examples of Moderate impact. Examples of High impact. Job aid icon displays and becomes selectable to open a P D F version of the job aid. The term Confidentiality becomes a rollover that reads as follows: What potential adverse effect would result from the unauthorized disclosure of information? The term Integrity becomes a rollover that reads as follows: What potential adverse effect would result from the unauthorized modification or destruction of information? The term Availability becomes a rollover that reads as follows: What potential adverse effect would result from the disruption of access to or use of an information system?</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar03_12</Filename>
					<PageNbr>12</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>550</DfltQuestionWidth>
					<DfltFBWidth>564</DfltFBWidth>
					<Questions>
						<Question qType="MR">
							<Txt>Which of the following is an objective of incident analysis?</Txt>
							<Response valid="true">
								<Txt>Ensure the accuracy and completeness of incident reports</Txt>
							</Response>
							<Response valid="true">
								<Txt>Research actions that can be taken to respond to and eradicate the risk and/or threat</Txt>
							</Response>
							<Response valid="true">
								<Txt>Characterize and communicate the potential impact of the incident</Txt>
							</Response>
							<Response valid="true">
								<Txt>Identify root causes of the incident through technical analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. All of these are objectives of incident analysis. Other objectives of incident analysis include systematically capturing the methods used in the attack and the security controls that could prevent future occurrences, and understanding patterns of activity to characterize the threat and direct protective and defensive strategies.</DfltCorrect>
								<DfltIncorrect>Incorrect. All of these are objectives of incident analysis. Other objectives of incident analysis include systematically capturing the methods used in the attack and the security controls that could prevent future occurrences, and understanding patterns of activity to characterize the threat and direct protective and defensive strategies.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 15. Topic title: Knowledge Check. Screen title: Knowledge Check. Knowledge check is a multiple-response question with four possible answers. Select all answers that apply, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar03_13</Filename>
					<PageNbr>13</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>565</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>The Incident and Reportable Event Categories matrix supports which step of the methodology?
Question 1 of 5.</Txt>
							<Response>
								<Txt>Step 1: Gather Information</Txt>
							</Response>
							<Response valid="true">
								<Txt>Step 2: Validate the Incident</Txt>
							</Response>
							<Response>
								<Txt>Step 3: Determine Attack Vectors</Txt>
							</Response>
							<Response>
								<Txt>Step 4: Determine System Weaknesses</Txt>
							</Response>
							<Response>
								<Txt>Step 5: Identify Root Causes</Txt>
							</Response>
							<Response>
								<Txt>Step 6: Determine Impact</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The Incident and Reportable Event Categories matrix supports Step 2, Validate the Incident.</DfltCorrect>
								<DfltIncorrect>Incorrect. The Incident and Reportable Event Categories matrix supports Step 2, Validate the Incident.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Further analyzing the incident information to expand on the initial impact assessment is part of which step?
Question 2 of 5.</Txt>
							<Response>
								<Txt>Step 1: Gather Information</Txt>
							</Response>
							<Response>
								<Txt>Step 2: Validate the Incident</Txt>
							</Response>
							<Response>
								<Txt>Step 3: Determine Attack Vectors</Txt>
							</Response>
							<Response>
								<Txt>Step 4: Determine System Weaknesses</Txt>
							</Response>
							<Response>
								<Txt>Step 5: Identify Root Causes</Txt>
							</Response>
							<Response valid="true">
								<Txt>Step 6: Determine Impact</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Step 6, Determine Impact, requires that you further analyze the incident information to validate and expand on the initial impact assessment that was conducted during the preliminary analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Step 6, Determine Impact, requires that you further analyze the incident information to validate and expand on the initial impact assessment that was conducted during the preliminary analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Systematically recording and categorizing major classes of security controls is part of which step?
Question 3 of 5.</Txt>
							<Response>
								<Txt>Step 1: Gather Information</Txt>
							</Response>
							<Response>
								<Txt>Step 2: Validate the Incident</Txt>
							</Response>
							<Response>
								<Txt>Step 3: Determine Attack Vectors</Txt>
							</Response>
							<Response valid="true">
								<Txt>Step 4: Determine System Weaknesses</Txt>
							</Response>
							<Response>
								<Txt>Step 5: Identify Root Causes</Txt>
							</Response>
							<Response>
								<Txt>Step 6: Determine Impact</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Step 4, Determine System Weaknesses, includes systematically recording and categorizing major classes of security controls that could prevent similar events from occurring in the future. Note that identifying system weaknesses does not identify the system-specific root causes of an incident.</DfltCorrect>
								<DfltIncorrect>Incorrect. Step 4, Determine System Weaknesses, includes systematically recording and categorizing major classes of security controls that could prevent similar events from occurring in the future. Note that identifying system weaknesses does not identify the system-specific root causes of an incident.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Identifying and collecting all relevant information about the incident for use in your incident analysis is part of which step?
Question 4 of 5.</Txt>
							<Response valid="true">
								<Txt>Step 1: Gather Information</Txt>
							</Response>
							<Response>
								<Txt>Step 2: Validate the Incident</Txt>
							</Response>
							<Response>
								<Txt>Step 3: Determine Attack Vectors</Txt>
							</Response>
							<Response>
								<Txt>Step 4: Determine System Weaknesses</Txt>
							</Response>
							<Response>
								<Txt>Step 5: Identify Root Causes</Txt>
							</Response>
							<Response>
								<Txt>Step 6: Determine Impact</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Identifying and collecting all relevant information about the incident for use in your incident analysis is part of Step 1, Gather Information. During this step, you should also submit any suspected malware to the Joint Malware Catalog (JMC).</DfltCorrect>
								<DfltIncorrect>Incorrect. Identifying and collecting all relevant information about the incident for use in your incident analysis is part of Step 1, Gather Information. During this step, you should also submit any suspected malware to the Joint Malware Catalog (JMC).</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which step expands upon the identified attack vectors and system weaknesses by identifying the conditions that allowed the incident to occur?
Question 5 of 5.</Txt>
							<Response>
								<Txt>Step 1: Gather Information</Txt>
							</Response>
							<Response>
								<Txt>Step 2: Validate the Incident</Txt>
							</Response>
							<Response>
								<Txt>Step 3: Determine Attack Vectors</Txt>
							</Response>
							<Response>
								<Txt>Step 4: Determine System Weaknesses</Txt>
							</Response>
							<Response valid="true">
								<Txt>Step 5: Identify Root Causes</Txt>
							</Response>
							<Response>
								<Txt>Step 6: Determine Impact</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Step 5, Identify Root Cause, expands upon the identified attack vectors and system weaknesses by identifying the precise sets of conditions that allowed the incident to occur. Failing to identify the root cause of an incident may expose other commands and organizations to increased risk.</DfltCorrect>
								<DfltIncorrect>Incorrect. Step 5, Identify Root Cause, expands upon the identified attack vectors and system weaknesses by identifying the precise sets of conditions that allowed the incident to occur. Failing to identify the root cause of an incident may expose other commands and organizations to increased risk.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 15. Screen title: Knowledge Check. Knowledge check is a series of five multiple-choice questions, each with the same six possible answers. For each question, select the best answer, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar03_14</Filename>
					<PageNbr>14</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>650</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Confidentiality</Txt>
							<Response>
								<Txt>Low for Statement: Confidentiality</Txt>
							</Response>
							<Response valid="true">
								<Txt>Moderate for Statement: Confidentiality</Txt>
							</Response>
							<Response>
								<Txt>High for Statement: Confidentiality</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The unauthorized disclosure of aircraft maintenance logs is a confidentiality issue that could have a &lt;b&gt;&lt;i&gt;serious&lt;/i&gt;&lt;/b&gt; adverse effect on the organization’s operations, assets, and individuals. The disclosure of this type of information could allow privileged information to fall into the wrong hands. &lt;br/&gt;&lt;br/&gt;This issue has a &lt;b&gt;&lt;i&gt;moderate impact&lt;/i&gt;&lt;/b&gt; on confidentiality.</DfltCorrect>
								<DfltIncorrect>Incorrect. The unauthorized disclosure of aircraft maintenance logs is a confidentiality issue that could have a &lt;b&gt;&lt;i&gt;serious&lt;/i&gt;&lt;/b&gt; adverse effect on the organization’s operations, assets, and individuals. The disclosure of this type of information could allow privileged information to fall into the wrong hands. &lt;br/&gt;&lt;br/&gt;This issue has a &lt;b&gt;&lt;i&gt;moderate impact&lt;/i&gt;&lt;/b&gt; on confidentiality.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Integrity</Txt>
							<Response>
								<Txt>Low for Statement: Integrity</Txt>
							</Response>
							<Response>
								<Txt>Moderate for Statement: Integrity</Txt>
							</Response>
							<Response valid="true">
								<Txt>High for Statement: Integrity</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The compromise of the aircraft maintenance records system is an integrity issue that could have a &lt;b&gt;&lt;i&gt;severe&lt;/i&gt;&lt;/b&gt; adverse effect on the organization’s operations, assets, and individuals. The compromise of this records system could result in tampering with aircraft maintenance and inventory records that puts the lives of both airmen and civilians at risk. &lt;br/&gt;&lt;br/&gt;This incident has a &lt;b&gt;&lt;i&gt;high impact&lt;/i&gt;&lt;/b&gt; on integrity.</DfltCorrect>
								<DfltIncorrect>Incorrect. The compromise of the aircraft maintenance records system is an integrity issue that could have a &lt;b&gt;&lt;i&gt;severe&lt;/i&gt;&lt;/b&gt; adverse effect on the organization’s operations, assets, and individuals. The compromise of this records system could result in tampering with aircraft maintenance and inventory records that puts the lives of both airmen and civilians at risk. &lt;br/&gt;&lt;br/&gt;This incident has a &lt;b&gt;&lt;i&gt;high impact&lt;/i&gt;&lt;/b&gt; on integrity.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Availability</Txt>
							<Response valid="true">
								<Txt>Low for Statement: Availability</Txt>
							</Response>
							<Response>
								<Txt>Moderate for Statement: Availability</Txt>
							</Response>
							<Response>
								<Txt>High for Statement: Availability</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The inability of individual workers to access the aircraft parts inventory is an availability issue that could have a &lt;b&gt;&lt;i&gt;limited&lt;/i&gt;&lt;/b&gt; adverse effect on the organization’s operations, assets, and individuals. Though this event causes an inconvenience for the individuals affected, the effect is limited to the inability of the individuals to perform their work. &lt;br/&gt;&lt;br/&gt;This incident has a &lt;b&gt;&lt;i&gt;low impact&lt;/i&gt;&lt;/b&gt; on availability.</DfltCorrect>
								<DfltIncorrect>Incorrect. The inability of individual workers to access the aircraft parts inventory is an availability issue that could have a &lt;b&gt;&lt;i&gt;limited&lt;/i&gt;&lt;/b&gt; adverse effect on the organization’s operations, assets, and individuals. Though this event causes an inconvenience for the individuals affected, the effect is limited to the inability of the individuals to perform their work. &lt;br/&gt;&lt;br/&gt;This incident has a &lt;b&gt;&lt;i&gt;low impact&lt;/i&gt;&lt;/b&gt; on availability.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now practice using the Impact Assessment Matrix. Select Job Aid to view a full version of the Impact Assessment Matrix. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 15. Screen title: Knowledge Check. Knowledge check is a survey-style activity based on the Impact Assessment Matrix. Activity has with three rows labeled Confidentiality, Integrity, and Availability and three answer columns labeled LOW, MODERATE, and HIGH. Select the best answer for each of the three security objectives, and then select Done. Use the keyboard to cycle through the answers. Job aid icon displays and becomes selectable to open a P D F version of the Impact Assessment Matrix.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disaiar03_15</Filename>
					<PageNbr>15</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the lesson on the incident analysis methodology. You should now be able to identify the objectives of incident analysis, identify the phases of the incident analysis methodology, and use the Impact Assessment Matrix to rate the severity of a given incident. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 15. Topic title: Conclusion. Screen title: Summary and Conclusion. Congratulations text displays. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
