SC570: Incident Practitioner of the BSI™ Cyber Security Network

Agenda:

• Introduction to CSN and summary of basic courses
  • Digital response chain
  • Roles and boundaries of the task
  • Legal and regulatory framework conditions
  • Summary of the basic course for digital first responders
    
    
• Phone behavior incl. non-technical measures
  • Service-oriented phone call
  • Non-technical measures
    
    
• Threats and attack forms and overview of the current threat landscape
  • Term definitions (threat, vulnerability, risk, attacker etc.)
  • Types of attacks or attack forms
  • Causes of attacks
  • Different attack methods
  • Phases of a cyber attack
  • Top current attack forms or current threat landscape
  • Detection of attacks or infections
  • Action recommendations for the incident practitioner
  • Limits of assistance by the incident practitioner
    
    
• Standard procedure workflow
  • Preparation for potential incidents
  • Identification of the IT security incident
  • Containment of the damage extent
  • Determination of the causes or triggers of the IT security incident
  • Recovery of systems
  • Documentation of the IT security incident
    
    
• Handling of IT security incidents e.g. phishing incidents, ransomware incidents
  • Introduction to phishing, phishing channels, possible consequences of phishing
  • Additional information on the most common consequences and statistics on economic damage incurred
  • Detection of Phishing Attacks, Response to Successful Phishing Attacks
  • Introduction to ransomware, current ransomware situation
  • Typical approach of ransomware attackers
  • Managing ransomware incidents
  • Legal issues
    
    
• Remote support
  • Remote or on-site support
  • Communication with the customer
  • Connection and access options
  • Data collection and analysis options
    
    
• Incident handling of IT systems "beyond usual office applications"
  • IT systems are also used beyond usual office applications
  • Examples of architectures. Which technology is used?
  • What are possible threats to control technology?
  • Limits of the task
  • Standard procedure workflow
  • Attack scenarios and immediate or countermeasures
  • Limits of analysis
    
    
• After an incident is before an incident
  • Sensitization of the company for preventive security measures
  • Building security awareness
  • Analysis of business processes
  • Building a security and emergency concept
  • Design of exercises
  • Providing info package through CSN
  • Maintaining the competence of the incident practitioner

Objectives:

Target audience:

The course SC570 Incident Practitioner of the Cyber Security Network of the BSI™ is specifically designed for participants who already possess knowledge and practice in the field of Cyber Security and are now seeking registration as an Incident Practitioner in the CSN of the BSI™:

• IT Specialists
• IT Technicians/Theorists
• ISMS Experts

Course participants are often decision-makers, consultants, and employees who already have expertise in the areas of IT Security and IT Technology.

Prerequisites:

Description:

Other Info:

Examination Conditions
The candidate must arrive at the designated training room 15 minutes before the scheduled examination time. Late arrivals may be denied entry and participation by the examiner. On the examination day, the candidate must present a photo ID. Accepted documents include, for example, an identity card, passport, or driver's license.

Permitted Aids During the Examination
Candidates are not allowed to use any aids, reference materials, blank sheets, or notebooks. Additionally, no communication, monitoring, or recording devices (e.g., mobile phones, tablets, smart glasses, smartwatches, or other mobile devices) may be used. All electronic devices must be turned off during the examination. Otherwise, an attempt to deceive may be assumed, and the candidate may be excluded from the examination.

Basis for the Examination
The aim of the examination is for the examinee to demonstrate their professional and personal competence, as well as the competence acquired through the basic course and additional training required for working as an Incident Practitioner, to an independent third party, i.e., an examiner or experienced incident expert. The foundations for the examination are:

• The Guide for Responding to IT Security Incidents for Digital First Responders, and
• The Guide for Responding to IT Security Incidents for Incident Practitioners and Incident Experts, specifically the chapters for the Incident Practitioner.

Form and Language of the Examination
The examination consists of two parts (written and oral), including a

• 15-minute knowledge assessment (written multiple-choice examination) and a
• 15-minute practical assessment (oral examination workshop).

The oral examination takes place together with all other examinees in a group. This allows other participants to gain additional learning success through the presentation and processing of case studies. The examination is offered in German.

Knowledge Assessment The written part of the examination comprises 20 multiple-choice questions, which must be answered within 15 minutes without any aids. The correct statements must be marked. Each multiple-choice question has four answer options.
It is possible that

• all statements are correct,
• one statement is correct,
• several statements are correct,
• none of the statements are correct.

One point is awarded for each correctly answered multiple-choice question. A question is considered correctly answered if all correct answers are marked. If one answer is incorrect, the entire question is considered incorrectly answered (zero points). There are no point deductions. In written examinations (on paper), it must be ensured that mistakenly marked answers are clearly recognizable and the correct answer is marked. In case of doubt, the question will be considered incorrect.

Practical Assessment
At the beginning of the oral examination, each participant receives an envelope with a case study, which they must present to the group after a preparation time of 15 minutes. The order of the oral examinations is noted on the case studies and is thus randomly determined.
The oral examination takes place together with all other examinees, allowing participants to gain additional learning success through the presentation and processing of the case studies of other participants.
During the oral examination, the examiner notes whether the examinee has covered all aspects of the solution pattern. The evaluation is based on the following assessment criteria for the practical example:

• The problem statement of the case study is correctly reproduced.
• The issue was correctly delineated and analyzed.
• Action proposals are presented in a practical and understandable manner.
• The approach corresponds to the telephone guide in the Guide for Responding to IT Security Incidents for Digital First Responders.
• The examiner has the opportunity to ask additional questions.

A maximum of 20 points can be awarded for the oral examination.

Examination Evaluation
To pass the examination for Incident Practitioner, at least 60% of all points must be achieved. This means the examination is considered passed if 24 out of the 40 possible points are achieved in both parts.

Examination Retake
If a candidate does not achieve the required minimum score or if there are reasons why the examination result is not valid, a one-time retake of the examination can be undertaken. Individual parts of the examination generally cannot be retaken separately. A second retake of the examination is not possible.

Since October 2021, the CSN concept DIGITAL RESCUE CHAIN consists of:

• Self-help assistance (website)
• Contact point of the CSN hotline
• Qualification as a Digital First Responder
• Qualification as an Incident Practitioner according to BSI™/ACS standard
• Qualification as an Incident Expert according to BSI™/ACS standard
• IT service provider with a team of Incident Experts

qSkills™ has been an active partner of the Alliance for Cybersecurity (ACS) since its inception and supports the BSI™ in the Cyber Security Network CSN, among other things, with the training of security officers to become Incident Practitioners.

The BSI™ Incident Practitioners are, alongside the BSI™ Incident Experts, a significant part of the new Digital Rescue Chain for victims of cyberattacks. The CSN of the BSI™ aims to assist citizens and companies as quickly as possible in the event of a "K-case" (cyberattack).