CNS PreFinals

Question 1

is an unexpected event occurring when an attack, whether natural or human-made, affects information resources and/or assets, causing actual damage or disruption to a business’s assets.

Answer 1

incident

Question 2

is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.

Answer 2

incident response plan (IRP)

Question 3

the set of procedures, policies, and guidelines that commence at the detection of an incident

Answer 3

incident response (IR).

Question 4

• It is important to point out that an IRP is one of three major components of ____.

Answer 4

contingency plan (CP)

Question 5

three major components of contingency plan (CP).

Answer 5

Incident Response
Disaster Recovery
Business Continuity

Question 6

Personnel and Plan Preparation

• In a large business or organization the delegation of tasks is essential to maintaining effective operations. When looking at the makeup of an IRP, a __ assumes responsibility for the creation of it.

Answer 6

company’s CISO

Question 7

With the aid of other managers and systems administrators on the contingency planning (CP) team, the __ should select members from each community of interest to form an independent IR team, which executes the IRP.

Answer 7

CISO

Question 8

• __ should follow this six-step process when creating each of the three CP components [_, _, and _]:

Answer 8

Contingency planners

IRP, DRP, and BCP

Question 9

six-step process when creating each of the three CP components [IRP, DRP, and BCP]:

Answer 9

1. Identify the mission-or business-critical functions
2. Identify the resources that support the critical functions
3. Anticipate potential contingencies or disasters
4. Select contingency planning strategies
5. Implement the selected strategy
6. Test and revise contingency plans

Question 10

4. Select contingency planning strategies
   In regards to step four, for every incident, the CP team creates three sets of incident-handling procedures:

Answer 10

1. During the incident
2. After the incident
3. Before the incident

Question 11

1. __: The planners develop and document the procedures that must be performed ____.

Answer 11

During the incident

_ during the incident

Question 12

2. _: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.

Answer 12

After the incident

Question 13

• _, _, or _, or s may be hard to distinguish from an actual incident.

Answer 13

Incident Detection

Overloaded networks, computers, or servers, misbehaving computers systems or software packages

Question 14

3. _: The planners draft a third set of procedures which are tasks that must be performed to prepare for the incident.

Answer 14

Before the incident

Question 15

• It is the responsibility of the __ to determine if an incident is a valid incident or is just the product of “normal” system use.

Answer 15

Incident Detection

_ IR team

Question 16

• Incident candidates can be detected and tracked by end-users through several means; _

Answer 16

Incident Detection

; intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators.

Question 17

• Therefore, managers must ensure IT professionals receive training to detect __

Answer 17

Incident Detection

possible, probable, and definite indicators.

Question 18

• Possible Indicators:

Answer 18

• Presence of unfamiliar files
• Presence or execution of unknown programs or processes
• Unusual consumption of computing resources
• Unusual system crashes

Question 19

• Probable Indicators:

Answer 19

• Activities at unexpected times
• Presence of new accounts
• Reported attacks
• Notification from a host- or network-based
  intrusion detection system (IDS)

Question 20

• Definite Indicators:

Answer 20

• Use of dormant accounts
• Changes to logs
• Presence of hacker tools
• Notifications by business partner
• Notification by hacker

Question 21

• Once an actual incident has been confirmed and properly classified, the __ needs to be directed to move from the detection phase to the reaction phase.

Answer 21

Incident Response

_IR team

Question 22

is designed to first stop the incident (if still continuing), mitigate its effects, and provide information for the recovery from the incident.

Answer 22

Incident Response

_IR

Question 23

Incident Response

• Three key steps include:

Answer 23

❑ Notification of Key personnel
❑ Documentation of an Incident
❑ Incident Containment strategies

Question 24

Notification of key Personnel.

Answer 24

Incident Response

Question 25

document of contact information - sequential or hierarchical roster

Answer 25

Alert Roster

Question 26

scripted description of incident and what components of IRP to implement

Answer 26

Alert message

Question 27

- Who, What, When, Where, Why, and How

Answer 27

Documenting an Incident

Question 28

- Serves as a case study - improvements in IR and IRP - provide legal protection - future training simulations

Answer 28

Documenting an Incident

Question 29

❑Incident Containment Strategies

Answer 29

- Disabling compromised user accounts - Reconfiguring a firewall to block the problem traffic - Temporarily disabling the compromised process or service - Taking down the conduit application or server—for example, the e-mail server - Stopping all computers and network devices

Question 30

The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets

Answer 30

Incident Recovery * Incident damage assessment

Question 31

Incident damage assessment

Answer 31

- System logs - Intrusion detection logs - Configuration logs - Documentation from the actual incident

Question 32

* The recovery process includes the following steps:

Answer 32

Identify and resolve vulnerabilities that allowed the incident to occur and spread. Address the safeguards that failed to stop or limit the incident – install, replace, or upgrade them. Evaluate monitoring capabilities – improve detection and reporting methods, or install new monitoring capabilities Restore systems backups Restore the services and processes in use – compromised services and processes must be examined, cleaned, then restored. Continuously monitor the system to prevent incident from happening again. -Don’t allow your system to become the hackers playground. Restore confidence in member’s of the organization by ensuring them appropriate measures have been taken to resolve the matter.

Question 33

* Finally, before an organization can return to routine duties it is management’s responsibility to see that an __ is conducted. - Detailed examination of events from detection to final recovery. - All parties involved give input on positives and negatives of the entire IR process. - Management should give a summary to bring the IR team’s actions to a close.

Answer 33

after-action review (AAR)

Question 34

Threat Statistics

Answer 34

*47% of browser attacks – Microsoft, Google *Average 6110 DoS attacks per day *28 days average vulnerability exposure *86% of all attacks are against home user *54% of DoS attacks world-wide against US *69% of vulnerabilities against Web applications

Question 35

*__ attacks – Microsoft, Google

Answer 35

47% of browser

Question 36

*__ attacks per day

Answer 36

Average 6110 DoS

Question 37

*__ average vulnerability exposure

Answer 37

*28 days

Question 38

*__ of all attacks are against home user

Answer 38

86%

Question 39

*___ world-wide against US

Answer 39

54% of DoS attacks

Question 40

*__ against Web applications

Answer 40

69% of vulnerabilities

Question 41

Threats to the Enterprise

Answer 41

* Virus, worms, Trojan horses * Web site hacking * Hackers and crackers * Terrorist attacks * Cyber crime and information warfare * Effects of emerging standards and technologies

Question 42

* Virus, worms, Trojan horses

Answer 42

Threats to the Enterprise

Question 43

* Web site hacking

Answer 43

Threats to the Enterprise

Question 44

* Hackers and crackers

Answer 44

Threats to the Enterprise

Question 45

* Cyber crime and information warfare

Answer 45

Threats to the Enterprise

Question 46

* Terrorist attacks

Answer 46

Threats to the Enterprise

Question 47

Security Challenges

Answer 47

*ID and prioritize opportunities to improve security effectiveness and efficiency *Manage security in dynamic threat environment with limited budget *Courts and government policy expectations *Securing Web services *Managing identity and access privileges

Question 48

* Effects of emerging standards and technologies

Answer 48

Threats to the Enterprise

Question 49

*ID and prioritize opportunities to improve security effectiveness and efficiency

Answer 49

Security Challenges

Question 50

*Manage security in dynamic threat environment with limited budget

Answer 50

Security Challenges

Question 51

*Courts and government policy expectations

Answer 51

Security Challenges

Question 52

*Securing Web services

Answer 52

Security Challenges

Question 53

*Managing identity and access privileges

Answer 53

Security Challenges

Question 54

Six Step Process

Answer 54

1. Inventory 2. Risk Assessment 3. ID Needs 4. Support 5. Execute 6. Review

Question 55

___ “The first thing we need to do is to actually__ on our computing system and understand what the relationship of each asset is to our business process” * * *

Answer 55

Inventory Environment _ draft out all of the assets that run * Prioritize assets * Ensure critical systems are protected * Use Enterprise Architecture

Question 56

Inventory Environment

Answer 56

* Prioritize assets * Ensure critical systems are protected * Use Enterprise Architecture

Question 57

Risk Assessment - Portfolio

Answer 57

* Look at all assets * Best Practices * Service Levels Risks and Costs

Question 58

Risks

Answer 58

* Threats * Loss of Data

Question 59

Costs

Answer 59

* Prevention * Data Recovery

Question 60

ID Needs and Write Plan

Answer 60

* Define, align, and prioritize opportunities *Vulnerability vs largest risks *ID and define security goals * Determine costs and ROI – Key is Impact!

Question 61

ID/Define Organizational Goals

Answer 61

*Protect sensitive and critical information *Prevent unauthorized access to the network *Avoid embarrassing publicity *Maintain uninterrupted operations *Protect privacy *Set a “zero-incident” culture *Comply with federal and state regulations

Question 62

Obtain Support and Approval

Answer 62

1. Need executive champion – CIO 2. Know top management priorities 3. Know what the competition is doing 4. Projects in line with market’s thinking 5. Use federal mandates and audit findings

Question 63

• Use annual tactical plans — Execute strategic plan in small steps — Used to define and execute budget • Manage using cost planning and portfolio management • Report progress using balanced scorecard

Answer 63

Execute Plan

Question 64

Cost Planning and Portfolio Management

Answer 64

Zero-based Budget Management Review ID Problems Early Track Initiatives

Question 65

Answers ... * How am I doing? * Am I on time? * Within budget? * Are there any problems or issues

Answer 65

Balance Scorecard

Question 66

Plan Maintenance * Review annually * Compare against best practices * Adjust as necessary

Answer 66

Review

Question 67

*An __ will provide…. • Better use of limited resources • Phased deployment and enhancements • Improved justification of security projects • Direct tie to university IT strategic plan • Better planning & execution of security spending •Implement best security practices and strategies to create an enterprise that is well managed and secure

Answer 67

IT Security Strategic Plan

Question 68

* Phased deployment and enhancements

Answer 68

IT Security Strategic Plan

Question 69

* Improved justification of security projects

Answer 69

IT Security Strategic Plan

Question 70

* Direct tie to university IT strategic plan

Answer 70

IT Security Strategic Plan

Question 71

* Better planning & execution of security spending

Answer 71

IT Security Strategic Plan

Question 72

*Implement best security practices and strategies to create an enterprise that is well managed and secure

Answer 72

IT Security Strategic Plan

Question 73

Your organization experiences a sudden system crash. What should the IR team do first? a. Restart the system immediately b. Check for possible incident indicators c. Ignore the crash d. Call the software vendor

Answer 73

b. Check for possible incident indicators

Question 74

An employee reports an unfamiliar file appearing on their desktop. What is the best response? a. Delete the File ' b. Report to the IT security team for investigation c. Open the file to check its contents d. ignore it

Answer 74

b. Report to the IT security team for investigation

Question 75

Your IDS detects unusual activity at midnight. What should you do? a. Assume its a false alarm b. Notify the IR team immediately c. Restart the system d. ignore it

Answer 75

b. Notify the IR team immediately

Question 76

A hacker claims to have access to your company's database. What is the first step? a. Verify the claim and check system logs b. Pay the ransom c. Announce the breach publicly d. Shut down all systems permanently

Answer 76

a. Verify the claim and check system logs

Question 77

Your company experiences a ransomware attack that encrypts critical files. What should you do first? a. Pay the ransom to recover das b. Disconnect affected systems from the network c. Notify all employees to stop working d. Restore from backups immediately

Answer 77

b. Disconnect affected systems from the network

Question 78

A server handling financial transactions is running unusually slow. What is the best action? a. Restart the server b. Check for potential security breaches c. Upgrade the hardware d. Ignore the issue if transactions still process

Answer 78

b. Check for potential security breaches

Question 79

A phishing email is reported by on employee. What is the best response? a. Instruct all employees to delete similar emalis b. Report the email to the security team for analysis c. Click the link to check if it's harmful d. Do nothing unless someone gets affected

Answer 79

b. Report the email to the security team for analysis

Question 80

8. An employee leaves their workstation unlocked, and someone Installs unauthorized software, What should the IR team do? a. Remove the software and warn the employee b. Format the workstation immediately c. Suspend the employee d. Ignore it unless data is stolen

Answer 80

a. Remove the software and warn the employee

Question 81

9.

Question 82

10. A company detects malware spreading across multiple devices. What is the best course of action? a. Isolate Infected devices and analyze the malware b. Reboot all machines to stop the malware c. Continue normal operations until it affects critical data d. Shut down the internet connection permanently

Answer 82

a. Isolate Infected devices and analyze the malware

Question 83

A network administrator discovers unauthorized access from a foreign IP address. What should they do? a. Block the IP and check logs for further signs of compromise b. Wait to see if further attacks happen c. Notify employees to change their passwords immediately d. Announce the breach on social media

Answer 83

a. Block the IP and check logs for further signs of compromise

Question 84

After a security breach, employees are concerned about their personal data. What should management do? a. Be transparent and provide guidance on protective measures b. Deny any data breach happened c. Offer compensation immediately d. Ignore employee concerns

Answer 84

a. Be transparent and provide guidance on protective measures

Question 85

13. What is the purpose of incident containment strategies? a. To completely eliminate all cyber threats b. To prevent the incident from spreading c. To notify law enforcement d. To test new security software

Answer 85

b. To prevent the incident from spreading

Question 86

14. What is the first step in the recovery process? a. Restore system backups b. Identify vulnerabilities c. Evaluate monitoring capabilities d. Restore services

Answer 86

b. Identify vulnerabilities

Question 87

15. What does an After-Action Review (AAR) include? a. Examination of events b. Evaluation of IR process c. Summary report d. All of the above

Answer 87

d. All of the above

Question 88

16. What should be done after restoring services post-incident? a. Remove all system logs b. Conduct system monitoring c. Disable all security measures d. Ignore user feedback

Answer 88

b. Conduct system monitoring

Question 89

19. What does incident damage assessment evaluate?  a. Financial impact only b. Scope of confidentiality, integrity, and availability breach c. Legal consequences only d. Only hardware damage

Answer 89

b. Scope of confidentiality, integrity, and availability breach

Question 90

17. What is the potential method for incident containment? a. Allowing unauthorized access b. Disabling compromised accounts c. Ignoring minor threats d. Removing firewall restrictions

Answer 90

b. Disabling compromised accounts

Question 91

20. What should be the final step after handling an incident? a. Conducting an After-Action Review b. Ignoring the past incident c. Shutting down the affected systems permanently d. Upgrading all company software immediately

Question 92

18. Which of the following is an example of incident recovery? a. Installing new monitoring tools b. Disabling user accounts c. Blocking network access d. Deleting backup files

Answer 92

a. Installing new monitoring tools