IS3340 CHAPTER 13 Flashcards Preview

Question 1

1

Documentation that provides details of every move and access of evidence is called ___?

Answer

CHAIN OF CUSTODY

Question 2

2

A team of representatives from IT, management, legal, and public relations that is organized to respond to incidents is called ___?

Answer

COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Question 3

3

Any written evidence, such as printed reports or data in log files is called ___?

Answer

DOCUMENTARY EVIDENCE

Question 4

4

Any observable occurrence within computer or network is called ___?

EVENT

Answer

REAL EVIDENCE

Answer

Validate that an incident has occurred

Answer

Preparation

Answer

Containment

Answer

lessons learned

Answer

Failed attempt to access any account

Answer

Identification

Answer

Eradication

Answer

Documentary evidence

Answer

Chain of custody log

Question 5

5

An event that results in violation your security policy, or poses an imminent threat to your security policy is called ___?

INCIDENT

Question 6

6

Any physical object that you can bring into court that you can touch, hold, and irately observe is called ___?

Question 7

7

1. To ensure a secure computing environment, investigate each reported event.
TRUE OR FALSE

FALSE

Question 8

8

2. Many incidents go unreported because they are never recognized.
TRUE OR FALSE

TRUE

Question 9

9

3. Which of the following is the best description of the CSIRT's initial responsibility for incidents?

1. Recognize incidents
2. Validate that an incident has occurred
3. Initiate the incident investigation
4. Contain the incident damage

Question 10

10

4. The ___ step of handling incidents should always occur before an incident happens.

Question 11

11

5. Which incident handling step might include disconnecting a computer from the network?

1. Identification
2. Eradication
3. Containment
4. Recovery

Question 12

12

6. The ___ step to handling incidents is the most important step to continuously improving your incident response plan.

Question 13

13

7. IT investigators (SMEs) are all CSIRT team members.
TRUE OR FALSE

FALSE

Question 14

14

8. Which incident classification would apply to a situation where you find that your user account is locked due to too many logon tries using an incorrect password?

1. Unauthorized access of a limited account
2. AUP violation
3. Failed attempt to access any account
4. Unauthorized scan of one or more systems

Question 15

15

9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?
1. Severe
2. High
3. Moderate
4. Low

High

Question 16

16

10. Which incident handling step might include scanning a computer for malware?

1. Identification
2. Containment
3. Eradication
4. Recovery

Question 17

17

11. Which incident handling step might include removing a virus from a computer?

1. Identification
2. Containment
3. Eradication
4. Recovery

Question 18

18

12. The contents of log files are which type of evidence?

1. Real evidence
2. Documentary evidence
3. Testimonial evidence
4. Demonstrative evidence

Question 19

19

13. The documentation that provides details of every move and access of evidence is called the ___?

Question 20

20

14. You should treat every incident as if it might end up in court.
TRUE OR FALSE

TRUE

Question 21

21

IS3340 CHAPTER 13 Flashcards Preview

IS3340 SEC. STRAT. IN WINDOWS PLATFORM & APPS. > IS3340 CHAPTER 13 > Flashcards

Documentation that provides details of every move and access of evidence is called ___?

CHAIN OF CUSTODY

A team of representatives from IT, management, legal, and public relations that is organized to respond to incidents is called ___?

COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Any written evidence, such as printed reports or data in log files is called ___?

DOCUMENTARY EVIDENCE

Any observable occurrence within computer or network is called ___?

EVENT

An event that results in violation your security policy, or poses an imminent threat to your security policy is called ___?

INCIDENT

Any physical object that you can bring into court that you can touch, hold, and irately observe is called ___?

REAL EVIDENCE

1. To ensure a secure computing environment, investigate each reported event.TRUE OR FALSE

FALSE

2. Many incidents go unreported because they are never recognized.TRUE OR FALSE

TRUE

3. Which of the following is the best description of the CSIRT's initial responsibility for incidents?1. Recognize incidents2. Validate that an incident has occurred3. Initiate the incident investigation4. Contain the incident damage

Validate that an incident has occurred

4. The ___ step of handling incidents should always occur before an incident happens.

Preparation

5. Which incident handling step might include disconnecting a computer from the network?1. Identification2. Eradication3. Containment4. Recovery

Containment

6. The ___ step to handling incidents is the most important step to continuously improving your incident response plan.

lessons learned

7. IT investigators (SMEs) are all CSIRT team members.TRUE OR FALSE

FALSE

Failed attempt to access any account

9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?1. Severe2. High3. Moderate4. Low

High

10. Which incident handling step might include scanning a computer for malware?1. Identification2. Containment3. Eradication4. Recovery

Identification

11. Which incident handling step might include removing a virus from a computer?1. Identification2. Containment3. Eradication4. Recovery

Eradication

12. The contents of log files are which type of evidence?1. Real evidence2. Documentary evidence3. Testimonial evidence4. Demonstrative evidence

Documentary evidence

13. The documentation that provides details of every move and access of evidence is called the ___?

Chain of custody log

14. You should treat every incident as if it might end up in court.TRUE OR FALSE

TRUE

15. Any small change to evidence data may render that evidence unusable to your case.TRUE OR FALSE

TRUE

Decks in IS3340 SEC. STRAT. IN WINDOWS PLATFORM & APPS. Class (15):

1. To ensure a secure computing environment, investigate each reported event.
TRUE OR FALSE

2. Many incidents go unreported because they are never recognized.
TRUE OR FALSE

3. Which of the following is the best description of the CSIRT's initial responsibility for incidents?

1. Recognize incidents
2. Validate that an incident has occurred
3. Initiate the incident investigation
4. Contain the incident damage

5. Which incident handling step might include disconnecting a computer from the network?

1. Identification
2. Eradication
3. Containment
4. Recovery

7. IT investigators (SMEs) are all CSIRT team members.
TRUE OR FALSE

9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?
1. Severe
2. High
3. Moderate
4. Low

10. Which incident handling step might include scanning a computer for malware?

1. Identification
2. Containment
3. Eradication
4. Recovery

11. Which incident handling step might include removing a virus from a computer?

1. Identification
2. Containment
3. Eradication
4. Recovery

12. The contents of log files are which type of evidence?

1. Real evidence
2. Documentary evidence
3. Testimonial evidence
4. Demonstrative evidence

14. You should treat every incident as if it might end up in court.
TRUE OR FALSE

15. Any small change to evidence data may render that evidence unusable to your case.
TRUE OR FALSE