IS3340 CHAPTER 13 Flashcards Preview


Flashcards in IS3340 CHAPTER 13 Deck (21):
1

Documentation that provides details of every move and access of evidence is called ___?

CHAIN OF CUSTODY

2

A team of representatives from IT, management, legal, and public relations that is organized to respond to incidents is called ___?

COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

3

Any written evidence, such as printed reports or data in log files, is called ___?

DOCUMENTARY EVIDENCE

4

Any observable occurrence within a computer or network is called ___?

EVENT

5

An event that results in a violation of your security policy, or poses an imminent threat to your security policy, is called ___?

INCIDENT

6

Any physical object that you can bring into court and that you can touch, hold, and directly observe is called ___?

REAL EVIDENCE

7

1. To ensure a secure computing environment, investigate each reported event.
TRUE OR FALSE

FALSE

8

2. Many incidents go unreported because they are never recognized.
TRUE OR FALSE

TRUE

9

3. Which of the following is the best description of the CSIRT's initial responsibility for incidents?

1. Recognize incidents
2. Validate that an incident has occurred
3. Initiate the incident investigation
4. Contain the incident damage

Validate that an incident has occurred

10

4. The ___ step of handling incidents should always occur before an incident happens.

Preparation

11

5. Which incident handling step might include disconnecting a computer from the network?

1. Identification
2. Eradication
3. Containment
4. Recovery

Containment

12

6. The ___ step of handling incidents is the most important step for continuously improving your incident response plan.

lessons learned

13

7. IT investigators (SMEs) are all CSIRT team members.
TRUE OR FALSE

FALSE

14

8. Which incident classification would apply to a situation where you find that your user account is locked due to too many logon tries using an incorrect password?

1. Unauthorized access of a limited account
2. AUP violation
3. Failed attempt to access any account
4. Unauthorized scan of one or more systems

Failed attempt to access any account

15

9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?

1. Severe
2. High
3. Moderate
4. Low

High

16

10. Which incident handling step might include scanning a computer for malware?

1. Identification
2. Containment
3. Eradication
4. Recovery

Identification

17

11. Which incident handling step might include removing a virus from a computer?

1. Identification
2. Containment
3. Eradication
4. Recovery

Eradication

18

12. The contents of log files are which type of evidence?

1. Real evidence
2. Documentary evidence
3. Testimonial evidence
4. Demonstrative evidence

Documentary evidence

19

13. The documentation that provides details of every move and access of evidence is called the ___?

Chain of custody log

20

14. You should treat every incident as if it might end up in court.
TRUE OR FALSE

TRUE

21

15. Any small change to evidence data may render that evidence unusable to your case.
TRUE OR FALSE

TRUE