Flashcards in IS3340 CHAPTER 13 Deck (21):
1
Documentation that provides details of every move and access of evidence is called ___?
CHAIN OF CUSTODY
2
A team of representatives from IT, management, legal, and public relations that is organized to respond to incidents is called ___?
COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
3
Any written evidence, such as printed reports or data in log files, is called ___?
DOCUMENTARY EVIDENCE
4
Any observable occurrence within a computer or network is called ___?
EVENT
5
An event that results in a violation of your security policy, or poses an imminent threat to your security policy, is called ___?
INCIDENT
6
Any physical object that you can bring into court and that you can touch, hold, and directly observe is called ___?
REAL EVIDENCE
7
1. To ensure a secure computing environment, investigate each reported event.
TRUE OR FALSE
FALSE
8
2. Many incidents go unreported because they are never recognized.
TRUE OR FALSE
TRUE
9
3. Which of the following is the best description of the CSIRT's initial responsibility for incidents?
1. Recognize incidents
2. Validate that an incident has occurred
3. Initiate the incident investigation
4. Contain the incident damage
Validate that an incident has occurred
10
4. The ___ step of handling incidents should always occur before an incident happens.
Preparation
11
5. Which incident handling step might include disconnecting a computer from the network?
1. Identification
2. Eradication
3. Containment
4. Recovery
Containment
12
6. The ___ step of handling incidents is the most important step for continuously improving your incident response plan.
lessons learned
13
7. IT investigators (SMEs) are all CSIRT team members.
TRUE OR FALSE
FALSE
14
8. Which incident classification would apply to a situation where you find that your user account is locked due to too many logon tries using an incorrect password?
1. Unauthorized access of a limited account
2. AUP violation
3. Failed attempt to access any account
4. Unauthorized scan of one or more systems
Failed attempt to access any account
15
9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?
1. Severe
2. High
3. Moderate
4. Low
High
16
10. Which incident handling step might include scanning a computer for malware?
1. Identification
2. Containment
3. Eradication
4. Recovery
Identification
17
11. Which incident handling step might include removing a virus from a computer?
1. Identification
2. Containment
3. Eradication
4. Recovery
Eradication
18
12. The contents of log files are which type of evidence?
1. Real evidence
2. Documentary evidence
3. Testimonial evidence
4. Demonstrative evidence
Documentary evidence
19
13. The documentation that provides details of every move and access of evidence is called the ___?
Chain of custody log
20
14. You should treat every incident as if it might end up in court.
TRUE OR FALSE
TRUE
21