Practice Questions Flashcards by Ashland Mullins

Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likeliness of an event’s occurrence, the harm it may cause, and is usually denoted as:

Significances
Probability
Magnitudes
Consequences

Consequences

How well did you know this?

Not at all

Perfectly

Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources?

a. Collection
b. Preservation
c. Examination
d. Analysis

Collection

How well did you know this?

Not at all

Perfectly

Which among the following incidents refer to a person gaining access to system and network resources which he/she was not authorized to have?

a. Handling Inappropriate Usage Incidents
b. Unauthorized Access Incident
c. Handling Multiple Component Incidents
d. Authorized Access Incident

Unauthorized Access Incident

How well did you know this?

Not at all

Perfectly

What is the purpose of proactive services offered by a CERT?

a. To find the cost of fixing a problem
b. To develop the infrastructure and security processes
c. To provide services to the constituency
d. None of the above

To develop the infrastructure and security processes

How well did you know this?

Not at all

Perfectly

Which one of the following CSIRT services include alerts and warnings, incident handling, vulnerability handling, and artifact handling activities?

a. Reactive Services
b. Proactive Services
c. Security Quality Management Services
d. Vulnerability Management Services

Reactive Services

How well did you know this?

Not at all

Perfectly

Which of the following is defined as the existence of a weakness in the design or implementation error that can lead to an unexpected, undesirable event compromising the security of the system?

a. Vulnerability
b. Patch
c. Attack
d. Accident

Vulnerability

How well did you know this?

Not at all

Perfectly

Which one of the following is the intangible cost for an incident?

a. Lost productivity hours
b. Investigation and recovery efforts
c. Loss of business
d. Loss of reputation

Loss of reputation

How well did you know this?

Not at all

Perfectly

Which of the following document contains logs, records, documents, and any other information that is found on a system?

a. Incident preparation report
b. Incident response report
c. Host-based evidence report
d. Network-based evidence report

Host-based evidence report

How well did you know this?

Not at all

Perfectly

Which among the following malware pretends to be a program that offers useful applications, but acquires the information of the computer and sends it to a remote attacker?

a. Spyware
b. Worm
c. Virus
d. Rootkit

Spyware

How well did you know this?

Not at all

Perfectly

Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigation, he found that the application was self-replicating and degrading the systems’ performance, but it did not affect the files in those systems.

What is your inference from the above scenario?

a. The application is a Worm
b. The application is a Virus
c. The application is a Trojan
d. The application is a Backdoor

The application is a Worm

How well did you know this?

Not at all

Perfectly

Identify the malicious program that is masked as a genuine harmless program, and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk, and send the victim’s credit card numbers and passwords to a stranger.

Cookie tracker
Worm
Virus
Trojan

Trojan

How well did you know this?

Not at all

Perfectly

Which policy recommends controls for securing and tracking organizational resources?

Access control policy
Administrative security policy
Acceptable use policy
Asset control policy

Asset control policy

How well did you know this?

Not at all

Perfectly

Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical limitations that adversely affects the organization’s operations and revenues?”

Incident Response
Threat
Vulnerability
Risk

Risk

How well did you know this?

Not at all

Perfectly

The goal of incident response is to handle the incidents in a way that minimizes damage and reduces recovery time and costs. Which of the following does not constitute a goal of incident response?

Dealing properly with legal issues that may arise during incidents
Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
Dealing with human resource department and various employee conflict behaviors

Dealing with human resource department and various employee conflict behaviors

How well did you know this?

Not at all

Perfectly

Organizations, or incident response teams, need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. Evidence protection is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage?

Chain-of-Custody
Chain-of-Precedence
Forensic analysis report
Network and Host log records

Chain-of-Custody

How well did you know this?

Not at all

Perfectly

An audit trail policy collects all audit trails such as series of records of computer events, about an operating system, an application, or user activities. Which of the following statements is not true for an audit trail policy?

It helps in reconstructing the events after a problem has occurred
It helps in calculating intangible losses to the organization due to an incident
It helps in compliance to various regulatory laws, rules, and guidelines
It helps in tracking individual actions and allows users to be personally accountable for their actions

It helps in calculating intangible losses to the organization due to an incident

How well did you know this?

Not at all

Perfectly

Which of the following risk mitigation strategy make an organization absorb minor risks while preparing to respond to major ones?

a. Risk avoidance
b. Risk limitation
c. Risk assumption
d. Risk planning

Risk assumption

How well did you know this?

Not at all

Perfectly

Which among the following CERTs is an Internet provider to higher education institutions and various other research institutes in the Netherlands, and deals with all cases related to computer security incidents in which a customer is involved, either as a victim or as a suspect?

Funet CERT
SURFnet-CERT
NET-CERT
DFN-CERT

SURFnet-CERT

How well did you know this?

Not at all

Perfectly

Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack?

a. Threat
b. Risk Assessment
c. Vulnerability assessment
d. Incident response

Incident response

How well did you know this?

Not at all

Perfectly

Which of the following is an indication of unauthorized usage of the standard user account?

a. Usage of secret account
b. Alert of network and host IDS
c. Misplaced hardware parts
d. Increase in the usage of resource

Usage of secret account

How well did you know this?

Not at all

Perfectly

A file or an object found on the system that might involve attacking systems and networks is known as an “artifact”. Handling an artifact involves receiving information about the artifacts that are used in intruder attacks, investigation, and other unauthorized activities causing distortions. Identify the CSIRT service category that artifact handling belongs to?

Reactive services
Proactive services
Incident tracking and reporting systems services
Security quality management services

Reactive services

How well did you know this?

Not at all

Perfectly

Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized?

a. Penetration testing
b. Computer forensics
c. Certification and Accreditation (C&A)
d. Incident handling

Certification and Accreditation (C&A)

How well did you know this?

Not at all

Perfectly

Mysoft, a major software developer located out of New Jersey, realized that sensitive information from folders shared across its network is being accessed by unauthorized people and leaked to third parties, which could result in huge financial losses for the organization. In this context, which of the following statements most appropriately defines “computer security incident”?

Events related to physical security incidents and trouble- shooting issues in corporate networks
Any real or suspected adverse event in relation to the security of computer systems or networks
Policies guaranteeing access to information system resources
Rectifying the loss of information that may affect the investment of the organization in different business activities

Any real or suspected adverse event in relation to the security of computer systems or networks

How well did you know this?

Not at all

Perfectly

A Distributed Denial-of-Service (DDoS) attack is a more common type of DoS attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:

a. Spyware
b. Zombies
c. Worms
d. Trojans

Zombies

How well did you know this?

Not at all

Perfectly

Signs of an Incident are categorized into one of two categories: Precursor or Indication. Precursor indicates the possibility of a security incident occurrence, and Indication implies that an incident has probably occurred or is in progress. Identify which of the following is a precursor to an incident? The network administrator notices an unusual deviation from the typical network traffic flows A user approaches the help desk to report of abusing/threatening email Warning from an antivirus program or scanner that threat(s) from virus/worm is identified on the user’s system. A new found vulnerability in the organization server, in case the vendor makes an announcement of the same

A new found vulnerability in the organization server, in case the vendor makes an announcement of the same

The type of relationship between CSIRT and its constituency have an impact on the services provided by the CSIRT. Identify the level of authority that enables the members of CSIRT to undertake any necessary actions on behalf of their constituency? Half-level authority Shared-level authority Mid-level authority Full-level authority

Full-level authority

Which policy recommends controls for securing and tracking organizational resources? Administrative security policy Access control policy Asset control policy Acceptable use policy

Asset control policy

How will you define quantitative risk analysis? a. Probability of loss x value of loss b. Value of loss/Probability of loss c. Probability of loss + value of loss d. Probability of loss - value of loss

Probability of loss x value of loss

An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is based on necessity and if a particular job role requires the use of those resources. Which of the following is not a fundamental element of an access control policy? Action group: Group of actions performed by the user on resources Development group: Group of persons who develop the policy Access group: Group of users to which the policy applies Resource group: Resources controlled by the policy

Development group: Group of persons who develop the policy

Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT? Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management Applies the appropriate technology and tries to eradicate and recover from the incident Focuses on the incident and handles it from management and technical point of view

Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management

One of the goals of CSIRT is to manage security problems by taking a certain approach towards the customers’ security vulnerabilities, and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident. Interactive approach Qualitative approach Proactive approach Interactive approach

Proactive approach

An incident is analyzed for its nature, intensity, and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files? Identification Containment Incident recording Reporting

Identification

US-CERT and federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 federal agency category? a. Weekly b. Monthly c. Within two (2) hours of discovery/detection d. Within four (4) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity

Weekly

Which one of the following is an appropriate flow of steps in computer forensics process? a. Preparation -> Collection -> Examination -> Analysis -> Reporting b. Examination -> Analysis -> Preparation -> Collection -> Reporting c. Analysis -> Preparation -> Collection -> Reporting -> Examination d. Preparation -> Analysis -> Collection -> Examination -> Reporting

Preparation -> Collection -> Examination -> Analysis -> Reporting

Identify the network security incident where intended authorized users are prevented from using system, network, or applications by flooding the network with a high volume of traffic that consumes all existing network resources. SQL injection URL manipulation XSS attack Denial-of-Service

Denial-of-Service

The data on affected systems must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out? Containment Incident recording Incident investigation Eradication

Containment

Hexagon, a leading IT company in the USA, have received a lot of malformed TCP/IP packets, which lead the main server’s operating system to crash and thereby restricted the employees from accessing their resources. Which attack did the adversary use in the above situation? a. DoS attack b. Session Hijacking c. Man-in-the-Middle d. Cross-Site-Scripting

DoS attack

Which of the following determines the level of risk and the resulting security requirements for each system? a. Risk assessment b. Contingency planning c. Risk mitigation d. Residual risk

Risk assessment

Which one of the following is the correct flow of the stages in an incident response? a. Eradication --> Containment --> Identification --> Preparation --> Recovery --> Follow-up b. Identification --> Preparation --> Containment --> Recovery --> Follow-up - -> Eradication c. Containment --> Identification --> Preparation --> Recovery --> Follow-up --> Eradication d. Preparation --> Identification --> Containment --> Eradication --> Recovery --> Follow-up

Preparation --> Identification --> Containment --> Eradication --> Recovery --> Follow-up

Information gathering is an integral part of information warfare. Which of the following activities is a part of passive information gathering? Obtaining details of the target organization by scanning their network Obtaining details of the target organization by taking services of underground hacking forums Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization Obtaining details of the target organization that are freely available on the Internet, and through various other techniques by coming into direct contact with the organization

Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization

An information system processes data into useful information to achieve specified organizational or individual goals. It accepts, processes, and stores data in the form of records in a computer system, and automates some of the information processing activities of the organization. Who is responsible for implementing and controlling the security measures of an information system? Information Custodian Information Owner Information Implementer Information Consultant

Information Custodian

A computer forensic investigator must perform a proper investigation to protect digital evidence. During the investigation, an investigator needs to process large amounts of data using a combination of automated and manual methods. Identify the computer forensic process involved. Preparation Collection Reporting Examination

Examination

The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing Denial of Service attack? SMTP service SAM service POP3 service Echo service

Echo service

In the DoS containment strategy, at what point you will ask your ISP to implement filtering? a. After correcting the vulnerability or weakness that is being exploited b. After relocating the affected target c. After determining the method of attack d. After identifying the attackers

After determining the method of attack

In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified? a. Control Recommendations b. Control Analysis c. System Characterization d. Likelihood Determination

System Characterization

Which one of the following is an appropriate flow of the incident recovery steps? System Restoration --> System Validation --> System Operations --> System Monitoring System Validation --> System Operations --> System Restoration --> System Monitoring System Operations --> System Restoration --> System Validation --> System Monitoring System Restoration --> System Monitoring --> System Validation --> System Operations

System Restoration --> System Validation --> System Operations --> System Monitoring

Policies are designed to protect the organizational resources on the network by establishing the set rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources? Documentation policy Audit Trail Policy Logging Policy Access Control Policy

Access Control Policy

Identify a standard national process which establishes a set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site. NIASAP NIACAP NIAAAP NIPACP

NIACAP

Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events? a. Incident response plan b. Incident recovery plan c. Business continuity planning d. Business impact analysis

Business continuity planning

Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism. Select the technique that helps in detecting insider threats. a. Categorizing information according to its sensitivity and access rights b. Protecting computer systems by implementing proper controls c. Making it compulsory for employees to sign a nondisclosure agreement d. Correlating known patterns of suspicious and malicious behavior

Correlating known patterns of suspicious and malicious behavior

The insider’s incident response plan helps the organization to minimize or limit the damage caused due to malicious insiders. Organizations should ensure that the insider perpetrators are not included in the response team or are not aware of the progress. Which of the following statements is not true about the incident response plan? The organization should regularly update the employee on different forms of external and internal attacks through training program The employees should also be trained on how to report suspicious behaviors of the insiders The organization should share or provide the details of the insider’s incident response plan with all employees Persons responsible for handling insiders incidents should be trained on the contents and execution of the response plan

The organization should share or provide the details of the insider’s incident response plan with all employees

Host based evidence is the evidence gathered and available on a computer system. It may include logs, records, documents, and any other information stored in a computer system. Network-based evidence is the information gathered from the network resources. Which of the following is Host-Based evidence? Wiretaps IDS logs Router logs State of network interface

State of network interface

Which one of the following personnel in incident response team focuses on the incident and handles it from management and technical point of view? a. Incident Manager (IM) b. Incident Coordinator (IC) c. Incident Analyst (IA) d. Technical Expert

Incident Manager (IM)

Incident handling and response steps help you to detect, identify, respond, and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system? a. Configuring firewall to default settings b. Browsing particular government websites c. Inspecting the processes running on the system d. Sending mails to only group of friends

Inspecting the processes running on the system

Which one of the following is an appropriate flow of the incident recovery steps? System Restoration --> System Monitoring --> System Validation --> System Operations System Operations --> System Restoration --> System Validation --> System Monitoring System Validation --> System Operations --> System Restoration --> System Monitoring System Restoration --> System Validation --> System Operations --> System Monitoring

System Restoration --> System Validation --> System Operations --> System Monitoring

Which one of the following is a technical threat? a. Incorrect data entry b. Shoulder surfing c. Sniffing and scanning of the network traffic d. Password guessing

Sniffing and scanning of the network traffic

When an employee is terminated from his/her job, what should be the next immediate step taken by an organization? The access requests granted to an employee should be documented and vetted by a supervisor All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled The organization should enforce separation of duties The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information

All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled

Roy is a software employee working in a Nexawave, a leading IT firm. One day he has downloaded few files from the internet and referred them for his current project. While developing the project document, Roy observed that his word application is crashing uninterruptedly. What could be the reason for the above situation? a. Roy’s system has infected by boot-record infectors b. Roy’s system has infected by Macro virus c. Roy’s system has infected by Micro virus d. Roy’s system has infected through phishing

Roy’s system has infected by Macro virus

In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it, in order to establish the scope of the risk assessment effort. a. Threats Identification b. Threat Characterization c. System Identification d. System Characterization

System Characterization

Which of the following strategy focuses on minimizing the probability of risks and losses by searching vulnerabilities in the system and appropriate controls? a. Risk planning b. Research and acknowledgment c. Risk avoidance d. Risk limitation

Research and acknowledgment

In which attack does an attacker(s) infect multiple systems called zombies, and them to attack a particular target? a. Denial of Service b. Distributed denial of service c. Identity Spoofing d. Man-in-the-Middle

Distributed denial of service

Identify the reasons that make the organizations not report computer crimes to law enforcement. I. Fear of negative publicity II. Lack of awareness of the attack III. Capability to handle incidents internally IV. Potential loss of customers a. I, II, II and IV b. I and II c. I, II, and III d. I, II, and IV

I, II, and IV

The insiders risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that: If the insiders’ technical literacy and process knowledge is high, the risk posed by the threat will be high If the insiders’ technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant If the insiders’ technical literacy is high and process knowledge is low, the risk posed by the threat will be high If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be insignificant

If the insiders’ technical literacy and process knowledge is high, the risk posed by the threat will be high

An organization faced an information security incident, where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incidents? High level incident Middle level incident Ultra-high level incident Low level incident

Middle level incident

Computer forensics is the branch of forensic science in which legal evidence is found in any computer or on any digital media devices. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence? Evidence Manager Evidence Examiner/Investigator Evidence Documenter Evidence Supervisory

Evidence Examiner/Investigator

Which of the following activity involves all the processes, logistics, communications, coordination, and planning to respond and overcome an incident efficiently? a. Incident recovery b. Incident handling c. Incident reporting

Incident handling

Which one of the following malware takes advantage of file or information transport features on the system to propagate across systems and networks without any human interactions? a. Worms b. Virus c. Trojan d. Spyware

Worms

Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident? An insider intentionally deleting files from a workstation An attacker using email with malicious code to infect internal work station An attacker redirecting user to a malicious website and infects his system with Trojan An attacker infecting a machine to launch a DDoS attack

An insider intentionally deleting files from a workstation

Computer forensics is a methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process? Examination> Analysis> Preparation> Collection> Reporting Analysis> Preparation> Collection> Reporting> Examination Preparation> Collection> Examination> Analysis> Reporting Preparation> Analysis> Collection> Examination> Reporting

Preparation> Collection> Examination> Analysis> Reporting

Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan; namely supporting information, notification/activation, recovery, and reconstitution and plan appendices. What is the main purpose of a reconstitution plan? To restore the original site, tests systems to prevent the incident, and terminates operations To provide the introduction and detailed concept of the contingency plan To provide a sequence of recovery activities with the help of recovery procedures To define the notification procedures, damage assessments, and offers the plan activation

To restore the original site, tests systems to prevent the incident, and terminates operations

Which of the following type of risk is defined by the formula (threats x vulnerability)?] a. Residual risk b. Qualitative risk c. Inherent risk d. Quantitative risk

Inherent risk

Which of the following is the practice of identifying the infected systems by looking for evidence of the recent infections? a. Forensic identification b. Active identification c. UManual identification d. Passive identification

Forensic identification

Which one of the following is an appropriate flow of the incident recovery steps? a. System restoration -> System validation -> System operations -> System monitoring b. System operations -> System restoration -> System validation -> System monitoring c. System validation -> System operations -> System monitoring -> System restoration d. System operations -> System validation -> System monitoring -> System restoration

System restoration -> System validation -> System operations -> System monitoring

Which of the following policy controls the access to the facilities and computers? a. Information Security Policy b. Personnel Security Policy c. Physical Security Policy d. Evidence Collection Policy

Physical Security Policy

Which category of unauthorized access is associated with changes in system status? a. Physical Intruder b. Unauthorized Data Access c. Unauthorized Usage of Standard User Account d. Unauthorized Data Modification

Physical Intruder

Which among the following steps do you implement as a part of DoS attack prevention? a. Disable Intrusion Detection Systems b. Enable Remote Desktop Connection c. Install and run packet sniffer on the workstation d. Block traffic from unassigned IP address ranges

Block traffic from unassigned IP address ranges

In a qualitative risk analysis, risk is calculated in terms of: (Attack Success + Criticality) – (Countermeasures) Probability of Loss X Loss (Countermeasures + Magnitude of Impact)- (Reports from prior risk assessments) Asset criticality assessment –(Risks and Associated Risk Levels)

(Attack Success + Criticality) – (Countermeasures)

Which of the following incident recovery testing methods works by creating a mock disaster, like a fire, to identify the reaction of the procedures that are implemented to handle such situations? a. Scenario testing b. Procedure testing c. Facility testing d. Live Walk Through testing

Scenario testing

Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident? a. Identification b. Data Collection c. Containment d. Eradication

Containment

Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy. Identify the plan which is a mandatory part of a business continuity plan? New business strategy plan Business recovery plan Forensics procedure plan Sales and marketing plan

Business recovery plan

Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident? Identification Eradication Data Collection Containment

Containment

Which one of the following is the correct flow of the stages in an incident response? a. Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up b. Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication c. Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication d. Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up

Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up

Sam, an employee from a multinational company, uses his company’s account to send e-mails to a third party with their spoofed mail address. How can you categorize this type of account? Denial-of-Service incident Network intrusion incident Unauthorized access incident Inappropriate usage incident

Inappropriate usage incident

Smith is managing a web server that runs a PHP-based web service. He was escalated an incident where users were not able to access the service. During the investigation, he discovered that the web server is live and there is no alert from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Smith infer from the above observation? a. It indicates a DoS attack b. It indicates an unauthorized access attack c. It indicates a Trojan attack d. It indicates a php-cgi injection attack

It indicates a DoS attack

Which of the following activities identifies the effects of uncontrolled and non-specific events in the business process? a. Business impact analysis b. Support plan analysis c. Temporary plan analysis d. Threat Analysis

Business impact analysis

One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms? a. Detection b. Triage c. Protection d. Preparation

Protection

“Information warfare” is conflict that uses Information/Information systems as weapons. “Offensive” and “defensive” are two types of information warfare. Which of the following is an example of defensive information warfare? Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network Hijacking television and radio transmissions for generating disinformation Spoofing or disabling the communication networks of a competitor or an enemy Jamming radio transmissions

Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network

Which of the following techniques do you implement to respond to an insider attack? a. Place all the users in quarantine network b. Place malicious users in quarantine network c. Allow malicious users to access sensitive information d. Leave the insider’s computer open in the network

Place malicious users in quarantine network

Identifying and analyzing an incident is a very critical part of the incident response procedure. Which of the following signs do not indicate a computer security incident? System crashes or poor system performance Failed logon attempts and creation of new user accounts A system alarm or similar indication from an intrusion-detection Smoke emitting from the system

Smoke emitting from the system

Risk management consist of three processes; risk assessment, risk mitigation and evaluation and assessment. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST’s risk assessment methodology involve? a. Nine b. Twelve c. Four d. Six

Nine

Chris is a forensic expert and was hired by a major financial company to use his services in the incidents and crimes that involve the use of computers. Being a forensic expert, he has to perform many duties day-to-day. Choose the duties that Chris has to perform being a forensic expert from the list below: I. The reason for the incident that was happened II. Determine the nature of the system by analyzing it III. Establishing the secure network measures to avoid the incident from happening IV. Preserver, analyze and submit in the court

I II and IV

A threat source does not present a risk if there is no vulnerability that can be exercised for a particular threat source. Identify the step in which different threats and threat sources are determined? Threat identification System characterization Identification Vulnerabilities Control Analysis

Threat identification

Which of the following is a set of specific strategies, guidelines, and processes to recover from an incident resulting due to a problem or emergency? a. Contingency plan b. Incident recovery testing c. Business impact analysis d. Temporary plan analysis

Contingency plan

Incident reporting and assessment, assigning event identity and severity level, assigning incident task force members are part of which phase of incident response? a. Incident Classification b. Containment c. Data collection d. Identification

Identification

Riya got the following email: ``` Dear user, Due to an unexpected software glitch, we have lost all our customer details and left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and account will be deleted permanently. Username: _____________ Password: ______________ Click reply and send. Note: Please Forward this mail to all the HDBC users you know. Sorry for the inconvenience. Thank you for your cooperation HDBC Bank Admin Copyright © 2017 Service Providers administrator All rights reserved. On seeing the message, Riya got startled and immediately responded the sender with her username and password. Later she came to know that her account has been hacked. ``` Which trick did the attacker use to trap Riya? a. Attacker used phishing b. Attacker used sniffing technique c. Attacker used Pharming technique d. Attacker used keylogger technique

Attacker used phishing

A computer virus hoax is a message warning the recipient of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is not a symptom of virus hoax message? The message warns to delete certain files if the user does not take appropriate action The message prompts the user to install Anti-virus The message from a known email id is caught by SPAM filters due to change in filter settings The message prompts the end user to forward it to his/her email contact list and gain monetary benefits in doing so

The message from a known email id is caught by SPAM filters due to change in filter settings

Which of the following incident refers to a user performing actions that violate the acceptable computing use policies? a. Inappropriate usage incident b. Unauthorized access incident c. Multiple Component incident d. Distributed Denial-of-Service (DDoS) incident

Inappropriate usage incident

Risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. An organization that absorbs minor risks while preparing to respond to major risks relates to which risk mitigation strategy? Risk limitation Risk avoidance Risk absorption Risk assumption

Risk absorption

Risk analysis involves the process of defining and evaluating dangers. The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination? a. Descriptive risk analysis b. Analytical risk analysis c. Quantitative risk analysis d. Qualitative risk analysis

Quantitative risk analysis

Quantitative risk is the numerical determination of the probability of an adverse event, and the extent of the losses due to the event. Quantitative risk is calculated as: Significant Risks x Probability of Loss X Loss (Probability of Loss) / (Loss) (Loss) / (Probability of Loss) (Probability of Loss) X (Loss)

(Probability of Loss) X (Loss)

How will you define Qualitative risk analysis? a. (Attack Success + Criticality) – (Countermeasures) b. (Countermeasures) + (Criticality – Attack Success) c. (Attack Success + Countermeasures) – (Criticality) d. (Attack Success) + (Criticality – Countermeasures)

(Attack Success + Criticality) – (Countermeasures)

Which of the following incident response action focuses on limiting the scope and extent of an incident? a. Identification b. Containment c. Eradication d. Formulating a response strategy

Containment

Smith is a forensic expert in a reputed organization based in New York. As a part of his task, he sniffed the data packets that are trying to communicate with the server of the organization, he recorded and then analyzed the event logs. Which type of the forensic analysis did Smith perform? a. Network Forensics b. Data Forensics c. Internet Forensics d. Source-code forensics

Network Forensics

A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. Identify the risk mitigation strategy that focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls. Research and acknowledgment Risk limitation Risk absorption Risk assumption

Research and acknowledgment

Which of the following tools is a stand-alone utility used to detect and remove specific viruses? It is not a substitute for full anti-virus but assists administrators and users while dealing with an infected system, and utilizes next generation scan engine technology that includes process scanning, digitally signed DAT files and scan performance optimizations. Site Advisor Tripwire Enterprise HijackThis Stinger

Stinger

What is a residual risk? a. Risk remaining after implementation of all the possible controls b. Risk caused due to a threat exercising vulnerability c. Risk resolved with the implementation of possible controls d. Risk within the acceptable level of threshold

Risk remaining after implementation of all the possible controls

An incident recovery plan is a statement of actions that should be taken before, during, or after an incident. Identify which of the following is not an objective of the incident recovery plan? Creating new business processes to maintain profitability after incident Providing a standard for testing the recovery plan Avoiding the legal liabilities arising due to incident Providing assurance that systems are reliable

Creating new business processes to maintain profitability after incident

Which among the following is a process of rebuilding and restoring the computer systems affected by an incident to the normal operational stage? a. Incident reporting b. Incident handling c. Incident recovery d. Incident preparation

Incident recovery

A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can also become a point of reference in case a violation occurs that results in a dismissal or other penalty. Which of the following is NOT true for a good security policy? It must be approved by a court of law after verification of stated terms and facts It must clearly define the areas of responsibility for the users, administrators, and management It must be enforceable with security tools where appropriate, and with sanctions, where actual prevention is not technically feasible It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods

It must be approved by a court of law after verification of stated terms and facts

A Computer Risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is not part of the computer risk policy? Provisions for continuing support if there is an interruption in the system or if the system crashes Procedures for the ongoing training of employees authorized to access the system Procedure to identify security funds to hedge risk Procedures to monitor the efficiency of the security controls

Procedures to monitor the efficiency of the security controls

Which of the following statement defines a risk policy a. Estimating the damage caused due to occurrence of a disaster b. Finding the level of the risk c. Set of ideas implemented to overcome risks d. Defined probability of the occurrence of an incident

Set of ideas implemented to overcome risks

In the Control Analysis stage of the NIST’s risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are these two control categories? Preventive and Detective controls Predictive and Detective controls Detective and Disguised controls Preventive and Predictive controls

Preventive and Detective controls

The incident management team provides support to all users in the organization that are affected by the threat or attack. The organization’s internal auditor is part of the incident response team. Identify one of the responsibilities of the internal auditor as a part of the incident response team. Perform necessary action required to block the network traffic from the suspected intruder Coordinate incident containment activities with the information security officer Configure information security controls Identify and report security loopholes to the management for necessary actions

Identify and report security loopholes to the management for necessary actions

HDBC’s online banking website was knocked offline, and its customers were unable to login, and make online transactions. After few hours the bank authorities identified that some attacker had kept their server busy by establishing simultaneous login sessions which restricted their customer from logging into the bank website. Identify the attack that the invader has used to draw the bank server offline. a. DoS attack b. Session Hijacking c. Man-in-the-Middle d. Cross-Site-Scripting

DoS attack

A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to agency’s reporting timeframe guidelines, this incident should be reported within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which incident category of US Federal Agency does this incident belong to? CAT 5 CAT 2 CAT 1 CAT 6

CAT 2

An incident response plan consists of a set of instructions to detect and respond to an incident. It defines the areas of responsibility, and creates procedures for handling various computer security incidents. Which of the following is an essential pre-requisite for an Incident response plan? a. Availability of forensic experts b. An approval from court of law c. Incident analysis report d. Company’s financial support

Company’s financial support

Practice Questions Flashcards

(116 cards)