The Ultimate Quiz On Information Assets

1. The ____ team is responsible for reestablishing connectivity between systems and to the Internet.

System recovery

Storage recovery

Applications recovery

Network recovery

Cap 10

Explanation

Cap 10

2. The focus during a(n) ____ is on learning what worked, what didn't, and where communications and response procedures may have failed.

After action review

Advisory distribution

Incident response

CSIRT resource meeting

Cap 6

Explanation

Cap 6

3. The purpose of the ____ is to define the scope of the CP operations and establish managerial intent with regard to timetables for response to incidents, recovery from disasters, and reestablishment of operations for continuity.

Contingency planning policy

Incident response policy

Disaster recovery policy

Cross-training policy

Cap 2

Explanation

Cap 2

4. A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.

Heartbeat attack

Distributed denial-of-service

Networked denial-of-service

Targeted denial-of-service

Cap 7

Explanation

Cap 7

5. Information assets have ____ when authorized users - persons or computer systems - are able to access them in the specified format without interference or obstruction.

Availability

Risk assessment

Integrity

Confidentiality

Cap 1

Explanation

Cap 1

6. The ____ team is primarily responsible for data restoration and recovery.

Data management

Vendor contact

Applications recovery

Storage recovery

Cap 10

Explanation

Cap 10

7. ____ is the process of moving an organization toward its vision.

Strategic planning

Contingency planning

Enterprise information planning

Security planning

Cap 1

Explanation

Cap 1

8. In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.

DNS cache poisoning

Denial-of-service (DoS)

Port mirroring

Evasion

Cap 5

Explanation

Cap 5

9. The task of monitoring file systems for unauthorized change is best performed by using a(n) ____.

HIDPS

Knowledge-based IDPS

NIDPS

AppIDPS

Cap 5

Explanation

Cap 5

10. The Southeast Collegiate Cyber Defense Competition is unique in that it focuses on the operational aspect of managing and protecting an existing network infrastructure. Unlike "capture-the-flag " exercises, this competition is exclusively a real-world ____ competition.

End-user training

Offensive

Defensive

Hacking

Cap 4

Explanation

Cap 4

11. ____ is used both for intrusion analysis and as part of evidence collection and analysis.

Loss analysis

Configuration

Forensics

Rehearsal

Cap 8

Explanation

Cap 8

12. ____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.

Avoidance

BC

DR

Risk assessment

Cap 1

Explanation

Cap 1

13. ____ is a risk control approach that attempts to shift the risk to other assets, other processes, or other organizations.

Transference

Avoidance

Acceptance

Mitigation

Cap 1

Explanation

Cap 1

14. According to NIST, which of the following is an example of a UA attack?

Modifying Web-based content without permission

Asking for large numbers of resources

Knowingly sending a virus-infected message

Downloading unauthorized software

Cap 7

Explanation

Cap 7

15. A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.

IR duty officer

Project manager

Software engineer

Forensic expert

Cap 4

Explanation

Cap 4

16. The U.S. National Institute of Standards and Technology defines the incident response life cycle as having four main processes: 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) ____.

Post-incident activity

Incident report

Resolution

Triage

Cap 4

Explanation

Cap 4

17. One of the primary responsibilities of the IRP team is to ensure that the ____ is prepared to respond to each incident it may face.

Catalyst

Semtex

CSIRT

IR plan

Cap 4

Explanation

Cap 4

18. The first group to communicate the CSIRT's vision and operational plan is the managerial team or individual serving as the ____.

IT staff leader

Educational liaison

Champion

Technical lead

Cap 6

Explanation

Cap 6

19. A(n) ____ is an investigation and assessment of the impact that various attacks can have on the organizatio.

Business impact analysis (BIA)

Business continuity analysis (BCA)

Incident response analysis (IRA)

Threat analysis

Cap 1

Explanation

Cap 1

20. A(n) ____ is used to anticipate, react to, and recover from events that threaten the security of information and information assets in an organization; it is also used to restore the organization to normal modes of business operations;

Contingency plan

Security plan

Threat plan

Social plan

Cap 1

Explanation

Cap 1

21. Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.

Port monitoring

Signature matching

Packet sniffing

Traffic measurement

Cap 5

Explanation

Cap 5

22. ____ are highly probable when infected machines are brought back online or when other infected computers that may have been offline at the time of the attack are brought back up.

Follow-on incidents

Blue bag operations

Black bag operations

War games

Cap 9

Explanation

Cap 9

23. The ____ handles computer crimes that are categorized as felonies.

Department of Defense

U.S. Treasury Department

FBI

U.S. Secret Service

Cap 8

Explanation

Cap 8

24. ____ is a valuable resource for additional information on building and staffing CSIRTs.

IRP

CSIRT Performance Measures

AAR

NIST

Cap 6

Explanation

Cap 6

25. A ____ is used for an office or small campus, with segment distances measured in tens of meters. It may have only a few hosts, or it may have hundreds of clients with multiple servers.

WAN

LAN

Cache

Filter

Cap 9

Explanation

Cap 9

26. Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data.

Speed

Accuracy

Cost-effectiveness

Robustness

Cap 3

Explanation

Cap 3

27. In the context of disaster notification, the ____ is a scripted description of the disaster and consists of just enough information so that each response knows what port of the DR plan to implement.

Desk check

Alert message

Trigger message

Stand-down

Cap 10

Explanation

Cap 10

28. A resumption location known as a ____ or a _______ is a fully configured computer facility capable of establishing operations at a moment's notice.

Mobile site

Service bureau

Hot site

Mirrored site

A resumption location known as a hot site or a mirrored site is a fully configured computer facility capable of establishing operations at a moment's notice. These sites are designed to replicate the primary site's infrastructure, systems, and data, ensuring that critical operations can be quickly resumed in the event of a disaster or disruption. The term "hot site" refers to a facility that is ready and operational, while a "mirrored site" refers to a site that replicates the primary site's data and systems in real-time, providing continuous synchronization. Both hot sites and mirrored sites are essential for business continuity and disaster recovery planning.

Explanation

A resumption location known as a hot site or a mirrored site is a fully configured computer facility capable of establishing operations at a moment's notice. These sites are designed to replicate the primary site's infrastructure, systems, and data, ensuring that critical operations can be quickly resumed in the event of a disaster or disruption. The term "hot site" refers to a facility that is ready and operational, while a "mirrored site" refers to a site that replicates the primary site's data and systems in real-time, providing continuous synchronization. Both hot sites and mirrored sites are essential for business continuity and disaster recovery planning.

Submit

29. A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.

Threat

Intellectual property

Payload

Trojan horse

Cap 1

Explanation

Cap 1

30. When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.

Partially outsourced

Employees

24/7

Fully outsourced

Cap 6

Explanation

Cap 6

31. The Business Continuity Institute offers an uncertified category of membership called a(n) ____ that is accepted by application and does not require assessment or a review process.

Associate

Affiliate

Specialist

Fellow

Cap 11

Explanation

Cap 11

32. The ____ is an investigation and assessment of the impact that various events or incidents can have on the organization.

Forensic analysis

Threat of attack analysis

Cross-training analysis

Business impact analysis

Cap 2

Explanation

Cap 2

33. A key step in the ____ approach to incident response is to discover the identify of the intruder while documenting his or her activity.

Proactive security awareness

Security quality management

Protect and forget

Apprehend and prosecute

Cap 6

Explanation

Cap 6

34. The determination of what systems fall under the CSIRT 's responsibility is called its ____.

Mission

Scope of operations

Policy

Constituency

Cap 6

Explanation

Cap 6

35. The ____ system is an information system with a telephony interface that can be used to automate the alert process.

Damage assessment report

DR plan desk system

DR plan simulation

Auxiliary phone alert and reporting system

Cap 10

Explanation

Cap 10

36. The ____ phase of forensic analysis involves the use of forensic tools to recover the content of files that were deleted, operating system artifacts (such as event data and logging of user actions), and other relevant facts.

Discovery

Analysis

Field

Examination

Cap 8

Explanation

Cap 8

37. When an alert warns of new malicious code that targets software used by an organization, the first response should be to research the new virus to determine whether it is ____.

Authorized

Real

Intrusive

Aggressive

Cap 7

Explanation

Cap 7

38. The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.

Critical violations

Incident candidates

Service alarms

Hacker intrusions

Cap 5

Explanation

Cap 5

39. A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.

Inactive system

Precursor

Signal

Indication

Cap 5

Explanation

Cap 5

40. When an incident includes a breach of physical security, all aspects of physical security should be escalated under a containment strategy known as ____.

Block

Lockdown

Isolation

Disablement

Cap 7

Explanation

Cap 7

41. Clifford Stoll's book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.

Under Attack

The Cuckoo's Egg

The Hacker

Stalking the Wily Hacker

Cap 7

Explanation

Cap 7

42. ____ are likely in the event of a hacker attack, when the attacker retreats to a chat room and describes in specific detail to his or her associates the method and results of his or her latest conquest.

Blue bag operations

Black bag operations

Follow-on incidents

War games

Cap 9

Explanation

Cap 9

43. A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.

Cookie

Phish

Worm

Virus

Cap 7

Explanation

Cap 7

44. Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.

Replication

Business resumption

Retention

Incident response

Cap 3

Explanation

Cap 3

45. A backup plan using WAN/VLAN replication and a recovery strategy using a warm site is most suitable for information systems that have ____ priority within an organization.

Moderate

Critical

Low

High

Cap 3

Explanation

Cap 3

46. When implementing a BC plan, an organization reaches a predetermined state, known as a(n) ____, at which time the responsible executive indicates that the organization is to relocate to a pre-selected alternate site.

Moving point

Critical point

Contingency point

Trigger point

Cap 11

Explanation

Cap 11

47. A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____.

Employee-based CSIRT

Coordinating team

Central CSIRT

Organizational CSIRT

Cap 6

Explanation

Cap 6

48. Once BC activities have come to a close and the organization has reoccupied its primary facility or new permanent facility, the team should meet for a(n) ____.

After-action review

Wrap-up review

Clearing review

Closing review

Cap 11

Explanation

Cap 11

49. Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.

Vulnerability assessment services

Reactive services

Security quality management services

Proactive services

Cap 6

Explanation

Cap 6

50. Those services performed in response to a request or a defined event such as a help desk alert are called ____.

Vulnerability assessment services

Reactive services

Proactive services

Security quality management services

Cap 6

Explanation

Cap 6

51. A certification offered by the Business Continuity Institute is called ____.

BCI Certification Fellowship

Certified Business Continuity Professional

Master Business Continuity Professional

BCI Professional Recognition Program

Cap 11

Explanation

Cap 11

52. ____ is the deactivation of the disaster recovery teams, releasing individuals back to their normal duties.

Standing down

Incidence response

A structured walk-through

War gaming

Cap 10

Explanation

Cap 10

53. ____ hack systems to conduct terrorist activities through network or Internet pathways.

Programmers

Social engineers

Script kiddies

Cyberterrorists

Cap 1

Explanation

Cap 1

54. ____ is a set of focused steps that deal primarily with the safety and state of the people from the organization who are involved in the disaster.

War gaming

Business continuity

Application recovery

Crisis management

Cap 10

Explanation

Cap 10

55. In a CPMT, a(n) ____ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort.

Project manager

Crisis manager

Incident manager

Champion

Cap 2

Explanation

Cap 2

56. Forensic investigators use ____ copying when making a forensic image of a device, which reads a sector (or block; 512 bytes on most devices) from the source drive and writes it to the target drive; this process continues until all sectors on the suspect drive have been copied.

One-to-one

Script

Block-level

Bitstream

Cap 8

Explanation

Cap 8

57. A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics which captures a point-in-time picture of a process.

Point

Camera

Live

Snapshot

Cap 8

Explanation

Cap 8

58. ____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired.

War gaming

Disaster recovery

Forensics analysis

Incident response

Cap 4

Explanation

Cap 4

59. A CPMT should include _____ who can oversee the security planning of the project and provide information on threats, vulnerabilities, and recovery requirements needed in the planning process.

Human resource managers

Information security managers

Business managers

Physical plant managers

Cap 2

Explanation

Cap 2

60. ____ is the determination of the initial flaw or vulnerability that allowed an incident to occur.

Forensics

Evidentiary analysis

Incident analysis

Root cause analysis

Cap 8

Explanation

Cap 8

61. The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity operation.

Education requirements

Training requirements

Scope

Roles and responsibilities

Cap 11

Explanation

Cap 11

62. The ____ job functions and organizational roles focus on protecting the organization's information systems and stored information from attacks.

Organizational management and professionals

Information security management and professionals

Information technology management and professionals

Human resource management and professional

Cap 2

Explanation

Cap 2

63. General users require training on the technical details of how to do their jobs securely, including good security practices, ____ management, specialized access controls, and violation reporting.

War gaming

Organization

Password

"before action"

Cap 4

Explanation

Cap 4

64. The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages.

Guidance

EnCase

AccessData

Forensic Toolkit (FTK)

Cap 8

Explanation

Cap 8

65. The ____ is used to collect information directly from the end users and business managers.

Data management session

Forensic analysis

Facilitated data-gathering session

System log session

Cap 2

Explanation

Cap 2

66. A ____ is a description of the disasters that may befall an organization, along with information on their probability of occurrence, a brief description of the organization's actions to prepare for that disaster, and the best case, worst case, and most likely case outcomes of the disaster.

Disaster policy

Disaster scenario

Disaster follow-up

Disaster outline

Cap 9

Explanation

Cap 9

67. The first major business impact analysis task is to analyze and prioritize the organization's business processes based on their relationships to the organization's ____.

Downtime metrics

Mission

Information assets

Budget

Cap 2

Explanation

Cap 2

68. ____ ensures that only those with the rights and privileges to access information are able to do so.

Confidentiality

Risk assessment

Availability

Integrity

Cap 1

Explanation

Cap 1

69. The ____ assembles a disaster recovery team.

Information Security Department

IR team

CPMT

Senior management

Cap 9

Explanation

Cap 9

70. The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it.

Data management

Business interface

Logistics

Damage assessment

Cap 10

Explanation

Cap 10

71. ____ means making an organization ready for possible contingencies that can escalate to become disasters.

Mitigation of impact

War gaming

Preparation

Crisis management

Cap 10

Explanation

Cap 10

72. ____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.

Mitigation

Acceptance

Transference

Avoidance

Cap 1

Explanation

Cap 1

73. An ____ may escalate into a disaster when it grows in scope and intensity.

Incident

Event

Action

Activity

Cap 9

Explanation

Cap 9

74. Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.

Integrity

Availability

Confidentiality

Risk assessment

Cap 1

Explanation

Cap 1

75. ____ disasters include acts of terrorism and acts of war.

Data

Rapid-onset

Man-made

Natural

Cap 9

Explanation

Cap 9

76. The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe.

C.I.A. triangle

Asset classification

Strategic plan

Disaster recovery plan

Cap 1

Explanation

Cap 1

77. Which of the following is not usually an insurable loss?

Fire

Lightening

Electrostatic discharge

Severe windstorm

Cap 9

Explanation

Cap 9

78. Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.

CSIRT policies

IR reaction strategies

Disaster recovery strategies

Detection and recovery

Cap 7

Explanation

Cap 7

79. The training delivery method with the lowest cost to the organization is ____.

User support group

On-the-job training

One-on-one

Self-study (noncomputerized)

Cap 4

Explanation

Cap 4

80. Deciding which technical contingency strategies are selected, developed, and implemented is most often based on the type of ____ being used.

Service provider

Information system

Training

Recovery plan

Cap 9

Explanation

Cap 9

81. In a "block" containment strategy, in which the attacker's path into the environment is disrupted, you should use the most precise strategy possible, starting with ____.

Blocking incoming connections

Blocking a specific IP address

Blocking a port

Blocking a class of service

Cap 7

Explanation

Cap 7

82. The elements required to begin the ____ process are a planning methodology; a policy environment to enable the planning process; an understanding of the causes and effects of core precursor activities, and access to financial and other resources.

Human resource planning

Information security planning

Contingency planning

Relocation planning

Cap 2

Explanation

Cap 2

83. Useful resources in the DR planning process are the ____ provided by the Federal Agency Security Practices (FASP) section of NIST's Computer Security Resource Center (CSRC).

IT blueprints

Description documents

Contingency plan templates

Standards documents

Cap 9

Explanation

Cap 9

84. Considered to be the traditional "lock and copy" approach to database backup, _____ require the database to be inaccessible while a backup is created to a local drive.

Continuous database protections

RAID Level 1+0 applications

Online backup applications

Legacy backup applications

Cap 3

Explanation

Cap 3

85. Within an organization, a(n) ____ is a group of individuals who are united by shared interests or values and who have a common goal of making the organization function to meet its objectives.

Community of interest

Incident response community

Network community

Database community

Cap 2

Explanation

Cap 2

86. ____ uses a number of hard drives to store information across multiple drive units.

Continuous database protection

Legacy backup

RAID

Virtualization

Cap 3

Explanation

Cap 3

87. An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor, with a ____ backup strategy.

Differential

RAID

Disk-to-disk-to-cloud

Disk-to-disk-to-tape

Cap 3

Explanation

Cap 3

88. A(n) ____ is often included in legal documents to ensure that a vendor is not liable for actions taken by a client.

Covenant not to compete

Intellectual property assurance

Statement of indemnification

Nondisclosure agreement

Cap 3

Explanation

Cap 3

89. If an intruder can ____ a device, then no electronic protection can deter the loss of information.

Physically access

Log and monitor

Packet sniff

Trap and trace

Cap 5

Explanation

Cap 5

90. Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else's systems, it is reasonable to ask that the service agreement include contingencies for recovery.

SaaS

Servers

PaaS

IaaS

Cap 3

Explanation

Cap 3

91. A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site.

Disaster recovery plan

Risk assessment plan

Business continuity plan

Incident response plan

Cap 1

Explanation

Cap 1

92. The ____ is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored.

Recovery point objective

Simulation point objective

Warm site objective

Relocation point objective

Cap 11

Explanation

Cap 11

93. A favorite pastime of information security professionals is ____, which is a simulation of attack and defense activities using realistic networks and information systems.

Simulation

Parallel testing

Structured walk-through

War gaming

Cap 4

Explanation

Cap 4

94. ____ is a tactic that deliberately permits an attack to continue while the entire event is observed and additional evidence is collected.

Stealthy waiting

Watchful waiting

Delayed protection

Manage and wait

Cap 7

Explanation

Cap 7

95. Two dominantly recognized professional institutions certifying business continuity professionals agree on the ____ as the basis for certification.

BC Certification Exam

BC Professional Handbook

BC Discipline Review

Common Body of Knowledge

Cap 11

Explanation

Cap 11

96. A BC subteam called the ____ is responsible for establishing the core business functions needed to sustain critical business operations.

Systems recovery team

Operations team

Applications recovery team

Logistics team

Cap 11

Explanation

Cap 11

97. A ____ is an agency that provides physical facilities in the event of a disaster for a fee.

Service bureau

Mobile site

Time-share

Cold site

Cap 3

Explanation

Cap 3

98. A(n) ____ is any clearly identified attack on the organization's information assets that would threaten the assets' confidentiality, integrity, or availability.

Incident

Trespass

Trojan horse

Risk

Cap 1

Explanation

Cap 1

99. The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.

Requirements

Mission

Objectives

Philosophy

Cap 6

Explanation

Cap 6

100. The ____ section of the business continuity policy identifies the organizational units and groups of employees to which the policy applies.

Scope

Training requirements

Special considerations

Roles and responsibilities

Cap 11

Explanation

Cap 11

101. The ____ section of the business continuity policy provides an overview of the information storage and retrieval plans of the organization.

Special considerations

Training requirements

Scope

Roles and responsibilities

Cap 11

Explanation

Cap 11

102. The champion for the CSIRT may be the same person as the champion for the entire IR function-typically, the ____.

IT manager

Operations manager

Chief executive officer

Chief information officer

Cap 6

Explanation

Cap 6

103. A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.

Heartbeat attack

Distributed denial-of-service

Networked denial-of-service

Targeted denial-of-service

Cap 7

Explanation

Cap 7

104. In evidence handling, specifically designed ____ are helpful because they are very difficult to remove without breaking.

Forensic locks

Break kits

Package guards

Evidence seals

Cap 8

Explanation

Cap 8

105. Identifying measures, called ____, that reduce the effects of system disruptions can reduce continuity life-cycle costs.

Preventive controls

Predictive controls

BC exercises

BC requirements

Cap 11

Explanation

Cap 11

106. The purpose of the ____ is to provide a way for management to obtain input and feedback from representatives of each team.

DR simulation

Business interface

After-action review

Proactive review

Cap 10

Explanation

Cap 10

107. When a second attack, using the means and methods of the first attack is undertaken while the first attack is still underway, this is considered a(n) ____ recurrence.

Simultaneous

Concurrent

Intrusive

Ongoing

Cap 7

Explanation

Cap 7

108. A(n) ____ occurs when a situation results in service disruptions for weeks or months, requiring a government to declare a state of emergency.

Trigger

Notification

After-action review

Worst-case scenario

Cap 10

Explanation

Cap 10

109. The ____ is the phase associated with implementing the initial reaction to a disaster; it is focused on controlling or stabilizing the situation, if that is possible.

Response phase

Audit review

Risk analysis phase

Reactive review

Cap 10

Explanation

Cap 10

110. A(n) ____ covers the confidentiality of information from everyone unless disclosure is mandated by the courts.

Intellectual property assurance

Nondisclosure agreement

Statement of indemnification

Covenant not to compete

Cap 3

Explanation

Cap 3

111. Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.

Worm infection

Trojan horse

Tracking cookie

Malware hoax

Cap 7

Explanation

Cap 7

112. The ____ is a detailed examination of the events that occurred, from first detection to final recovery.

IR inspection

After-action review

Case training tool

Rehearsal event

Cap 8

Explanation

Cap 8

113. The final component to the CPMT planning process is to deal with ____.

Prioritizing mission/business processes

Identifying recovery priorities

Budgeting for contingency operations

BIA data collection

Cap 2

Explanation

Cap 2

114. One way to identify a particular digital item (collection of bits) is by means of a(n) ____.

Digital code

Learning algorithm

Boot tag

Cryptographic hash

Cap 8

Explanation

Cap 8

115. The last stage of a business impact analysis is prioritizing the resources associated with the ____, which brings a better understanding of what must be recovered first.

Mission/business processes

Information assets

Contingency planning

Insurance costs

Cap 2

Explanation

Cap 2

116. The ____ is the period of time within which systems, applications, or functions must be recovered after an outage.

Dependency objective

Recovery point objective

Recovery time objective

Training objective

Cap 2

Explanation

Cap 2

117. The ____ of an organization defines the roles and responsibilities for incident response for the CSIRT and others who will be mobilized in the activation of the plan.

IR procedures

CSIRT policy

IR policy

IR plan

Cap 4

Explanation

Cap 4

118. In contingency planning, an adverse event that threatens the security of an organization's information is called a(n) ____.

Notification

Incident

Emergency

Warning

Cap 4

Explanation

Cap 4

119. The responsibility for creating an organization's IR plan often falls to the ____.

Chief information security officer

Project manager

Forensic expert

Database administrator

Cap 4

Explanation

Cap 4

120. Which of the following collects and provides reports on failed login attempts, probes, scans, denial-of-service attacks, and detected malware?

Departmental reports

System logs

Scheduled reports

Financial reports

Cap 2

Explanation

Cap 2

121. A(n) ____ attack is a method of combining attacks with rootkits and back doors.

Lockdown

Hijack

Hybrid

Unauthorized

Cap 7

Explanation

Cap 7

122. There are a number of professional IR agencies, such as ____, that can provide additional resources to help prevent and detect DoS incidents.

Egghead Software

US-CERT

US-DoS

IDPS.com

Cap 7

Explanation

Cap 7

123. The ____ team is responsible for recovering and reestablishing operating systems (OSs).

Vendor recovery

Systems recovery

Database recovery

Applications recovery

Cap 10

Explanation

Cap 10

124. The primary vehicle for articulating the purpose of a disaster recovery program is the ____.

Disaster recovery plan

Disaster recovery team

Disaster recovery contingency plan

Disaster recovery policy

Cap 9

Explanation

Cap 9

125. New systems can respond to an incident threat autonomously, based on preconfigured options that go beyond simple defensive actions usually associated with IDPS and IPS systems. These systems, referred to as ____, use a combination of resources to detect an intrusion and then to trace the intrusion back to its source.

Log file monitors

Packet exchangers

Trap and trace

Honeynets

Cap 5

Explanation

Cap 5

126. A(n) ____ is an extension of an organization's intranet into cloud computing.

Private cloud

Application cloud

Public cloud

Community cloud

Cap 3

Explanation

Cap 3

127. A(n) ____ is any system resource that is placed onto a functional system but has no normal use for that system. If it attracts attention, it is from unauthorized access and will trigger a notification or response.

Honeypot

Honeynet

Honeytoken

Wasp trap

Cap 5

Explanation

Cap 5

128. ____ are closely monitored network decoys serving that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation.

Honeypots

Log file monitors

Packet exchangers

Trap and trace systems

Cap 5

Explanation

Cap 5

129. The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.

Snort

Detector

Sniff

Match

Cap 5

Explanation

Cap 5

130. The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.

Noise

False positive

Confidence

Tuning

Cap 5

Explanation

Cap 5

131. Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.

Unusual system crashes

Reported attacks

Definite indicators

False positives

Cap 5

Explanation

Cap 5

132. During the ____ phase, the organization begins the recovery of the most time-critical business functions - those necessary to reestablish business operations and prevent further economic and image loss to the organization.

Audit review

Risk analysis

Recovery

Parallel testing

Cap 10

Explanation

Cap 10

133. A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment.

Remote journal

Virtual machine monitor

Network-attached storage

Storage area network

Cap 3

Explanation

Cap 3

134. A(n) ____ backup only archives the files that have been modified since the last backup.

Differential

Copy

Daily

Incremental

Cap 3

Explanation

Cap 3

135. The IR plan is usually ____ when an incident causes minimal damage with little or no disruption to business operations.

Placed on standby

Placed on alert

Not activated

Activated

Cap 4

Explanation

Cap 4

136. A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization.

Policy

Residual risk

Assessment

Business continuity plan

Cap 1

Explanation

Cap 1

137. The ____ is the amount of time that a business can tolerate losing capabilities until alternate capabilities are available.

Reaction time objective

Incidence response time

Disaster recovery time

Recovery time objective

Cap 11

Explanation

Cap 11

138. The ____ team is responsible for working with the remainder of the organization to assist in the recovery of nontechnology functions.

Logistics

Data management

Damage assessment

Business interface

Cap 10

Explanation

Cap 10

139. ____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.

Defense

Mitigation

Transference

Acceptance

Cap 1

Explanation

Cap 1

140. RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array.

Disk coding

Disk duplexing

Disk striping

Disk mirroring

Cap 3

Explanation

Cap 3

141. A(n) ____ attack&seeks$to*denyiilegitimate@users\access[to>services0byXeither tying up a server's available resources or causing it to shut down.

DoS

Spyware

Trojan horse

Social engineering

Cap 1

Explanation

Cap 1

142. A potential disadvantage of a ____ site-resumption strategy is that more than one organization might need the facility simultaneously.

Cold site

Mobile site

Time-share

Service bureau

Cap 3

Explanation

Cap 3

143. ____ planning represents the final response of the organization when faced with any interruption of its critical operations.

Relocation

Business continuity

Event

Technology watch

Cap 11

Explanation

Cap 11

144. One way to build and maintain staff skills is to develop incident-handling ____ and have the team members discuss how they would handle them.

Scenarios

Technologies

IR teams

Plans

Cap 6

Explanation

Cap 6

145. A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made.

Risk assessment

Mitigation plan

Risk management

Disaster recovery plan

Cap 1

Explanation

Cap 1

146. The announcement of an operational CSIRT should minimally include ____.

The IR policy statement

A list of all IDPS equipment

Statistical baselines for systems

Contact methods and numbers

Cap 6

Explanation

Cap 6

147. The ____ is the point in time, determined by the business unit, from which systems and data can be recovered after an outage.

Dependency objective

Training objective

Recovery time objective

Recovery point objective

Cap 2

Explanation

Cap 2

148. A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____.

Interviewing

Authentication

Field activity log forms

Field notes

Cap 8

Explanation

Cap 8

149. In the ____ section of the business continuity policy, the training requirements for the various employee groups are defined and highlighted.

Training requirements

Scope

Roles and responsibilities

Special considerations

Cap 11

Explanation

Cap 11

150. A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor.

Time-share agreement

Memorandum of understanding

Mutual agreement

Service agreement

Cap 3

Explanation

Cap 3

151. Grounds for challenging the results of a digital investigation can come from possible ____-that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process.

Volatility

Sterilization

Contamination

Codification

Cap 8

Explanation

Cap 8

152. ____ incident responses enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort.

Publishing

Recording

Discussing

Predefining

Cap 4

Explanation

Cap 4

153. The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.

Knowledge-based IDPS

Host-based IDPS

Signature-based IDPS

Anomaly-based IDPS

Cap 5

Explanation

Cap 5

154. Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident.

Reaction force

IR unit

Forensic team

Response unit

Cap 4

Explanation

Cap 4

155. Incident analysis resources include network diagrams and lists of ____, such as database servers.

Desk checks

Protocol analyzers

Critical assets

Simulation software

Cap 4

Explanation

Cap 4

156. One modeling technique drawn from systems analysis and design that can provide an excellent way to illustrate how a business functions is a(n) ____.

Production schedule

Collaboration diagram

Focus group

IT application log

Cap 2

Explanation

Cap 2

157. A manual alternative to the normal way of accomplishing an IT task might be employed in the event that IT is unavailable. This is called a ____.

Workload shift

Business disruption experience

Work-around procedure

Work outflow

Cap 2

Explanation

Cap 2

158. The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not.

Computer Emergency Response Team

Help desk

Contingency Planning Team

System administration

Cap 6

Explanation

Cap 6

159. A search is constitutional if it does not violate a person's reasonable or legitimate____.

Right to policy

Probable cause

Right to consent

Expectation of privacy

Cap 8

Explanation

Cap 8

160. A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.

Coordinating team

Organizational CSIRT

Distributed CSIRT

Central CSIRT

Cap 6

Explanation

Cap 6

161. ____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation.

Acceptance

Avoidance

Mitigation

Inheritance

Cap 1

Explanation

Cap 1

162. The ____ Department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure it is within legal and ethical guidelines for the municipal, state, and federal jurisdictions.

Legal

Labor

Auditing

Public Relations

Cap 4

Explanation

Cap 4

163. ____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems.

Malicious code

Unauthorized access

Inappropriate use

Denial of service

Cap 7

Explanation

Cap 7

164. ____ are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production.

Rapid onset disasters

Data disasters

Slow onset disasters

Communication disasters

Cap 9

Explanation

Cap 9

165. In disaster recovery, the ____ is the point at which a management decision to react is made in reaction to a notice or other datum such as a weather report or an activity report from IT indicating the escalation of an incident.

Mirrored site

Cold site

Hot site

Trigger

Cap 9

Explanation

Cap 9

166. ____ is a common indicator of a DoS attack.

Unknown processes running

User reports of system unavailability

Unusually light network traffic

Detection of a new virus

Cap 7

Explanation

Cap 7

167. The ____ involves providing copies of the DR plan to all teams and team members for review.

DR plan desk check

DR plan parallel testing

DR plan simulation

DR plan structured walk-through

Cap 10

Explanation

Cap 10

168. Which of the following is the most suitable as a response strategy for malware outbreaks?

Escalating physical security

Blocking known attackers

Creating a strong password policy

Verifying the IP address of the attacker

Cap 7

Explanation

Cap 7

169. The CSIRT may not wish to "tip off" attackers that they have been detected, especially if the organization is following a(n) ____ approach.

Acceptable loss

Detect and recover

Contain and eradicate

Apprehend and prosecute

Cap 7

Explanation

Cap 7

170. In a CPMT, a(n) ____ leads the project to make sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed.

Champion

Crisis manager

Project manager

Incident manager

Cap 2

Explanation

Cap 2

171. The ____ job functions and organizational roles focus on costs of system creation and operation, ease of use for system users, timeliness of system creation, and transaction response time.

Human resource management and professional

Information security management and professionals

Organizational management and professionals

Information technology management and professionals

Cap 2

Explanation

Cap 2

172. In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.

Rootkit

IR plan

Alarm

IDPS

Cap 5

Explanation

Cap 5

173. What is a common approach used in the discipline of systems analysis and design to understand the ways systems operate and to chart process flows and interdependency studies?

Systems diagramming

Network diagramming

Application diagramming

Database diagramming

Cap 2

Explanation

Cap 2

174. The ____ team is responsible for providing any needed supplies, space, materials, food, services, or facilities needed at the primary site other than vendor-acquired technology and other material obtained by the vendor team.

Logistics

Data management

Business interface

Damage assessment

Cap 10

Explanation

Cap 10

175. When the measured activity is outside the baseline parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).

Footprint level

Root level

Baseline level

Clipping level

Cap 5

Explanation

Cap 5

176. The ____ is the group responsible for initiating the occupation of the alternate facility.

Forensic team

Disaster recovery team

Advance party

Applications development team

Cap 11

Explanation

Cap 11

177. The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps.

Personnel

Administration

Equipment

Policies

Cap 6

Explanation

Cap 6

178. Companies may want to consider budgeting for contributions to employee loss expenses (such as funerals) as well as for counseling services for employees and loved ones as part of ____

Recovery criticality budgeting

Crisis management budgeting

Incident response budgeting

Risk assessment budgeting

Cap 2

Explanation

Cap 2

179. Essential BC supplies needed at an alternate site include portable computers, software media, and ____.

Fax capabilities

Copiers

Training documents

Licenses

Cap 11

Explanation

Cap 11

180. ____ involves an attempt made by those who may become subject to digital forensic techniques to obfuscate or hide items of evidentiary value.

Digital obstruction

Anti-discovery

Digital masking

Anti-forensics

Cap 8

Explanation

Cap 8

181. The U.S. Department of Homeland Security's Federal Emergency Management Association has developed a support Web site at ____ that includes a suite of tools to guide the development of disaster recovery/business continuity plans.

Www.prepare.gov

Www.ready.gov

Www.disaster.gov

Www.dr-bc.gov

Cap 11

Explanation

Cap 11

182. A recommended practice for the implementation of the physical IR plan is to select a ____ binder.

Green

Black

Blue

Red

Cap 4

Explanation

Cap 4

183. The stability of information over time is called its ____.

Sensitivity

Evidentiary value

Volatility

Presentation

Cap 8

Explanation

Cap 8

184. Many private sector organizations require a formal statement, called a(n) ____, which provides search authorization and furnishes much of the same information usually found in a public sector search warrant.

Private warrant

Affidavit

Field log

Incident report

Cap 8

Explanation

Cap 8

185. The functional part of forensics called ____ is about assessing the "scene," identifying the sources of relevant digital information, and preserving it for later analysis using sound processes.

First response

Investigation

Data sensitivity

Analysis and presentation

Cap 8

Explanation

Cap 8

186. A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

Attack stimulus

Confidence

Site policy

IR policy

Cap 5

Explanation

Cap 5

187. A(n) ____ , a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.

Packet exchanger

Honeynet

Trap and trace system

Log file monitor

Cap 5

Explanation

Cap 5

188. A ____ is a collection of nodes in which the segments are geographically dispersed and the physical link is often a data communications channel provided by a public carrier.

WAN

Server

LAN

Web site

Cap 9

Explanation

Cap 9

189. A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.

User-mode

Kernel-mode

Memory-based

Persistent

Cap 5

Explanation

Cap 5

190. ____ occur over time and slowly deteriorate the organization's capacity to withstand their effects.

Communication disasters

Data disasters

Rapid onset disasters

Slow onset disasters

Cap 9

Explanation

Cap 9

191. ____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows.

Rapid onset disasters

Communication disasters

Data disasters

Slow onset disasters

Cap 9

Explanation

Cap 9

192. The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section.

Responsibilities

Scope

Purpose

Resources

Cap 9

Explanation

Cap 9

193. A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.

Precursor

Signal

Inactive system

Indication

Cap 5

Explanation

Cap 5

194. A recommended practice for the implementation of the physical IR plan document is to organize the contents so that the first page contains the ____ actions.

Testing

"during attack"

"before attack"

Training

Cap 4

Explanation

Cap 4

195. If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____.

Trojan horse

Hoax

Virus

Indicator

Cap 7

Explanation

Cap 7

196. The committees of the CPMT follow a set of general stages to develop their subordinate plans. In the case of incident planning, the first stage is to ____.

Form the IR planning committee

Integrate the BIA

Identify preventive controls

Develop the IR planning policy

Cap 4

Explanation

Cap 4

197. The number-one IU preparation-and-prevention strategy is ____.

Configuring network devices

Minimize file sharing

Periodic audit of logs

Organizational policy

Cap 7

Explanation

Cap 7

198. Once the incident has been contained, and all signs of the incident removed, the ____ phase begins.

Actions after

Black bag operation

Chain of custody

Blue bag operation

Cap 9

Explanation

Cap 9

199. Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.

Rootkit

Malicious software

Blended

Unauthorized access

Cap 7

Explanation

Cap 7

200. Contingency strategies for ____ should emphasize the need for absolutely reliable data backup and recovery procedures because they have less inherent redundancy than a distributed architecture.

Data communications systems

Mainframes

Client/server deployments

Mobile deployments

Cap 9

Explanation

Cap 9