Computer Emergency Response Team! Trivia Quiz

1. How do users prevent and protect themselves against viruses?

Missing Files or folders should be deleted

Do not delete or report SPAM from your computer

Files with weird and obscene messages should be stored

The correct answer is to not open e-mail attachments, use an OS that has virus security features, and scan other users' media storage devices before using them on your computer. This is because opening e-mail attachments can introduce viruses to your computer, using an OS with virus security features can help protect against viruses, and scanning other users' media storage devices can help identify and remove any potential viruses before they can infect your computer.

Explanation

The correct answer is to not open e-mail attachments, use an OS that has virus security features, and scan other users' media storage devices before using them on your computer. This is because opening e-mail attachments can introduce viruses to your computer, using an OS with virus security features can help protect against viruses, and scanning other users' media storage devices can help identify and remove any potential viruses before they can infect your computer.

2. The acceptance of the CSIRT team in an organization depends on:

Its ability to coordinate with other organizations

The expertise and professionalism it displays

Its perceived capabilities

All of the above

The acceptance of the CSIRT team in an organization depends on its ability to coordinate with other organizations, the expertise and professionalism it displays, and its perceived capabilities. This means that for the CSIRT team to be accepted and trusted within the organization, they need to effectively collaborate and communicate with other organizations, demonstrate their knowledge and skills in handling incidents, and create a perception of being capable and reliable in responding to and mitigating cyber threats.

Explanation

The acceptance of the CSIRT team in an organization depends on its ability to coordinate with other organizations, the expertise and professionalism it displays, and its perceived capabilities. This means that for the CSIRT team to be accepted and trusted within the organization, they need to effectively collaborate and communicate with other organizations, demonstrate their knowledge and skills in handling incidents, and create a perception of being capable and reliable in responding to and mitigating cyber threats.

3. Users must be knowledgeable not only about basic security practices but also about what constitutes an anomaly or what might be an incident in the making therefore the need for ______________.

Testing

Training

Further study

Communicating

Users must be knowledgeable not only about basic security practices but also about what constitutes an anomaly or what might be an incident in the making. This knowledge can be gained through training, which provides users with the necessary skills and understanding to identify and respond to potential security threats. Training helps users develop a proactive mindset towards security, enabling them to detect and address anomalies or incidents before they escalate. By undergoing training, users become more equipped to protect themselves and their organization from potential security breaches.

Explanation

Users must be knowledgeable not only about basic security practices but also about what constitutes an anomaly or what might be an incident in the making. This knowledge can be gained through training, which provides users with the necessary skills and understanding to identify and respond to potential security threats. Training helps users develop a proactive mindset towards security, enabling them to detect and address anomalies or incidents before they escalate. By undergoing training, users become more equipped to protect themselves and their organization from potential security breaches.

4. The __________ department typically controls all physical access to the facility.

Physical security

Law and regulations

Human resource

Administration

The physical security department is responsible for controlling all physical access to the facility. This includes implementing measures such as security guards, surveillance systems, access control systems, and visitor management protocols to ensure the safety and security of the premises. They play a crucial role in preventing unauthorized entry, theft, vandalism, and other physical threats to the facility and its occupants.

Explanation

The physical security department is responsible for controlling all physical access to the facility. This includes implementing measures such as security guards, surveillance systems, access control systems, and visitor management protocols to ensure the safety and security of the premises. They play a crucial role in preventing unauthorized entry, theft, vandalism, and other physical threats to the facility and its occupants.

5. The most important issue in forming and managing an incident response team is ________.

Skill members

Good employer

Policy

High end technology

The most important issue in forming and managing an incident response team is policy. A well-defined and comprehensive policy provides guidelines and procedures for the team to follow in the event of an incident. It ensures that the team members understand their roles and responsibilities, helps in effective decision-making, and promotes consistency in handling incidents. A strong policy also helps in coordinating with other teams, communicating with stakeholders, and maintaining compliance with legal and regulatory requirements. Without a clear policy in place, the incident response team may struggle to effectively respond to and mitigate incidents.

Explanation

The most important issue in forming and managing an incident response team is policy. A well-defined and comprehensive policy provides guidelines and procedures for the team to follow in the event of an incident. It ensures that the team members understand their roles and responsibilities, helps in effective decision-making, and promotes consistency in handling incidents. A strong policy also helps in coordinating with other teams, communicating with stakeholders, and maintaining compliance with legal and regulatory requirements. Without a clear policy in place, the incident response team may struggle to effectively respond to and mitigate incidents.

6. First point to test in the notification process:

Observing the process

Straight away conduct test

Identifying a typical user

Presenting that user with a form

The first point to test in the notification process is identifying a typical user. This is important because it allows the tester to select a representative user who will be able to provide valuable feedback on the notification system. By presenting this user with a form, the tester can gather specific information and evaluate the effectiveness of the notification process. Observing the process and conducting tests can come later in the testing process, but identifying a typical user is the initial step.

Explanation

The first point to test in the notification process is identifying a typical user. This is important because it allows the tester to select a representative user who will be able to provide valuable feedback on the notification system. By presenting this user with a form, the tester can gather specific information and evaluate the effectiveness of the notification process. Observing the process and conducting tests can come later in the testing process, but identifying a typical user is the initial step.

7. What is the main task of a CSIRT?

I. Provide assistance in preventing and handling computer security incidents

II. Shares information and lessons learned

III.A place to report local computer security incident problems

I & II

II & III

All of the above

A CSIRT, or Computer Security Incident Response Team, is responsible for multiple tasks. Firstly, it provides assistance in preventing and handling computer security incidents, which involves proactive measures and reactive responses to incidents. Secondly, it shares information and lessons learned with other organizations or teams, contributing to the overall knowledge and improvement of computer security. Lastly, it serves as a place to report local computer security incident problems, acting as a central point for incident reporting and coordination. Therefore, the correct answer is "All of the above" as it encompasses all the main tasks of a CSIRT.

Explanation

A CSIRT, or Computer Security Incident Response Team, is responsible for multiple tasks. Firstly, it provides assistance in preventing and handling computer security incidents, which involves proactive measures and reactive responses to incidents. Secondly, it shares information and lessons learned with other organizations or teams, contributing to the overall knowledge and improvement of computer security. Lastly, it serves as a place to report local computer security incident problems, acting as a central point for incident reporting and coordination. Therefore, the correct answer is "All of the above" as it encompasses all the main tasks of a CSIRT.

8. What are the barriers to success in organizing a team?

Law

Politics

Specialist

None of the above

Politics can be a barrier to success in organizing a team because it involves the use of power, influence, and manipulation to gain control or advantage. When politics come into play, individuals may prioritize personal interests over the goals of the team, leading to conflicts, lack of cooperation, and a breakdown in communication. This can hinder the team's ability to work together effectively and achieve their objectives.

Explanation

Politics can be a barrier to success in organizing a team because it involves the use of power, influence, and manipulation to gain control or advantage. When politics come into play, individuals may prioritize personal interests over the goals of the team, leading to conflicts, lack of cooperation, and a breakdown in communication. This can hinder the team's ability to work together effectively and achieve their objectives.

9. Your machine was infected by a particularly destructive virus. Luckily, you have backups of your data. Which of the following should you do first?

Restore the data from the backups

Scan the data from the backups for virus infection

Boot from an anti-virus CD or floppy to scan and disinfect your machine

Use the installed anti-virus program to scan and disinfect your machine

not-available-via-ai

Explanation

not-available-via-ai

10. Which element must computer evidence have to be admissible in court?

It must contain source code

It must be annotated

It must be printed

It must be relevant

Computer evidence must be relevant in order to be admissible in court. This means that the evidence must have a direct connection to the case and be able to provide information or support the claims being made. Irrelevant evidence would not be considered admissible as it would not have any bearing on the case at hand. Therefore, for computer evidence to be admissible, it must be relevant to the specific matter being litigated.

Explanation

Computer evidence must be relevant in order to be admissible in court. This means that the evidence must have a direct connection to the case and be able to provide information or support the claims being made. Irrelevant evidence would not be considered admissible as it would not have any bearing on the case at hand. Therefore, for computer evidence to be admissible, it must be relevant to the specific matter being litigated.

11. Attack tracing can be implemented in the PDCERF methodology such as:

Containment, eradication, recovery

Eradication, recovery, follow up

Detection, containment, eradication

Planning, detection

In the PDCERF methodology, attack tracing can be implemented by following the steps of detection, containment, and eradication. First, the attack is detected, which involves identifying any signs or indicators of an attack. Once detected, the next step is containment, which involves isolating and minimizing the impact of the attack to prevent further damage. Finally, eradication is the process of completely removing the attack and its effects from the system. This sequence ensures that the attack is identified, controlled, and eliminated effectively.

Explanation

In the PDCERF methodology, attack tracing can be implemented by following the steps of detection, containment, and eradication. First, the attack is detected, which involves identifying any signs or indicators of an attack. Once detected, the next step is containment, which involves isolating and minimizing the impact of the attack to prevent further damage. Finally, eradication is the process of completely removing the attack and its effects from the system. This sequence ensures that the attack is identified, controlled, and eliminated effectively.

12. Below are the lists of types of training suitable to train CSIRT except for:

Establish mentoring system

Encourage self study

Involve team members in incident simulation

None of the above

The given options are all types of training suitable to train CSIRT. Establishing a mentoring system can provide guidance and support to team members, encouraging self-study allows individuals to enhance their knowledge and skills independently, and involving team members in incident simulation helps them gain hands-on experience in handling real-life scenarios. Therefore, all the options listed are appropriate types of training for CSIRT.

Explanation

The given options are all types of training suitable to train CSIRT. Establishing a mentoring system can provide guidance and support to team members, encouraging self-study allows individuals to enhance their knowledge and skills independently, and involving team members in incident simulation helps them gain hands-on experience in handling real-life scenarios. Therefore, all the options listed are appropriate types of training for CSIRT.

13. There are many ways to spread the information about the incident response team. Which is first best way to do so?

Creating a website dedicated for the team

Send out email to all staffs regarding the setup of the team

Train and educate the people within the team, especially the help desks

Get the staffs to remember all the teams' contact number and email

Training and educating the people within the team, especially the help desks, is the first best way to spread information about the incident response team. By providing proper training and education, team members will have a clear understanding of their roles and responsibilities, as well as the protocols and procedures to follow during incidents. This will ensure that they are well-equipped to handle any incidents that may arise and can effectively communicate the necessary information to others. Additionally, by focusing on educating the help desks, who often interact directly with users, the team can ensure that accurate and consistent information is provided to all staff members.

Explanation

Training and educating the people within the team, especially the help desks, is the first best way to spread information about the incident response team. By providing proper training and education, team members will have a clear understanding of their roles and responsibilities, as well as the protocols and procedures to follow during incidents. This will ensure that they are well-equipped to handle any incidents that may arise and can effectively communicate the necessary information to others. Additionally, by focusing on educating the help desks, who often interact directly with users, the team can ensure that accurate and consistent information is provided to all staff members.

14. Which group causes the most risk of fraud and computer compromises?

Hackers

Contractors / Suppliers

Employees

Vendors

Employees pose the most risk of fraud and computer compromises because they have direct access to sensitive information and systems within an organization. They are familiar with the internal processes and controls, making it easier for them to exploit vulnerabilities or manipulate data for personal gain. Additionally, employees may inadvertently compromise systems through negligence, such as falling victim to phishing attacks or using weak passwords. Therefore, organizations need to implement strong security measures and regularly educate employees about the importance of cybersecurity to mitigate these risks.

Explanation

Employees pose the most risk of fraud and computer compromises because they have direct access to sensitive information and systems within an organization. They are familiar with the internal processes and controls, making it easier for them to exploit vulnerabilities or manipulate data for personal gain. Additionally, employees may inadvertently compromise systems through negligence, such as falling victim to phishing attacks or using weak passwords. Therefore, organizations need to implement strong security measures and regularly educate employees about the importance of cybersecurity to mitigate these risks.

15. There are 5 common incident prorities. In priority 3, the CSIRT should:

Protect human lives

Minimize disruption of computing resources

Protect classified and / or sensitive data

Protect important data in the organization

In priority 3, the CSIRT should protect important data in the organization. This means that when an incident occurs, the CSIRT should prioritize the security and integrity of important data within the organization. This could involve implementing measures such as encryption, access controls, and backups to ensure that important data is not compromised or lost during the incident. Protecting important data is crucial for maintaining the confidentiality, availability, and integrity of the organization's information assets.

Explanation

In priority 3, the CSIRT should protect important data in the organization. This means that when an incident occurs, the CSIRT should prioritize the security and integrity of important data within the organization. This could involve implementing measures such as encryption, access controls, and backups to ensure that important data is not compromised or lost during the incident. Protecting important data is crucial for maintaining the confidentiality, availability, and integrity of the organization's information assets.

16. A CSIRT with a _______________ relationship with it constituency, would be able to advise & influence the constituency.

Full authority

Share authority

No authority

None of the above

A CSIRT with a "share authority" relationship with its constituency would be able to advise and influence the constituency. This means that the CSIRT has a level of authority and power that is shared with the constituency, allowing for collaboration and cooperation in decision-making processes. This type of relationship fosters trust and open communication, enabling the CSIRT to effectively provide guidance and influence the actions of the constituency in matters of cybersecurity.

Explanation

A CSIRT with a "share authority" relationship with its constituency would be able to advise and influence the constituency. This means that the CSIRT has a level of authority and power that is shared with the constituency, allowing for collaboration and cooperation in decision-making processes. This type of relationship fosters trust and open communication, enabling the CSIRT to effectively provide guidance and influence the actions of the constituency in matters of cybersecurity.

17. CSIRT services that are triggered by an event or request, and are the core component of CSIRT work is called:

Real-time services

Active services

Proactive services

Reactive services

Reactive services are the correct answer because they are the CSIRT services that are triggered by an event or request. These services are responsive in nature and are designed to react to incidents or issues as they arise. They involve activities such as incident response, incident handling, and incident investigation. Unlike proactive services, which aim to prevent incidents from occurring, reactive services focus on addressing and resolving incidents that have already occurred.

Explanation

Reactive services are the correct answer because they are the CSIRT services that are triggered by an event or request. These services are responsive in nature and are designed to react to incidents or issues as they arise. They involve activities such as incident response, incident handling, and incident investigation. Unlike proactive services, which aim to prevent incidents from occurring, reactive services focus on addressing and resolving incidents that have already occurred.

18. A server has been compromised by a hacker who used it to send spam messages to thousands of people on the Internet. A member of the IT staff noticed the problem while monitoring network and service performance over the weekend, and has noticed that several windows are open on the server's monitor. He also notices that a program he is unfamiliar with is running on the computer. He has called you for instructions as to what he should do next. As the CSIRT team leader, which of the following will you tell him to do immediately?

Call the police

Reboot the server to disconnect the hacker from the machine and using the server further

Document what appears on the screen

Shut down the server to prevent the hacker from using the server further

The IT staff member should document what appears on the screen immediately. This is important because it will provide valuable information about the compromise and help in the investigation process. The open windows and unfamiliar program running on the server may contain clues about the hacker's activities and potential vulnerabilities that were exploited. Documenting this information will assist the CSIRT team in analyzing the incident, identifying the extent of the compromise, and taking appropriate actions to mitigate the attack.

Explanation

The IT staff member should document what appears on the screen immediately. This is important because it will provide valuable information about the compromise and help in the investigation process. The open windows and unfamiliar program running on the server may contain clues about the hacker's activities and potential vulnerabilities that were exploited. Documenting this information will assist the CSIRT team in analyzing the incident, identifying the extent of the compromise, and taking appropriate actions to mitigate the attack.

19. Which of these are not part of the steps taken under the preparation phase in Incident Response Methodology?

Develop the IR policy

Organize the CSIRT

Gathering incident logs and write report

Gathering information from stakeholders and constituency

The given answer "Gathering incident logs and write report" is not part of the steps taken under the preparation phase in Incident Response Methodology. The preparation phase mainly involves developing the IR policy and organizing the CSIRT (Computer Security Incident Response Team). Gathering incident logs and writing a report are typically part of the detection and analysis phase, where the incident is investigated and documented.

Explanation

The given answer "Gathering incident logs and write report" is not part of the steps taken under the preparation phase in Incident Response Methodology. The preparation phase mainly involves developing the IR policy and organizing the CSIRT (Computer Security Incident Response Team). Gathering incident logs and writing a report are typically part of the detection and analysis phase, where the incident is investigated and documented.

20. Why does organizational resistance become a barrier to the success of a CSIRT?

Feeling threatened

Overhead function

Burdened by more tasks

Reluctant to go for training

Organizational resistance becomes a barrier to the success of a CSIRT because when employees feel threatened by the establishment of a CSIRT, they may resist its implementation and hinder its effectiveness. This resistance can stem from a fear of change, a perception that the CSIRT threatens their job security or power dynamics within the organization. Such resistance can lead to a lack of cooperation, reluctance to share information, and a failure to fully engage with the CSIRT's activities, ultimately impeding its ability to effectively respond to and mitigate cybersecurity incidents.

Explanation

Organizational resistance becomes a barrier to the success of a CSIRT because when employees feel threatened by the establishment of a CSIRT, they may resist its implementation and hinder its effectiveness. This resistance can stem from a fear of change, a perception that the CSIRT threatens their job security or power dynamics within the organization. Such resistance can lead to a lack of cooperation, reluctance to share information, and a failure to fully engage with the CSIRT's activities, ultimately impeding its ability to effectively respond to and mitigate cybersecurity incidents.

21. Which factor is the most important item when it comes to ensuring that security is successful in an organization?

Effective controls and implementation methods

Security awareness by all employees

Updated and relevant security policies and procedures

Senior management support

Senior management support is the most important factor when it comes to ensuring that security is successful in an organization. This is because senior management plays a crucial role in setting the tone and priorities for security within the organization. Their support and commitment to security initiatives are essential for establishing a culture of security awareness and compliance throughout the organization. Without senior management support, it would be difficult to allocate resources, implement effective controls, and enforce security policies and procedures.

Explanation

Senior management support is the most important factor when it comes to ensuring that security is successful in an organization. This is because senior management plays a crucial role in setting the tone and priorities for security within the organization. Their support and commitment to security initiatives are essential for establishing a culture of security awareness and compliance throughout the organization. Without senior management support, it would be difficult to allocate resources, implement effective controls, and enforce security policies and procedures.

22. What has caused the rise in computer crimes and new methods of committing old computer crimes?

Creation of new software.

World Wide Web

New security methods of detecting computer crimes

Increased use of computer and expansion of the internet and its services

The rise in computer crimes and new methods of committing old computer crimes can be attributed to the increased use of computers and the expansion of the internet and its services. The World Wide Web has provided a platform for individuals to connect globally and access information, but it has also opened doors for cybercriminals to exploit vulnerabilities and commit computer crimes. As more people rely on computers and the internet for various activities, the opportunities for cybercriminals to target individuals and organizations have also increased.

Explanation

The rise in computer crimes and new methods of committing old computer crimes can be attributed to the increased use of computers and the expansion of the internet and its services. The World Wide Web has provided a platform for individuals to connect globally and access information, but it has also opened doors for cybercriminals to exploit vulnerabilities and commit computer crimes. As more people rely on computers and the internet for various activities, the opportunities for cybercriminals to target individuals and organizations have also increased.

23. Which of the below are skills needed to be included in a SCIRT team?

Cryptography

Intrusion detection systems

Documentation creation and maintenance

Re-assemble PC

Managerial experience

The skills needed to be included in a SCIRT team are cryptography, intrusion detection systems, documentation creation and maintenance, and managerial experience. Cryptography is important for ensuring secure communication and data protection. Intrusion detection systems help in identifying and responding to potential security breaches. Documentation creation and maintenance is crucial for keeping track of processes and procedures. Managerial experience is necessary for effective team coordination and decision-making. Re-assembling PCs is not mentioned as a required skill for a SCIRT team.

Explanation

The skills needed to be included in a SCIRT team are cryptography, intrusion detection systems, documentation creation and maintenance, and managerial experience. Cryptography is important for ensuring secure communication and data protection. Intrusion detection systems help in identifying and responding to potential security breaches. Documentation creation and maintenance is crucial for keeping track of processes and procedures. Managerial experience is necessary for effective team coordination and decision-making. Re-assembling PCs is not mentioned as a required skill for a SCIRT team.

Submit

24. Which of the below are important to have in the documentation of the incident?

Employees questioned and involved

Cost of repairing the damage

Expense and time logs

The date the case will be brought to court

The documentation of an incident should include information about the employees who were questioned and involved in the incident, as this helps in understanding the sequence of events and identifying any potential witnesses or individuals responsible. Additionally, including expense and time logs in the documentation is important as it provides a record of the resources utilized during the incident response and helps in assessing the impact and cost of the incident. However, the cost of repairing the damage and the date the case will be brought to court are not directly relevant to the documentation of the incident.

Explanation

The documentation of an incident should include information about the employees who were questioned and involved in the incident, as this helps in understanding the sequence of events and identifying any potential witnesses or individuals responsible. Additionally, including expense and time logs in the documentation is important as it provides a record of the resources utilized during the incident response and helps in assessing the impact and cost of the incident. However, the cost of repairing the damage and the date the case will be brought to court are not directly relevant to the documentation of the incident.

Submit

25. An organization that would like to form an incident response team would have to focus on reasons. What are the reasons?

To build experts

Ability to Work Proactively

Outsourcing

Rely on constituency

An organization would form an incident response team to build experts and have the ability to work proactively. By building a team of experts, the organization can ensure that they have the necessary skills and knowledge to effectively respond to incidents. Additionally, having the ability to work proactively allows the team to identify and address potential issues before they become major incidents, helping to minimize the impact on the organization.

Explanation

An organization would form an incident response team to build experts and have the ability to work proactively. By building a team of experts, the organization can ensure that they have the necessary skills and knowledge to effectively respond to incidents. Additionally, having the ability to work proactively allows the team to identify and address potential issues before they become major incidents, helping to minimize the impact on the organization.

Submit