Which of the following are the MOST important criteria when selecting virus protection software? A. Product market share and annualized cost B. Ability to interface with intrusion detection system (IDS) software and firewalls C. Alert notifications and impact assessments for new viruses D. Ease of maintenance and frequency of updates
Correct Answer: D Explanation/Reference: For the software to be effective, it must be easy to maintain and kept current. Market share and annualized cost, links to the intrusion detection system (IDS) and automatic notifications are all secondary in nature.
Which of the following characteristics is MOST important to a bank in a high-value online financial transaction system? A. Identification B. Confidentiality C. Authentication D. Audit monitoring
Correct Answer: B
Which of the following has the highest priority when defining an emergency response plan? A. Critical data B. Critical infrastructure C. Safety of personnel D. Vital records
Correct Answer: C Explanation/Reference: The safety of an organization's employees should be the most important consideration, given human safety laws. Human safety is considered first in any process or management practice. All of the other choices are secondary.
Which of the following is MOST closely associated with a business continuity program? A. Confirming that detailed technical recovery plans exist B. Periodically testing network redundancy C. Updating the hot site equipment configuration every quarter D. Developing recovery time objectives (RTOs) for critical functions
Correct Answer: D Explanation/Reference: Technical recovery plans, network redundancy and equipment needs are all associated with infrastructure disaster recovery. Only recovery time objectives (RTOs) directly relate to business continuity.
Which of the following is MOST important for an information security manager to regularly report to senior management? A. Results of penetration tests B. Audit reports C. Impact of unremediated risks D. Threat analysis reports
Correct Answer: C
Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was: A. removed into the custody of law enforcement investigators. B. kept in the tape library pending further analysis. C. sealed in a signed envelope and locked in a safe under dual control. D. handed over to authorized independent investigators.
Correct Answer: B Explanation/Reference: Since a number of individuals would have access to the tape library, and could have accessed and tampered with the tape, the chain of custody could not be verified. All other choices provide a clear indication of who had custody of the tape at all times.
Which of the following should be performed FIRST in the aftermath of a denial-of-service attack? A. Restore servers from backup media stored offsite B. Conduct an assessment to determine system status C. Perform an impact analysis of the outage D. Isolate the screened subnet
Correct Answer: B Explanation/Reference: An assessment should be conducted to determine whether any permanent damage occurred and the overall system status. It is not necessary at this point to rebuild any servers. An impact analysis of the outage or isolating the demilitarized zone (DMZ) or screened subnet will not provide any immediate benefit.
Which of the following sites would be MOST appropriate in the case of a very short recovery time objective (RTO)? A. Warm B. Redundant C. Shared D. Mobile
Correct Answer: A Explanation/Reference: https://searchdisasterrecovery.techtarget.com/answer/Whats-the-difference-between-a-hot-site-and-cold-site-for-disaster-recovery
Which of the following situations would be the MOST concern to a security manager? A. Audit logs are not enabled on a production server B. The logon ID for a terminated systems analyst still exists on the system C. The help desk has received numerous reports of users receiving phishing e-mails D. A Trojan was found to be installed on a system administrator's laptop
Correct Answer: D Explanation/Reference: The discovery of a Trojan installed on a system administrator's laptop is highly significant, since this may mean that privileged user accounts and passwords have been compromised. The other choices, although important, do not pose as immediate or as critical a threat.
Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract? A. A hot site facility will be shared in multiple disaster declarations B. All equipment is provided "at time of disaster, not on floor" C. The facility is subject to a "first-come, first-served" policy D. Equipment may be substituted with equivalent model
Correct Answer: B Explanation/Reference: Equipment provided "at time of disaster (ATOD), not on floor" means that the equipment is not available but will be acquired by the commercial hot site provider on a best-effort basis. This leaves the customer at the mercy of the marketplace. If equipment is not immediately available, the recovery will be delayed. Many commercial providers do require sharing facilities in cases where there are multiple simultaneous declarations, and priority may be established on a first-come, first-served basis. It is also common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and changing equipment.
Which of the following threats is prevented by using token-based authentication? A. Password sniffing attack on the network B. Denial of service attack over the network C. Man-in-the-middle attack on the client D. Session eavesdropping attack on the network
Correct Answer: A
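Why a sniffed credential is worthless against a token: the following is an added example (not part of the exam material) of a challenge-response token exchange. The server sends a fresh random challenge, the token answers with HMAC-SHA256(secret, challenge), and the challenge is consumed on use, so an attacker who records both messages off the wire cannot replay them. A static password, by contrast, replays trivially. The class and function names (AuthServer, Token, run_exchange) are assumptions made for this example.

```python
"""Challenge-response token authentication vs. replay of a sniffed password.

Added example, not from the exam material. The secret never crosses the
network; only a one-time HMAC over the server's challenge does.
"""
import hashlib
import hmac
import os


class Token:
    """Client-side token holding the shared secret (assumed design)."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Only the HMAC over the server's challenge is sent on the wire.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Server side: issues single-use challenges and verifies responses."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}  # user -> outstanding challenge

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)  # fresh nonce for every logon attempt
        self._pending[user] = challenge
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        challenge = self._pending.pop(user, None)  # single use: consumed here
        if challenge is None:
            return False  # nothing outstanding, so any response is a replay
        expected = hmac.new(self._secrets[user], challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_exchange(sniffer: list[bytes]) -> tuple[bool, bool]:
    """One legitimate logon, then an attacker replaying what was sniffed.

    Returns (legitimate_result, replay_result). `sniffer` receives every
    message that crossed the network, exactly what a sniffer would capture.
    """
    secret = os.urandom(32)
    server = AuthServer()
    server.enroll("alice", secret)
    token = Token(secret)

    # S -> C: challenge; C -> S: response. Both are observable, neither
    # reveals the secret.
    challenge = server.issue_challenge("alice")
    response = token.respond(challenge)
    sniffer.extend([challenge, response])
    legitimate_ok = server.verify("alice", response)

    # Attacker replays the captured response on a new logon attempt. The
    # original challenge was consumed and the new one differs, so it fails.
    server.issue_challenge("alice")
    replay_ok = server.verify("alice", sniffer[-1])
    return legitimate_ok, replay_ok


def static_password_replay(sniffed_password: str, stored_password: str) -> bool:
    """Contrast: a sniffed static password replays successfully."""
    return hmac.compare_digest(sniffed_password, stored_password)
```

The replay fails for two independent reasons: the challenge is popped from the pending table on first use, and even if the attacker triggers a new challenge, the HMAC over it differs from the captured response. Note what the token does not protect against: an active man-in-the-middle who relays the live challenge and response still gets one session, which is why the exam answer is limited to sniffing.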
Which of the following will BEST protect confidential data when connecting large wireless networks to an existing wired-network infrastructure? A. Media access control (MAC) address filtering B. Strong passwords C. Virtual private network (VPN) D. Firewall
Correct Answer: A
Which of the following would BEST help to identify vulnerabilities introduced by changes to an organization's technical infrastructure? A. An intrusion detection system B. Established security baselines C. Penetration testing D. Log aggregation and correlation
Correct Answer: C
Which of the following would MOST likely require a business continuity plan to be invoked? A. An unauthorized visitor discovered in the data center B. A distributed denial of service attack on an e-mail server C. An epidemic preventing staff from performing job functions D. A hacker holding personally identifiable information hostage
Correct Answer: B
Why is "slack space" of value to an information security manager as part of an incident investigation? A. Hidden data may be stored there B. The slack space contains login information C. Slack space is encrypted D. It provides flexible space for the investigation
Correct Answer: A Explanation/Reference: "Slack space" is the unused space between where the file data end and the end of the cluster the data occupy. Login information is not typically stored in the slack space. Encryption for the slack space is no different from the rest of the file system. The slack space is not a viable means of storage during an investigation.
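To make the definition concrete, the following is an added example (not from the exam material) that builds a constructed in-memory "disk image" with a 4096-byte cluster size, stores a 1000-byte file, plants data in the 3096 bytes of slack after it, and shows that a logical read of the file never sees it while a slack carve recovers it. The cluster size, image layout and function names are assumptions for this example.

```python
"""Slack space: bytes between a file's logical end and the end of its last
cluster. Added example, not from the exam material; the image is constructed
in memory and the 4096-byte cluster size is an assumption.
"""
import hashlib

CLUSTER_SIZE = 4096  # assumed allocation unit size


def slack_range(file_size: int, cluster_size: int = CLUSTER_SIZE) -> tuple[int, int]:
    """Return (offset within the last cluster, length) of a file's slack.

    A file that exactly fills its clusters has no slack.
    """
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    used_in_last = file_size % cluster_size
    if used_in_last == 0:
        return cluster_size, 0
    return used_in_last, cluster_size - used_in_last


def build_image(n_clusters: int, cluster_size: int = CLUSTER_SIZE) -> bytearray:
    """Constructed image: all clusters zero-filled (freshly formatted media)."""
    return bytearray(n_clusters * cluster_size)


def write_file(image: bytearray, first_cluster: int, data: bytes,
               cluster_size: int = CLUSTER_SIZE) -> None:
    """Write file data from first_cluster on. Bytes after the logical end of
    the file are left untouched, which is why leftover or planted data
    survives there."""
    start = first_cluster * cluster_size
    image[start:start + len(data)] = data


def plant_in_slack(image: bytearray, last_cluster: int, file_size: int,
                   payload: bytes, cluster_size: int = CLUSTER_SIZE) -> None:
    """Simulate an adversary hiding data past the logical end of a file."""
    offset, length = slack_range(file_size, cluster_size)
    if len(payload) > length:
        raise ValueError("payload does not fit in slack")
    start = last_cluster * cluster_size + offset
    image[start:start + len(payload)] = payload


def carve_slack(image: bytes, last_cluster: int, file_size: int,
                cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Investigator's view: read the slack of a file's last cluster."""
    offset, length = slack_range(file_size, cluster_size)
    start = last_cluster * cluster_size + offset
    return bytes(image[start:start + length])


def demo() -> dict:
    """Plant data in slack, then compare a logical read with a slack carve."""
    image = build_image(8)
    file_data = b"A" * 1000  # 1000-byte logical file, fits in one cluster
    write_file(image, first_cluster=3, data=file_data)
    hidden = b"exfil-key=0xDEADBEEF"  # constructed payload
    plant_in_slack(image, last_cluster=3, file_size=len(file_data), payload=hidden)

    # An ordinary file read stops at the logical size and never sees slack.
    logical_view = bytes(image[3 * CLUSTER_SIZE:3 * CLUSTER_SIZE + len(file_data)])
    slack = carve_slack(image, last_cluster=3, file_size=len(file_data))
    return {
        "slack_bytes": slack_range(len(file_data))[1],
        "hidden_visible_in_logical_read": hidden in logical_view,
        "hidden_recovered_from_slack": slack.startswith(hidden),
        "slack_sha256": hashlib.sha256(slack).hexdigest(),  # record for the case file
    }
```

The same arithmetic applies to a real image once you know the file system's cluster size and the file's logical size from its directory entry; the carve is then a read of the last cluster from that offset to the cluster boundary.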
Without prior approval, a training department enrolled the company in a free cloud-based collaboration site and invited employees to use it. Which of the following is the BEST response of the information security manager? A. Conduct a risk assessment and develop an impact analysis. B. Update the risk register and review the information security strategy. C. Report the activity to senior management. D. Allow temporary use of the site and monitor for data leakage.
Correct Answer: C
If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on: A. obtaining evidence as soon as possible. B. preserving the integrity of the evidence. C. disconnecting all IT equipment involved. D. reconstructing the sequence of events.
Correct Answer: B Explanation/Reference: The integrity of evidence should be maintained, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order for it to be accepted in a court of law). All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the evidence.
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster? A. Copies of critical contracts and service level agreements (SLAs) B. Copies of the business continuity plan C. Key software escrow agreements for the purchased systems D. List of emergency numbers of service providers
Correct Answer: B Explanation/Reference: Without a copy of the business continuity plan, recovery efforts would be severely hampered or may not be effective. All other choices would not be as immediately critical as the business continuity plan itself. The business continuity plan would contain a list of the emergency numbers of service providers.
In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the: A. volume of sensitive data. B. recovery point objective (RPO). C. recovery time objective (RTO). D. interruption window.
Correct Answer: B Explanation/Reference: The recovery point objective (RPO) defines the maximum loss of data (in terms of time) acceptable to the business (i.e., the age of the data to be restored). It directly determines the basic elements of the backup strategy: the frequency of the backups and what kind of backup is the most appropriate (disk-to-disk, tape, mirroring). The volume of data will be used to determine the capacity of the backup solution. The recovery time objective (RTO), the time between the disaster and the return to normal operation, will not have any impact on the backup strategy. The ability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup vs. incremental), but this will not be the primary factor.
A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager? A. Ensure that all OS patches are up-to-date B. Block inbound traffic until a suitable solution is found C. Obtain guidance from the firewall manufacturer D. Commission a penetration test
Correct Answer: C Explanation/Reference: The best source of information is the firewall manufacturer, since the manufacturer may have a patch to fix the vulnerability or a workaround solution. Ensuring that all OS patches are up-to-date is a best practice in general, but will not necessarily address the reported vulnerability. Blocking inbound traffic may not be practical or effective from a business perspective. Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective actions.
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to: A. rebuild the server from the last verified backup. B. place the web server in quarantine. C. shut down the server in an organized manner. D. rebuild the server with original media and relevant patches.
Correct Answer: D Explanation/Reference: The original media should be used, since one can never be sure of all the changes a super-user may have made nor the timeline in which these changes were made. Rebuilding from the last known verified backup is incorrect, since the verified backup may have been compromised by the super-user at an earlier time. Placing the web server in quarantine should already have occurred as part of the forensic process. Shutting down the server in an organized manner is out of sequence and no longer a concern: the forensic process is already finished and the evidence has already been acquired.
An organization wants to integrate information security into its human resource management processes. Which of the following should be the FIRST step? A. Evaluate the cost of information security integration B. Assess the business objectives of the processes C. Identify information security risk associated with the processes D. Benchmark the processes with best practice to identify gaps
Correct Answer: B
A rootkit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to: A. document how the attack occurred. B. notify law enforcement. C. take an image copy of the media. D. close the accounts receivable system.
Correct Answer: C Explanation/Reference: Taking an image copy of the media is a recommended practice to ensure legal admissibility. All of the other choices are subsequent and may be supplementary.
The BEST approach in managing a security incident involving a successful penetration should be to: A. allow business processes to continue during the response. B. allow the security team to assess the attack profile. C. permit the incident to continue to trace the source. D. examine the incident response process for deficiencies.
Correct Answer: A Explanation/Reference: Since information security objectives should always be linked to the objectives of the business, it is imperative that business processes be allowed to continue whenever possible. Only when there is no alternative should these processes be interrupted. Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to the needs of the business. Permitting an incident to continue may expose the organization to additional damage. Evaluating the incident management process for deficiencies is valuable, but it, too, is subordinate to allowing business processes to continue.
The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize: A. firewalls. B. bastion hosts. C. decoy files. D. screened subnets.
Correct Answer: C Explanation/Reference: Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security to the hacker's presence. Firewalls and bastion hosts attempt to keep the hacker out, while screened subnets or demilitarized zones (DMZs) provide a middle ground between the trusted internal network and the external untrusted Internet.
The FIRST priority when responding to a major security incident is: A. documentation. B. monitoring. C. restoration. D. containment.
Correct Answer: D Explanation/Reference: The first priority in responding to a security incident is to contain it to limit the impact. Documentation, monitoring and restoration are all important, but they should follow containment.
The FIRST step in an incident response plan is to: A. notify the appropriate individuals. B. contain the effects of the incident to limit damage. C. develop response strategies for systematic attacks. D. validate the incident.
Correct Answer: D Explanation/Reference: Appropriate people need to be notified; however, one must first validate the incident. Containing the effects of the incident would be done after validating the incident. Response strategies for systematic attacks should already have been developed prior to the occurrence of an incident.
The MOST important objective of a post incident review is to: A. capture lessons learned to improve the process. B. develop a process for continuous improvement. C. develop a business case for the security program budget. D. identify new incident management tools.
Correct Answer: A Explanation/Reference: The main purpose of a post incident review is to identify areas of improvement in the process. Developing a process for continuous improvement is not true in every case. Developing a business case for the security program budget and identifying new incident management tools may come from the analysis of the incident, but are not the key objectives.
The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify: A. weaknesses in network security. B. patterns of suspicious access. C. how an attack was launched on the network. D. potential attacks on the internal network.
Correct Answer: D Explanation/Reference: The most important function of an intrusion detection system (IDS) is to identify potential attacks on the network. Identifying how the attack was launched is secondary. It is not designed specifically to identify weaknesses in network security or to identify patterns of suspicious logon attempts.
The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to: A. enable independent and objective review of the root cause of the incidents. B. obtain support for enhancing the expertise of the third-party teams. C. identify lessons learned for further improving the information security management process. D. obtain better buy-in for the information security program.
Correct Answer: A Explanation/Reference: It is always desirable to avoid the conflict of interest involved in having the information security team carry out the post event review. Obtaining support for enhancing the expertise of the third-party teams is one of the advantages, but is not the primary driver. Identifying lessons learned for further improving the information security management process is the general purpose of carrying out the post event review. Obtaining better buy-in for the information security program is not a valid reason for involving third-party teams.
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify: A. weaknesses in network and server security. B. ways to improve the incident response process. C. potential attack vectors on the network perimeter. D. the optimum response to internal hacker attacks.
Correct Answer: A Explanation/Reference: An internal attack and penetration test is designed to identify weaknesses in network and server security. It does not focus as much on incident response or the network perimeter.
The PRIORITY action to be taken when a server is infected with a virus is to: A. isolate the infected server(s) from the network. B. identify all potential damage caused by the infection. C. ensure that the virus database files are current. D. establish security weaknesses in the firewall.
Correct Answer: A Explanation/Reference: The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the infected server(s) from the network. After the network is secured from further infection, the damage assessment can be performed, the virus database updated and any weaknesses sought.
A business case for investment in an information security management infrastructure MUST include: A. evidence that the proposed infrastructure is certified. B. specifics on the security applications needed. C. data management methods currently in use. D. impact of noncompliance with applicable standards.
Correct Answer: D
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability? A. Exclusive use of the hot site is limited to six weeks B. The hot site may have to be shared with other customers C. The time of declaration determines site access priority D. The provider services all major companies in the area
Correct Answer: D Explanation/Reference: Sharing a hot site facility is sometimes necessary in the case of a major disaster. Also, first come, first served usually determines priority of access based on general industry practice. Access to a hot site is not indefinite; the recovery plan should address a long-term outage. In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.
A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents? A. Risk assessment results B. Severity criteria C. Emergency call tree directory D. Table of critical backup files
Correct Answer: B Explanation/Reference: Quickly ranking the severity of an incident is a key element of incident response. The other choices refer to documents that would not likely be included in a computer incident response team (CIRT) manual.
A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to: A. confirm the incident. B. notify senior management. C. start containment. D. notify law enforcement.
Correct Answer: A Explanation/Reference: Asserting that the condition is a true security incident is the necessary first step in determining the correct response. The containment stage would follow. Notifying senior management and law enforcement could be part of the incident response process that takes place after confirming an incident.
A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following? A. Invalid logon attempts B. Write access violations C. Concurrent logons D. Firewall logs
Correct Answer: A Explanation/Reference: Since the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity, since concurrent usage is common in this situation. Write access violations would not necessarily be observed, since the information was merely copied and not altered. Firewall logs would not necessarily contain information regarding logon attempts.
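The detection logic the explanation describes, as an added example that is not part of the exam material: it runs over a few constructed logon audit lines (the line format, host names, addresses and the 5-failures-in-10-minutes threshold are all assumptions for this example), flags a burst of failed logons on one account from one source that ends in a success, and, for contrast, shows why counting concurrent logons is not a useful signal for a shared account.

```python
"""Detecting a guessed shared-account password from invalid logon attempts.
Added example, not from the exam material. LOG is constructed; the record
format and the threshold/window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit feed: one shared admin account (dbadmin) used normally
# from two workstations, then guessed from a third source; plus a user who
# simply mistyped once.
LOG = """\
2024-03-02T09:00:01 db01 logon user=dbadmin src=10.1.4.20 result=SUCCESS
2024-03-02T09:00:05 db01 logon user=dbadmin src=10.1.4.21 result=SUCCESS
2024-03-02T09:12:00 db01 logon user=dbadmin src=10.9.8.7 result=FAILED
2024-03-02T09:12:01 db01 logon user=dbadmin src=10.9.8.7 result=FAILED
2024-03-02T09:12:01 db01 logon user=dbadmin src=10.9.8.7 result=FAILED
2024-03-02T09:12:02 db01 logon user=dbadmin src=10.9.8.7 result=FAILED
2024-03-02T09:12:02 db01 logon user=dbadmin src=10.9.8.7 result=FAILED
2024-03-02T09:12:03 db01 logon user=dbadmin src=10.9.8.7 result=FAILED
2024-03-02T09:12:04 db01 logon user=dbadmin src=10.9.8.7 result=SUCCESS
2024-03-02T09:30:00 db01 logon user=jsmith src=10.1.4.33 result=FAILED
2024-03-02T09:30:10 db01 logon user=jsmith src=10.1.4.33 result=SUCCESS
"""


def parse(line: str) -> dict:
    """'<ts> <host> logon k=v k=v ...' -> dict with parsed timestamp."""
    ts, host, _event, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["host"] = host
    return rec


def detect_guessing(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Alert on (user, src) pairs with >= threshold failures inside `window`
    followed by a success: the signature of a password being guessed."""
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        key = (rec["user"], rec["src"])
        # Drop failures that have aged out of the sliding window.
        failures[key] = [t for t in failures[key] if rec["ts"] - t <= window]
        if rec["result"] == "FAILED":
            failures[key].append(rec["ts"])
        elif rec["result"] == "SUCCESS" and len(failures[key]) >= threshold:
            alerts.append({
                "user": rec["user"], "src": rec["src"],
                "failures_before_success": len(failures[key]),
                "success_at": rec["ts"].isoformat(),
            })
            failures[key].clear()
    return alerts


def concurrent_logons(log_text: str) -> dict:
    """Contrast: distinct sources with a successful logon, per user. For a
    shared administrative account a count above one is normal, so this
    statistic does not separate the attacker from legitimate users."""
    srcs = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["result"] == "SUCCESS":
            srcs[rec["user"]].add(rec["src"])
    return {user: len(s) for user, s in srcs.items()}
```

Keying on (account, source) rather than account alone keeps the shared account's legitimate users from polluting the attacker's failure count; a real deployment would also alert on the failure burst itself, without waiting for the success, since the guess may not have landed yet.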
A desktop computer that was involved in a computer security incident should be secured as evidence by: A. disconnecting the computer from all power sources. B. disabling all local user accounts except for one administrator. C. encrypting local files and uploading exact copies to a secure server. D. copying all files using the operating system (OS) to write-once media.
Correct Answer: A Explanation/Reference: To preserve the integrity of the desktop computer as an item of evidence, it should be immediately disconnected from all sources of power. Any attempt to access the information on the computer by copying, uploading or accessing it remotely changes the operating system (OS) and temporary files on the computer and invalidates it as admissible evidence.
A global organization has developed a strategy to share a customer information database between offices in two countries. In this situation, it is MOST important to ensure: A. data sharing complies with local laws and regulations at both locations. B. data is encrypted in transit and at rest. C. a nondisclosure agreement is signed. D. risk coverage is split between the two locations sharing data.
Correct Answer: A
A global organization processes and stores large volumes of personal data. Which of the following would be the MOST important attribute in creating a data access policy? A. Availability B. Integrity C. Reliability D. Confidentiality
Correct Answer: D
A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat? A. Quarantine all picture files stored on file servers B. Block all e-mails containing picture file attachments C. Quarantine all mail servers connected to the Internet D. Block incoming Internet mail, but permit outgoing mail
Correct Answer: B Explanation/Reference: Until signature files can be updated, incoming e-mail containing picture file attachments should be blocked. Quarantining picture files already stored on file servers is not effective, since these files must be intercepted before they are opened. Quarantine of all mail servers or blocking all incoming mail is unnecessary overkill, since only those e-mails containing attached picture files are in question.
A possible breach of an organization's IT system is reported by the project manager. What is the FIRST thing the incident response manager should do? A. Run a port scan on the system B. Disable the logon ID C. Investigate the system logs D. Validate the incident
Correct Answer: D Explanation/Reference: When investigating a possible incident, it should first be validated. Running a port scan on the system, disabling the logon IDs and investigating the system logs may be required based on preliminary forensic investigation, but doing so as a first step may destroy the evidence.
A post-incident review should be conducted by an incident management team to determine: A. relevant electronic evidence. B. lessons learned. C. hacker's identity. D. areas affected.
Correct Answer: B Explanation/Reference: Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from the attack. Evaluating the relevance of evidence, who launched the attack or what areas were affected are not the primary purposes for such a meeting, because these should have already been established during the response to the incident.
An organization that has outsourced its incident management capabilities just discovered a significant privacy breach by an unknown attacker. Which of the following is the MOST important action of the information security manager? A. Follow the outsourcer's response plan. B. Alert the appropriate law enforcement authorities. C. Refer to the organization's response plan. D. Notify the outsourcer of the privacy breach.
Correct Answer: D
An incident response policy must contain: A. updated call trees. B. escalation criteria. C. press release templates. D. critical backup files inventory.
Correct Answer: B Explanation/Reference: Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy. Telephone trees, press release templates and lists of critical backup files are too detailed to be included in a policy document.
An information security manager is recommending an investment in a new security initiative to address recently published threats. Which of the following would be MOST important to include in the business case? A. Business impact if threats materialize B. Availability of unused funds in the security budget C. Threat information from reputable sources D. Alignment of the new initiative with the approved business strategy
Correct Answer: A
An information security manager is reviewing the impact of a regulation on the organization's human resources system. The NEXT course of action should be to: A. perform a gap analysis of compliance requirements. B. assess the penalties for non-compliance. C. review the organization's most recent audit report. D. determine the cost of compliance.
Correct Answer: A
An intrusion detection system (IDS) should: A. run continuously B. ignore anomalies C. require a stable, rarely changed environment D. be located on the network
Correct Answer: A Explanation/Reference: If an intrusion detection system (IDS) does not run continuously, the business remains vulnerable. An IDS should detect, not ignore, anomalies. An IDS should be flexible enough to cope with a changing environment. Both host-based and network-based IDS are recommended for adequate detection.
An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to: A. require the use of strong passwords. B. assign static IP addresses. C. implement centralized logging software. D. install an intrusion detection system (IDS).
Correct Answer: D Explanation/Reference: Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of the attack so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally. Proper placement of agents on the internal network can be effectively used to detect an internally based attack. Requiring the use of strong passwords will not be sufficiently effective against a network-based attack. Assigning IP addresses would not be effective, since these can be spoofed. Implementing centralized logging software will not necessarily provide information on the source of the attack.
An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is: A. assess the likelihood of incidents from the reported cause. B. discontinue the use of the vulnerable technology. C. report to senior management that the organization is not affected. D. remind staff that no similar security breaches have taken place.
Correct Answer: A Explanation/Reference: The security manager should first assess the likelihood of a similar incident occurring, based on available information. Discontinuing the use of the vulnerable technology would not necessarily be practical, since it would likely be needed to support the business. Reporting to senior management that the organization is not affected due to controls already in place would be premature until the information security manager can first assess the impact of the incident. Until this has been researched, it is not certain that no similar security breaches have taken place.
An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation? A. Inform senior management. B. Determine the extent of the compromise. C. Report the incident to the authorities. D. Communicate with the affected customers.
Correct Answer: B Explanation/Reference: Before reporting to senior management, affected customers or the authorities, the extent of the exposure needs to be assessed.
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to: A. use the test equipment in the warm site facility to read the tapes. B. retrieve the tapes from the warm site and test them. C. have duplicate equipment available at the warm site. D. inspect the facility and inventory the tapes on a quarterly basis.
Correct Answer: B Explanation/Reference: A warm site is not fully equipped with the company's main systems; therefore, the tapes should be tested using the company's production systems. Inspecting the facility and checking the tape inventory does not guarantee that the tapes are usable.
An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the: A. communication line capacity between data centers. B. current processing capacity loads at data centers. C. differences in logical security at each center. D. synchronization of system software release versions.
Correct Answer: B Explanation/Reference: If data centers are operating at or near capacity, it may prove difficult to recover critical operations at an alternate data center. Although line capacity is important from a mirroring perspective, this is secondary to having the necessary capacity to restore critical systems. By comparison, differences in logical and physical security and synchronization of system software releases are much easier issues to overcome and are, therefore, of less concern.
Correct Answer: A Explanation/Reference:For security and privacy reasons, all organizational data and software should be erased prior to departure. Evaluations can occur back at the office after everyone is rested, and the overall results can be discussed and compared objectively.
At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility? A. Erase data and software from devices B. Conduct a meeting to evaluate the test C. Complete an assessment of the hot site provider D. Evaluate the results from all test scripts
Correct Answer: D Explanation/Reference:A recovery strategy identifies the best way to recover a system in case of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan. The selection of strategy depends on the criticality of the business process and the applications supporting the processes. It need not necessarily cover all applications. All recovery strategies have associated costs, which include costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive.
Detailed business continuity plans should be based PRIMARILY on: A. consideration of different alternatives. B. the solution that is least expensive. C. strategies that cover all applications. D. strategies validated by senior management.
Correct Answer: C Explanation/Reference:The data owner should be notified prior to any action being taken. Copying sample files as evidence is not advisable since it breaches confidentiality requirements on the file. Removing access privileges to the folder containing the data should be done by the data owner or by the security manager in consultation with the data owner; however, this would be done only after formally reporting the incident. Training the human resources (HR) team on properly controlling file permissions is the method to prevent such incidents in the future, but should take place once the incident reporting and investigation activities are completed.
During the security review of organizational servers, it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should: A. copy sample files as evidence. B. remove access privileges to the folder containing the data. C. report this situation to the data owner. D. train the HR team on properly controlling file permissions.
Correct Answer: D Explanation/Reference:During an incident, emergency actions should minimize or eliminate casualties and damage to the business operation, thus reducing business interruptions. Determining the extent of property damage is not the consideration; emergency actions should minimize, not determine, the extent of the damage. Protecting/preserving environmental conditions may not be relevant. Ensuring orderly plan activation is important but not as critical as reducing damage to the operation.
Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and: A. determining the extent of property damage. B. preserving environmental conditions. C. ensuring orderly plan activation. D. reducing the extent of operational damage.
Correct Answer: A Explanation/Reference:The bit-level copy image file ensures forensic quality evidence that is admissible in a court of law. Choices B and D may not provide forensic quality data for investigative work, while choice C alone may not provide enough evidence.
Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source? A. A bit-level copy of all hard drive data B. The last verified backup stored offsite C. Data from volatile memory D. Backup servers
Correct Answer: A Explanation/Reference:
Executive management is considering outsourcing all IT operations. Which of the following functions should remain internal? A. Data ownership B. Data monitoring C. Data custodian D. Data encryption
Correct Answer: B Explanation/Reference:Legal follow-up will most likely be performed locally where the incident took place; therefore, it is critical that the procedure of treating evidence is in compliance with local regulations. In certain countries, there are strict regulations on what information can be collected. When evidence collected is not in compliance with local regulations, it may not be admissible in court. There are no common regulations to treat computer evidence that are accepted internationally. Generally accepted best practices such as a common chain-of-custody concept may have different implementation in different countries, and thus may not be a good assurance that evidence will be admissible. Local regulations always take precedence over organizational security policies.
In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by: A. international standards. B. local regulations. C. generally accepted best practices. D. organizational security policies.
Correct Answer: C Explanation/Reference:When investigating a security breach, it is important to preserve all traces of evidence left by the invader. For this reason, it is imperative to preserve the memory contents of the machine in order to analyze them later. The correct answer is choice C because a copy of the whole system's memory is obtained for future analysis by running the appropriate tools. This is also important from a legal perspective since an attorney may suggest that the system was changed during the conduct of the investigation. Running a computer forensics tool on the compromised machine will cause the creation of at least one process that may overwrite evidence. Rebooting the machine will delete the contents of the memory, erasing potential evidence. Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is correct, but doing so by using tools may also erase memory contents.
Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step? A. Run a forensics tool on the machine to gather evidence B. Reboot the machine to break remote connections C. Make a copy of the whole system's memory D. Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports
Correct Answer: C Explanation/Reference:In most businesses where an e-commerce site is in place, it would need to be restored in a matter of hours, if not minutes. Contractor payroll, change management and fixed assets would not require as rapid a recovery time.
Which of the following application systems should have the shortest recovery time objective (RTO)? A. Contractor payroll B. Change management C. E-commerce web site D. Fixed asset system
Correct Answer: B Explanation/Reference:Recovery criteria, indicating the circumstances under which specific actions are undertaken, should be contained within a business continuity policy. Telephone trees, business impact assessments (BIAs) and listings of critical backup files are too detailed to include in a policy document.
The business continuity policy should contain which of the following? A. Emergency call trees B. Recovery criteria C. Business impact assessment (BIA) D. Critical backups inventory
Correct Answer: D Explanation/Reference:
Which of the following architectures for e-business BEST ensures high availability? A. Availability of an adjacent hot site and a standby server with mirrored copies of critical data B. Intelligent middleware to direct transactions from a downed system to an alternative C. A single point of entry allowing transactions to be received and processed quickly D. Automatic failover to the web site of another e-business that meets the user's needs
Correct Answer: C Explanation/Reference:In the case of a probe, the situation should be monitored and the affected network segment isolated. Rebooting the router, powering down the demilitarized zone (DMZ) servers and enabling server trace routing are not warranted.
When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken? A. Reboot the router connecting the DMZ to the firewall B. Power down all servers located on the DMZ segment C. Monitor the probe and isolate the affected segment D. Enable server trace logging on the affected segment
Correct Answer: C Explanation/Reference: To accurately reconstruct the course of events, a time reference is needed and that is provided by the time server. The other choices would not assist in the correlation and review of these logs.
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs? A. Database server B. Domain name server (DNS) C. Time server D. Proxy server
Correct Answer: A Explanation/Reference:Before performing analysis of impact, resolution, notification or isolation of an incident, it must be validated as a real security incident.
Which of the following actions should take place immediately after a security breach is reported to an information security manager? A. Confirm the incident B. Determine impact C. Notify affected stakeholders D. Isolate the incident
Correct Answer: D Explanation/Reference:Business benefits from incident impact reduction would be the most important goal for establishing an incident management team. The assessment of business impact of past incidents would need to be completed to articulate the benefits. Having an independent review benefits the incident management process. The need for constant improvement on the security level is a benefit to the organization.
To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective? A. Assessment of business impact of past incidents B. Need of an independent review of incident causes C. Need for constant improvement on the security level D. Possible business benefits from incident impact reduction
Correct Answer: B Explanation/Reference:Packet filtering techniques are the only ones which reduce network congestion caused by a network denial of service (DoS) attack. Patching servers, in general, will not affect network traffic. Implementing network address translation and load balancing would not be as effective in mitigating most network DoS attacks.
What is the BEST method for mitigating against network denial of service (DoS) attacks? A. Ensure all servers are up-to-date on OS patches B. Employ packet filtering to drop suspect packets C. Implement network address translation to make internal addresses nonroutable D. Implement load balancing for Internet facing devices
Correct Answer: C Explanation/Reference:The key step in such an incident is to report it to mitigate any loss. After this, the other actions should follow.
What is the FIRST action an information security manager should take when a company laptop is reported stolen? A. Evaluate the impact of the information loss B. Update the corporate laptop inventory C. Ensure compliance with reporting procedures D. Disable the user account immediately
Correct Answer: C Explanation/Reference:The primary objective is to find any weakness in the current process and improve it. The other choices are all secondary.
What is the PRIMARY objective of a post-event review in incident response? A. Adjust budget provisioning B. Preserve forensic data C. Improve the response process D. Ensure the incident is fully documented
Correct Answer: C Explanation/Reference:
What of the following is MOST important to include in an information security policy? A. Maturity levels B. Best practices C. Management objectives D. Baselines
Correct Answer: A Explanation/Reference:If all of the plans exist only in electronic form, this presents a serious weakness if the electronic version is dependent on restoration of the intranet or other systems that are no longer available. Versioning control and tracking changes in personnel and plan assets is actually easier with an automated system. Broken hyperlinks are a concern, but less serious than plan accessibility.
When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern? A. Ensuring accessibility should a disaster occur B. Versioning control as plans are modified C. Broken hyperlinks to resources stored elsewhere D. Tracking changes in personnel and plan assets
Correct Answer: A Explanation/Reference: Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved. In choice B, the IT department is unlikely to have that level of expertise and should, thus, be prevented from taking action. Choice C may be a subsequent necessity that comes after choice A. Choice D, notifying law enforcement, will likely occur after the forensic analysis has been completed.
When collecting evidence for forensic analysis, it is important to: A. ensure the assignment of qualified personnel. B. request the IT department do an image copy. C. disconnect from the network and isolate the affected devices. D. ensure law enforcement personnel are present before the forensic analysis commences.
Correct Answer: C Explanation/Reference:The length of the recovery window is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services/applications. The technical implementation of the disaster recovery (DR) site will be based on this constraint, especially the choice between a hot, warm or cold site. The service delivery objective is supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal operations. It is then longer than the interruption window and is very difficult to estimate in advance. The time frame between the reduced operation mode at the end of the interruption window and the return to normal operations depends on the magnitude of the disaster. Technical disaster recovery solutions alone will not be used for returning to normal operations. Maximum tolerable outage (MTO) is the maximum time acceptable by a company operating in reduced mode before experiencing losses. Theoretically, recovery time objectives (RTOs) equal the interruption window plus the maximum tolerable outage. This will not be the primary factor for the choice of the technical disaster recovery solution.
When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the: A. services delivery objective. B. recovery time objective (RTO). C. recovery window. D. maximum tolerable outage (MTO).
Correct Answer: D Explanation/Reference:
When messages are encrypted and digitally signed to protect documents transferred between trading partners, the GREATEST concern is that: A. trading partners can repudiate the transmission of messages. B. hackers can eavesdrop on messages. C. trading partners can repudiate the receipt of messages. D. hackers can introduce forgery messages.
Correct Answer: D Explanation/Reference:
When outsourcing data to a cloud service provider, which of the following should be the information security manager's MOST important consideration? A. Roles and responsibilities have been defined for the subscriber organization. B. Cloud servers are located in the same country as the organization. C. Access authorization includes biometric security verification. D. Data stored at the cloud service provider is not co-mingled.
Correct Answer: C Explanation/Reference:Business process owners are in the best position to understand the true impact on the business that a system outage would create. The business continuity coordinator, industry averages and even information security will not be able to provide that level of detailed knowledge.
When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates? A. Business continuity coordinator B. Information security manager C. Business process owners D. Industry averages benchmarks
Correct Answer: C Explanation/Reference:An incident response plan documents the step-by-step process to follow, as well as the related roles and responsibilities pertaining to all parties involved in responding to an information security breach. A business continuity plan or disaster recovery plan would be triggered during the execution of the incident response plan in the case of a breach impacting the business continuity. A vulnerability management plan is a procedure to address technical vulnerabilities and mitigate the risk through configuration changes (patch management).
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach? A. Business continuity plan B. Disaster recovery plan C. Incident response plan D. Vulnerability management plan
Correct Answer: B Explanation/Reference:Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that. In fact, updating the IDS could create a temporary exposure until the new version can be properly tuned. Rebooting the router and enabling server trace routing would not be warranted.
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter? A. Reboot the border router connected to the firewall B. Check IDS logs and monitor for any active attacks C. Update IDS software to the latest available version D. Enable server trace logging on the DMZ segment
Correct Answer: C Explanation/Reference:Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat posed by the network attack.
Which of the following actions should be taken when an online trading company discovers a network attack in progress? A. Shut off all network access points B. Dump all event logs to removable media C. Isolate the affected network segment D. Enable trace logging on all events
Correct Answer: C Explanation/Reference:To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Although ensuring that only materials taken from offsite storage are used in the test is important, this is not as critical in determining a test's success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. Achieving the RTOs is another important milestone, but does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.
Which of the following is MOST important in determining whether a disaster recovery test is successful? A. Only business data files from offsite storage are used B. IT staff fully recovers the processing infrastructure C. Critical business processes are duplicated D. All systems are restored within recovery time objectives (RTOs)
Correct Answer: C Explanation/Reference:The complexity and business sensitivity of the processing infrastructure and operations largely determines the viability of such an option; the concern is whether the recovery site meets the operational and security needs of the organization. The cost to build a redundant facility is not relevant since only a fraction of the total processing capacity is considered critical at the time of the disaster and recurring contract costs would accrue over time. Invocation costs are not a factor because they will be the same regardless. The incremental daily cost of losing different systems and the recovery time objectives (RTOs) do not distinguish whether a commercial facility is chosen. Resulting criticality from the business impact analysis (BIA) will determine the scope and timeline of the recovery efforts, regardless of the recovery location.
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site? A. Cost to build a redundant processing facility and invocation B. Daily cost of losing critical systems and recovery time objectives (RTOs) C. Infrastructure complexity and system sensitivity D. Criticality results from the business impact analysis (BIA)
Correct Answer: C Explanation/Reference:
Which of the following is MOST likely to reduce the effectiveness of a signature-based intrusion detection system (IDS)? A. The activities being monitored deviate from what is considered normal. B. The information regarding monitored activities becomes stale. C. The pattern of normal behavior changes quickly and dramatically. D. The environment is complex.
Correct Answer: A Explanation/Reference:Diverting incoming traffic corrects the situation and, therefore, is a corrective control. Choice B is a preventive control. Choices C and D are detective controls.
Which of the following is an example of a corrective control? A. Diverting incoming traffic upon responding to the denial of service (DoS) attack B. Filtering network traffic before entering an internal network from outside C. Examining inbound network traffic for viruses D. Logging inbound network traffic
Correct Answer: D Explanation/Reference:
Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities? A. Automation of controls B. Documentation of control procedures C. Integration of assurance efforts D. Standardization of compliance requirements
Correct Answer: D Explanation/Reference:Post event reviews are designed to identify gaps and shortcomings in the actual incident response process so that these gaps may be improved over time. The other choices will not provide the same level of feedback in improving the process.
Which of the following is the BEST mechanism to determine the effectiveness of the incident response process? A. Incident response metrics B. Periodic auditing of the incident response process C. Action recording and review D. Post incident review
Correct Answer: D Explanation/Reference:The only accurate way to check the signature files is to look at a sample of servers. The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server. Checking the vendor information to the management console would still not be indicative as to whether the file was properly loaded on the server. Personnel should never release a virus, no matter how benign.
Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files? A. Verify the date that signature files were last pushed out B. Use a recently identified benign virus to test if it is quarantined C. Research the most recent signature file and compare to the console D. Check a sample of servers that the signature files are current
Correct Answer: A Explanation/Reference:Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements made that may damage reputation. Choices B, C and D are not recommended until the message to be communicated is made clear and the spokesperson has already spoken to the media.
Which of the following is the MOST important consideration for an organization interacting with the media during a disaster? A. Communicating specially drafted messages by an authorized person B. Refusing to comment until recovery C. Referring the media to the authorities D. Reporting the losses and recovery strategy to the media
Correct Answer: A Explanation/Reference:
Which of the following is the MOST important driver when developing an effective information security strategy? A. Information security standards B. Compliance requirements C. Benchmark reports D. Security audit reports
Correct Answer: D Explanation/Reference:Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result. Testing on weekends can be advantageous but this is not the most important choice. As vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses defined in advance. Although it would be ideal to provide for identical equipment at the hot site, this is not always practical as multiple customers must be served and equipment specifications will therefore vary.
Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site? A. Tests are scheduled on weekends B. Network IP addresses are predefined C. Equipment at the hot site is identical D. Business management actively participates
Correct Answer: A Explanation/Reference:In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location. Continuity of the business requires adequate network redundancy, hot site infrastructure that is certified as compatible and clear criteria for declaring a disaster. Ideally, the business continuity program addresses all of these satisfactorily. However, in a disaster situation, where all these elements are present, but without the detailed technical plan, business recovery will be seriously impaired.
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster? A. Detailed technical recovery plans are maintained offsite B. Network redundancy is maintained through separate providers C. Hot site equipment needs are recertified on a regular basis D. Appropriate declaration criteria have been established
Correct Answer: B Explanation/Reference:
Which of the following is the MOST important reason for performing vulnerability assessments periodically? A. Management requires regular reports. B. The environment changes constantly. C. Technology risks must be mitigated. D. The current threat levels are being assessed.
Correct Answer: A Explanation/Reference:Unless backup media are available, all other preparations become meaningless. Recovery site location and security are important, but would not prevent recovery in a disaster situation. Having a secondary hot site is also important, but not as important as having backup media available. Similarly, alternate data communication lines should be tested regularly and successfully but, again, this is not as critical.
Which of the following is the MOST important to ensure a successful recovery? A. Backup media is stored offsite B. Recovery location is secure and accessible C. More than one hot site is available D. Network alternate links are regularly tested
Correct Answer: C Explanation/Reference:Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. All other issues are secondary to this very serious exposure.
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)? A. Most new viruses' signatures are identified over weekends B. Technical personnel are not available to support the operation C. Systems are vulnerable to new viruses during the intervening week D. The update's success or failure is not known until Monday
Correct Answer: D Explanation/Reference:
Which of the following messages would be MOST effective in obtaining senior management's commitment to information security management? A. Effective security eliminates risk to the business B. Adopt a recognized framework with metrics C. Security is a business product and not a process D. Security supports and protects the business
Correct Answer: A Explanation/Reference:
Which of the following presents the GREATEST challenge in calculating return on investment (ROI) in the security environment? A. Number of incidents cannot be predetermined B. Project cost overruns cannot be anticipated C. Cost of security tools is difficult to estimate D. Costs of security incidents cannot be estimated
Correct Answer: A Explanation/Reference:A business impact analysis (BIA) provides results, such as impact from a security incident and required response times. The BIA is the most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. Risk assessment is a very important process for the creation of a business continuity plan. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in the prioritization. As in choice B, a vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process. Business process mapping facilitates the creation of the plan by providing mapping guidance on actions after the decision on critical business processes has been made, translating business prioritization to IT prioritization. Business process mapping does not help in making a decision, but in implementing a decision.
Which of the following processes is critical for deciding prioritization of actions in a business continuity plan? A. Business impact analysis (BIA) B. Risk assessment C. Vulnerability assessment D. Business process mapping
Correct Answer: A Explanation/Reference: Consistent achievement of recovery time objective (RTO) objectives during testing provides the most objective evidence that business continuity/disaster recovery plan objectives have been achieved. The successful testing of the business continuity/disaster recovery plan within the stated RTO objectives is the most indicative evidence that the business needs are being met. Objective testing of the business continuity/disaster recovery plan will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning. Mere valuation and assignment of information assets to owners (per the business continuity/disaster recovery plan) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved? A. The recovery time objective (RTO) was not exceeded during testing B. Objective testing of the business continuity/disaster recovery plan has been carried out consistently C. The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing D. Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
Correct Answer: B Explanation/Reference:Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems. This will allow recovery time objectives to be determined which, in turn, affects the location and cost of offsite recovery facilities, and the composition and mission of individual recovery teams. Determining the cost to rebuild information processing facilities would not be the first thing to determine.
Which of the following should be determined FIRST when establishing a business continuity program? A. Cost to rebuild information processing facilities B. Incremental daily cost of the unavailability of systems C. Location and cost of offsite recovery facilities D. Composition and mission of individual recovery teams
