CYBR 4330 - Inc. Resp & Cont Plng
____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation.
Acceptance
____ planning represents the final response of the organization when faced with any interruption of its critical operations.
Business continuity
The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe.
C.I.A. triangle
The ____ assembles a disaster recovery team.
CPMT
____ ensures that only those with the rights and privileges to access information are able to do so.
Confidentiality
____ are those steps taken to inform stakeholders regarding the timeline of events, the actions taken, and sometimes the reasons for those actions.
Crisis communications
____ is a set of focused steps that deal primarily with the safety and state of the people from the organization who are involved in the disaster.
Crisis management
____ is the set of actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life.
Crisis management
____ hack systems to conduct terrorist activities through network or Internet pathways.
Cyberterrorists
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.
DNS cache poisoning
____ are used for recovery from disasters that threaten on-site backups.
Data archives
____ requires effective backup strategies and flexible hardware configurations.
Data recovery
____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.
Defense
A ____ attack seeks to deny legitimate users access to services by either tying up a server's available resources or causing it to shut down.
DoS
Which of the following is not usually an insurable loss?
Electrostatic discharge
____ are those actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.
Emergency response
The ____ handles computer crimes that are categorized as felonies.
FBI
A Disaster Recovery Plan (DR plan) deals with identifying, classifying, responding to, and recovering from an incident.
False
A business continuity plan should be a single unified plan.
False
A business impact analysis (BIA) identifies threats, vulnerabilities, and potential attacks to determine what controls can protect the information.
False
According to the NIST definition of an event as "any observable occurrence in a system or network," all events are computer or network oriented.
False
An enterprise information security policy (EISP) addresses specific areas of technology and contains a statement on the organization's position on each specific area.
False
Database shadowing techniques are generally used in organizations that do not need immediate data recovery after an incident or disaster.
False
E-mail spoofing attacks require an immediate response, typically no more than 30 minutes to one hour.
False
For recovery from an incident (as opposed to a disaster), archives are used as the most common solution.
False
In computer-based training settings, trainees receive a seminar presentation at their computers.
False
In disaster recovery planning, there is a prevention phase similar to that in IR planning.
False
In general, a law enforcement organization can become the target of a retaliatory lawsuit for damages arising from an investigation that proves to be groundless.
False
Mainframe systems leverage data communications to decentralize and/or distribute capacity.
False
Most disaster-related loss occurs because of physical damage to property.
False
Most modern antivirus/anti-malware utilities cannot detect rootkits.
False
Natural disasters such as earthquakes can usually be mitigated with multipurpose casualty insurance.
False
Once a compromised system is disconnected, it is safe from further damage.
False
One activity that occurs during the clearing phase of a BC implementation is scheduling a move back to the primary site.
False
One of the first signals that an organization is making progress in the development of its IR program, specifically in the development of its CSIRT, is a dramatic drop in the number of identified incidents.
False
Organizing the incident response planning process begins with staffing the disaster recovery committee.
False
Regardless of which IR model an organization chooses, multiple employees should be in charge of incident response.
False
Team leaders from the subordinate teams, including the IR, DR, and BC teams, should not be included in the CPMT.
False
Testing the BC plan is an ongoing activity, with each scenario tested annually at walk-through level or higher.
False
The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.
False
The involvement of the CSIRT in incident response typically starts with prevention.
False
The laws governing search and seizure in the public sector are much more straightforward than those in the private sector.
False
The recovery time objective (RTO) downtime metric is defined as the point in time to which lost systems and data can be recovered after an outage as determined by the business unit.
False
The term unauthorized access is a synonym for hacking.
False
The vision of an organization is a written statement of an organization's purpose.
False
____ are highly probable when infected machines are brought back online or when other infected computers that may have been offline at the time of the attack are brought back up.
Follow-on incidents
____ are likely in the event of a hacker attack, when the attacker retreats to a chat room and describes in specific detail to his or her associates the method and results of his or her latest conquest.
Follow-on incidents
____ is used both for intrusion analysis and as part of evidence collection and analysis.
Forensics
____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired.
Forensics analysis
____ refers to those actions taken to meet the psychological and emotional needs of various stakeholders.
Humanitarian assistance
A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.
IR duty officer
In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.
IR plan
The ____ of an organization defines the roles and responsibilities for incident response for the CSIRT and others who will be mobilized in the activation of the plan.
IR policy
Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.
IR reaction strategies
The ____ Department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure it is within legal and ethical guidelines for the municipal, state, and federal jurisdictions.
Legal
____ disasters include acts of terrorism and acts of war.
Man-made
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
Mitigation
____ is the inclusion of action steps to minimize the damage associated with the disaster on the operations of the organization.
Mitigation of impact
The legal decision that establishes the start point for "warrantless" workplace searches is the Supreme Court's complex ruling in ____.
O'Connor v. Ortega
____ incident responses enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort.
Predefining
____ means making an organization ready for possible contingencies that can escalate to become disasters.
Preparation
____ uses a number of hard drives to store information across multiple drive units.
RAID
____ are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production.
Rapid onset disasters
____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows.
Rapid onset disasters
____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.
Risk assessment
____ is the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces.
Risk identification
____ is the determination of the initial flaw or vulnerability that allowed an incident to occur.
Root cause analysis
Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else's systems, it is reasonable to ask that the service agreement include contingencies for recovery.
SaaS
____ occur over time and slowly deteriorate the organization's capacity to withstand their effects.
Slow onset disasters
The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
Snort
Clifford Stoll's book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.
The Cuckoo's Egg
____ is a risk control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Transference
A recent trend in corporate settings is to provide each employee with a disaster recovery identification card.
True
A recommended practice for implementation of a physical IR plan document is to attach copies of relevant documents such as service agreements for the ISP, telephone, water, gas, etc.
True
A weighted analysis table can be useful in resolving the issue of which business function is the most critical to the organization.
True
An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
True
As soon as the CSIRT is able to determine what exactly is happening, it is expected to report its preliminary finding to management.
True
Automated IR systems to facilitate IR documentation are available through a number of vendors.
True
BC is specifically designed to get the organization's most critical services up and running as quickly as possible in order to enable the continued operation of the organization and thereby ensure its existence and minimize the financial losses from the disruption.
True
Cross-training provides a mechanism to get everyone out of the crime scene and thus prevent contamination of possible evidentiary material.
True
Effective contingency planning begins with effective policy.
True
Ignorance of policy is a legal excuse for an employee.
True
In crisis management situations, it is most likely that an organization will interact with state agencies more frequently than with federal agencies.
True
In disaster recovery, most triggers occur in response to one or another natural event.
True
Intellectual property (IP) includes trade secrets, copyrights, trademarks, and patents.
True
Like DR planning, the identification of critical business functions and the resources to support them is the cornerstone of the process used to create the business continuity (BC) plan.
True
Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.
True
Many practitioners feel that a system, once compromised, can never be restored to a trusted state.
True
Network recovery teams may be used to replace downed systems, but it is unlikely that they have experience in physically repairing damaged systems.
True
Once the CSIRT has been notified and arrives "on scene," whether physically or virtually, the first task that must occur is an assessment of the situation.
True
One real-time protection and data backup strategy is the use of mirroring.
True
Organizations typically respond to a crisis by focusing on technical issues and economic priorities, and overlook the steps needed to preserve the most critical assets of the organization: its people.
True
Over 90 percent of organizations that experienced disruption at a data center lasting 10 days or longer were forced into bankruptcy within one year.
True
RAID is an acronym for Redundant Array of Incident-Recovery Drives.
False
Some data is required by law to be retained and stored for years.
True
The CSIRT is also known as the IR Reaction Team.
True
The alert roster must be tested more frequently than other components of a disaster recovery plan because it is subject to continual change due to employee turnover.
True
The purpose of the disaster recovery program is to provide for the direction and guidance of all disaster recovery operations.
True
There are several national training programs that focus on incident response tools and techniques.
True
To analyze evidence, the original is obtained from storage, a copy of the evidence is made for analysis, and the original is returned to storage, because it is crucial that the analysis never takes place on the original evidence.
True
To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.
True
Training focuses on the particular roles each individual is expected to execute during an actual disaster.
True
Using desk check, talk-throughs, walk-throughs, simulation, and other exercises on a regular basis helps prepare the organization for crises and, additionally, helps keep the CM plan up to date.
True
Within the private sector, the Supreme Court stated, "Every warrantless workplace search must be evaluated carefully on its facts. In general, however, law enforcement officers can conduct a warrantless search of private (i.e., nongovernment) workplaces only if the officers obtain the consent of either the employer or another employee with common authority over the area searched."
True
There are a number of professional IR agencies, such as ____, that can provide additional resources to help prevent and detect DoS incidents.
US-CERT
____ is a common indicator of a DoS attack.
User reports of system unavailability
____ is a tactic that deliberately permits an attack to continue while the entire event is observed and additional evidence is collected.
Watchful waiting
Once the incident has been contained, and all signs of the incident removed, the ____ phase begins.
actions after
The IR plan is usually ____ when an incident causes minimal damage with little or no disruption to business operations.
activated
Many private sector organizations require a formal statement, called a(n) ____, which provides search authorization and furnishes much of the same information usually found in a public sector search warrant.
affidavit
A(n) ____ is a detailed examination of the events that occurred, from first detection of an incident to final recovery.
after-action review
The ____ is a detailed examination of the events that occurred, from first detection to final recovery.
after-action review
The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.
anomaly-based IDPS
The ____ team is responsible for recovering and reestablishing operations of critical business applications.
applications recovery
A key step in the ____ approach to incident response is to discover the identity of the intruder while documenting his or her activity.
apprehend and prosecute
The CSIRT may not wish to "tip off" attackers that they have been detected, especially if the organization is following a(n) ____ approach.
apprehend and prosecute
Information assets have ____ when authorized users - persons or computer systems - are able to access them in the specified format without interference or obstruction.
availability
Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.
blended
The ____ is an investigation and assessment of the impact that various events or incidents can have on the organization.
business impact analysis
The ____ team is responsible for working with the remainder of the organization to assist in the recovery of nontechnology functions.
business interface
A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____.
central CSIRT
In a CPMT, a(n) ____ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort.
champion
The champion for the CSIRT may be the same person as the champion for the entire IR function—typically, the ____.
chief information officer
The responsibility for creating an organization's IR plan often falls to the ____.
chief information security officer
When the measured activity is outside the baseline parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).
clipping level
The ____ is responsible for managing all communications among the CM team, management, employees, and the public, including the media and local and state governments.
communications coordinator
Within an organization, a(n) ____ is a group of individuals who are united by shared interests or values and who have a common goal of making the organization function to meet its objectives.
community of interest
When a second attack, using the means and methods of the first attack is undertaken while the first attack is still underway, this is considered a(n) ____ recurrence.
concurrent
A(n) ____ is used to anticipate, react to, and recover from events that threaten the security of information and information assets in an organization; it is also used to restore the organization to normal modes of business operations.
contingency plan
The elements required to begin the ____ process are a planning methodology; a policy environment to enable the planning process; an understanding of the causes and effects of core precursor activities; and access to financial and other resources.
contingency planning
The purpose of the ____ is to define the scope of the CP operations and establish managerial intent with regard to timetables for response to incidents, recovery from disasters, and reestablishment of operations for continuity.
contingency planning policy
A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.
cookie
A(n) ____ is created to enable management to gain and maintain control of ongoing emergency situations, to provide oversight and control to designated first responders, and to marshal IR, DR, and BC plans and resources as needed.
crisis management team
One way to identify a particular digital item (collection of bits) is by means of a(n) ____.
cryptographic hash
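The two forensics items above (analysis is never done on the original, and a digital item is identified by its cryptographic hash) fit together in practice: hash the original at acquisition, work only on a bit-for-bit copy, and re-hash both whenever they change hands. The following Python is an added illustration written for this page, not code from the course or its textbook; the evidence bytes and function names are constructed for the example.

```python
import hashlib

# Constructed stand-in for a seized disk image or file (made up for this example).
ORIGINAL_EVIDENCE = b"example image bytes: user=alice; login 03:12; file deleted\n" * 64


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash identifying a collection of bits; any 1-bit change alters it."""
    return hashlib.sha256(data).hexdigest()


def acquire(original: bytes) -> tuple[bytes, str]:
    """Record the original's hash at acquisition and hand back a working copy.

    Analysis is performed on the copy; the original goes back to storage untouched.
    """
    baseline = sha256_hex(original)
    working_copy = bytes(original)  # bit-for-bit copy, as a forensic imager would produce
    return working_copy, baseline


def verify_copy(working_copy: bytes, baseline_hash: str) -> bool:
    """True only if the working copy is still identical to what was acquired."""
    return sha256_hex(working_copy) == baseline_hash


def chain_of_custody_check(original: bytes, baseline_hash: str) -> bool:
    """Re-hash the original when it comes back from storage to show it was not altered."""
    return sha256_hex(original) == baseline_hash


if __name__ == "__main__":
    copy, baseline = acquire(ORIGINAL_EVIDENCE)
    print("baseline sha256:", baseline)
    print("working copy intact:", verify_copy(copy, baseline))
    tampered = bytearray(copy)
    tampered[0] ^= 0x01  # flip one bit
    print("tampered copy intact:", verify_copy(bytes(tampered), baseline))
```

Record the baseline hash in the field notes and on the evidence seal label; a mismatch at any later check means the item can no longer be shown to be what was seized.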
The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it.
damage assessment
The ____ team is primarily responsible for data restoration and recovery.
data management
In the absence of the assigned team manager, the ____ should assume authority for overseeing and evaluating a provided service.
deputy team manager
The first item of business for a disaster recovery team is to develop the ____.
disaster recovery policy
The primary vehicle for articulating the purpose of a disaster recovery program is the ____.
disaster recovery policy
A ____ is a description of the disasters that may befall an organization, along with information on their probability of occurrence, a brief description of the organization's actions to prepare for that disaster, and the best case, worst case, and most likely case outcomes of the disaster.
disaster scenario
RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array.
disk striping
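To make the difference between striping (RAID 0, above) and mirroring (the real-time protection strategy listed earlier) concrete, here is a small Python simulation added for this page; it is not code from the course or its textbook, and the data and function names are constructed for the example. Striping spreads segments round-robin across drives and gives no redundancy, so one failed drive loses the whole logical volume; a mirror survives the same failure.

```python
def stripe(data: bytes, drives: int, segment: int = 4) -> list[bytes]:
    """RAID 0: write successive segments to each drive in turn (round-robin)."""
    disks = [bytearray() for _ in range(drives)]
    for i in range(0, len(data), segment):
        disks[(i // segment) % drives] += data[i:i + segment]
    return [bytes(d) for d in disks]


def read_striped(disks: list, segment: int = 4) -> bytes:
    """Reassemble the logical volume; a failed drive (None) makes it unreadable."""
    if any(d is None for d in disks):
        raise OSError("RAID 0 has no redundancy: volume lost when any drive fails")
    chunks = [[d[i:i + segment] for i in range(0, len(d), segment)] for d in disks]
    out, k = bytearray(), 0
    while True:  # walk drives in the same round-robin order the data was written
        disk_chunks = chunks[k % len(disks)]
        idx = k // len(disks)
        if idx >= len(disk_chunks):
            break
        out += disk_chunks[idx]
        k += 1
    return bytes(out)


def mirror(data: bytes, drives: int) -> list[bytes]:
    """RAID 1: every drive holds a complete copy."""
    return [bytes(data) for _ in range(drives)]


def read_mirrored(disks: list) -> bytes:
    """Any surviving copy is enough to read the volume."""
    for d in disks:
        if d is not None:
            return d
    raise OSError("all mirror members failed")


if __name__ == "__main__":
    data = bytes(range(37))  # constructed sample data
    striped = stripe(data, 3)
    print("striped read ok:", read_striped(striped) == data)
    try:
        read_striped([striped[0], None, striped[2]])
    except OSError as e:
        print("drive 1 failed:", e)
    print("mirror survives failure:", read_mirrored([None, mirror(data, 2)[1]]) == data)
```

Striping improves throughput, not availability; a striped volume still needs backups (or a parity/mirrored RAID level) to count as a recovery strategy.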
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor, with a ____ backup strategy.
disk-to-disk-to-cloud
A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.
distributed CSIRT
A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.
distributed denial-of-service
The ____ is responsible for contacting and managing all interaction between the organization's management and staff and any needed emergency services, including utility services.
emergency services coordinator
In evidence handling, specifically designed ____ are helpful because they are very difficult to remove without breaking.
evidence seals
The ____ phase of forensic analysis involves the use of forensic tools to recover the content of files that were deleted, operating system artifacts (such as event data and logging of user actions), and other relevant facts.
examination
A search is constitutional if it does not violate a person's reasonable or legitimate ____.
expectation of privacy
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
false positives
A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____.
field notes
The functional part of forensics called ____ is about assessing the "scene," identifying the sources of relevant digital information, and preserving it for later analysis using sound processes.
first response
The committees of the CPMT follow a set of general stages to develop their subordinate plans. In the case of incident planning, the first stage is to ____.
form the IR planning committee
The plan maintenance schedule in a BC policy statement should address the ____ of reviews, along with who will be involved in each review.
frequency
When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.
fully outsourced
A(n) ____ is the process of accounting for all personnel—that is, determining each individual's whereabouts—during an emergency.
head count
The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not.
help desk
Unless an organization has contracted for a ____ or equivalent, office equipment such as desktop computers are not provided at BC alternate site.
hot site
In contrast to emergency response that focuses on the immediate safety of those affected, ____ addresses the services needed to get the organization and its stakeholders back to original levels of productivity or satisfaction.
humanitarian assistance
In contingency planning, an adverse event that threatens the security of an organization's information is called a(n) ____.
incident
The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.
incident candidates
A(n) ____ backup only archives the files that have been modified since the last backup.
incremental
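An incremental backup is only useful if restoration is planned with it: the full backup plus every later incremental must be applied in order, and skipping one silently leaves stale files. The following Python models that with an in-memory file inventory; it is an added example for this page, not code from the course or its textbook, and the paths, timestamps and contents are constructed.

```python
from datetime import datetime, timezone


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed file inventories (path -> (last modified, content)) over three days.
DAY1 = {
    "docs/plan.txt": (ts("2024-05-06T09:00"), b"plan v1"),
    "db/ledger.db": (ts("2024-05-06T10:00"), b"ledger v1"),
}
DAY2 = {**DAY1, "db/ledger.db": (ts("2024-05-07T11:00"), b"ledger v2")}
DAY3 = {**DAY2,
        "docs/plan.txt": (ts("2024-05-08T09:00"), b"plan v2"),
        "notes.txt": (ts("2024-05-08T14:00"), b"notes")}


def backup_full(files: dict) -> dict:
    """Full backup: every file regardless of modification time."""
    return {path: content for path, (_mtime, content) in files.items()}


def backup_incremental(files: dict, last_backup: datetime) -> dict:
    """Incremental backup: only files modified since the last backup (full or incremental)."""
    return {path: content for path, (mtime, content) in files.items() if mtime > last_backup}


def restore(full: dict, incrementals: list) -> dict:
    """Restore = full backup, then each incremental applied in chronological order.
    (This simple model does not track deletions; a file removed after the full
    backup would reappear on restore.)"""
    state = dict(full)
    for inc in incrementals:
        state.update(inc)
    return state


def run_schedule():
    """Nightly 18:00 schedule: full on day 1, incrementals on days 2 and 3."""
    full = backup_full(DAY1)
    inc2 = backup_incremental(DAY2, ts("2024-05-06T18:00"))
    inc3 = backup_incremental(DAY3, ts("2024-05-07T18:00"))
    return full, inc2, inc3


if __name__ == "__main__":
    full, inc2, inc3 = run_schedule()
    print("day-2 incremental:", sorted(inc2))
    print("day-3 incremental:", sorted(inc3))
    print("full+inc2+inc3 ledger:", restore(full, [inc2, inc3])["db/ledger.db"])
    print("full+inc3 only ledger:", restore(full, [inc3])["db/ledger.db"])
```

Each incremental is small, which is why it is the common daily choice, but a single lost or corrupted incremental in the chain affects every restore after it; the retention schedule and the tests of the restore procedure need to account for that.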
A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.
indication
The ____ job functions and organizational roles focus on protecting the organization's information systems and stored information from attacks.
information security management and professionals
A CPMT should include ____ who can oversee the security planning of the project and provide information on threats, vulnerabilities, and recovery requirements needed in the planning process.
information security managers
The ____ job functions and organizational roles focus on costs of system creation and operation, ease of use for system users, timeliness of system creation, and transaction response time.
information technology management and professionals
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.
integrity
Most digital forensic teams have a prepacked field kit, also known as a(n) ____.
jump bag
Essential BC supplies needed at an alternate site include portable computers, software media, and ____.
licenses
A(n) ____, a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.
log file monitor
The ____ team is responsible for providing any needed supplies, space, materials, food, services, or facilities needed at the primary site other than vendor-acquired technology and other material obtained by the vendor team.
logistics
According to the 2010/2011 Computer Crime and Security Survey, ____ is "the most commonly seen attack, with 67.1 percent of respondents reporting it."
malware infection
The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.
mission
The first major business impact analysis task is to analyze and prioritize the organization's business processes based on their relationships to the organization's ____.
mission
A backup plan using WAN/VLAN replication and a recovery strategy using a warm site is most suitable for information systems that have ____ priority within an organization.
moderate
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
monitoring port
The ____ team is responsible for reestablishing connectivity between systems and to the Internet.
network recovery
The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.
noise
A DR plan addendum should include the trigger, the ____ method, and the response time associated with each disaster situation.
notification
The first step in building a CSIRT is to ____.
obtain management support and buy-in
Considered to be the traditional "lock and copy" approach to database backup, ____ require the database to be inaccessible while a backup is created to a local drive.
offline backup applications
A BC subteam called the ____ is responsible for establishing the core business functions needed to sustain critical business operations.
operations team
Giving the IR team the responsibility for ____ is generally not recommended.
patch management
A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.
persistent
The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps.
personnel
The U.S. National Institute of Standards and Technology defines the incident response life cycle as having four main processes: 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) ____.
post-incident activity
A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.
precursor
In the ____ phase of the BC plan, the organization specifies what type of relocation services are desired and what type of data management strategies are deployed to support relocation.
preparation for BC actions
Identifying measures, called ____, that reduce the effects of system disruptions can reduce continuity life-cycle costs.
preventive controls
A(n) ____ is an extension of an organization's intranet into cloud computing.
private cloud
Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.
proactive services
In a CPMT, a(n) ____ leads the project to make sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed.
project manager
Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident.
reaction force
Those services performed in response to a request or a defined event such as a help desk alert are called ____.
reactive services
When an alert warns of new malicious code that targets software used by an organization, the first response should be to research the new virus to determine whether it is ____.
real
The ____ is the point in the past to which the recovered applications and data at the alternate infrastructure will be restored.
recovery point objective
The ____ is the point in time to which lost systems and data can be recovered after an outage as determined by the business unit.
recovery point objective
The ____ is the amount of time that a business can tolerate losing capabilities until alternate capabilities are available.
recovery time objective
The ____ is the period of time within which systems, applications, or functions must be recovered after an outage.
recovery time objective
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.
retention
Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data.
robustness
The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity operation.
roles and responsibilities
The ____ section of the business continuity policy identifies the organizational units and groups of employees to which the policy applies.
scope
The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section.
scope
The determination of what systems fall under the CSIRT 's responsibility is called its ____.
scope of operations
Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
signature matching
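The two IDPS detection approaches on this page, signature matching (above) and anomaly-based detection with a clipping level (earlier), can be shown side by side over a few log lines. The Python below is an added example for this page, not code from the course, its textbook, or Snort; the log lines, signatures and thresholds are constructed for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed web-server log lines: "<ISO timestamp> <src_ip> <request line>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 GET /index.html
2024-05-01T10:00:02 203.0.113.7 GET /login?user=admin' OR '1'='1
2024-05-01T10:00:03 198.51.100.4 GET /about.html
2024-05-01T10:00:04 198.51.100.4 GET /cgi-bin/../../etc/passwd
2024-05-01T10:00:05 198.51.100.4 GET /p1
2024-05-01T10:00:05 198.51.100.4 GET /p2
2024-05-01T10:00:05 198.51.100.4 GET /p3
2024-05-01T10:00:05 198.51.100.4 GET /p4
2024-05-01T10:00:05 198.51.100.4 GET /p5
2024-05-01T10:00:05 198.51.100.4 GET /p6
2024-05-01T10:00:06 203.0.113.7 GET /index.html
"""

# Signature knowledge base: known attack patterns (constructed, deliberately simple).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line: str):
    ts, src, request = line.split(" ", 2)
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), src, request


def scan_signatures(lines):
    """Signature matching: compare each request against the knowledge base."""
    hits = []
    for line in lines:
        _t, src, request = parse(line)
        hits.extend((src, name) for name, pat in SIGNATURES.items() if pat.search(request))
    return hits


def anomaly_alerts(lines, window_seconds=1, clipping_level=5):
    """Anomaly-based: count requests per source per time window and alert on
    any bucket whose rate exceeds the clipping level (the baseline's upper bound)."""
    counts = Counter()
    for line in lines:
        t, src, _request = parse(line)
        counts[(src, int(t.timestamp()) // window_seconds)] += 1
    return {key: n for key, n in counts.items() if n > clipping_level}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("signature hits:", scan_signatures(lines))
    print("anomaly alerts:", anomaly_alerts(lines))
```

Note what each method misses: the burst of `/p1`..`/p6` matches no signature, and the single traversal request is far below the clipping level. A clipping level set too low turns ordinary busy clients into noise and false positives, which is why the baseline is tuned per site policy rather than fixed.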
A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
site policy
The ____ section of the business continuity policy provides an overview of the information storage and retrieval plans of the organization.
special considerations
The ____ team is responsible for the recovery of information and the reestablishment of operations in storage area networks or network attached storage.
storage recovery
A ____ is defined by the ICM as a disruption in the company's business that occurs without warning and is likely to generate news coverage and may adversely impact employees, investors, customers, suppliers, and other stakeholders.
sudden crisis
The ____ team is responsible for recovering and reestablishing operating systems (OSs).
systems recovery
The CM ____ is responsible for overseeing the actions of the crisis management team and coordinating all crisis management efforts in cooperation with disaster recovery and/or business continuity planning, on an as-needed basis.
team leader
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.
threat
Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.
hoax
In the ____ section of the business continuity policy, the training requirements for the various employee groups are defined and highlighted.
training requirements
The term ____ refers to a broad category of electronic and human activities in which an unauthorized individual gains access to the information an organization is trying to protect.
trespass
In disaster recovery, the ____ is the point at which a management decision to react is made in reaction to a notice or other datum such as a weather report or an activity report from IT indicating the escalation of an incident.
trigger
The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement.
upward
The ____ team is responsible for working with suppliers and vendors to replace damaged or destroyed equipment or services, as determined by the other teams.
vendor contact
The stability of information over time is called its ____.
volatility
A(n) ____ occurs when a situation results in service disruptions for weeks or months, requiring a government to declare a state of emergency.
worst-case scenario