Exam1: Mid-Term


____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation.

Avoidance

____ hack systems to conduct terrorist activities through network or Internet pathways.

Cyberterrorists

In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.

DNS cache poisoning

____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.

Defense

A ____ attack seeks to deny legitimate users access to services by either tying up a server's available resources or causing it to shut down.

DoS

____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired.

Forensics analysis

A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.

IR duty officer

____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.

Mitigation

____ incident responses enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort.

Predefining

____ uses a number of hard drives to store information across multiple drive units.

RAID

____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.

Risk assessment

____ is the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces.

Risk identification

Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else's systems, it is reasonable to ask that the service agreement include contingencies for recovery.

SaaS

The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.

Snort

____ is a risk control approach that attempts to shift the risk to other assets, other processes, or other organizations.

Transference

The IR plan is usually ____ when an incident causes minimal damage with little or no disruption to business operations.

activated

A(n) ____ is a detailed examination of the events that occurred, from first detection of an incident to final recovery.

after-action review

The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.

anomaly-based IDPS

A key step in the ____ approach to incident response is to discover the identity of the intruder while documenting his or her activity.

apprehend and prosecute

The ____ is an investigation and assessment of the impact that various events or incidents can have on the organization.

business impact analysis

The responsibility for creating an organization's IR plan often falls to the ____.

chief information security officer

When the measured activity is outside the baseline parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).

clipping level

A(n) ____ is used to anticipate, react to, and recover from events that threaten the security of information and information assets in an organization; it is also used to restore the organization to normal modes of business operations.

contingency plan

The elements required to begin the ____ process are a planning methodology; a policy environment to enable the planning process; an understanding of the causes and effects of core precursor activities; and access to financial and other resources.

contingency planning

The purpose of the ____ is to define the scope of the CP operations and establish managerial intent with regard to timetables for response to incidents, recovery from disasters, and reestablishment of operations for continuity.

contingency planning policy

In the absence of the assigned team manager, the ____ should assume authority for overseeing and evaluating a provided service.

deputy team manager

RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array.

disk striping

A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.

distributed CSIRT

Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.

false positives

When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.

fully outsourced

A(n) ____ backup only archives the files that have been modified since the last backup.

incremental

The ____ job functions and organizational roles focus on costs of system creation and operation, ease of use for system users, timeliness of system creation, and transaction response time.

information technology management and professionals

A(n) ____, a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.

log file monitor

The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.

mission

The first major business impact analysis task is to analyze and prioritize the organization's business processes based on their relationships to the organization's ____.

mission

The ____ of a hub, switch, or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.

monitoring port

The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.

noise

Considered to be the traditional "lock and copy" approach to database backup, ____ require the database to be inaccessible while a backup is created to a local drive.

online backup applications

Giving the IR team the responsibility for ____ is generally not recommended.

patch management

Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.

proactive services

Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident.

reaction force

Those services performed in response to a request or a defined event such as a help desk alert are called ____.

reactive services

The ____ is the point in time by which systems and data must be recovered after an outage as determined by the business unit.

recovery point objective

The ____ is the period of time within which systems, applications, or functions must be recovered after an outage.

recovery time objective

Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data.

robustness

The determination of what systems fall under the CSIRT's responsibility is called its ____.

scope of operations

Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.

signature matching

A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

site policy

The term ____ refers to a broad category of electronic and human activities in which an unauthorized individual gains access to the information an organization is trying to protect.

trespass

The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement.

upward
