Section 5: Quiz 64 - Incident Response Management


Which of the following is a major concern in terms of disseminating a detailed description of incident threats to users? A. Information can be used to launch the attack. B. The loss of reputation C. High instances of security alerts D. Threats can be ignored

Answer: A. Information can be used to launch the attack. Explanation: As a practice, the CSIRT disseminates the roles and responsibilities of users to address the threats. However, detailed information pertaining to the threat may be used to launch the attack. Only the minimum amount of information required should be released. The other options are not as important as the use of information to launch the attack.

The effectiveness of the incident response process can be determined by: A. the business and financial impact of each security incident B. the number of new patch installations C. team size D. the number of assets included in a penetration test

Answer: A. The business and financial impact of each security incident. Explanation: The best way to determine the effectiveness of the performance of an incident response procedure is to evaluate the business and financial impact of each security incident. The number of patches and the number of assets covered under penetration testing are not the responsibility of the incident response team. Instead, they are the responsibility of the security team.

The most important aspect while recovering from an attack is: A. to activate a business continuity plan B. to activate an incident response plan C. to activate an alternate site D. to hire expert investigators

Answer: B. Activating the incident response plan. Explanation: The first step is to activate the incident response plan. The main objective of the incident response plan is to reduce the impact of system outages on the business process. Through a well-defined incident management process, an organization can recover from the incident at the earliest possible juncture with a minimum business impact. The services of experts are obtained once the incident has been identified. Considering the nature of the incident, the next step may be to activate business continuity plans and alternate sites.

The primary objective of an incident response plan is: A. to ensure appropriate communication to management B. to reduce the impact of system outages and incidents on business C. to facilitate better public relations management D. to reduce the cost of incident handling

Answer: B. Activating the incident response plan. Explanation: The first step is to activate the incident response plan. The main objective of the incident response plan is to reduce the impact of system outages on the business process. Through a well-defined incident management process, an organization can recover from the incident at the earliest possible juncture with a minimum business impact. The services of experts are obtained once the incident has been identified. Considering the nature of the incident, the next step may be to activate business continuity plans and alternate sites.

A document that contains a plan to detect and recover from an attack is: A. a business continuity plan B. a disaster recovery plan C. an incident response plan D. an IT operating process

Answer: C. An incident response plan. Explanation: An incident response plan includes a process for identifying, managing, and recovering from an incident. Through a well-defined incident management process, an organization can recover from the incident at the earliest possible juncture with a minimum business impact. A business continuity plan includes a process for ensuring the continuity of critical business services. A disaster recovery policy and an IT operating process do not include a plan to detect and recover from an attack.

The objective of synchronizing all computer clocks to a common time network is: A. to remove duplicate transactions B. to comply with audit requirements C. to support the incident investigation process D. to have accurate timestamps on email messages

Answer: C. To support the incident investigation process. Explanation: If the timestamp is not the same on all devices, this will impact the process of investigating an incident. The audit trail may not be effective and reliable. The other options are not the objective of synchronized timings.

The most important factor in improving the incident response process is: A. a walkthrough of the incident response plan at regular intervals B. to train team members at regular intervals C. to document all incidents D. the simulated testing of the incident response plan at regular intervals

Answer: D. The simulated testing of the incident response plan at regular intervals. Explanation: Simulation-based testing helps to understand the challenges of incident response plans in real-life scenarios. It helps to determine the weak areas and provides scope for improvement. The other options are not as important as simulated testing.

An auditor's first step when suspecting the occurrence of an incident should be: A. to switch off the system B. to do nothing and verify the effectiveness of the incident response team C. to conduct a detailed investigation of the incident D. to report the incident to management immediately

Answer: D. To report the incident to management immediately. Explanation: It is most important that the auditor report the details of the incident to management immediately. Auditors should not switch off the system directly, as this may impact the evidence. Let the IT expert work on the solution.

