Cybersecurity Fundamentals - Incident Response and Recovery-#6
What is the term for the process of restarting/restoring data that has been lost, accidentally deleted, corrupted or made inaccessible for any reason?
Data recovery
Which NIST definition means any observable occurrence in a system or network - it is any change or interruption within an IT infrastructure? 1. Event; 2. Incident; 3. Emergency; 4. Disaster; 5. Crisis
Event
Which is the following an example of: system crash; disk error; user forgetting their password? [incident or event]
Event
What is the key difference between an incident and an event?
An incident implies a violation or imminent threat and an event does not
Which phase of response occurs after an incident has been identified and confirmed, and the team conducts a detailed assessment and contacts the system owner or business manager of the affected information system? 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Incident containment
Which phase occurs after containment measures have been deployed, when it is time to determine the root cause of the incident and eradicate it? Eradication can happen by restoring backups to achieve a clean slate of the system, removing the root cause, improving defenses, and performing vulnerability analysis to find further potential damage from the same root cause. 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Incident eradication
Which phase of the response plan ensures that affected systems or services are restored to a condition specified in the service delivery objective (SDO) or business continuity plan (BCP)? 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Incident recovery
Which type of backup copies all files that have changed since the last backup was made, regardless of whether the last backup was a full or incremental backup; this is the fastest backup method but the slowest method for restoring data? 1. Full backups; 2. Incremental backups; 3. Differential backups
Incremental backups
Which of the following categories of cybersecurity incidents applies to unconfirmed incidents that are potentially malicious or anomalous activity? 1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
Investigation
Which phase of incident response is the one in which the capability to identify an adversary is required? 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Investigation or containment
Which cybersecurity incident category does the following apply to: successful installation of malicious software (e.g. a virus, worm, trojan horse, or other code-based malicious entity) that infects an operating system or application? 1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
Malicious code
True or False: A Disaster Recovery Plan (DRP) is a set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.
True
True or False: A DoS or Denial of Service is an example of a security incident.
True
True or False: A business continuity plan (BCP) is the set of action plans you will put into effect when an incident occurs so that business operations are sustained and the organization can recover sooner rather than later.
True
True or False: A business impact analysis (BIA) provides the basis for: recovery time objectives; service delivery objectives; recovery point objectives.
True
True or False: A cybersecurity incident is an adverse event that negatively impacts the confidentiality, integrity, and availability of data; they may be unintentional, such as someone forgetting to activate an access list in a router, or intentional, such as a targeted attack by a hacker.
True
True or False: A cybersecurity-related disaster may occur when a disruption in service is caused by system malfunction, accidental file deletions, untested application releases, loss of backup, network DoS attacks, intrusions or viruses.
True
True or False: Not all interruptions are disasters, but a small incident not addressed in a timely or proper manner may lead to a disaster.
True
True or False: An incident means there is a bigger problem that can occur; because incidents affect confidentiality, integrity, and availability, it is important to respond quickly to any security incident.
True
True or False: An incident response may include evacuation of a facility, initiating a disaster recovery plan (DRP), performing damage assessment, and any other measures necessary to bring an enterprise to a more stable status.
True
True or False: An organization's DRP or data recovery plan must provide the strategy for how data will be recovered and assign recovery responsibilities.
True
True or False: Assigning ownership and establishing chain of custody are part of the identification activity in an incident response plan.
True
True or False: At the end of the incident response process a report should always be developed to share what occurred: 1. write incident report; 2. analyze issues encountered during incident response efforts; 3. propose improvements; 4. present report to relevant stakeholders.
True
True or False: Backup procedures are used to copy files to a second medium such as a disk, tape, or the cloud. Backup files should be kept in an offsite location.
True
True or False: Disasters are disruptions that cause critical information resources to be inoperative for a period of time, adversely impacting organizational operations; the disruptions could be a few minutes to several months depending on the extent of damage to the information resource.
True
True or False: Disasters require recovery efforts to restore operational status.
True
True or False: If an individual gains logical or physical access without permission to a network, system, application, data or other resource, the correct incident category this would fall under is unauthorized access.
True
True or False: In order for a business continuity plan (BCP) to be effective, it must be aligned with the strategy of the organization.
True
True or False: In order to prepare for and identify an incident, organizations use a myriad of security tools, such as vulnerability assessments, firewalls, and intrusion detection systems (IDS), that collect a high volume of data.
True
True or False: Incident preparation involves the following activities: 1. establish approach to handling incidents; 2. establish policy and warning banners to deter intruders and allow information collection; 3. establish communication plan with stakeholders; 4. develop incident reporting criteria; 5. develop process to activate the incident management team; 6. establish secure location to execute the incident response plan; 7. ensure equipment needed is available.
True
True or False: Incident response is the name of a formal program that prepares an entity for an incident.
True
True or False: Log data overload can be mitigated by employing security event management (SEM).
True
True or False: Obtaining and preserving evidence, documenting actions, and managing public communications are actions associated with incident containment.
True
True or False: Once human safety plans are in place, the additional purpose of business continuity planning (BCP/disaster recovery planning/DRP) is to enable a business to continue offering critical services in the event of a disruption, and to survive a disastrous interruption to activities.
True
True or False: Physical incidents may include: social engineering and lost or stolen laptops or mobile devices.
True
True or False: Post incident activities typically include the following: communicating findings to key stakeholders; proposing improvements; and writing an incident report.
True
True or False: Recovery time objective (RTO) is the term for the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it is usually determined based on the point where the ongoing cost of the loss is equal to the cost of recovery.
True
True or False: Security Event Management (SEM) automatically aggregates and correlates security event log data across multiple security devices allowing security analysts to focus on a manageable list of critical events.
True
True or False: Senior management is responsible for the business continuity plan because they are entrusted with safeguarding the assets and the viability of the organization.
True
True or False: Some disasters are natural calamities (earthquakes, floods, tornadoes, and fire); others are caused by humans, such as terrorists, hacker attacks, viruses, or human error.
True
True or False: Technical incidents include: viruses, malware, denial of service, and system failure.
True
True or False: Technical information security incidents may involve: viruses, malware, or denial of service (DoS).
True
True or False: The Information System BCP should be aligned with the strategy of the organization.
True
True or False: The Information System BCP/DRP is a major component of an organization's overall business continuity and disaster recovery strategy. If the IS plan is a separate plan, it must be consistent with and support the corporate BCP.
True
True or False: The business continuity plan (BCP) is generally followed by the business and supporting units to provide a reduced but sufficient level of functionality in the business operations immediately after encountering an interruption, while recovery is taking place.
True
True or False: The business impact analysis (BIA) should consider the following: potential vulnerabilities; efficiency and effectiveness of risk countermeasures; and probability of occurrence of threats.
True
True or False: The business impact analysis provides the basis for business continuity planning which determines recovery time objectives, recovery point objectives, maximum tolerable outages, and service delivery objectives.
True
True or False: The business impact analysis should answer what the different business processes are, the critical information resources related to an organization's critical business processes, and the critical recovery time period for information resources before significant or unacceptable losses are suffered.
True
True or False: The most important objective of a business continuity plan (BCP) is: ensuring safety and security of human life.
True
True or False: When it comes to disaster recovery, the number one priority is ensuring the safety and security of human life; this includes plans for drills, evacuation plans and on-site shelters.
True
True or False: SEM or Security Event Management is an emerging solution used to address the problem that security teams have in analyzing and interpreting an overwhelming amount of data to prepare for and identify an incident; this problem is referred to as log data overload.
True
Which cybersecurity incident category does the following fall under: individual gains logical or physical access without permission to a network, system, application, data, or other resource? 1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
Unauthorized access
What are the 3 types of backups?
1. Full backups; 2. Incremental backups; 3. Differential backups
What 4 activities are included as part of incident response?
1. Preparation; 2. Detection; 3. Recovery; 4. Post incident Activity
What are the 5 phases of incident response?
1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
What is the hierarchy of potential damage from high to low 1-5?
1. Event; 2. Incident; 3. Emergency; 4. Disaster; 5. Crisis
What are the 5 categories of cybersecurity incidents?
1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
How would these 9 business continuity tasks be placed in order: 1. audit the plan; 2. maintain plans; 3. prepare business impact analysis (BIA); 4. choose strategy to recover critical IS facilities; 5. develop business continuity plan; 6. train staff and test plans; 7. develop disaster recovery plan; 8. store plans for ease of access despite network failure; 9. identify and prioritize required resources.
1. prepare business impact analysis (BIA); 2. identify and prioritize required resources; 3. choose strategy to recover critical IS facilities; 4. develop disaster recovery plan; 5. develop business continuity plan; 6. train staff and test plans; 7. maintain plans; 8. store plans for ease of access despite network failure; 9. audit the plans
What is the term for any major incident which has grown out of control and increased in severity?
A crisis
What event must happen to involve fallback plans?
A disaster
Which of the following categories of cybersecurity incidents does the following apply to: any activity that seeks to access or identify a computer, open ports, protocols, services, or any combination of the above? 1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
Attempted access
Which hierarchical level of potential damage is more serious and implies that a major incident is spiraling out of control and growing in severity; if this particular team decides to meet, it is a very serious situation? 1. Event; 2. Incident; 3. Emergency; 4. Disaster; 5. Crisis
Crisis
What is the term for a plan used by an enterprise to respond to a disruption of critical business processes; it depends on the contingency plan for restoration of critical systems?
Business Continuity Plan (BCP)
What is the term for a group of people integrated at the enterprise with clear lines of reporting and responsibilities for standby support in case of an information systems emergency; this group will act as an efficient corrective control, and should also act as a single point of contact for all incidents and issues related to information systems?
Computer Emergency Response Team (CERT)
What is the term for a team established within an enterprise to respond to computer security incidents?
Computer Security Incident Response Team (CSIRT)
Which of the following categories of cybersecurity incidents does the following apply to: an attack that successfully prevents or impairs normal authorized functionality of networks, systems, or applications by exhausting resources? 1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
Denial of Service (DoS)
Which phase of incident response identifies incidents as early as possible and effectively assesses the nature of the incident? 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Detection and Analysis
Which type of backup copies only the files that have changed since the last full backup, so that the backup grows until the next full backup is performed? 1. Full backups; 2. Incremental backups; 3. Differential backups
Differential backups
Which level of hierarchy of potential damage suggests a much larger level of impact or damage; declaring this often invokes fallback plans? 1. Event; 2. Incident; 3. Emergency; 4. Disaster; 5. Crisis
Disaster
Which level in the hierarchy of potential damage generally suggests a serious local incident, requiring management attention? 1. Event; 2. Incident; 3. Emergency; 4. Disaster; 5. Crisis
Emergency
Which of the following is not included as part of incident preparation: 1. Establish approach to handling incidents; 2. Develop incident reporting criteria; 3. Establish chain of custody; 4. Establish communication plan with stakeholders?
Establish chain of custody is not included.
Which type of backup provides a complete copy of every selected file on the system, regardless of whether it was backed up recently, and is the slowest backup method but the fastest method for restoring data? 1. Full backups; 2. Incremental backups; 3. Differential backups
Full backups
Which of the following categories of cybersecurity incident applies: authenticates identity of sender and receiver to ensure privacy of message contents (including attachments)? 1. Unauthorized access; 2. Denial of service (DoS); 3. Malicious code; 4. Improper Usage; 5. Scans/Probes/Attempted Access; 6. Investigation
Improper Usage
Which NIST definition means a violation or imminent threat to computer security policies, acceptable use policies, or standard security practices? 1. Event; 2. Incident; 3. Emergency; 4. Disaster; 5. Crisis
Incident
Which is the following an example of: multiple failed login attempts from an unfamiliar system; denial of service; or changes to hardware or software without owner's consent: [incident or event]?
Incident
Which incident response phase uses procedures to contain the incident, reduce losses, and return operations to normal? 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Mitigation or recovery
Which incident response phase determines corrective action to prevent similar incidents in the future? 1. Detection and analysis phase; 2. Containment; 3. Eradication; 4. Recovery; 5. Post-incident activity
Post-incident activity
What is the term for the last known point of good data in a disaster recovery plan (DRP), which is the earliest point in time to which it is acceptable to recover data?
Recovery Point Objective
Who is responsible for business continuity planning (BCP)?
Senior management
What is the term, directly related to business needs, for the level of services to be reached during the alternate process mode until the normal situation is restored?
Service Delivery Objective (SDO)
True or False: A Business Continuity Plan (BCP) is a strategy used by an enterprise to respond to a disruption of critical business processes?
True