Cyber 342W Chapter 1-6 Quiz Question Practice
In contingency planning, a(n) _________ that threatens the security of the organization's information is called an _________. Adverse event; incident Incident; adverse event Hard time; adverse event Hard time; incident
Adverse event; incident
In an organization, unexpected events occur periodically; these are referred to as ___________. Hard times Adverse events Exploits Incidents
Adverse events
At the end of every test, exercise, or assessment function, the group should assemble for an ______. Hotwash Debriefing Structured Review After Action Review
After Action Review
What is the rule of three? Never update all three of your servers simultaneously Three people should always be on call for every organization in case of emergency An organization should keep three levels of computer systems available An organization should keep three levels of computer systems unavailable
An organization should keep three levels of computer systems available
The _____ approach focuses on the identification and apprehension of the intruder with additional attention given to the collection and preservation of evidentiary materials that might support administrative or criminal prosecution. Apprehend and Prosecute Name and Shame Dox Protect and Forget
Apprehend and Prosecute
A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site. Business Continuity Plan Risk Assessment Plan Incident Response Plan Disaster Recovery Plan
Business Continuity Plan
A _______ is an investigation and assessment of the impact that various events or incidents can have on the organization. Business Impact Analysis Event Recovery Analysis Risk Assessment Vulnerability Assessment
Business Impact Analysis
A task performed by an organization or organizational subunit in support of the organization's overall mission. Recovery Process Recovery Operations Business Operations Business Process
Business Process
The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe. CIA Triangle Disaster Recovery Plan Strategic Plan Asset Clarification
CIA Triangle
In some organizations, the ______ may simply be a loose or informal association of IT and InfoSec staffers who are called up if an attack on the organization's information assets is detected. SOC Red Team CSIRT IRP Team
CSIRT
The CISO should select members from each community of interest to form the _______ that will execute the IR plan. SOC SIRT IRP Team CSIRT
CSIRT
_________ is a set of people, policies, procedures, technologies, and information necessary to detect, react to, and recover from an incident that could potentially result in unwanted modification, damage, destruction, or disclosure of the organization's information. Red Team CSIRT IRP Team SOC
CSIRT
When the measured activity is outside the previously-known-good parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator). Baseline Level Footprint Level Clipping Level Root Level
Clipping Level
A(n) _____ is the collection of individuals responsible for the overall planning and development of the contingency planning process, including the organization of subordinate teams and oversight of subordinate plans. Contingency Planning Management Team Champion Management of Contingency Planning Team Senior Management Team
Contingency Planning Management Team
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network. Denial of Service DNS Cache Poisoning Port Mirroring Evasion
DNS Cache Poisoning
____ are used for recovery from disasters that threaten on-site backups. Data Backups Data Archives RAID systems Electronic Vaulting Sites
Data Archives
____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability. Defense Acceptance Transference Mitigation
Defense
A ____ attack seeks to prevent legitimate users access to services by either tying up a server's available resources or causing it to shut down. Denial of service Trojan Horse Social Engineering Spyware
Denial of service
A(n) ____ backup only archives the files that have been modified since the last full backup. Copy Differential Incremental Daily
Differential
A valid attack is classified as an information security incident when it has all of the following: Directed against information assets owned or operated by the organization Realistic chance of success Threatens the confidentiality, integrity, or availability of information resources and assets Data exfiltration from the target network
Directed against information assets owned or operated by the organization Realistic chance of success Threatens the confidentiality, integrity, or availability of information resources and assets
A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made. Disaster Recovery Plan Mitigation Plan Risk Management Plan Risk Assessment Plan
Disaster Recovery Plan
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor, with a ____ backup strategy. Disk-to-Disk-to-Tape RAID Differential Disk-to-Disk-to-Cloud
Disk-to-Disk-to-Cloud
Which of the following is not part of the BIA? IT Application Logs Production Schedules Financial Reports Employees' Schedules
Employees' Schedules
Because CSIRT opportunities are typically ancillary to the CSIRT member's day-to-day job, managers don't need to worry about burnout. True False
False
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____. System Crashes Unusual Definite Indicators Reported Attacks False Positives
False Positives
If an intruder can ____ a device, then no electronic protection can deter the loss of information. Packet Sniff Trap and Trace Log and Monitor Have Physical Access
Have Physical Access
____ are closely monitored network decoys that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation. Packet Exchangers Trap and Trace Systems Log File Monitors Honeypots
Honeypots
A ____ is a synonym for a virtualization application. Virtual Machine Host Platform Virtual Hardware Hypervisor
Hypervisor
When using virtualization, it is commonplace to use the term ____ to refer to the system that provides a virtualized environment in or on a host platform. Host Machine Hypervisor VMware Virtual Machine
Hypervisor
The ______ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident. IR Watch Officer Team leader CSIRT Overlord IR Duty Officer
IR Duty Officer
The two ways to evaluate CSIRT effectiveness are: IR plan tests and war games War games and annual reviews IR plan tests and CSIRT performance measures CSIRT performance measures and war games
IR plan tests and CSIRT performance measures
Effective Contingency Planning should contain all of the following except: Introductory statement of philosophical perspective Identification of key pieces of hardware to recover Statement of scope and purpose of the CP operations A call for periodic ri
Identification of key pieces of hardware to recover
A(n) ___________ is a detailed set of processes and procedures that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets. Incident Response Plan Business Continuity Plan Disaster Recovery Plan Continuity of Operations Plan
Incident Response Plan
_______ is a set of procedures that commence when an incident is detected. Incident detection Response to incidents Incident response Continuity of operations
Incident response
A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident. Signal Indication Precursor Inactive System
Indication
What is the number one budgetary expense for disaster recovery? Hardware Insurance Secondary location Employee overtime
Insurance
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states. Integrity Risk Assessment Availability Confidentiality
Integrity
Represents the total amount of time the system owner/authorizing official is willing to accept for a mission/business process outage or disruption and includes all impact considerations. Recovery Point Objective Minimum Tolerable Downtime Recovery Time Objective Maximum Tolerable Downtime
Maximum Tolerable Downtime
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation. Mitigation Transference Avoidance Acceptance
Mitigation
A backup plan using WAN/VLAN replication and a recovery strategy using a warm site is most suitable for information systems that have ____ priority within an organization. Critical Low High Moderate
Moderate
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device. IDPS Console TCP/IP Sensor Monitoring Port External Router
Monitoring Port
A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment. Remote Journal Storage Area Network Network-Attached Storage Virtual Machine Monitor
Network-Attached Storage
The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications. Wiretap Act Electronic Communication Protection Act Pen/Trap Statute Fourth Amendment of the U.S. Constitution
Pen/Trap Statute
Which of the following is not part of IR Plan Testing? Walk Throughs Desk Checking Parallel Testing Penetration Testing
Penetration Testing
A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots. User Mode Kernel Mode Memory Based Persistent
Persistent
A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization. Policy Self-Assessment Business Continuity Plan Residual Risk Mitigation Plan
Policy
A(n) ____ is an extension of an organization's intranet into cloud computing. Public Cloud Private Cloud Application Cloud Community Cloud
Private Cloud
In the ____ approach, the focus is on the defense of the data and the systems that house, use, and transmit it. Set and Forget Apprehend and Prosecute Hack Back Protect and Forget
Protect and Forget
There are multiple philosophies for incident response. On either end of the spectrum are: Protect and Forget; Apprehend and Prosecute Protect and Forget; Hack back Set and Forget; Hack Back Set and Forget; Apprehend and Prosecute
Protect and Forget; Apprehend and Prosecute
____ uses a number of hard drives to store information across multiple drive units. Virtualization Legacy Backups Continuous Database Protection RAID
RAID
The point in time to which lost systems and data can be recovered after an outage as determined by the business unit. Recovery Time Objective Recovery Point Objective Maximum Tolerable Downtime Maximum Recovery Time
Recovery Point Objective
The period of time within which systems, applications, or functions must be recovered after an outage. Minimum Tolerable Downtime Recovery Time Objective Maximum Tolerable Downtime Recovery Point Objective
Recovery Time Objective
A typical CSIRT needs experience in all of the following except: Cryptography Red teaming System administration Network administration
Red teaming
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage. Replication Business Resumption Incident Response Retention
Retention
The use of IDPS sensors and analysis systems can be quite complex. One very common application is an open source software program called ____, which runs on a UNIX or Linux system and can be managed and queried from a desktop computer using a client interface. Snort Detector Match Sniff
Snort
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset. Threat Payload Trojan Horse Data Repository
Threat
The term ____ refers to a broad category of electronic and human activities in which an unauthorized individual gains access to the information an organization is trying to protect. Trespass Theft Polymorphism Denial-of-Service
Trespass
The ____ is/are the circumstances that cause the IR team to be activated and the IR plan to be initiated. Trigger Vulnerability Hackers Threat
Trigger
According to NIST, ________ is an additional service that an IR team might offer. Hacking Desk Checking Vulnerability Assessment Penetration Testing
Vulnerability Assessment
A favorite pastime of information security professionals is ______, which is a simulation of attack and defense activities using realistic networks and information systems, with the exercise of IR plans being an important element. Credential Reuse Hacking Spear Phishing War Gaming
War Gaming