Domain 4: Incident Management


Which of the following should be the FIRST action to take when a fire spreads throughout the building? Check the facility access logs. Call together the crisis management team. Launch the disaster recovery plan. Launch the business continuity plan.

A is the correct answer. Justification Safety of people always comes first; therefore, verifying access logs of personnel to the facility should be the first action in order to ensure that all staff can be accounted for. Calling the crisis management team together should be done after the initial emergency response (i.e., evacuation of people). Launching the disaster recovery plan is not the first action. Launching the business continuity plan is not the first action.

Which of the following actions is the BEST to ensure that incident response activities are consistent with the requirements of business continuity? Develop a scenario and perform a structured walk-through. Draft and publish a clear practice for enterprise-level incident response. Establish a cross-departmental working group to share perspectives. Develop a project plan for end-to-end testing of disaster recovery.

A is the correct answer. Justification A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. Publishing an enterprise-level incident response plan would be effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. Sharing perspectives is valuable, but a working group does not necessarily lead to action ensuring that the interface between plans is workable. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.

The PRIMARY reason for senior management review of information security incidents is to: ensure adequate corrective actions were implemented. demonstrate management commitment to the information security process. evaluate the incident response process for deficiencies. evaluate the ability of the security team.

A is the correct answer. Justification Although some corrective actions were taken by the security team and the incident response team, management review will establish whether any other corrective actions need to be taken. Sometimes this will result in improvements to information security policies. Management will not review information security incidents merely to demonstrate management commitment. Management will not perform a review for fault finding, such as examining the incident response process for deficiencies or evaluating the ability of the security team.

What is the MOST appropriate IT incident response management approach for an enterprise that has outsourced its IT and incident management function? A tested plan and a team to provide oversight An individual to serve as the liaison between the parties Clear notification and reporting channels A periodic audit of the provider's capabilities

A is the correct answer. Justification An approved and tested plan will provide assurance of the provider's ability to address incidents within an acceptable recovery time, and an internal team's ability to provide oversight and liaison functions that ensure the response is executed according to plan. Identifying a liaison is not sufficient by itself to provide assurance of adequate incident response performance. Notification and reporting is not a sufficient assurance of suitable response activities and provides no capability for input, participation or addressing related issues in a timely manner. Audits provide a periodic snapshot of the sufficiency of the provider's plans and capabilities but are not adequate to manage collateral and consequential issues in the event of a significant incident.

Which of the following should be the FIRST step an incident response team should take when ransomware is identified on a number of workstations? Remove the affected systems from the network. Notify the system owners. Restore the affected workstations from backups. Review event logs to identify other infected systems.

A is the correct answer. Justification Because ransomware spreads quickly and could damage more systems, the most effective response is to contain the incident by removing affected systems from the network. This option represents the containment phase, which is the first step after confirming the incident. The information security manager has a responsibility to protect the enterprise, so containment would be the priority in this situation. The time taken to notify system owners would allow the ransomware infection to spread to other systems. Notification would occur after containing the incident. Attempting to restore from backups could allow the backups to be infected and would destroy evidence needed to investigate the incident. The uncontained ransomware infection would spread to other systems while the logs were being reviewed.

A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following? Invalid logon attempts Write access violations Concurrent logons Firewall logs

A is the correct answer. Justification Because the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Write access violations would not necessarily be observed because the information was merely copied and not altered. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity; concurrent usage is common in this situation. Firewall logs would not necessarily contain information regarding logon attempts.

Which of the following provides the BEST confirmation that the business continuity plan/disaster recovery plan (BCP/DRP) objectives have been achieved? The recovery time objective was not exceeded during testing. Objective testing of the BCP/DRP has been carried out consistently. The recovery point objective was proved inadequate by DRP testing. Information assets have been valued and assigned to owners according to the BCP/DRP.

A is the correct answer. Justification Consistent achievement of recovery time objectives during testing provides the most objective evidence that business continuity plan/disaster recovery plan (BCP/DRP) objectives have been achieved. Objective testing of the BCP/DRP will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning. If the recovery point objective is inadequate, the objectives of BCPs have not been achieved. Mere valuation and assignment of information assets to owners (according to the BCP/DRP) will not serve as a basis for evaluating the alignment of the risk management process in business continuity/disaster recovery planning.

Addressing the root cause of an incident is one aspect of which of the following incident management processes? Eradication Recovery Lessons learned Containment

A is the correct answer. Justification Determining the root cause of an incident and eliminating it are key activities that occur as part of the eradication process. Recovery focuses on restoring systems or services to conditions specified in service delivery objectives (SDOs) or business continuity plans (BCPs). Lessons learned are documented at the end of the incident response process, after the root cause has been identified and remediated. Containment focuses on preventing the spread of damage associated with an incident, typically while the root cause either is still unknown or is known but cannot yet be remediated.

Which of the following is the PRIMARY focus of incident response following a data breach? Root cause analysis Restore systems to production Identify changes to security Prevent reoccurrence of the breach

A is the correct answer. Justification Following the eradication phase, the enterprise needs to understand the cause of the incident to ensure that it implements appropriate additional controls, fixes control lapses and is able to start the recovery process. Before systems are restored, the enterprise must first identify the cause. Before changes can be implemented, the cause of the incident must be understood. Preventing reoccurrence is an important part of the lessons learned phase. Analysis is needed before the enterprise can protect against future breaches.

Which of the following choices is a characteristic of security information and event management (SIEM) technology? SIEM promotes compliance with security policies. SIEM is primarily a means of managing residual risk. SIEM replaces the need to install a firewall. SIEM provides a full range of compensating controls.

A is the correct answer. Justification If properly deployed, configured and tuned, security information and event management (SIEM) can provide information on policy compliance, incident monitoring and other capabilities. SIEM is not used to manage residual risk. SIEM is an automated review of logs through aggregation and correlation and does not replace the need for firewalls. SIEM provides a series of detective controls, not compensating controls.

Which of the following MOST effectively reduces false-positive alerts generated by a security information and event management process? Building use cases Conducting a network traffic analysis Performing an asset-based risk assessment The quality of the logs

A is the correct answer. Justification Implementing a security information and event management (SIEM) process helps ensure that incidents are correctly identified and handled appropriately. Because a SIEM process depends on log analysis based on predefined rules, the most effective way to reduce false-positive alerts is to develop use cases for known threats to identified critical systems. The use cases would then inform development of appropriate rules for the SIEM solution. Although security monitoring requires traffic analysis, only properly defined use cases can ensure that the rules are accurately defined and that events are properly identified, thereby reducing false-positive alerts. A risk assessment will not reduce false-positive alerts. The quality of the logs can affect alerts but is usually a minor consideration.
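The two SIEM-related answers above (invalid logon attempts as the signal for a guessed shared-admin password, and use cases as the way to cut false positives) can be shown in one piece of detection logic. This is an added example, not code from the page or from any SIEM product: a generic "N failed logons" rule is run beside a use-case rule scoped to a critical host and a shared administrative account, keyed on the source address because concurrent sessions on a shared account are normal. The log format, host names, account names, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):
    ts: datetime
    host: str
    result: str   # "FAILED_LOGIN" or "LOGIN_OK"
    user: str
    src: str

# Constructed syslog-like format: "<iso-timestamp> <host> <result> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>FAILED_LOGIN|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a user mistyping a password on a web host, a guessing
# burst against the shared "dbadmin" account on the database host that ends in a
# success, a legitimate concurrent dbadmin session from another address, and a
# single stray failure for a service account.
SAMPLE_LOG = """\
2024-05-01T09:58:10 web03 FAILED_LOGIN user=jsmith src=10.0.9.4
2024-05-01T09:58:14 web03 FAILED_LOGIN user=jsmith src=10.0.9.4
2024-05-01T09:58:19 web03 FAILED_LOGIN user=jsmith src=10.0.9.4
2024-05-01T09:58:25 web03 FAILED_LOGIN user=jsmith src=10.0.9.4
2024-05-01T09:58:31 web03 LOGIN_OK user=jsmith src=10.0.9.4
2024-05-01T10:00:01 db01 FAILED_LOGIN user=dbadmin src=10.0.5.23
2024-05-01T10:00:02 db01 FAILED_LOGIN user=dbadmin src=10.0.5.23
2024-05-01T10:00:02 db01 FAILED_LOGIN user=dbadmin src=10.0.5.23
2024-05-01T10:00:03 db01 FAILED_LOGIN user=dbadmin src=10.0.5.23
2024-05-01T10:00:04 db01 FAILED_LOGIN user=dbadmin src=10.0.5.23
2024-05-01T10:00:05 db01 FAILED_LOGIN user=dbadmin src=10.0.5.23
2024-05-01T10:00:06 db01 LOGIN_OK user=dbadmin src=10.0.5.23
2024-05-01T10:01:00 db01 LOGIN_OK user=dbadmin src=10.0.7.9
2024-05-01T10:02:30 db01 FAILED_LOGIN user=svc_backup src=10.0.6.2
"""

def parse(text):
    """Parse log lines into Events, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)

def naive_failed_logon_rule(events, threshold=3):
    """Generic rule: alert once any account reaches `threshold` failures on any
    host. Easy to write, but it fires on ordinary mistyped passwords too."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        if e.result == "FAILED_LOGIN":
            failures[(e.host, e.user)] += 1
            if failures[(e.host, e.user)] == threshold:
                alerts.append((e.host, e.user, "failed-logon threshold"))
    return alerts

def password_guessing_use_case(events, critical_hosts, admin_accounts,
                               threshold=5, window=timedelta(minutes=2)):
    """Use case: a burst of failures against a shared admin account on a critical
    host, followed by a success from the SAME source inside the window. Keying on
    (host, account, source) is what keeps legitimate concurrent sessions quiet."""
    recent = defaultdict(list)   # (host, user, src) -> timestamps of recent failures
    alerts = []
    for e in events:
        if e.host not in critical_hosts or e.user not in admin_accounts:
            continue
        key = (e.host, e.user, e.src)
        if e.result == "FAILED_LOGIN":
            recent[key] = [t for t in recent[key] if e.ts - t <= window] + [e.ts]
        elif e.result == "LOGIN_OK":
            burst = [t for t in recent[key] if e.ts - t <= window]
            if len(burst) >= threshold:
                alerts.append((e.host, e.user, e.src,
                               f"{len(burst)} failures then success"))
            recent[key] = []
    return alerts

def run_demo():
    events = parse(SAMPLE_LOG)
    return {
        "naive": naive_failed_logon_rule(events),
        "use_case": password_guessing_use_case(events, {"db01"}, {"dbadmin"}),
    }

if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts)
```

On the sample data the naive rule raises two alerts (the web-host typo and the database host), while the use-case rule raises one, for dbadmin from 10.0.5.23 only; the concurrent dbadmin session from 10.0.7.9 produces nothing, which is the concurrent-logon point from the earlier answer.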

The PRIMARY purpose of involving third-party teams for carrying out post-incident reviews of information security incidents is to: enable independent and objective review of the root cause of the incidents. obtain support for enhancing the expertise of the third-party teams. identify lessons learned for further improving the information security management process. obtain better buy-in for the information security program.

A is the correct answer. Justification It is always desirable to avoid the conflict of interest involved in having the information security team carry out the post-incident review. Obtaining support for enhancing the expertise of the third-party teams is one of the advantages but is not the primary driver. Identifying lessons learned for further improving the information security management process is the general purpose of carrying out the post-incident review. Obtaining better buy-in for the information security program is a secondary reason for involving third-party teams.

Which of the following is the MOST important consideration for an enterprise interacting with the media during a disaster? Communicating specially drafted messages by an authorized person Refusing to comment until recovery Referring the media to the authorities Reporting the losses and recovery strategy to the media

A is the correct answer. Justification Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements made that may damage reputation. Refusing to comment until recovery is recommended until the message to be communicated is made clear and the spokesperson has spoken to the media. Referring the media to the authorities is not recommended. Reporting the losses and recovery strategy to the media is not recommended.

A security operations center detected an attempted structured query language injection but could not determine if it was successful. Which of the following resources should the information security manager approach to assess the possible impact? Application support team Business process owner Network management team System administrator

A is the correct answer. Justification Structured query language (SQL) injection is an application-based attack. Because the security operations center has detected an attempt of SQL injection and could not determine if it was successful, the information security manager should approach the application support group that has access to data in order to identify the impact. The business process owner may help the application support group determine the overall impact, after it has been determined if the attack has been successful. Because SQL injection is an application-based attack, the network management team is not the best resource to assess the possible impact. The system administrator is not the best resource to assess the possible impact but may assist the application support team and assist with incident response activities, should the attack have been successful.

The PRIMARY factor determining maximum tolerable outage is: available resources. operational capabilities. long haul network diversity. last mile protection.

A is the correct answer. Justification The main variable affecting the ability to operate in the recovery site is adequate resource availability, such as diesel fuel to operate generators. Although resources would be taken into account during initial calculation of the maximum tolerable outage (MTO), circumstances associated with disaster recovery frequently have unexpected impacts on availability of resources. As a result, the expectations may not be met during real-world events. The operational capabilities of the recovery site would have been predetermined and factored into the MTO. Long haul diversity does not affect MTO. Last mile protection does not affect MTO.

Which of the following practices would BEST ensure the adequacy of a disaster recovery plan? Regular reviews of recovery plan information Tabletop walkthrough of disaster recovery plans Regular recovery exercises using expert personnel Regular audits of disaster recovery facilities

A is the correct answer. Justification The most common failure of disaster recovery plans is lack of current essential operational information. Tabletop walkthroughs are useful only if the information about systems and versions is up-to-date. Recovery exercises are critical for testing plans and procedures. However, using expert personnel makes the recovery tests less useful because experts already have the knowledge to recover systems without using plans and written procedures, and there is no assurance that in a real disaster they would be available. Audits can be helpful, but they are typically infrequent and use sampling; therefore, they provide limited and only occasional assurance that information in recovery plans is up-to-date.

The triage phase of the incident response plan provides: a snapshot of the current status of all incident activity reported. a global, high-level view of the open incidents. a tactical review of an incident's progression and resolution. a comprehensive basis for changes to the enterprise architecture.

A is the correct answer. Justification Triage gives a snapshot based on both strategic and tactical reviews for the purposes of assigning limited resources to where they can be most effective. Triage addresses the tactical level of the incident to be able to determine the best path to resolution and does not focus exclusively on the high-level view. Triage provides a view of both the tactical and strategic levels and occurs prior to resolution. Triage occurs before root-cause analysis, so it does not provide a comprehensive basis for changes to the enterprise architecture.

When establishing effective incident escalation processes for the incident response team, it is PRIMARILY necessary to state how: long a member should wait for a response and what to do if no response occurs. critical the incident is and which business units are directly impacted. the incident is communicated to senior managers and other affected stakeholders. incident response team managers are informed quickly about high-risk incidents.

A is the correct answer. Justification When defining and establishing effective incident escalation processes, it is primarily relevant to state how long a team member should wait for an incident response and what to do if no response occurs. This is the necessary (initial) platform for all further steps of an effective escalation process. It is relevant to know how critical an incident is and which business units are impacted, but when establishing escalation processes, it is much more relevant to state how long a person should wait for a response and what to do if no response occurs. Communication to stakeholders is part of the incident response process, but it is more important to establish waiting times and alternative responses because time is of the essence. It is relevant to inform incident response team managers quickly, but initially it is more relevant to state how long a person should wait for a response and what to do if no response occurs.

Which of the following is MOST important when collecting evidence for forensic analysis? Ensure the assignment of qualified personnel. Request the IT department do an image copy. Disconnect from the network and isolate the affected devices. Ensure law enforcement personnel are present before the forensic analysis commences.

A is the correct answer. Justification Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved properly. The IT department is unlikely to have the necessary level of expertise and should, therefore, be prevented from taking action. Disconnecting from the network may be a prudent step prior to collecting evidence but does not eliminate the requirement for properly qualified forensic personnel. Notifying law enforcement will likely occur after the forensic analysis has been completed.

Which of the following activities is MOST likely to be performed during the eradication of a confirmed and successful information security incident? Identify and prevent the incident from spreading across the network. Remove and clean up all incident components from affected systems. Recover and return the impacted systems to normal operations. Categorize and assign a priority to the incident.

B is the correct answer. Justification Containment includes finding what the incident has impacted and limiting the extent to which it spreads across the network by isolating impacted systems or shutting them down after necessary evidence is collected. Eradicating the incident requires determining and eliminating the root cause so that it cannot cause further damage. Actions required to completely remove the incident threat from the network or systems include cleaning infected files, changing rules and configurations, and making backups in order to mitigate incident impacts. Restoring the system is simply returning the system to normal operations. This is accomplished after eradication, during the recovery phase of the incident. Identifying, confirming, categorizing and assigning a priority to an incident are performed during the detection phase of incident response.

Which of the following is the BEST way to protect evidence integrity on a device to make it admissible in a court of law? Create an image of the target device Install a write blocker on the device Scan for malicious software on the device Delete unnecessary files to reduce volume size

B is the correct answer. Justification Creating a forensic image of the device should be done only after ensuring the integrity of the device. A write blocker is used to maintain the integrity of the original storage media. It does so by preventing users from being able to write or modify information on the original storage media. Scanning a device for malicious software could modify the device, compromising its integrity. Modification of a device prior to creating a forensically sound image would compromise admissibility in a court of law.

When creating a forensic image of a hard drive, which of the following should be the FIRST step? Identify a recognized forensics software tool to create the image. Establish a chain of custody log. Connect the hard drive to a write blocker. Generate a cryptographic hash of the hard drive contents.

B is the correct answer. Justification Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options. The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody. Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established. Generating a cryptographic hash of the hard drive contents is another important subsequent step.
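The two forensic answers above give an order of operations: open the chain-of-custody record first, put write protection in place, then image and hash. The script below is an added example, not code from the page or from any forensic tool; it walks that sequence with a regular file standing in for the evidence drive so it runs offline, and uses a read-only file descriptor as the software stand-in for a write blocker (a hardware blocker remains the expected control for evidence that must be admissible). The case number, examiner name, file names and the 3 MiB of sample bytes are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024   # copy in 1 MiB blocks, like dd bs=1M

def _now():
    return datetime.now(timezone.utc).isoformat()

def record_custody(log_path, case_id, examiner, item, action, detail=""):
    """Append one chain-of-custody entry (who, what, when, why) as a JSON line."""
    entry = {"ts": _now(), "case": case_id, "examiner": examiner,
             "item": item, "action": action, "detail": detail}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()

def image_device(src, dst, log_path, case_id, examiner):
    """Custody log first, write protection second, imaging and hashing last.
    Returns both digests and whether they match."""
    item = os.path.basename(src)
    record_custody(log_path, case_id, examiner, item, "custody log opened", f"source={src}")

    # Software write protection: an O_RDONLY descriptor cannot write back to the
    # source. This mirrors the ordering only; it is not a hardware write blocker.
    fd = os.open(src, os.O_RDONLY)
    record_custody(log_path, case_id, examiner, item, "write protection applied", "O_RDONLY handle")

    src_hash = hashlib.sha256()
    with os.fdopen(fd, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(CHUNK_SIZE), b""):
            src_hash.update(chunk)   # hash the source bytes as they are read once
            d.write(chunk)           # and copy them bit-for-bit to the image
    src_digest = src_hash.hexdigest()
    record_custody(log_path, case_id, examiner, item, "imaged", f"image={dst}")

    # Re-read the written image independently and compare: this pair of digests
    # is the integrity evidence kept with the image.
    img_digest = sha256_of_file(dst)
    verified = img_digest == src_digest
    record_custody(log_path, case_id, examiner, item, "hashes compared",
                   f"source={src_digest} image={img_digest} match={verified}")
    return {"source_sha256": src_digest, "image_sha256": img_digest, "verified": verified}

def read_custody_log(log_path):
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]

def run_demo():
    """Build a constructed 3 MiB 'device' in a temp dir, image it, return results."""
    data = bytes(range(256)) * (3 * 4096)   # deterministic sample bytes, 3 MiB
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "evidence_disk.raw")
        dst = os.path.join(tmp, "evidence_disk.img")
        log = os.path.join(tmp, "custody.jsonl")
        with open(src, "wb") as f:
            f.write(data)
        result = image_device(src, dst, log, case_id="IR-2024-0001", examiner="A. Examiner")
        result["expected_sha256"] = hashlib.sha256(data).hexdigest()
        result["custody_actions"] = [e["action"] for e in read_custody_log(log)]
        return result

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real drive the source path would be the block device and the custody log would live on separate media from the image; the point the script makes is that the hash of the source and the hash of the image are computed and recorded independently, so a mismatch is caught before the image is ever analyzed.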

The PRIMARY way in which incident management adds value to an enterprise is by: reducing the overall threat level. optimizing risk management efforts. eliminating redundant recovery plans. streamlining the reporting structure.

B is the correct answer. Justification Incident management focuses on prevention, containment and restoration activities and does not reduce the threat level. Incident management is a component of risk management that can provide an optimal balance between prevention, containment and restoration. Recovery plans are created by business and process owners. Incident management should ideally be integrated with continuity and recovery plans, but an enterprise does not seek to evaluate these plans for redundancy. Reporting structures are typically created for business reasons. Incident management may play a role in clarifying or modifying the structures used for reporting incidents in particular, but streamlining the reporting structure is not the primary way in which incident management adds value to an enterprise.

The typical requirement for security incidents to be resolved quickly and service restored is: always the best option for an enterprise. often in conflict with effective problem management. the basis for enterprise risk management activities. a component of forensics training.

B is the correct answer. Justification Quickly restoring service will not always be the best option, such as in cases of criminal activity, which require preservation of evidence precluding use of the systems involved. Problem management is focused on investigating and uncovering the root cause of incidents, which will often be a problem when restoring service compromises the evidence needed. Managing risk goes beyond the quick restoration of services (e.g., if doing so would increase some other risk disproportionately). Forensics is concerned with legally adequate collection and preservation of evidence, not with service continuity.

Which of the following choices is the PRIMARY purpose of maintaining an information security incident history? To provide evidence for forensic analysis To record progress and document exceptions To determine a severity classification of incidents To track errors to assign accountability

B is the correct answer. Justification Recording incidents helps in providing evidence for forensic analysis in case legal action is required, but that may or may not be the primary requirement for all incidents. Recording information security incidents helps in maintaining a record of events from detection of the incident to closure of the incident. This helps the incident management teams to ensure that all related aspects required for resolving, closing and preventing recurrence of incidents are covered. Recording incidents helps in identifying all required parameters for determining a severity classification; however, incident management is focused on containment, prevention and recovery. Tracking errors to assign accountability is not the primary purpose for recording details of information security incidents. Process improvement is the primary purpose.

Malware has spread through multiple departments in an enterprise after an employee installed software from a universal serial bus (USB) drive. Which of the following is the MOST crucial to successful containment of the incident? Restoring servers Protecting evidence Training employees Updating management

B is the correct answer. Justification Restoring servers is important; however, it is not related to containment and usually occurs after containment. There is a delicate balance between protecting evidence from an incident and containing an incident to prevent further impact. If evidence is destroyed, it may be difficult to determine the root cause and prosecute the attacker. Training employees is important; however, it is not related to containment and usually occurs as a protective measure. Updating management is important; however, it is not related to containment.

Which of the following should be performed FIRST in the aftermath of a denial-of-service (DoS) attack? Restore servers from backup media stored offsite. Conduct an assessment to determine system status. Perform an impact analysis of the outage. Isolate the screened subnet.

B is the correct answer. Justification Servers may not have been affected, so it is not necessary at this point to rebuild any servers. An assessment should be conducted to determine the overall system status and whether any permanent damage occurred. An impact analysis of the outage will not provide any immediate benefit. Isolating the screened subnet after the attack has ended is after the fact and will not provide any benefit.

Which of the following should be determined FIRST when establishing a business continuity program? Cost to rebuild information processing facilities Incremental daily cost of the unavailability of systems Location and cost of offsite recovery facilities Composition and mission of individual recovery teams

B is the correct answer. Justification The cost to rebuild information processing facilities would not be the first thing to determine. Prior to creating a detailed business continuity plan, it is important to determine the incremental daily cost of losing different systems. This will allow recovery time objectives to be determined. Location and cost of a recovery facility cannot be addressed until the potential losses are calculated, which will determine the type of recovery site that is needed—and this will affect cost. Individual recovery team requirements will occur after the requirements for business continuity are determined.

Forensic investigators can determine what is currently happening on a system by examining: a bit-by-bit copy. isolated systems. volatile data. the original media.

C is the correct answer. Justification A bit-by-bit copy of the data is an imaging activity, and imaging of volatile memory is not possible using this method. Both isolated and live systems can be forensically analyzed. Volatile data are only present while the computer is running. During an investigation, volatile data can contain critical information that would be lost if not collected first. For example, many types of malware are designed to be present in the computer's memory while it is operating and to disappear when the computer is turned off, leaving no trace. Forensic analysis should never be done on original media, and the original media will not provide information regarding volatile memory.

Major security events with serious legal implications should be communicated to: appropriate civil authorities when there has been a crime committed. management after the incident has been verified and the severity determined. all affected stakeholders, including legal and the insurance carrier. only to human resources and the legal department for appropriate action.

B is the correct answer. Justification There are few, if any, circumstances in which the information security manager should contact external authorities directly. Communication regarding security events, particularly ones that have legal implications, is a business decision that is the responsibility of management. It is the decision of management to determine which stakeholders and external entities should be informed. This process should be detailed in the enterprise's incident response communication plan. Human resources and legal would not be the only departments to engage in communications in this situation.

If an enterprise has a requirement for continuous operations, which of the following approaches would be BEST to test response and recovery? A full interruption test A simulation test A parallel test A structured walk-through

C is the correct answer. Justification A full interruption test, in which operations are shut down at the primary site and shifted to the recovery site, is the most stringent form of response and recovery testing, but it is potentially disruptive. Even though the enterprise in this scenario might accept the cost of such a test, the need for continuous operations makes it inappropriate. Simulation testing addresses people and processes but does not address startup recovery-site operations; therefore, it provides a lower level of assurance than a parallel test would provide. The enterprise in this scenario requires continuous operations. A parallel test, in which operations are brought online at the recovery site alongside primary-site operations, is the closest an enterprise can come to full testing without risking a business impact; therefore, it is the best fit for the requirement. Structured walk-throughs are pen-and-paper activities. A walk-through may help identify constraints, deficiencies and opportunities for enhancement, but the level of assurance it provides is low relative to a parallel test.

Which of the following is MOST important in determining whether a disaster recovery test is successful? Only business data files from offsite storage are used. IT staff fully recovers the processing infrastructure. Critical business processes are duplicated. All systems are restored within recovery time objectives.

C is the correct answer. Justification Although ensuring that only materials taken from offsite storage are used in the test is important, it is not as critical in determining a test's success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Achieving recovery time objectives is an important milestone, but it does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.

An enterprise decides its old recovery facility is no longer adequate because it is not capable of operation for an extended period. The enterprise decides to build a new facility in another location that would address the major shortcomings of the old site and provide more space for possible future expansion. Until the new facility is completed, which of the following objectives for recovery will have to be changed? Maximum tolerable outage Recovery point objective Service delivery objective Allowable interruption window

C is the correct answer. Justification Although the current recovery facility cannot satisfy the maximum tolerable outage (MTO), that does not change the MTO. The enterprise should document an inability to meet the MTO and continue developing a new facility that will satisfy the objective. The recovery point objective (RPO) is not affected by the stated deficiencies in the current recovery facility. The service delivery objective (SDO) reflects a commitment to internal customers to meet certain performance standards. To be realistic, the objective must be changed to reflect the operating capabilities of the current recovery facility. The MTO must be at least as great as the allowable interruption window (AIW). Therefore, it is possible that exceeding the MTO will result in not being able to meet the AIW, which will result in unacceptable damage to the enterprise. However, as with the MTO, the inability to meet the AIW does not make the associated damage acceptable, so changing the AIW would not be appropriate.

What is the PRIMARY benefit of having an updated communication plan when an incident occurs? It provides guidance on how and what to communicate to regulatory authorities. It guides the staff on when to invoke the business continuity plan. It enables the staff to know what should be communicated to stakeholders. It provides the necessary templates for incident communication.

C is the correct answer. Justification Detailed guidance on communicating to regulatory authorities is just one of the many relevant types of information documented in the communication plan. If it is unclear who should communicate what to whom and how, the plan is inefficient. Whether to invoke the enterprise's business continuity plan (BCP) may or may not be documented in the communication plan. One of the primary objectives of a communication plan is to inform staff members about their roles and responsibilities, including whom to contact and how to communicate with them during an incident. Keeping the communication plan updated will ensure that this information is current should an incident occur. Templates for incident communication are just one of the many relevant pieces of information documented in the communication plan. However, they are not of use if it is unclear who should use the templates and when.

The BEST time to determine who should notify external entities of an information security breach involving customer privacy data is: after the incident has been detected and confirmed. after the approval of the incident by senior management. during the development of the incident response plan. dependent on applicable laws and regulations.

C is the correct answer. Justification Determining roles and responsibilities during an incident is counterproductive and causes confusion. Senior management does not approve incidents; incident response teams confirm them. Responsibilities, including who should communicate what and how, should be established when the incident response plan is developed. This ensures that teams know their roles and responsibilities prior to an incident occurring. Laws, regulations and requirements are part of the foundation of an incident response plan.

The recovery time objective is reached at which of the following milestones? Disaster declaration Recovery of the backups Restoration of the system Return to business as usual processing

C is the correct answer. Justification Disaster declaration occurs at the beginning of this period. Recovery of the backups occurs shortly after the beginning of this period. The recovery time objective (RTO) is based on the amount of time required to restore a system. Return to business as usual processing occurs significantly later than the RTO. RTO is an objective, and full restoration may or may not coincide with the RTO. RTO can be the minimum acceptable operational level, far short of normal operations.

An information security manager is investigating an internal cybersecurity incident and has been directed to preserve potential evidence. After creating an image copy of the hard drive of suspected systems with a commonly used tool and making copies on which to perform analysis, which of the following should the information security manager do NEXT? Encrypt the primary and backup hard drive images. Use an alternative tool to make an image copy of the hard drive. Generate hashes for the primary and backup hard drive images. Document the process used to make an image copy of the hard drive.

C is the correct answer. Justification Ensuring the confidentiality of the memory dumps is not a primary concern during forensic analysis. Encrypted memory dumps cannot be analyzed. If a memory dump made with an alternative tool is desired, it should be made only after the existing primary and backup dumps have been hashed, so that their authenticity can be established if necessary. Generating hashes for the primary and backup memory dumps provides a means of demonstrating that the dump used for analysis is identical to the one stored for reference. It is essential that this step be performed before anything might happen to corrupt the original memory source, so it should be done as soon as possible. Documentation of the process should exist as part of the incident response procedures, but if it does not, the middle of an incident is not the best time to create it.

Which of the following is the BEST control to limit the impact of a successful ransomware attack? Incident response plan User awareness Air-gapped backups Disaster recovery plan

C is the correct answer. Justification Incident response plans are reactive corrective controls and will not directly address the loss associated with a successful ransomware attack. User awareness will help reduce the possibility of a successful attack but will not help limit damage from a successful attack. Air-gapped backups are the best control to limit the damage because they are offline backups and would not be infected with the ransomware. These backups would allow the enterprise to recover data based on the recovery point objective. Disaster recovery plans are corrective controls and will not directly address the loss associated with a successful ransomware attack.

Which of the following would the information security manager MOST likely recommend to maintain business resiliency when an enterprise has several factories located in remote areas? Execute standard operating procedures Introduce a business staff rotation program Delegate authority to local management Encourage a partnership with the local community

C is the correct answer. Justification It is a good practice to have a set of standard operating procedures. However, in the case of a business disruption, processes may not work as expected, so the standard operating procedure on its own is not the best option. Staff rotation is a good practice; however, it is not primarily designed for a business continuity program. In the event of a business disruption, the centralized chain of command may become disabled. To prepare for this situation, it may be effective to delegate authority to local management to ensure the continuity of operations. It makes sense for an enterprise to establish a partnership with the local community. However, it is usually carried out from a social responsibility perspective rather than in the interest of the enterprise (i.e., business continuity in each region).

Which of the following choices is the MOST important incident response resource for timely identification of an information security incident? A fully updated intrusion detection system Multiple channels for distribution of information A well-defined and structured communication plan A regular schedule for review of network device logs

C is the correct answer. Justification Not all information security incidents originate from the network; an intrusion detection system will provide no detection value for a variety of incident types. Diversifying the means of communication increases the odds that information reaches the people to whom it is sent, but it does nothing to ensure that the correct people receive the correct information at the correct time. An incident is not identified within an enterprise until it is declared, which is a business responsibility beyond the scope of the technical staff. A well-defined and structured communication plan ensures that information flows from the technical staff to decision makers in a timely fashion, allowing incidents to be recognized, declared and appropriately addressed. Reviewing logs provides an opportunity to identify irregular traffic patterns that may indicate an information security incident, but these logs provide insight into only a subset of attack vectors (e.g., external penetration would generally be covered, but insider threats may not). Additionally, if analysts who identify potentially revealing information do not have mechanisms in place to share those revelations with others in the enterprise, an effective response is less likely.

Which of the following procedures would provide the BEST protection if an intruder or malicious program gained super user (e.g., root) access to a system? Prevent the system administrators from accessing the system pending investigation of the incident. Inspect the system and intrusion detection output to identify all changes and then undo them. Rebuild the system using original media. Change all passwords, then resume normal operations.

C is the correct answer. Justification Preventing access by system administrators provides no protection and does nothing to restore the system. Root access makes it possible to initiate changes that are difficult or impossible to locate, so undoing all changes is not an acceptable choice to resolve the issue. If someone, or a malicious program, gains superuser privileges to a system without authorization, the enterprise never knows what the perpetrator or program has done to the system. The only way to assure the integrity of the system is to wipe it clean by either performing a low-level format on the hard disk or replacing it with a new one (usually after making a bit-copy backup for the purpose of further analysis and to prevent the destruction of data that may not exist elsewhere) and then starting over again by reinstalling the operating system and applications using original media. Changing passwords provides no protection against any malicious changes made to the system.

When a large enterprise discovers that it is the subject of a network probe, which of the following actions should be taken? Reboot the router connecting the demilitarized zone (DMZ) to the firewall. Power down all servers located on the DMZ segment. Monitor the probe and isolate the affected segment. Enable server trace logging on the affected segment.

C is the correct answer. Justification Rebooting the router is not warranted. Powering down the demilitarized zone servers is not warranted. In the case of a probe, the situation should be monitored and the affected network segment isolated. Enabling server trace logging is not warranted.

To ensure the timely identification of security incidents, the BEST course of action is to: document a business impact analysis. review a risk analysis. implement incident detection. apply preventive and detective controls.

C is the correct answer. Justification The business impact analysis identifies and analyzes business processes and activities with the objective of understanding the impact of downtime, which drives the assignment of recovery objectives and prioritization. Downtime is a variable bound with the availability requirement in the information security scope. Risk analysis does not ensure the timely identification of information security incidents. The incident process performance deals with timely operations. Risk analysis is mainly concerned with calculating the probability and impact of a potential risk. Incident detection provides timely notification of an incident and could ensure the timely triggering and identification of incidents. Subsequently, implementing incident detection ensures proper incident response, reducing impacts to within acceptable levels. Incident management is built on reactive controls because it must handle effects not manageable with preventive controls. Detective controls represent a wide range of countermeasures and do not ensure timely identification and handling of incidents.

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a hot site operated by a third party? Cost to rebuild information processing facilities Incremental daily cost of losing different systems Location and cost of commercial recovery facilities Estimated annual loss expectancy from key risk

C is the correct answer. Justification The cost of rebuilding the primary processing facility is not a factor in choosing an alternate recovery site. The daily cost of losing systems is the same whether the alternate site is built or rented. The decision whether to build an alternate facility or rent hot site facilities from a third party should be based entirely on business decisions of cost and ensuring the location is not susceptible to the same environmental risk as the primary facility. Annual loss expectancy is not a factor in choosing to build or rent an alternate site.

In a business impact analysis, the value of an information system should be based on the overall: cost of recovery. cost to recreate. opportunity cost. cost of emergency operations.

C is the correct answer. Justification The cost of recovering the system is not the basis for determining the value of the system to the enterprise. The primary basis is loss of revenues or other costs. The cost to recreate is not a basis for valuing the system; the cost to the enterprise of the loss of the function is the basis. Opportunity cost reflects the cost to the enterprise resulting from the loss of a function. Cost of emergency operations is unrelated to the value of an information system.

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs? Database server Domain name server Time server Proxy server

C is the correct answer. Justification The database server would not assist in the correlation and review of the logs. The domain name server would not assist in the correlation and review of the logs. To accurately reconstruct the course of events, a time reference is needed, and that is provided by the time server. The proxy server would not assist in the correlation and review of the logs.

Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (2300 hours)? Most new viruses' signatures are identified over weekends. Technical personnel are not available to support the operation. Systems are vulnerable to new viruses during the intervening week. The update's success or failure is not known until Monday.

C is the correct answer. Justification The fact that most new viruses' signatures are identified over weekends is secondary to leaving systems vulnerable during the intervening week. The fact that technical personnel are not available is secondary to leaving systems vulnerable during the intervening week. Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. The fact that success or failure is not known until Monday is secondary to leaving systems vulnerable during the intervening week.

When the computer incident response team finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: the information security steering committee. customers who may be impacted. data owners who may be impacted. regulatory agencies overseeing privacy.

C is the correct answer. Justification The information security steering committee will be notified later, as required by corporate policy requirements. Customers will be notified later, as required by corporate policy and regulatory requirements. The data owners should be notified first, so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Regulatory agencies will be notified later, as required by corporate policy and regulatory requirements.

After a service interruption of a critical system, the incident response team finds that it needs to activate the warm recovery site. Discovering that throughput is only half of the primary site, the team nevertheless notifies management that it has restored the critical system. This is MOST likely because it has achieved the: recovery point objective. recovery time objective. service delivery objective. maximum tolerable outage.

C is the correct answer. Justification The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The recovery time objective is the target time to restore services to either the service delivery objective (SDO) or normal operations. The SDO is the agreed-on level of service required to resume acceptable operations. Maximum tolerable outage is the maximum length of time that the enterprise can operate at the recovery site.

What is the PRIMARY factor that should be taken into consideration when designing the technical solution for a disaster recovery site? Service delivery objective Recovery time objective Allowable interruption window Maximum tolerable outage

C is the correct answer. Justification The service delivery objective is the required level of functionality that must be supported during the alternate process mode until the normal situation is restored, which is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal or acceptable operations defined by the service level objective. The RTO must be shorter than the allowable interruption window (AIW). The length of the AIW is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services and applications. AIW is generally based on the downtime before the enterprise suffers major financial damage. The technical implementation of the disaster recovery site will be based on this constraint, especially the choice between a mirrored, hot, warm or cold site. Maximum tolerable outage is the amount of time the enterprise can operate in alternate mode based on various factors such as accessibility and performance levels.

Which of the following BEST contributes to the design of data restoration plans? Transaction turnaround time Mean time between failures Service delivery objectives The duration of the data restoration job

C is the correct answer. Justification Transaction turnaround time may be a concern when the effectiveness of an application system is evaluated. Normally it is not the main concern in the restoration stage. Mean time between failures (MTBF) is the predicted elapsed time between inherent failures of a system during operation. MTBF is not a factor in determining restoration of data. The service delivery objective (SDO) relates directly to the business needs; SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. The duration of a data restoration job may be of secondary importance. The strategic importance of data should be considered first.

Which of the following would be MOST appropriate for collecting and preserving evidence? Encrypted hard drives Generic audit software Proven forensic processes Log correlation software

C is the correct answer. Justification Whether hard drives are encrypted is not relevant to collecting and preserving evidence. Audit software is not useful for collecting and preserving evidence. When collecting evidence about a security incident, it is very important to follow appropriate forensic procedures to handle electronic evidence using a method approved by local jurisdictions. Log correlation software may help when collecting data about an incident; however, these data might not be accepted as evidence in a court of law if they are not collected using a method approved by local jurisdictions.

Which of the following is the PRIMARY function of an endpoint detection and response system? To analyze security alerts generated by network devices To review activity data and logs from endpoints and systems to indicate a threat To block and remove viruses from the endpoints To use forensics and analysis tools to research identified threats and suspicious activities

D is the correct answer. Justification A network monitoring system provides analysis of security alerts generated by network devices. A security information and event management system monitors activity data and logs from endpoints and systems that could indicate a threat. Endpoint detection and response (EDR) not only includes antivirus but also contains security tools such as firewalls, whitelisting tools, monitoring tools, etc., to provide comprehensive protection against digital threats. However, this is not its primary function. An EDR system, in addition to providing analysis and prevention, has forensic capabilities that facilitate post-incident investigation and security research.

Which of the following techniques would PRIMARILY include the methods and practices aimed to unveil the intention and extent of a cyberattack against an enterprise? Vulnerability assessment Red team exercise Post-incident review Forensic analysis

D is the correct answer. Justification A vulnerability assessment identifies system weaknesses, not the intention and extent of an incident. A red team exercise is a replication of an attack in a controlled setting. However, it would not help to determine the impact of an attack in progress. Post-incident review is the last step in an incident response and is more likely to reveal lessons learned than to unveil the intention and extent of a cyberattack. Forensic analysis plays a vital role in investigation of a cyberattack. It includes analyzing the intrusion and summarizing the findings. Other options, such as vulnerability assessment, post-incident review and red team exercises, help in preventing a cyberattack but are not useful in the aftermath.

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability? Exclusive use of the hot site is limited to six weeks. The hot site may have to be shared with other customers. The time of declaration determines site access priority. The provider services all major companies in the area.

D is the correct answer. Justification Access to a hot site is not indefinite; the recovery plan should address a long-term outage. Sharing a hot site facility is common practice and sometimes necessary in the case of a major disaster, and it is not a significant weakness. First come, first served is a standard practice in hosted facilities and does not constitute a major weakness. In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for all its clients, which will be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.

Which of the following is the MOST important reason to develop a communication plan regarding security incidents as part of an incident management program? To increase security awareness To comply with regulatory requirements To identify communication flows to stakeholders To improve incident response

D is the correct answer. Justification Although a communication plan helps increase awareness, it is not the most important reason. Meeting compliance requirements may be a requirement in some cases, but it is not the most important reason for communication regarding incidents. Communication flows are part of the communication plan to improve the resolution of the incident. The overall goal of the communication plan is to improve incident response. Effective communication helps stakeholders respond to the incident.

Which of the following activities is MOST likely to increase the difficulty of totally eradicating malicious code that is not immediately detected? Applying patches Changing access rules Upgrading hardware Backing up files

D is the correct answer. Justification Applying patches does not significantly increase the level of difficulty. Changing access rules has no effect on eradication of malicious code. Upgrading hardware does not significantly increase the level of difficulty. If malicious code is not immediately detected, it will most likely be backed up as part of the normal tape backup process. When later discovered, the code may be eradicated from the device but still remain undetected on a backup tape. Any subsequent restores using that tape may reintroduce the malicious code.

While defining incident response procedures, an information security manager must PRIMARILY focus on: closing incident tickets in a predetermined time frame. reducing the number of incidents. minimizing operational interruptions. meeting service delivery objectives.

D is the correct answer. Justification Closing tickets is not a priority of incident response. Reducing the number of incidents is the focus of overall incident management. Minimizing the impact on operations is not necessarily the primary focus. Some disruption in operations may be within acceptable limits. The primary focus of incident response is to ensure that business-defined service delivery objectives are met.

In a forensic investigation, which of the following would be the MOST important factor? Operation of a robust incident management process Identification of areas of responsibility Involvement of law enforcement Expertise of resources

D is the correct answer. Justification Operation of a robust incident management process should occur prior to an investigation. The identification of areas of responsibility should occur prior to an investigation. Involvement of law enforcement is dependent upon the nature of the investigation. The most important factor in a forensic investigation is the expertise of the resources participating in the project, due to the inherent complexity.

In order to contain an incident, which of the following would be the MOST effective to ensure that the proper tools, technologies and subject matter experts are engaged? process team plan strategy

D is the correct answer. Justification Processes will be developed based on the strategy. Once processes are developed, teams are defined by the strategy. Unless a strategy is defined, a plan cannot be developed. A strategy is the most effective, as it defines the overall goal of the incident response.

Which of the following poses the GREATEST challenge to establishing effective security incident management processes? Security technologies are not kept up to date. Stakeholders are not defined within security policies. Incidents are not controlled by process owners. Escalation paths are insufficiently defined.

D is the correct answer. Justification Security technologies are not typically the cause of substantial challenges in building effective security processes. Security policies rarely define all stakeholders, and notification to stakeholders is typically outside the scope of initial incident management, making the definition of escalation paths a greater concern. Escalation processes are typically procedures. Control of incidents by process owners is not a primary requirement of effective security incident management. Inadequately defined escalation paths may result in lack of adequate authority, substantial delays, lack of notification of the appropriate individuals, and other significant negative impacts.

What is the PRIMARY basis for a detailed business continuity plan? Consideration of different alternatives The solution that is least expensive Strategies that cover all applications Strategies validated by senior management

D is the correct answer. Justification Senior management should select the most appropriate strategy from the alternatives provided. All recovery strategies have associated costs, including costs of preparing for disruptions and putting them to use in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive. The selection of strategy depends on criticality of the business process and applications supporting the processes. It need not cover all applications. A recovery strategy identifies the best way to recover a system in case of disaster and provides guidance based on detailed recovery procedures that can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should be used for further development of the detailed business continuity plan.

Which of the following would be the BEST course of action when an alert indicates a large volume of outgoing traffic from a critical enterprise server? Notify senior management about the incident. Monitor traffic from the server. Compare traffic log files from previous days. Initiate the incident response process.

D is the correct answer. Justification Senior management would be notified after confirmation of the incident. Monitoring traffic from the server could be initiated as part of the incident response process. Comparing the log files could be initiated as part of the incident response process. For a critical enterprise server, the incident management process should be started as soon as possible, which would be when an alert warns of unusual traffic.

The MOST important factor in planning for the long-term retention of electronically stored business records is to take into account potential changes in: storage capacity and shelf life. regulatory and legal requirements. business strategy and direction. application systems and media.

D is the correct answer. Justification Storage capacity and shelf life are important but secondary issues. Legal and regulatory requirements do not generally apply to long-term retention of electronically stored business records. Business strategy and direction do not generally apply to long-term retention of electronically stored business records. Long-term retention of business records may be severely impacted by changes in application systems and media. For example, data stored in nonstandard formats that can only be read and interpreted by previously decommissioned applications may be difficult, if not impossible, to recover.

The MOST important purpose of implementing an incident response plan is to: prevent the occurrence of incidents. ensure business continuity. train users on resolution of incidents. promote business resiliency.

D is the correct answer. Justification The incident response plan is a means to respond to an event but does not prevent the occurrence. Business continuity plans, not incident response plans, are designed to restore business operations after a disaster; they cannot assure the actual outcome. The incident management plan may address training users, but the incident response plan does not. Business resilience refers to the ability of the business to withstand disruption. An effective incident response plan minimizes the impact of an incident to the level that it ideally is transparent to end users and business partners.

Which of the following benefits that the enterprise receives from employing a systematic incident management program with a formal methodology is MOST important? A formal methodology makes incident management more flexible. A formal methodology is more reliant on business continuity activities. Each incident responder is able to get broad-based experience. Evidence of due diligence supports legal and liability claims.

D is the correct answer. Justification The more formalized that something becomes, the less flexible it is. A formal methodology is actually able to more easily operate as a stand-alone function, with less reliance on business continuity activities. Having a formal methodology means that duties are generally assigned based on competence and availability of time. Legal and liability claims are most credible when the mechanisms used to collect them are formally documented, repeatable and regularly practiced.

The factor that is MOST likely to result in identification of security incidents is: effective communication and reporting processes. clear policies detailing incident severity levels. intrusion detection system capabilities. security awareness training.

D is the correct answer. Justification Timely communication and reporting are only useful after identification of an incident has occurred. Understanding how to establish severity levels is important, but it is not the essential element for ensuring that the information security manager is aware of anomalous events that might signal an incident. Intrusion detection systems are useful for detecting IT-related incidents but are not useful for identifying other types of incidents such as social engineering or physical intrusion. Ensuring that employees have the knowledge to recognize and report a suspected incident is most likely to result in identification of security incidents.

In a large enterprise, effective management of security incidents will be MOST dependent on: clear policies detailing incident severity levels. broadly dispersed intrusion detection capabilities. training employees to recognize security incidents. effective communication and reporting processes.

D is the correct answer. Justification Understanding severity levels is important but, on its own, is not sufficient to ensure that the information security manager is able to manage the incident effectively. Intrusion detection is a useful tool for detecting potential network security incidents, but without robust communication and reporting processes, it is less effective. Conducting awareness training so individuals can recognize potential incidents is important, but it is not effective unless the information is communicated to the right people in a timely manner. Timely communication and reporting are most likely to ensure that the information security manager receives the information necessary to effectively manage a security incident. Effective communication will also help ensure that the correct resources are engaged at the appropriate time.

When a computer hacking attack has been crafted carefully, perpetrators may not leave a trace in transaction logs. If such an attack is anticipated, which of the following will be the MOST vital information source from a forensic perspective?
Reconciliation results against external statements.
Reviews of approval steps executed by business managers.
Interviews collected from operation staff.
Volatile data remaining in the computer resources.

D is the correct answer. Justification When hacking is carefully completed, it can be difficult to find any observable trace evidence of the attack. Hence, reconciliation against external statements or logs may not be effective, as there may be no traces of the attack. Hacking most likely is conducted from the back end. Hence, business approval procedures may not provide vital information from a forensic perspective. Interviews are subjective and, therefore, are weak evidence from a forensic perspective. Attackers make sure to hide evidence of infiltration, such as erasing logs, editing control reports, etc. From a forensic perspective, it is equally important to capture volatile data, such as open ports, active processes, RAM data, etc., for further investigation.

What task should be performed after a security incident has been verified? Identify the incident. Contain the incident. Determine the root cause of the incident. Perform a vulnerability assessment.

b
