IT462 - Chapter 3, 18, 19 Review

7. What are the primary reasons attackers engage in thrill attacks (Choose all that apply.) A. Bragging rights B. Money from the sale of stolen documents C. Pride of conquering a secure system D. Retaliation against a person or organization

A, C. Thrill attacks have no reward other than providing a boost to pride and ego. The thrill of launching the attack comes from the act of participating in the attack (and not getting caught).

19. What combination of backup strategies provides the fastest backup restoration time? A. Full backups and differential backups B. Partial backups and incremental backups C. Full backups and incremental backups D. Incremental backups and differential backups

A. Any backup strategy must include full backups at some point in the process. If a combination of full and differential backups is used, a maximum of two backups must be restored. If a combination of full and incremental backups is chosen, the number of required restorations may be unlimited.

3. What type of attack targets proprietary information stored on a civilian organization's system? A. Business attack B. Denial-of-service attack C. Financial attack D. Military and intelligence attack

A. Confidential information that is not related to the military or intelligence agencies is the target of business attacks. The ultimate goal could be destruction, alteration, or disclosure of confidential information.

17. What type of backup involves always storing copies of all files modified since the most recent full backup? A. Differential backups B. Partial backup C. Incremental backups D. Database backup

A. Differential backups involve always storing copies of all files modified since the most recent full backup regardless of any incremental or differential backups created during the intervening time period.

16. Why should you avoid deleting log files on a daily basis? A. An incident may not be discovered for several days and valuable evidence could be lost. B. Disk space is cheap, and log files are used frequently. C. Log files are protected and cannot be altered. D. Any information in a log file is useless after it is several hours old.

A. Log files contain a large volume of generally useless information. However, when you are trying to track down a problem or an incident, they can be invaluable. Even if an incident is discovered as it is happening, it may have been preceded by other incidents. Log files provide valuable clues and should be protected and archived.

13. What step of the Electronic Discovery Reference Model ensures that information that may be subject to discovery is not altered? A. Preservation B. Production C. Processing D. Presentation

A. Preservation ensures that potentially discoverable information is protected against alteration or deletion.

15. What type of document will help public relations specialists and other individuals who need a high-level summary of disaster recovery efforts while they are under way? A. Executive summary B. Technical guides C. Department-specific plans D. Checklists

A. The executive summary provides a high-level view of the entire organization's disaster recovery efforts. This document is useful for the managers and leaders of the firm as well as public relations personnel who need a nontechnical perspective on this complex effort.

5. What unit of measurement should be used to assign quantitative values to assets in the priority identification phase of the business impact assessment? A. Monetary B. Utility C. Importance D. Time

A. The quantitative portion of the priority identification should assign asset values in monetary units.

19. What is the formula used to compute the single loss expectancy for a risk scenario? A. SLE = AV × EF B. SLE = RO × EF C. SLE = AV × ARO D. SLE = EF × ARO

A. The single loss expectancy (SLE) is computed as the product of the asset value (AV) and the exposure factor (EF). The other formulas displayed here do not accurately reflect this calculation.

10. You are concerned about the risk that a hurricane poses to your corporate headquarters in South Florida. The building itself is valued at $15 million. After consulting with the National Weather Service, you determine that there is a 10 percent likelihood that a hurricane will strike over the course of a year. You hired a team of architects and engineers who determined that the average hurricane would destroy approximately 50 percent of the building. What is the annualized loss expectancy (ALE)? A. $750,000 B. $1.5 million C. $7.5 million D. $15 million

A. This problem requires you to compute the ALE, which is the product of the SLE and ARO. From the scenario, you know that the ARO is 0.10 (or 10 percent). From the scenario presented, you know that the SLE is $7.5 million. This yields an SLE of $750,000.

10. Hacktivists are motivated by which of the following factors? (Choose all that apply.) A. Financial gain B. Thrill C. Skill D. Political beliefs

B, D. Hacktivists (the word is a combination of hacker and activist) often combine political motivations with the thrill of hacking. They organize themselves loosely into groups with names like Anonymous and Lolzsec and use tools like the Low Orbit Ion Cannon to create large-scale denial-of-service attacks with little knowledge required.

4. What goal is not a purpose of a financial attack? A. Access services you have not purchased B. Disclose confidential personal employee information C. Transfer funds from an unapproved source into your account D. Steal money from another organization

B. A financial attack focuses primarily on obtaining services and funds illegally.

2. What is the main purpose of a military and intelligence attack? A. To attack the availability of military systems B. To obtain secret and restricted information from military or law enforcement sources C. To utilize military or intelligence agency systems to attack other nonmilitary sites D. To compromise military systems for use in attacks against other systems

B. A military and intelligence attack is targeted at the classified data that resides on the system. To the attacker, the value of the information justifies the risk associated with such an attack. The information extracted from this type of attack is often used to plan subsequent attacks.

5. Which one of the following attacks is most indicative of a terrorist attack? A. Altering sensitive trade secret documents B. Damaging the ability to communicate and respond to a physical attack C. Stealing unclassified information D. Transferring funds to other countries

B. A terrorist attack is launched to interfere with a way of life by creating an atmosphere of fear. A computer terrorist attack can reach this goal by reducing the ability to respond to a simultaneous physical attack.

4. Which one of the following disaster types is not usually covered by standard business or homeowner's insurance? A. Earthquake B. Flood C. Fire D. Theft

B. Most general business insurance and homeowner's insurance policies do not provide any protection against the risk of flooding or flash floods. If floods pose a risk to your organization, you should consider purchasing supplemental flood insurance under FEMA's National Flood Insurance Program.

10. What business continuity planning technique can help you prepare the business unit prioritization task of disaster recovery planning? A. Vulnerability analysis B. Business impact assessment C. Risk management D. Continuity planning

B. During the business impact assessment phase, you must identify the business priorities of your organization to assist with the allocation of BCP resources. You can use this same information to drive the DRP business unit prioritization.

15. If you need to confiscate a PC from a suspected attacker who does not work for your organization, what legal avenue is most appropriate? A. Consent agreement signed by employees. B. Search warrant. C. No legal avenue is necessary. D. Voluntary consent.

B. In this case, you need a search warrant to confiscate equipment without giving the suspect time to destroy evidence. If the suspect worked for your organization and you had all employees sign consent agreements, you could simply confiscate the equipment.

20. What type of disaster recovery plan test fully evaluates operations at the backup facility but does not shift primary operations responsibility from the main site? A. Structured walk-through B. Parallel test C. Full-interruption test D. Simulation test

B. Parallel tests involve moving personnel to the recovery site and gearing up operations, but responsibility for conducting day-to-day operations of the business remains at the primary operations center.

20. Which of the following actions are considered unacceptable and unethical according to RFC 1087, "Ethics and the Internet"? A. Actions that compromise the privacy of classified information B. Actions that compromise the privacy of users C. Actions that disrupt organizational activities D. Actions in which a computer is used in a manner inconsistent with a stated security policy

B. RFC 1087 does not specifically address the statements in A, C, or D. Although each type of activity listed is unacceptable, only "actions that compromise the privacy of users" are explicitly identified in RFC 1087.

5. Which one of the following controls provides fault tolerance for storage devices? A. Load balancing B. RAID C. Clustering D. HA pairs

B. Redundant arrays of inexpensive disks (RAID) are fault tolerance controls that allow an organization's storage service to withstand the loss of one or more individual disks. Load balancing, clustering, and HA pairs are all fault tolerance services designed for servers, not storage.

12. During an operational investigation, what type of analysis might an organization undertake to prevent similar incidents in the future? A. Forensic analysis B. Root-cause analysis C. Network traffic analysis D. Fagan analysis

B. Root-cause analysis seeks to identify the reason that an operational issue occurred. The root-cause analysis often highlights issues that require remediation to prevent similar incidents in the future.

14. Gary is a system administrator and is testifying in court about a cybercrime incident. He brings server logs to support his testimony. What type of evidence are the server logs? A. Real evidence B. Documentary evidence C. Parole evidence D. Testimonial evidence

B. Server logs are an example of documentary evidence. Gary may ask that they be introduced in court and will then be asked to offer testimonial evidence about how he collected and preserved the evidence. This testimonial evidence authenticates the documentary evidence.

8. You are concerned about the risk that an avalanche poses to your $3 million shipping facility. Based on expert opinion, you determine that there is a 5 percent chance that an avalanche will occur each year. Experts advise you that an avalanche would completely destroy your building and require you to rebuild on the same land. Ninety percent of the $3 million value of the facility is attributed to the building, and 10 percent is attributed to the land itself. What is the single loss expectancy of your shipping facility to avalanches? A. $3,000,000 B. $2,700,000 C. $270,000 D. $135,000

B. The SLE is the product of the AV and the EF. From the scenario, you know that the AV is $3,000,000 and the EF is 90 percent, based on the fact that the same land can be used to rebuild the facility. This yields an SLE of $2,700,000.

1. What is the first step that individuals responsible for the development of a business continuity plan should perform? A. BCP team selection B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment

B. The business organization analysis helps the initial planners select appropriate BCP team members and then guides the overall BCP process.

2. Once the BCP team is selected, what should be the first item placed on the team's agenda? A. Business impact assessment B. Business organization analysis C. Resource requirements analysis D. Legal and regulatory assessment

B. The first task of the BCP team should be the review and validation of the business organization analysis initially performed by those individuals responsible for spearheading the BCP effort. This ensures that the initial effort, undertaken by a small group of individuals, reflects the beliefs of the entire BCP team.

19. According to the (ISC)2 Code of Ethics, how are CISSPs expected to act? A. Honestly, diligently, responsibly, and legally B. Honorably, honestly, justly, responsibly, and legally C. Upholding the security policy and protecting the organization D. Trustworthy, loyally, friendly, courteously

B. The second canon of the (ISC)2 Code of Ethics states how a CISSP should act, which is honorably, honestly, justly, responsibly, and legally.

14. Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the single loss expectancy for this scenario? A. 0.01 B. $10,000,000 C. $100,000 D. 0.10

B. The single loss expectancy (SLE) is the amount of damage that would be caused by a single occurrence of the risk. In this case, the SLE is $10 million, the expected damage from one tornado. The fact that a tornado occurs only once every 100 years is not reflected in the SLE but would be reflected in the annualized loss expectancy (ALE).

7. What does the term "100-year flood plain" mean to emergency preparedness officials? A. The last flood of any kind to hit the area was more than 100 years ago. B. The odds of a flood at this level are 1 in 100 in any given year. C. The area is expected to be safe from flooding for at least 100 years. D. The last significant flood to hit the area was more than 100 years ago.

B. The term 100-year flood plain is used to describe an area where flooding is expected once every 100 years. It is, however, more mathematically correct to say that this label indicates a 1 percent probability of flooding in any given year.

1. What is a computer crime? A. Any attack specifically listed in your security policy B. Any illegal attack that compromises a protected computer C. Any violation of a law or regulation that involves a computer D. Failure to practice due diligence in computer security

C. A crime is any violation of a law or regulation. The violation stipulation defines the action as a crime. It is a computer crime if the violation involves a computer either as the target or as a tool.

3. What is the term used to describe the responsibility of a firm's officers and directors to ensure that adequate measures are in place to minimize the effect of a disaster on the organization's continued viability? A. Corporate responsibility B. Disaster requirement C. Due diligence D. Going concern responsibility

C. A firm's officers and directors are legally bound to exercise due diligence in conducting their activities. This concept creates a fiduciary responsibility on their part to ensure that adequate business continuity plans are in place.

2. Which one of the following is an example of a man-made disaster? A. Tsunami B. Earthquake C. Power outage D. Lightning strike

C. A power outage is an example of a man-made disaster. The other events listed—tsunamis, earthquakes, and lightning strikes—are all naturally occurring events.

8. What is the most important rule to follow when collecting evidence? A. Do not turn off a computer until you photograph the screen. B. List all people present while collecting evidence. C. Never modify evidence during the collection process. D. Transfer all equipment to a secure storage location.

C. Although the other options have some merit in individual cases, the most important rule is to never modify, or taint, evidence. If you modify evidence, it becomes inadmissible in court.

18. What combination of backup strategies provides the fastest backup creation time? A. Full backups and differential backups B. Partial backups and incremental backups C. Full backups and incremental backups D. Incremental backups and differential backups

C. Any backup strategy must include full backups at some point in the process. Incremental backups are created faster than differential backups because of the number of files it is necessary to back up each time.

6. Which one of the following storage locations provides a good option when the organization does not know where it will be when it tries to recover operations? A. Primary data center B. Field office C. Cloud computing D. IT manager's home

C. Cloud computing services provide an excellent location for backup storage because they are accessible from any location.

11. Which one of the following investigation types has the highest standard of evidence? A. Administrative B. Civil C. Criminal D. Regulatory

C. Criminal investigations may result in the imprisonment of individuals and, therefore, have the highest standard of evidence to protect the rights of the accused.

18. What type of plan addresses the technical controls associated with alternate processing facilities, backups, and fault tolerance? A. Business continuity plan B. Business impact assessment C. Disaster recovery plan D. Vulnerability assessment

C. Disaster recovery plans pick up where business continuity plans leave off. After a disaster strikes and the business is interrupted, the disaster recovery plan guides response teams in their efforts to quickly restore business operations to normal levels.

16. In which business continuity planning task would you actually design procedures and mechanisms to mitigate risks deemed unacceptable by the BCP team? A. Strategy development B. Business impact assessment C. Provisions and processes D. Resource prioritization

C. In the provisions and processes phase, the BCP team actually designs the procedures and mechanisms to mitigate risks that were deemed unacceptable during the strategy development phase.

13. Which one of the following concerns is not suitable for quantitative measurement during the business impact assessment? A. Loss of a plant B. Damage to a vehicle C. Negative publicity D. Power outage

C. It is difficult to put a dollar figure on the business lost because of negative publicity. Therefore, this type of concern is better evaluated through a qualitative analysis.

1. What is the end goal of disaster recovery planning? A. Preventing business interruption B. Setting up temporary business operations C. Restoring normal business activity D. Minimizing the impact of a disaster

C. Once a disaster interrupts the business operations, the goal of DRP is to restore regular business activity as quickly as possible. Thus, disaster recovery planning picks up where business continuity planning leaves off.

9. What disaster recovery principle best protects your organization against hardware failure? A. Consistency B. Efficiency C. Redundancy D. Primacy

C. Redundant systems/components provide protection against the failure of one particular piece of hardware.

15. Lighter Than Air Industries expects that it would lose $10 million if a tornado struck its aircraft operations facility. It expects that a tornado might strike the facility once every 100 years. What is the annualized loss expectancy? A. 0.01 B. $10,000,000 C. $100,000 D. 0.10

C. The annualized loss expectancy (ALE) is computed by taking the product of the single loss expectancy (SLE), which was $10 million in this scenario, and the annualized rate of occurrence (ARO), which was 0.01 in this example. These figures yield an ALE of $100,000.

6. Which one of the following BIA terms identifies the amount of money a business expects to lose to a given risk each year? A. ARO B. SLE C. ALE D. EF

C. The annualized loss expectancy (ALE) represents the amount of money a business expects to lose to a given risk each year. This figure is quite useful when performing a quantitative prioritization of business continuity resource allocation.

11. Which one of the following alternative processing sites takes the longest time to activate? A. Hot site B. Mobile site C. Cold site D. Warm site

C. The cold site contains none of the equipment necessary to restore operations. All of the equipment must be brought in and configured and data must be restored to it before operations can commence. This often takes weeks.

7. What BIA metric can be used to express the longest time a business function can be unavailable without causing irreparable harm to the organization? A. SLE B. EF C. MTD D. ARO

C. The maximum tolerable downtime (MTD) represents the longest period a business function can be unavailable before causing irreparable harm to the business. This figure is useful when determining the level of business continuity resources to assign to a particular function.

11. Which task of BCP bridges the gap between the business impact assessment and the continuity planning phases? A. Resource prioritization B. Likelihood assessment C. Strategy development D. Provisions and processes

C. The strategy development task bridges the gap between business impact assessment and continuity planning by analyzing the prioritized list of risks developed during the BIA and determining which risks will be addressed by the BCP.

12. What is the typical time estimate to activate a warm site from the time a disaster is declared? A. 1 hour B. 6 hours C. 12 hours D. 24 hours

C. Warm sites typically take about 12 hours to activate from the time a disaster is declared. This is compared to the relatively instantaneous activation of a hot site and the lengthy time (at least a week) required to bring a cold site to operational status.

20. Of the individuals listed, who would provide the best endorsement for a business continuity plan's statement of importance? A. Vice president of business operations B. Chief information officer C. Chief executive officer D. Business continuity manager

C. You should strive to have the highest-ranking person possible sign the BCP's statement of importance. Of the choices given, the chief executive officer is the highest ranking.

6. Which of the following would not be a primary goal of a grudge attack? A. Disclosing embarrassing personal information B. Launching a virus on an organization's system C. Sending inappropriate email with a spoofed origination address of the victim organization D. Using automated tools to scan the organization's systems for vulnerable ports

D. Any action that can harm a person or organization, either directly or through embarrassment, would be a valid goal of a grudge attack. The purpose of such an attack is to "get back" at someone.

4. What will be the major resource consumed by the BCP process during the BCP phase? A. Hardware B. Software C. Processing time D. Personnel

D. During the planning phase, the most significant resource utilization will be the time dedicated by members of the BCP team to the planning process. This represents a significant use of business resources and is another reason that buy-in from senior management is essential.

18. What are ethics? A. Mandatory actions required to fulfill job requirements B. Laws of professional conduct C. Regulations set forth by a professional organization D. Rules of personal behavior

D. Ethics are simply rules of personal behavior. Many professional organizations establish formal codes of ethics to govern their members, but ethics are personal rules individuals use to guide their lives.

3. According to the Federal Emergency Management Agency, approximately what percentage of U.S. states is rated with at least a moderate risk of seismic activity? A. 20 percent B. 40 percent C. 60 percent D. 80 percent

D. Forty-one of the 50 U.S. states are considered to have a moderate, high, or very high risk of seismic activity. This rounds to 80 percent to provide the value given in option D.

14. What type of database backup strategy involves maintenance of a live backup server at the remote site? A. Transaction logging B. Remote journaling C. Electronic vaulting D. Remote mirroring

D. Remote mirroring is the only backup option in which a live backup server at a remote site maintains a bit-for-bit copy of the contents of the primary server, synchronized as closely as the latency in the link between primary and remote systems will allow.

17. What phase of the Electronic Discovery Reference Model examines information to remove information subject to attorney-client privilege? A. Identification B. Collection C. Processing D. Review

D. Review examines the information resulting from the processing phase to determine what information is responsive to the request and remove any information protected by attorney-client privilege.

16. What disaster recovery planning tool can be used to protect an organization against the failure of a critical software firm to provide appropriate support for their products? A. Differential backups B. Business impact assessment C. Incremental backups D. Software escrow agreement

D. Software escrow agreements place the application source code in the hands of an independent third party, thus providing firms with a "safety net" in the event a developer goes out of business or fails to honor the terms of a service agreement.

9. What would be a valid argument for not immediately removing power from a machine when an incident is discovered? A. All of the damage has been done. Turning the machine off would not stop additional damage. B. There is no other system that can replace this one if it is turned off. C. Too many users are logged in and using the system. D. Valuable evidence in memory will be lost.

D. The most compelling reason for not removing power from a machine is that you will lose the contents of memory. Carefully consider the pros and cons of removing power. After all is considered, it may be the best choice.

12. Which resource should you protect first when designing continuity plan provisions and processes? A. Physical plant B. Infrastructure C. Financial resources D. People

D. The safety of human life must always be the paramount concern in business continuity planning. Be sure that your plan reflects this priority, especially in the written documentation that is disseminated to your organization's employees!

17. What type of mitigation provision is utilized when redundant communications links are installed? A. Hardening systems B. Defining systems C. Reducing systems D. Alternative systems

D. This is an example of alternative systems. Redundant communications circuits provide backup links that may be used when the primary circuits are unavailable.

9. Referring to the scenario in question 8, what is the annualized loss expectancy? A. $3,000,000 B. $2,700,000 C. $270,000 D. $135,000

D. This problem requires you to compute the ALE, which is the product of the SLE and the ARO. From the scenario, you know that the ARO is 0.05 (or 5 percent). From question 8, you know that the SLE is $2,700,000. This yields an SLE of $135,000.

13. Which one of the following items is a characteristic of hot sites but not a characteristic of warm sites? A. Communications circuits B. Workstations C. Servers D. Current data

D. Warm sites and hot sites both contain workstations, servers, and the communications circuits necessary to achieve operational status. The main difference between the two alternatives is the fact that hot sites contain near-real-time copies of the operational data and warm sites require the restoration of data from backup.

8. In which one of the following database recovery techniques is an exact, up-to-date copy of the database maintained at an alternative location? A. Transaction logging B. Remote journaling C. Electronic vaulting D. Remote mirroring

D. When you use remote mirroring, an exact copy of the database is maintained at an alternative location. You keep the remote copy up-to-date by executing all transactions on both the primary and remote site at the same time.