Developing & Testing an Incident Response Plan


An organization determined that if its email system failed for three days, the cost to the organization would be eight times greater than if it could be recovered in one day. This determination MOST likely was the result of:
A. disaster recovery planning.
B. business impact analysis.
C. site proximity analysis.
D. full interruption testing.

B is the correct answer. Justification: A disaster recovery plan does not include the impact of system loss; a business impact analysis must be completed prior to disaster recovery planning. A business impact analysis is used to establish the escalation of loss over time, in addition to other elements. Site proximity is a consideration during disaster recovery planning for locating the recovery site; where the site is located does not indicate the business impact. Full interruption testing is used to validate disaster recovery plans, and a business impact analysis must be completed prior to disaster recovery planning.

An organization determined that in a worst-case situation it was not feasible to recreate all of the data lost in a system crash in the time available. Various constraints prevent increasing the frequency of backups. What other solution to this issue could the information security manager suggest?
A. Increase the recovery time objective
B. Decrease the service delivery objective
C. Adjust the maximum tolerable outage
D. Increase the allowable interruption window

A is the correct answer. Justification: Because the original recovery time objective (RTO) cannot be met due to the time required to restore data, the RTO could be increased. Decreasing the service delivery objective (SDO) would increase the problem and is not a solution. Adjusting the maximum tolerable outage (MTO) will not have any effect on the situation. Increasing the allowable interruption window (AIW) is based on the maximum time the organization can be down before major financial impacts occur.

Different types of tests exist for testing the effectiveness of recovery plans. Which of the following choices occurs during a parallel test that does not occur during a simulation test?
A. The team members step through the individual recovery tasks.
B. The primary site operations are interrupted.
C. A fictitious scenario is used for the test.
D. The recovery site is brought to operational readiness.

D is the correct answer. Justification: A walk-through of all necessary recovery tasks is part of both tests. Only a full interruption test includes interruption of primary site operations. Both parallel tests and simulation tests rely on fictitious scenarios. A parallel recovery test includes the test of the operational capabilities of the recovery site, while a simulation test focuses on role-playing.

When a major vulnerability in the security of a critical web server is discovered, immediate notification should be made to the:
A. system owner to take corrective action.
B. incident response team to investigate.
C. data owners to mitigate damage.
D. development team to remediate.

A is the correct answer. Justification: In order to correct the vulnerabilities, the system owner needs to be notified quickly before an incident can take place. Sending the incident response team to investigate is not correct because the incident has not taken place and notification could delay implementation of the fix. Data owners would be notified only if the vulnerability could have compromised data. The development team may be called upon by the system owner to resolve the vulnerability.

When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
A. Ensuring accessibility should a disaster occur
B. Versioning control as plans are modified
C. Broken hyperlinks to resources stored elsewhere
D. Tracking changes in personnel and plan assets

A is the correct answer. Justification: If all of the plans exist only in electronic form, this presents a serious weakness if the electronic version is dependent on restoration of the intranet or other systems that are no longer available. Versioning control is actually easier with an automated system. Broken hyperlinks are a concern, but less serious than plan accessibility. Tracking changes in personnel and plan assets is actually easier with an automated system.

When establishing a new incident management team whose members will serve on a part-time basis, which of the following means of training is MOST effective?
A. Formal training
B. Mentoring
C. On-the-job training
D. Induction

A is the correct answer. Justification: Formal training is a good choice when everyone is new because it does not assume any prior knowledge and ensures that everyone covers the same material. Mentoring is most effective when senior members of an established team can be paired with new members; it does not work well when everyone is new. On-the-job training is a suitable choice when the material to be learned is part of the participants' everyday duties. For an incident management team composed of part-time members, there will be limited opportunities to train in the course of regular, day-to-day activities. Induction provides a basic overview of incident management team activities and serves as a basis for further training; by itself, it is not an effective means of training.

Which of the following choices is a characteristic of security information and event monitoring (SIEM) technology?
A. SIEM promotes compliance with security policies.
B. SIEM is primarily a means of managing residual risk.
C. SIEM replaces the need to install a firewall.
D. SIEM provides a full range of compensating controls.

A is the correct answer. Justification: Security information and event monitoring (SIEM) can provide information on policy compliance as well as incident monitoring and other capabilities, if properly deployed, configured and tuned. SIEM is not used to manage residual risk. SIEM is an automated review of logs through aggregation and correlation, and does not replace the need for firewalls. SIEM provides a series of detective controls, not compensating controls.

Which of the following choices is the BEST input for the definition of escalation guidelines?
A. Risk management issues
B. A risk and impact analysis
C. Assurance review reports
D. The effectiveness of resources

B is the correct answer. Justification: Risk management deals primarily with controls and is not a viable basis for the definition of escalation guidelines. A risk and impact analysis will be a basis for determining what authority levels are needed to respond to particular incidents. Assurance review reports and results are primarily suited for the monitoring of stakeholder communication, such as the description of the assessment of reporting effectiveness. The effectiveness of resources belongs to the description of reporting and communication and is not a viable basis for the definition of escalation guidelines.

An employee has found a suspicious file on a server. The employee thinks the file is a virus and contacts the information security manager. What is the FIRST step to take?
A. Contain the file.
B. Delete the file.
C. Verify whether the file is malicious.
D. Report the suspicious file to management.

C is the correct answer. Justification: Containment is the next step in the incident response cycle. Deleting the file could be part of the containment process after it has been determined that it is safe to do so. The first step in incident response is to verify whether the file is malicious. Reporting to management would be a later step in the incident handling cycle and will vary based on policy, but it would not come before verification or general containment.

After a significant security breach has occurred, what is the MOST important item to report to the chief information officer?
A. A summary of the security logs that illustrates the sequence of events
B. An analysis of the impact of similar attacks at other organizations
C. A business case for implementing stronger logical access controls
D. The impact of the incident and corrective actions taken

D is the correct answer. Justification: A summary of security logs would be too technical to report to the CIO. An analysis of the impact of similar attacks would be helpful but is not the most important item to report. A business case for implementing stronger controls would be helpful to report to management, but it is not the most important item to report and would be subsequent to reporting impact and corrective actions. The actual impact to the organization and corrective actions taken would be the most important item to share with the chief information officer (CIO).

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
A. Exclusive use of the hot site is limited to six weeks
B. The hot site may have to be shared with other customers
C. The time of declaration determines site access priority
D. The provider services all major companies in the area

D is the correct answer. Justification: Access to a hot site is not indefinite; the recovery plan should address a long-term outage. Sharing a hot site facility is common practice and sometimes necessary in the case of a major disaster, and is not a significant weakness. First come, first served is a standard practice in hosted facilities and does not constitute a major weakness. In case of a disaster affecting a localized geographical area, the vendor's facility and capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.

A customer credit card database has been reported as being breached by hackers. What is the FIRST step in dealing with this attack?
A. Confirm the incident.
B. Notify senior management.
C. Start containment.
D. Notify law enforcement.

A is the correct answer. Justification: Validating that the condition is a true security incident is the necessary first step in determining the correct response. Notifying senior management could be part of the incident response process that takes place after confirming an incident. The containment stage would follow confirming the incident. Notifying law enforcement by the appropriate party could be part of the incident response process that takes place after confirming an incident.

A database was compromised by guessing the password for a shared administrative account, and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?
A. Invalid logon attempts
B. Write access violations
C. Concurrent logons
D. Firewall logs

A is the correct answer. Justification: Because the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Write access violations would not necessarily be observed because the information was merely copied and not altered. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity, because concurrent usage is common in this situation. Firewall logs would not necessarily contain information regarding logon attempts.

A new email virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?
A. Quarantine all picture files stored on file servers
B. Block all emails containing picture file attachments
C. Quarantine all mail servers connected to the Internet
D. Block incoming Internet mail, but permit outgoing mail

B is the correct answer. Justification: There is no indication of infection, and quarantining all picture files is unnecessary. Until signature files can be updated, incoming email containing picture file attachments should be blocked. Quarantine of all mail servers is unnecessary because only those emails containing attached picture files are in question. Blocking all incoming mail is unnecessary as long as picture files are blocked.

A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?
A. Ensure that all operating system patches are up to date.
B. Block inbound traffic until a suitable solution is found.
C. Obtain guidance from the firewall manufacturer.
D. Commission a penetration test.

C is the correct answer. Justification: Ensuring that all operating system patches are up to date is a good practice, in general, but it will not necessarily address the reported vulnerability. Blocking inbound traffic may not be practical or effective from a business perspective. The best source of information is the firewall manufacturer, because the manufacturer may have a patch to fix the vulnerability or a work-around solution. Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective actions.

A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. What is the most appropriate next step?
A. Rebuild the server from the last verified backup.
B. Place the web server in quarantine.
C. Shut down the server in an organized manner.
D. Rebuild the server with original media and relevant patches.

D is the correct answer. Justification: Rebuilding from the last known verified backup poses the risk that the verified backup may have been compromised by the super-user at a different time. Placing the web server in quarantine should have already occurred in the forensic process. The step of shutting down in an organized manner is out of sequence and no longer a problem; the forensic process is already finished and evidence has already been acquired. The original media should be used because one could never find and eliminate all the changes a super-user may have made, or the timelines in which these changes were made.

After a service interruption of a critical system, the incident response team finds that it needs to activate the warm recovery site. Discovering that throughput is only half of the primary site, the team nevertheless notifies management that it has restored the critical system. This is MOST likely because it has achieved the:
A. recovery point objective.
B. recovery time objective.
C. service delivery objective.
D. maximum tolerable outage.

C is the correct answer. Justification: The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data; the RPO effectively quantifies the permissible amount of data loss in case of interruption. The recovery time objective is the target time to restore services to either the SDO or normal operations. The service delivery objective (SDO) is the agreed-on level of service required to resume acceptable operations. Maximum tolerable outage is the maximum length of time that the organization can operate at the recovery site.

An organization has been experiencing a number of network-based security attacks that all appear to originate internally. What is the BEST course of action?
A. Require the use of strong passwords.
B. Assign static Internet Protocol addresses.
C. Implement centralized logging software.
D. Install an intrusion detection system.

D is the correct answer. Justification: Requiring the use of strong passwords will not be sufficiently effective against an internal network-based attack. Assigning Internet Protocol (IP) addresses would not be effective, since these can be spoofed. Implementing centralized logging software will not necessarily provide information on the source of the attack. Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of the attack so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally; proper placement of agents on the internal network can be effectively used to detect an internally based attack.

An organization is primarily concerned with the financial impact of downtime associated with an information security incident. Which of the following items would be the MOST appropriate compensating control to have in place?
A. An offsite media storage contract
B. Business interruption insurance
C. A real-time failover architecture
D. A disaster recovery plan

B is the correct answer. Justification: Storing backup media offsite improves the odds that they will be available to use for recovery activities, but it also increases the amount of time needed to complete the recovery. In a situation where the primary concern is the financial impact of downtime, an offsite media storage contract is not helpful. Business interruption insurance does not help restore operations, but it does compensate a business for the financial impact associated with interruption. In this scenario, the financial impact of downtime is the primary concern, so insurance is an appropriate compensating control. An architecture that provides for real-time failover prevents financial impact from downtime, but it does so at significant cost. An organization that is primarily concerned with financial impact (rather than operational efficiency or other concerns) is unlikely to accept this higher cost because the other benefits associated with real-time failover are not seen as justified. A disaster recovery plan aids an organization in performing the steps needed to return to normal operations after a disaster, but even a clearly drafted and tested plan does not compensate for the financial impact of downtime, and many information security incidents have impacts that do not meet the disaster threshold.

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility?
A. Erase data and software from devices
B. Conduct a meeting to evaluate the test
C. Complete an assessment of the hot site provider
D. Evaluate the results from all test scripts

A is the correct answer. Justification: For security and privacy reasons, all organizational data and software should be erased prior to departure. Evaluations can occur back at the office after everyone is rested. An assessment of the hot site provider should be included in the post-mortem. Results of the test are a part of the post-mortem.

During the security review of organizational servers, it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. What is the FIRST step the security manager should perform?
A. Copy sample files as evidence.
B. Remove access privileges to the folder containing the data.
C. Report this situation to the data owner.
D. Train the HR team on properly controlling file permissions.

C is the correct answer. Justification: Copying sample files as evidence is not advisable because it breaches confidentiality requirements on the file. Removing access privileges to the folder containing the data should be done by the data owner, or by the security manager in consultation with the data owner; frequently the security manager would not have this right, and regardless, this would be done only after formally reporting the incident. The data owner should be notified prior to any action being taken. Training the human resources team on properly controlling file permissions is the method to prevent such incidents in the future, but this should take place after the incident reporting and investigation activities are completed.

If an organization has a requirement for continuous operations, which of the following approaches would be BEST to test response and recovery?
A. A full interruption test
B. A simulation test
C. A parallel test
D. A structured walk-through

C is the correct answer. Justification: A full interruption test, in which operations are shut down at the primary site and shifted to the recovery site, is the most stringent form of response and recovery testing, but it is potentially disruptive. Even though the organization in this scenario might accept the cost of such a test, the need for continuous operations makes it inappropriate. Simulation testing tests people and processes, but does not go so far as to start up recovery-site operations, so it provides a lower level of assurance than would be provided by a parallel test. The organization in this scenario requires continuous operations. A parallel test, in which operations are brought online at the recovery site alongside primary-site operations, is the closest that an organization can come to full testing without risking a business impact, so it is the best fit for the requirement. Structured walk-throughs are pen-and-paper activities. A walk-through may help identify constraints, deficiencies and opportunities for enhancement, but the level of assurance that it provides is low relative to a parallel test.

In following up on a security incident, the system administrator is to copy data from one hard disk to another. From a forensic perspective, which of the following tasks must be ensured?
A. Copy to the same disk model as the original.
B. Make a dual backup of the original disk.
C. Keep the digital hash from both hard disks.
D. Perform a restoration test after replication.

C is the correct answer. Justification: To make a copy, the target hard disk does not necessarily have to be of the same specification as the original disk; therefore, this is not the best option. It is a good practice to make a dual backup; however, it does not prove that data are not modified by anyone. In order to prove that data are not modified before and after the copy, it is best to keep a digital hash from both hard disks. The hashes alone are not adequate to meet the standards of evidence admissibility, but they will support other aspects of integrity in the context of data forensics. It is a good practice to perform a restoration test, but this is to ensure availability rather than to maintain evidential capability.

Major security events with serious legal implications should be communicated to:
A. appropriate civil authorities when there has been a crime committed.
B. management after the incident has been verified and the severity determined.
C. all affected stakeholders, including legal and the insurance carrier.
D. only to human resources and the legal department for appropriate action.

B is the correct answer. Justification: There are few, if any, circumstances where the information security manager should contact external authorities directly. Communication regarding security events, particularly ones that have legal implications, is a business decision that is the responsibility of management. It is the decision of management to determine which stakeholders and external entities should be informed; this process should be detailed in the enterprise's incident response communication plan. Human resources and legal would not be the only departments communicated with in this situation.

The PRIMARY objective of continuous monitoring is to:
A. minimize the magnitude of impact.
B. align the security program with IT goals.
C. identify critical information assets.
D. reduce the number of policy exceptions.

A is the correct answer. Justification: Continuous monitoring helps an organization identify adverse events in a timely manner. The reduced lag time to take steps to contain damage results in minimizing the impact. Aligning the security program with IT goals is a derived benefit of continuous monitoring rather than the primary objective. Identifying critical information assets is a prerequisite for implementing continuous monitoring. Reduction of policy exceptions is not a direct benefit of continuous monitoring.

The PRIMARY reason for senior management review of information security incidents is to:
A. ensure adequate corrective actions were implemented.
B. demonstrate management commitment to the information security process.
C. evaluate the incident response process for deficiencies.
D. evaluate the ability of the security team.

A is the correct answer. Justification: Although some corrective actions are being taken by the security team and the incident response team, management review will determine whether there are any other corrective actions that need to be taken; sometimes this will result in improvements to information security policies. Management will not review information security incidents merely to demonstrate management commitment. Management will not perform a review for fault finding, such as examining the incident response process for deficiencies or evaluating the ability of the security team.

When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?
A. Reboot the router connecting the DMZ to the firewall
B. Power down all servers located on the DMZ segment
C. Monitor the probe and isolate the affected segment
D. Enable server trace logging on the affected segment

C is the correct answer. Justification: Rebooting the router is not warranted. Powering down the demilitarized zone servers is not warranted. In the case of a probe, the situation should be monitored and the affected network segment isolated. Enabling server trace logging is not warranted.

The MOST important purpose of implementing an incident response plan is to:
A. prevent the occurrence of incidents.
B. ensure business continuity.
C. train users on resolution of incidents.
D. promote business resiliency.

D is the correct answer. Justification: The incident response plan is a means to respond to an event, but does not prevent the occurrence. Business continuity plans, not incident response plans, are designed to restore business operations after a disaster; they cannot assure the actual outcome. The incident management plan may address training users, but the incident response plan does not. Business resilience refers to the ability of the business to withstand disruption. An effective incident response plan minimizes the impact of an incident to the level that it ideally is transparent to end users and business partners.

The effectiveness of an incident response team is BEST measured by the:
A. percentage of incidents resolved within previously agreed-on time limits.
B. number of change requests submitted as a result of reported incidents.
C. percentage of unresolved events still open at the end of any given month.
D. number of incidents originating from external sources.

A is the correct answer. Justification: The goal of incident response is to resolve incidents within agreed-on time limits. The number of change requests related to infrastructure changes simply indicates that there have been required changes to the internal architecture; those change requests may or may not have anything to do with found vulnerabilities or reported incidents. The end of the month is an arbitrary time, unrelated to agreed-on time limits for incident resolution. The source of incidents does not provide input concerning the effectiveness of incident management.

The factor that is MOST likely to result in identification of security incidents is:
A. effective communication and reporting processes.
B. clear policies detailing incident severity levels.
C. intrusion detection system capabilities.
D. security awareness training.

D is the correct answer. Justification: Timely communication and reporting is only useful after identification of an incident has occurred. Understanding how to establish severity levels is important, but it is not the essential element of ensuring that the information security manager is aware of anomalous events that might signal an incident. Intrusion detection systems are useful for detecting IT-related incidents but not useful in identifying other types of incidents, such as social engineering or physical intrusion. Ensuring that employees have the knowledge to recognize and report a suspected incident is most likely to result in identification of security incidents.

To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
A. Assessment of business impact of past incidents
B. Need of an independent review of incident causes
C. Need for constant improvement on the security level
D. Possible business benefits from incident impact reduction

D is the correct answer. Justification: The assessment of business impact of past incidents would need to be completed to articulate the benefits. Having an independent review benefits the incident management process. The need for constant improvement on the security level is a benefit to the organization. Business benefits from incident impact reduction would be the most important goal for establishing an incident management team.

The systems administrator forgot to immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:
A. periodically testing the incident response plans.
B. regularly testing the intrusion detection system.
C. establishing mandatory training of all personnel.
D. periodically reviewing incident response procedures.

A is the correct answer. Justification: Security incident response plans should be tested to find any deficiencies and improve existing processes. Testing the intrusion detection system is a good practice but would not have prevented this situation. All personnel need to go through formal training to ensure that they understand the process, tools and methodology involved in handling security incidents; however, testing of the actual plans is more effective in ensuring that the process works as intended. Reviewing the response procedures is not enough; the security response plan needs to be tested on a regular basis.

The triage phase of the incident response plan provides:
A. a snapshot of the current status of all incident activity reported.
B. a global, high-level view of the open incidents.
C. a tactical review of an incident's progression and resolution.
D. a comprehensive basis for changes to the enterprise architecture.

A is the correct answer. Justification: Triage gives a snapshot based on both strategic and tactical reviews for the purposes of assigning limited resources to where they can be most effective. Triage addresses the tactical level of the incident to be able to determine the best path to resolution, and does not focus exclusively on the high-level view. Triage provides a view on both the tactical and strategic levels and occurs prior to resolution. Triage occurs before root-cause analysis, so it does not provide a comprehensive basis for changes to the enterprise architecture.

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
A. Database server
B. Domain name server
C. Time server
D. Proxy server

C is the correct answer. Justification: The database server would not assist in the correlation and review of the logs. The domain name server would not assist in the correlation and review of the logs. To accurately reconstruct the course of events, a time reference is needed, and that is provided by the time server. The proxy server would not assist in the correlation and review of the logs.

Untested response plans:
A. depend on up-to-date contact information.
B. pose an unacceptable risk to the organization.
C. pose a risk that the plan will not work when needed.
D. are quickly distinguished from tested plans.

C is the correct answer. Justification: While up-to-date contact information is important, it is no more important in an untested plan than would be true for a tested plan. Whether a risk is acceptable or not is a business determination and is not a function of testing. A response plan may prove unworkable upon testing despite appearing to cover all areas as written. Whether a plan has or has not been tested is not quickly apparent from inspection.

B is the correct answer. Justification Continuing an action that has already failed within its allotted time only wastes more time; the team should escalate and move on. Because the investigation process must be time-constrained, if the initial team cannot resolve the incident in the time allotted by the plan, it should escalate resolution to the next level and move on to system recovery. Incident response activity should not stop until the root cause has been determined, so simply skipping to the next action is not appropriate; instead, other teams may need to be called in to divide the work and complete the response plan. A disaster should not be declared until the root cause has been determined or senior management has determined that resolution will take longer than is acceptable for a system outage.

What action should an incident response team take if the investigation of an incident response event cannot be completed in the time allocated? Continue to work the current action. Escalate to the next level for resolution. Skip on to the next action in the plan. Declare a disaster.

B is the correct answer. Justification Notification of law enforcement or senior management may occur in tandem with other activities, but preventing contamination of evidence takes priority; in many organizations, the decision to notify law enforcement is made by senior management. If criminal charges may be filed, preventing contamination of evidence is the foremost concern, because it is what makes later prosecution possible. Activation of the incident response team must be delayed until steps have been taken to prevent contamination of evidence in situations where criminal charges may be filed. Containment is part of an effective incident response strategy, but preventing contamination of evidence takes priority over containment in situations where criminal charges may be filed.

What is the FIRST step in investigating an information security incident for which the organization may want to file criminal charges? Notify law enforcement and senior management Prevent contamination of evidence Activate the incident response team Contain the scope of impact

B is the correct answer. Justification Although line capacity is important from a mirroring perspective, it is secondary to having the necessary processing capacity to restore critical systems. If the data centers are operating at or near capacity, it may prove difficult to recover critical operations at the alternate data center. Differences in logical security are a much easier issue to overcome and are, therefore, of less concern. Synchronization of system software releases is a much easier issue to overcome and is, therefore, of less concern.

What is the MOST important concern when an organization with multiple data centers designates one of its own facilities as the recovery site? Communication line capacity between data centers Current processing capacity loads at data centers Differences in logical security at each center Synchronization of system software release versions

A is the correct answer. Justification Incident management identifies and assesses incidents as they happen. Then it implements improvements to prevent future occurrences. Detecting and documenting incidents is only part of the process; future occurrences need to be addressed and prevented. Risk management occurs outside of the incident management program. Objectives are set based on business need and capabilities are built to meet those objectives.

What makes an incident management program effective? It identifies, assesses and prevents reoccurrence of incidents. It detects and documents incidents. It includes a risk management strategy. It reflects the capabilities of the organization.

B is the correct answer. Justification Identifying the incident means verifying whether an incident has occurred and finding out more details about the incident. After an incident has been confirmed (identified), the incident management team should limit further exposure. Determining the root cause takes place after the incident has been contained. Performing a vulnerability assessment takes place after the root cause of an incident has been determined to determine if the vulnerability has been addressed.

What task should be performed once a security incident has been verified? Identify the incident. Contain the incident. Determine the root cause of the incident. Perform a vulnerability assessment.

A is the correct answer. Justification When defining and establishing effective incident escalation processes, the primary requirement is to state how long a team member should wait for a response and what to do if no response occurs; this is the necessary initial platform for all further steps of an effective escalation process. Knowing how critical an incident is and which business units are impacted is relevant, but when establishing escalation processes it is more important to state how long a person should wait for a response and what to do if none occurs. Communication to stakeholders is part of the incident response process, but it is more important to establish waiting times and alternative responses, because time is of the essence. Informing incident response team managers quickly is relevant, but as an initial aspect it is more important to state how long a person should wait for a response and what to do if no response occurs.

When establishing effective incident escalation processes for the incident response team, it is PRIMARILY necessary to state how: long a member should wait for a response and what to do if no response occurs. critical the incident is and which business units are directly impacted. the incident is communicated to senior managers and other affected stakeholders. incident response team managers are informed quickly about high-risk incidents.
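As an added illustration (not part of the original question set), the escalation rule above can be written down as a chain of tiers with an acknowledgement timeout each, and then evaluated against what actually happened. The tiers, the timeouts and the day used for the timestamps are assumed values; the point is that the policy states, for every tier, how long to wait and who is paged next if nobody answers.

```python
from datetime import datetime, timedelta

# Assumed escalation policy (illustrative, not from the page). Each tier is
# paged in turn; if no acknowledgement arrives within `wait`, the next tier is
# paged as well. The last tier has no further escalation.
POLICY = [
    {"tier": "on-call analyst", "wait": timedelta(minutes=15)},
    {"tier": "IR team lead", "wait": timedelta(minutes=15)},
    {"tier": "information security manager", "wait": timedelta(minutes=30)},
    {"tier": "CIO", "wait": None},
]


def at(hhmm):
    """Helper for readable timestamps on a fixed (assumed) day."""
    return datetime.strptime("2024-03-10 " + hhmm, "%Y-%m-%d %H:%M")


def escalation_state(policy, opened_at, acks, now):
    """Return (tiers paged so far, tier that acknowledged or None).

    acks maps tier name -> acknowledgement time. A tier's acknowledgement stops
    the chain only if it arrives before the next tier's page deadline; a late
    acknowledgement still counts, but the tiers already paged stay paged.
    """
    paged, page_time = [], opened_at
    for level in policy:
        if page_time > now:
            break                       # this page lies in the future
        paged.append(level["tier"])
        next_page = None if level["wait"] is None else page_time + level["wait"]
        ack = acks.get(level["tier"])
        if next_page is None or (ack is not None and ack < next_page):
            break                       # last tier, or acknowledged in time
        page_time = next_page
    acked = [t for t in paged if t in acks and acks[t] <= now]
    return paged, (min(acked, key=lambda t: acks[t]) if acked else None)


if __name__ == "__main__":
    opened = at("10:00")
    scenarios = [
        (at("10:10"), {}),
        (at("10:20"), {}),
        (at("10:20"), {"on-call analyst": at("10:05")}),
        (at("10:40"), {"on-call analyst": at("10:20")}),
        (at("12:00"), {}),
    ]
    for now, acks in scenarios:
        print(now.strftime("%H:%M"), escalation_state(POLICY, opened, acks, now))
```

The fourth scenario is the one the justification warns about: the analyst did answer, but 20 minutes in, so the team lead and the information security manager had already been paged by the time the acknowledgement arrived.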

C is the correct answer. Justification The information security steering committee will be notified later as required by corporate policy requirements. Customers will be notified later as required by corporate policy and regulatory requirements. The data owners should be notified first so they can take steps to determine the extent of the damage and coordinate a plan for corrective action with the computer incident response team. Regulatory agencies will be notified later as required by corporate policy and regulatory requirements.

When the computer incident response team finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should FIRST notify: the information security steering committee. customers who may be impacted. data owners who may be impacted. regulatory agencies overseeing privacy.

A is the correct answer. Justification Implementing a security information and event management (SIEM) process helps ensure that incidents are correctly identified and handled appropriately. Because a SIEM process depends on log analysis against predefined rules, the most effective way to reduce false-positive alerts is to develop use cases for known threats to identified critical systems; the use cases are then used to develop appropriately scoped correlation rules for the SIEM solution. Although security monitoring requires traffic analysis, only properly defined use cases ensure that the rules are accurately defined and that events are properly identified, thereby reducing false-positive alerts. A risk assessment will not by itself reduce false-positive alerts. The quality of the logs can affect alerts but is usually a minor consideration.

Which of the following MOST effectively reduces false-positive alerts generated by a security information and event management process? Building use cases Conducting a network traffic analysis Performing an asset-based risk assessment The quality of the logs
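The following added example (not from the original question set) contrasts a bare rule with a use case written for a known threat against identified critical systems. The authentication events, host names and addresses are constructed, and the list of critical hosts stands in for an asset inventory; both are assumptions of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events in a simplified syslog-like form; not real
# data. 10.1.1.20 and 10.1.1.31 are staff mistyping passwords; 203.0.113.9 is
# guessing accounts on the payroll database and finally gets in.
SAMPLE_EVENTS = """\
2024-03-10T08:00:01Z ssh host=fileserver src=10.1.1.20 user=alice result=FAIL
2024-03-10T08:00:09Z ssh host=fileserver src=10.1.1.20 user=alice result=OK
2024-03-10T08:05:00Z ssh host=payroll-db src=203.0.113.9 user=root result=FAIL
2024-03-10T08:05:03Z ssh host=payroll-db src=203.0.113.9 user=admin result=FAIL
2024-03-10T08:05:06Z ssh host=payroll-db src=203.0.113.9 user=oracle result=FAIL
2024-03-10T08:05:09Z ssh host=payroll-db src=203.0.113.9 user=backup result=FAIL
2024-03-10T08:05:12Z ssh host=payroll-db src=203.0.113.9 user=svc_etl result=FAIL
2024-03-10T08:05:20Z ssh host=payroll-db src=203.0.113.9 user=svc_etl result=OK
2024-03-10T09:00:00Z ssh host=devbox src=10.1.1.31 user=bob result=FAIL
2024-03-10T09:00:04Z ssh host=devbox src=10.1.1.31 user=bob result=FAIL
2024-03-10T09:00:10Z ssh host=devbox src=10.1.1.31 user=bob result=FAIL
"""

# Assumed asset inventory: the systems the use case is scoped to.
CRITICAL_HOSTS = {"payroll-db", "fileserver"}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) ssh host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Parse the sample format into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def naive_rule(events):
    """'Alert on every failed login': every typo becomes an alert."""
    return [ev for ev in events if ev["result"] == "FAIL"]


def brute_force_use_case(events, threshold=5, window=timedelta(seconds=60)):
    """Use case: at least `threshold` failures from one source against one
    critical host inside `window`, followed by a success from that source to
    that host. Only the success that completes the pattern raises an alert."""
    recent = defaultdict(deque)       # (src, host) -> times of recent failures
    alerts = []
    for ev in events:                 # events are assumed to arrive in order
        if ev["host"] not in CRITICAL_HOSTS:
            continue
        key = (ev["src"], ev["host"])
        failures = recent[key]
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()        # drop failures older than the window
        if ev["result"] == "FAIL":
            failures.append(ev["ts"])
        elif len(failures) >= threshold:
            alerts.append({"at": ev["ts"], "src": ev["src"], "host": ev["host"],
                           "user": ev["user"], "failures": len(failures)})
            failures.clear()
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(len(naive_rule(events)), "alerts from the naive rule")
    for alert in brute_force_use_case(events):
        print("brute-force success:", alert)
```

On the sample the bare rule raises nine alerts, eight of them for staff mistyping their passwords; the use case raises one, for the source that guessed five accounts on the payroll database within a minute and then logged in.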

A is the correct answer. Justification A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. Publishing an enterprise-level incident response plan would be effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. Sharing perspectives is valuable, but a working group does not necessarily lead to action ensuring that the interface between plans is workable. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.

Which of the following actions is the BEST to ensure that incident response activities are consistent with the requirements of business continuity? Develop a scenario and perform a structured walk-through. Draft and publish a clear practice for enterprise-level incident response. Establish a cross-departmental working group to share perspectives. Develop a project plan for end-to-end testing of disaster recovery.

B is the correct answer. Justification Rebooting the border router would not stop the footprinting and is not relevant. Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation; footprinting is reconnaissance, not yet an attack, and it would be inappropriate to take any action beyond heightened monitoring at this stage. Updating the IDS software could create a temporary exposure until the new version has been properly tuned. Enabling server trace logging on the demilitarized zone segment would not help identify or respond to perimeter reconnaissance.

Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter? Reboot the border router connected to the firewall Check intrusion detection system logs and monitor for any active attacks Update IDS software to the latest available version Enable server trace logging on the demilitarized zone segment

A is the correct answer. Justification Before the impact of an incident is analyzed, before stakeholders are notified and before the incident is isolated, the report must be validated as a real security incident; each of the other three actions presupposes that confirmation, and acting on an unconfirmed report wastes effort and may itself cause disruption.

Which of the following actions should take place immediately after a security breach is reported to an information security manager? Confirm the incident Determine impact Notify affected stakeholders Isolate the incident

A is the correct answer. Justification A demonstrated ability to restore data is the best way to ensure that data can be restored after a disaster, and data drive the majority of business processes. If an organization is unable to restore its data, it will be of little value to have other considerations in place. On the other hand, if data can be restored, the organization can likely find work-arounds for other challenges that it may face. Having a "warm site" speeds up the process of disaster recovery by providing the facilities and equipment where data can be restored and operations reconstituted. However, if the data themselves cannot be restored, having the facilities and equipment will not be nearly as useful. Performing data backups on a daily or other periodic basis is a best practice, but it is not until recovery is attempted that an organization gains knowledge of whether these backups are effective. Should the organization diligently perform backups for months or years and then discover that it cannot restore the data, all of the time and expense of the backup program will have been wasted. Recovery procedures are documented in the disaster recovery plan rather than in the incident response plan.

Which of the following activities MOST increases the probability that an organization will be able to resume operations after a disaster? Restoration testing Establishment of a "warm site" Daily data backups An incident response plan
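As an added example (not part of the original question set), the following scaled-down restoration test shows what "demonstrated ability to restore" means in practice: the backup is restored into scratch space and the restored files are compared against digests recorded at backup time, while the restore duration is checked against the recovery time objective and the age of the backup against the recovery point objective. The data set, the five-minute RTO and the 24-hour RPO are assumed values; a real test restores onto the recovery infrastructure, not a temporary directory.

```python
import hashlib
import io
import tarfile
import tempfile
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src):
    """Back up a directory to an in-memory tar.gz. Returns
    (archive bytes, manifest of digests, time the backup was taken)."""
    src = Path(src)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src).as_posix())
    return buf.getvalue(), sha256_tree(src), datetime.now(timezone.utc)


def restore_test(archive, manifest, taken_at, rto, rpo, now=None):
    """Restore into scratch space and check integrity, RTO and RPO.
    Returns a result dict; 'passed' is True only when every check passes."""
    now = now or datetime.now(timezone.utc)
    started = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "restored"
        dest.mkdir()
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            # The 'data' filter (3.12+, backported to maintained 3.8-3.11
            # releases) rejects absolute paths and traversal in the archive.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **extra)
        restored = sha256_tree(dest)
    elapsed = timedelta(seconds=time.monotonic() - started)
    result = {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupt": sorted(p for p in manifest
                          if p in restored and restored[p] != manifest[p]),
        "restore_time": elapsed,
        "rto_met": elapsed <= rto,
        "data_age": now - taken_at,
        "rpo_met": now - taken_at <= rpo,
    }
    result["passed"] = (not result["missing"] and not result["corrupt"]
                        and result["rto_met"] and result["rpo_met"])
    return result


def run_demo(hours_later=0.0, tamper=False):
    """Build a small constructed data set, back it up, and run the restore test
    as if `hours_later` hours had passed. With tamper=True one recorded digest
    is altered to show how a mismatch surfaces."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "sub").mkdir(parents=True)
        (src / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,250\n")
        (src / "sub" / "blob.bin").write_bytes(bytes(range(256)) * 4)
        archive, manifest, taken = make_backup(src)
    if tamper:
        manifest["ledger.csv"] = "0" * 64
    return restore_test(archive, manifest, taken,
                        rto=timedelta(minutes=5), rpo=timedelta(hours=24),
                        now=taken + timedelta(hours=hours_later))


if __name__ == "__main__":
    for name, result in [("clean", run_demo()),
                         ("stale", run_demo(hours_later=30)),
                         ("tampered", run_demo(tamper=True))]:
        print(name, "passed" if result["passed"] else "FAILED", result)
```

The "stale" run restores perfectly and well within the RTO but still fails, because a backup older than the RPO would lose more data than the business has accepted; that is the kind of finding a daily backup job alone never surfaces.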

C is the correct answer. Justification Not all information security incidents originate from the network; an intrusion detection system may provide no detection value for a variety of incident types. Diversifying the means of communication increases the odds that information reaches the people to whom it is sent, but it does nothing to ensure that the correct people receive the correct information at the correct time. An incident is not identified within an organization until it is declared, which is a business responsibility beyond the scope of the technical staff. A well-defined and structured communication plan ensures that information flows from the technical staff to decision makers in a timely fashion, allowing incidents to be recognized, declared, and appropriately addressed. Reviewing logs provides an opportunity to identify irregular traffic patterns that may indicate an information security incident, but these logs provide insight into only a subset of attack vectors (e.g., external penetration would generally be covered, but insider threats may not). Additionally, if analysts who identify potentially revealing information do not have mechanisms in place to share those revelations with others in the organization, an effective response is less likely.

Which of the following choices is the MOST important incident response resource for timely identification of an information security incident? A fully updated intrusion detection system Multiple channels for distribution of information A well-defined and structured communication plan A regular schedule for review of network device logs

B is the correct answer. Justification Knowing the security policies and procedures may be important, but this knowledge is not a "must" item for an incident response team to work efficiently. Incident response team members need to work in a disrupted environment; therefore, it is essential that they be clearly aware of their roles and responsibilities prior to engagement. There may be an instance when a digital forensic analyst is needed; in such a case, assigning a qualified professional is a better solution than having the response team learn the skills. A reporting structure is a mandatory component for a team to operate; however, in the case of incident response, the team is usually small and the reporting line may be flat, so it is not a major contributor to efficiency.

Which of the following contributes MOST to incident response team efficiency? Security policies and procedures Defined roles and responsibilities Digital forensic analysis skills Reporting line structure

D is the correct answer. Justification The governance function will determine the strategy and policies that will set the scope and charter for incident management and response capabilities. While response is a component of managing risk, the basis for risk management is determined by governance and strategy requirements. Compliance would not be directly related to this activity, although this function may have representation on the incident response team. The information security manager, or designated manager for incident response, should select the team members required to ensure that all required disciplines are represented on the team.

Which of the following functions is responsible for determining the members of the enterprise's response teams? Governance Risk management Compliance Information security

C is the correct answer. Justification A checklist test does not provide more assurance than a full interruption test; checklist tests are a preliminary step to a real test, in which recovery checklists are distributed to all members of a recovery team to review and to ensure that the checklist is current. A tabletop exercise does not provide more assurance than a full interruption test; tabletop exercises are walk-throughs of the disaster recovery plan (DRP), possibly based on different scenarios, without activating any systems. A full interruption test gives the organization the best assurance because it is the closest test to an actual disaster. It generally involves shutting down operations at the primary site and shifting them to the recovery site in accordance with the recovery plan; this is the most rigorous form of testing. A simulation test does not provide more assurance than a full interruption test; during simulation testing, the recovery team role-plays a prepared disaster scenario without activating processing at the recovery site.

Which of the following gives the MOST assurance of the effectiveness of an organization's disaster recovery plan? Checklist test Tabletop exercise Full interruption test Simulation test

C is the correct answer. Justification Although ensuring that only materials taken from offsite storage are used in the test is important, this is not as critical in determining a test's success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Achieving the recovery time objectives is an important milestone, but it does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.

Which of the following is MOST important in determining whether a disaster recovery test is successful? Only business data files from offsite storage are used. IT staff fully recovers the processing infrastructure. Critical business processes are duplicated. All systems are restored within recovery time objectives.

B is the correct answer. Justification Threats can materialize into an incident only through system vulnerabilities, so it is the vulnerabilities, rather than briefings on new threats, that should be the focus of analysis when considering incident management procedures. Periodic testing and updates to incorporate lessons learned ensure that the incident management response plan remains aligned with, and current to, the business priorities set by business management. Not all members of the incident management response team need to have IS skills; members who take charge of implementing the plan should be able to draw on different skills to ensure alignment with the organization's procedures and policies. It is important that someone take ownership of implementing the incident management plan, for instance to formally declare that the plan is to be invoked after an incident; a nonhierarchical structure can introduce ambiguity as to who is responsible for which aspects of the incident management response plan.

Which of the following is MOST likely to improve the effectiveness of the incident response team? Briefing team members on the nature of new threats to information systems (IS) security Periodic testing and updates to incorporate lessons learned Ensuring that all members have a good understanding of IS technology A nonhierarchical structure to ensure that team members can share ideas

A is the correct answer. Justification A tested business continuity plan/disaster recovery plan is the best indicator that operational risk is managed effectively in the enterprise. Timely reporting of incidents by employees is an indicator, but not the best choice, because it depends on the knowledge of the employees. The extent of risk management education does not necessarily indicate that risk is effectively managed; a high level of risk management education would help but does not mean that risk is managed effectively. Regular review of risks by senior management does not necessarily indicate that risk is effectively managed either; top management involvement would greatly help but does not mean that risk is managed effectively.

Which of the following is the BEST indicator that operational risks are effectively managed in an enterprise? A tested business continuity/disaster recovery plan An increase in timely reporting of incidents by employees Extent of risk management education Regular review of risks by senior management

C is the correct answer. Justification Auditing business process changes will not necessarily keep the DRP maintained. Maintaining the latest configurations does not show how current the recovery process itself is, which is what matters for disaster recovery planning. When a DRP is properly tested, the results of the tests reveal shortcomings and opportunities for improvement, so regular testing is the best confirmation that the plan is current. Maintaining the personnel contact list indicates who is to be involved in the DRP; although it is one indication of how current the DRP is, the plan also depends on suppliers, customers and vendors for its success, so the contact list alone does not confirm it.

Which of the following is the BEST way to confirm that disaster recovery planning is current? Audits of the business process changes Maintenance of the latest configurations Regular testing of the disaster recovery plan Maintenance of the personnel contact list

B is the correct answer. Justification The type and severity of the attack should be assessed only once the incident has been confirmed as valid. An administrator performing routine maintenance may trigger a false-positive alarm from the intrusion detection system, so the alert must be validated as a real incident before any other action is taken. Damage should be contained and risk minimized after the incident has been confirmed and its type and severity are known. Minimizing the disruption of computer resources is one of the goals of incident response, not its first step.

Which of the following is the FIRST step after the intrusion detection system sends out an alert about a possible attack? Assess the type and severity of the attack. Determine whether it is an actual incident. Contain the damage to minimize the risk. Minimize the disruption of computer resources.

D is the correct answer. Justification Testing on weekends can be advantageous, but this is not the most important choice. Because vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses defined in advance. Although it would be ideal to provide for identical equipment at the hot site, this is not always practical because multiple customers must be served and equipment specifications will vary. Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result.

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site? Tests are scheduled on weekends. Network Internet Protocol addresses are predefined. Equipment at the hot site is identical. Business management actively participates.

A is the correct answer. Justification In a major disaster, staff can be injured or prevented from travelling to the hot site, so technical skills and business knowledge can be lost. It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location; without the detailed technical plan, business recovery will be seriously impaired. Continuity of the business also requires adequate network redundancy, hot site infrastructure that is certified as compatible and clear criteria for declaring a disaster; ideally, the business continuity program addresses each of these satisfactorily, but none of them is of use if the recovery plan itself is unavailable when it is needed.

Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster? Detailed technical recovery plans are maintained offsite Network redundancy is maintained through separate providers Hot site equipment needs are recertified on a regular basis Appropriate declaration criteria have been established

C is the correct answer. Justification The fact that most new viruses' signatures are identified over weekends is secondary to leaving systems vulnerable during the intervening week. The fact that technical personnel are not available is secondary to leaving systems vulnerable during the intervening week. Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. The fact that success or failure is not known until Monday is secondary to leaving systems vulnerable during the intervening week.

Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (2300 hrs.)? Most new viruses' signatures are identified over weekends. Technical personnel are not available to support the operation. Systems are vulnerable to new viruses during the intervening week. The update's success or failure is not known until Monday.

D is the correct answer. Justification The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster. The RTO is not a factor in determining the RPO. The RPO would have already taken cost into consideration. The service delivery level is directly related to the business needs. It is the level of services to be reached during the alternate process mode until the normal situation is restored. The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Which of the following items is MOST important to determine the recovery point objective for a critical process in an enterprise? The number of hours of acceptable downtime The total cost of recovering critical systems The acceptable reduction in the level of service The extent of data loss that is acceptable

B is the correct answer. Justification The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. The statement did not mention the time for the restoration to be concluded. The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of interruption. The statement allows for the loss of current day's data. Directly related to the business needs, the service delivery objective (SDO) is the level of services to be reached during the alternate process mode until the normal situation is restored. The SDO is the acceptable level of service within the RTO. The maximum tolerable outage is the maximum time that an enterprise can support processing in alternate mode.

Which of the following measurements is integrated into the incident response plan by the statement "If the database is corrupted by an incident, the backup at the close of work on the previous day should be restored."? The recovery time objective The recovery point objective The service delivery objective The maximum tolerable outage

D is the correct answer. Justification Security technologies are not typically the cause of substantial challenges in building effective security processes. Security policies rarely define all stakeholders, and notification of stakeholders is typically outside the scope of initial incident management; escalation processes are in any case defined in procedures rather than in policies, which makes the definition of escalation paths the greater concern. Control of incidents by process owners is not a primary requirement of effective security incident management. Inadequately defined escalation paths may result in a lack of adequate authority, substantial delays, failure to notify the appropriate individuals and other significant negative impacts.

Which of the following poses the GREATEST challenge to establishing effective security incident management processes? Security technologies are not kept up to date. Stakeholders are not defined within security policies. Incidents are not controlled by process owners. Escalation paths are insufficiently defined.

B is the correct answer. Justification Intrusion detection systems can detect and notify of a potential attack but provide no information on subsequent breaches, making them less effective at identifying persistent threats than SIEM systems. Security information and event management (SIEM) systems can identify incidents or potential incidents, prioritize them according to potential impact, track incidents until they are closed and provide substantial trend analysis over time. Vulnerability scanning tools identify weaknesses in systems and networks that correspond to known, published patterns; in general, advanced persistent threats (APTs) involve exploits that are outside the scope of published vulnerabilities, making vulnerability scanning a limited countermeasure with regard to APTs. Integrated network management typically provides only a limited subset of the capabilities of a fully implemented SIEM.

Which of the following technologies is likely to be the MOST useful in countering advanced persistent threats? Anomaly-based intrusion detection system Security information and event management system Automated vulnerability scanning tools Integrated network management system

B is the correct answer. Justification With checklist tests, copies of the business continuity plan are distributed to various persons for review; in these tests, people do not exercise the plan. In simulation tests, business continuity coordinators come together to practice executing the plan based on a specific scenario; this does not interrupt normal operations and provides the most assurance of the given nonintrusive methods. In walk-through tests, representatives come together to go over the plan (one or more scenarios) and ensure the plan's accuracy; the plan itself is not executed. Full operational tests are the most intrusive to regular operations and business productivity: the original site is actually shut down and processing is performed at another site, which provides the most assurance but interrupts normal business productivity.

Which of the following tests gives the MOST assurance that a business continuity plan works, without potentially impacting business operations? Checklist tests Simulation tests Walk-through tests Full operational tests

C is the correct answer. Justification The time to detect is a measure of detection capability, which is typically provided by automated controls. Time between detection and determining severity is a part of response. Readiness is the time it takes from detection to initiate a response. The first time that the incident response team typically becomes aware of an event is when an alert is provided by monitoring mechanisms. Time between incident and resolution is a function of response capability.

Which of the following would be the BEST indicator of the readiness of the incident response team in the context of the overall incident management program? Amount of time for incident detection Time between incident detection and severity determination Time between detection and response Amount of time between incident occurrence and its resolution
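The four answer options are four different intervals on an incident's timeline. As an added example (not from the original question set), the following computes each of them from constructed incident records and flags the incidents where the team missed an assumed 30-minute readiness target; the records, the milestones and the target are all assumptions of the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed incident records, not real data. 'occurred' is the start time
# established during analysis; the other fields are logged by the ticketing
# system when each milestone is reached.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01 02:00", "detected": "2024-03-01 08:30",
     "severity_set": "2024-03-01 08:50", "response_started": "2024-03-01 09:10",
     "resolved": "2024-03-02 17:00"},
    {"id": "INC-2", "occurred": "2024-03-05 14:00", "detected": "2024-03-05 14:05",
     "severity_set": "2024-03-05 14:15", "response_started": "2024-03-05 14:20",
     "resolved": "2024-03-05 16:00"},
    {"id": "INC-3", "occurred": "2024-03-09 22:00", "detected": "2024-03-10 09:00",
     "severity_set": "2024-03-10 09:15", "response_started": "2024-03-10 09:40",
     "resolved": "2024-03-11 12:00"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def intervals(inc):
    """The four durations behind the four answer options, for one incident."""
    return {
        # detection capability (monitoring controls), not team readiness
        "detection": _t(inc["detected"]) - _t(inc["occurred"]),
        # triage: part of the response, not a readiness measure on its own
        "severity": _t(inc["severity_set"]) - _t(inc["detected"]),
        # readiness: how quickly the team engages once it has been told
        "readiness": _t(inc["response_started"]) - _t(inc["detected"]),
        # overall response capability, end to end
        "resolution": _t(inc["resolved"]) - _t(inc["occurred"]),
    }


def program_metrics(incidents, readiness_target=timedelta(minutes=30)):
    """Median of each interval across incidents, plus the incidents in which
    the team missed the (assumed) readiness target."""
    per_incident = [intervals(i) for i in incidents]
    summary = {name: median(p[name] for p in per_incident) for name in per_incident[0]}
    summary["readiness_breaches"] = [i["id"] for i, p in zip(incidents, per_incident)
                                     if p["readiness"] > readiness_target]
    return summary


if __name__ == "__main__":
    for name, value in program_metrics(INCIDENTS).items():
        print(f"{name:>20}: {value}")
```

On the sample data the median detection interval is six and a half hours, which says something about the monitoring controls, while the median readiness interval is 40 minutes and two of the three incidents breach the target, which says something about the team.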

D is the correct answer. Justification The maximum tolerable outage, the amount of time the organization can operate in alternate mode, would normally exceed the AIW. While a difference in operating system versions might cause a delay, it would probably be minor. Service delivery objectives (SDOs) are directly related to the business needs. The SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. Not meeting SDOs on some systems might be a concern, but would not necessarily lead to the conclusion that the test was a failure. Exceeding the acceptable interruption window (AIW) would cause the organization significant damage and must be avoided. The acceptable interruption window is the maximum period of time that a system can be unavailable before compromising the achievement of the enterprise's business objectives.

While a disaster recovery exercise in the organization's hot site successfully restored all essential services, the test was deemed a failure. Which of the following circumstances would be the MOST likely cause? The maximum tolerable outage exceeded the acceptable interruption window (AIW). The recovery plans specified outdated operating system versions. Some restored systems exceeded service delivery objectives. Aggregate recovery activities exceeded the acceptable interruption window.

A is the correct answer. Justification "Slack space" is the unused space between the end of a file's data and the end of the last cluster the file occupies. Because the file system does not overwrite it when a shorter file is written, it can hold remnants of previously deleted files or data deliberately hidden there, which is why it is examined during an investigation. Login information is not typically stored in the slack space. Slack space is not encrypted any differently from the rest of the file system. Slack space is not a viable means of storage during an investigation.

Why is "slack space" of value to an information security manager as part of an incident investigation? Hidden data may be stored there. The slack space contains login information. Slack space is encrypted. It provides flexible space for the investigation.
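The following added example (not part of the original question set) simulates the mechanism with a toy volume: a cluster is written by one file, the file is deleted, and a shorter file later lands in the same cluster. The ordinary read of the new file shows nothing unusual; the slack of the same cluster still carries the old content. The cluster size, the volume layout and the file contents are all constructed for illustration.

```python
import re

CLUSTER = 512   # allocation unit size of the simulated volume (assumed)


class ToyVolume:
    """A volume simulated with a bytearray. Files are single-cluster and
    tracked only as (cluster, logical size), the way a minimal FAT would."""

    def __init__(self, clusters=8):
        self.disk = bytearray(CLUSTER * clusters)
        self.files = {}                      # name -> (cluster, size)

    def write(self, name, cluster, data):
        if len(data) > CLUSTER:
            raise ValueError("single-cluster files only in this toy")
        start = cluster * CLUSTER
        # Only the file's own bytes are written; the remainder of the cluster is
        # left as it was, which is what real file systems do too.
        self.disk[start:start + len(data)] = data
        self.files[name] = (cluster, len(data))

    def delete(self, name):
        del self.files[name]                 # metadata only, the data stays

    def read(self, name):
        """What an ordinary open()/read() of the file returns."""
        cluster, size = self.files[name]
        start = cluster * CLUSTER
        return bytes(self.disk[start:start + size])

    def slack(self, name):
        """The bytes from the logical end of file to the end of its cluster."""
        cluster, size = self.files[name]
        start = cluster * CLUSTER
        return bytes(self.disk[start + size:start + CLUSTER])


def carve_strings(blob, min_len=6):
    """Printable-ASCII runs, the same idea as the 'strings' utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def demo():
    """Constructed scenario: an intruder's note is deleted and a small, harmless
    file later lands in the same cluster. Returns what each view shows."""
    vol = ToyVolume()
    note = (b"TODO before cleanup:\n"
            + b"upload customers.csv to 203.0.113.50 then wipe bash_history\n" * 2)
    vol.write("note.txt", cluster=3, data=note)
    vol.delete("note.txt")
    vol.write("README", cluster=3,
              data=b"This cluster now holds a harmless README file.\n")
    return {
        "logical": vol.read("README"),
        "slack_len": len(vol.slack("README")),
        "slack_strings": carve_strings(vol.slack("README")),
    }


if __name__ == "__main__":
    out = demo()
    print("logical view:", out["logical"])
    print("slack bytes :", out["slack_len"])
    for s in out["slack_strings"]:
        print("in slack    :", s)
```

The first carved string is cut off mid-word because the new file overwrote the start of the cluster; the second line of the note survives intact. This is why forensic images are taken of whole clusters and not by copying files, and why simply deleting or overwriting a file with shorter content does not remove what was there.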

