Domain 4 - Information Security Incident Management

When a significant security breach occurs, what should be reported first to senior management?

An explanations of the incident and corrective action taken

The information security manager identifies a vulnerability in a publicly exposed business application during risk assessment activities. The NEXT step he/she should take is: 1) Containment 2) Eradication 3) Analysis 4) Recovery

Analysis

What is the FIRST priority when responding to a major security incident? 1) Documentation 2) Monitoring 3) Restoration 4) Containment

Containment

In addition to back up data, what is the MOST important to store offsite in the event of a disaster?

Copies of the business continuity plan

Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site? 1) Cost to build a redundant processing facility and location 2) Daily cost of losing critical systems and recovery time objectives 3) Infrastructure complexity and system sensitivity 4) Critically results from business impact analysis

Cost to build a redundant processing facility and location

in the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. What is the first course of action in the investigative process?

Create a bit-by-bit image of the original media source onto new media

Which of the following choices should be assessed after the likelihood of a loss event has been determined? 1) The magnitude of impact 2) Risk tolerance 3) The replacement cost of assets 4) The book value of assets

The magnitude of impact

Different types of tests exist for testing the effectiveness of recovery plans. What occurs during a parallel test that does not occur during a simulation test? ***Read book***

The recovery sites brought to operational readiness

What is best confirming that the BCP/DRP objectives have been achieved?

The recovery time objectives was not exceed during testing

Which of the following is the MOST important element to ensure the successful recovery business during a disaster? 1) Detailed technical recovery plans are maintained 2) Network redundancy is maintained 3) Hot site equipment need are re certified on a regular basis 4) Appropriate declaration criteria have been established

Detailed technical recovery plans are maintained

What capabilities is most important for an effective incident management process? the organization's capability to:

Detect the incident

What is the best method of determining the impact of DDoS attack on a business?

Determine the criticality of the affected services

An organization has verified that it's customer information was recently exposed. What is the first step a sec manager should take?

Determine the extent of the compromise

Which of the following is MOST closely associated with a business continuity program? 1) Confirming that detailed technical recovery plan exist 2) Periodically testing network redundancy 3) Updating the hot site equipment configuration every quarter 4) Developing recovery time objectives for critical functions

Developing recovery time objectives for critical functions

The best time to determine who should be responsible for declaring a disaster is:

During the establishment of the plan

What is the BEST method for mitigating against network DoS attacks?

Employ packet filtering to drop suspect packets

The primary purpose of involving third-party for carrying out postincident reviews of information security incident is to:

Enable independent and objective review of the root cause of the incidents

What is the most important to verify to ensure the availability of key business processes at alternate site?

End-to-end transaction flow

The primary reason for senior management review of information security incidents is to:

Ensure adequate corrective actions were implemented

Which of the following is MOST important when collecting evidence for forensics analysis?

Ensure the assignment of qualified personnel

When an organization is using an automated tool to manage and house its business continuity plans, Which of the following is the PRIMARY concern? 1) Ensuring accessibility should a disaster occur 2) Versioning control as plans are modified 3) Broken hyperlinks to resources stored elsewhere 4) Tracking changes in personnel and plan assets

Ensuring accessibility should a disaster occur

At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility? 1) Erase data and software from devices 2) Conduct a meeting to evaluate the test 3) Complete an assessment of the hot site provider 4) Evaluate the results from all test scripts

Erase data and software from devices

Which of the following is a key component of an incident response policy? 1) Updated call trees 2) Escalation criteria 3) Press release templates 4) Critical backup files inventory

Escalation criteria Escalation criteria , indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy.

When creating a forensic image of a hard drive, what should be the first step?

Establish a chain of custody log

What is the most important factor in a forensic investigation?

Expertise of resources

Why is "slack space" of value to an information security manager as part of an incident investigation?

Hidden data may be stored there Note: Slack space is the unused space between where the file data end and the end of the cluster the data occupy.

The postincident review of a security incident revealed that there was a process that was not monitored. As a result monitoring functionality has been implemented. which of the following may BEST be expected from this remediation?

Improvement in identification

When properly tested, what would MOST effectively support an information security manager in handling a security breach?

Incident response plan

Which of the following should be determined FIRST when establishing a business continuity program? 1) Cost to rebuild information processing facilities 2) Incremental daily cost of the unavailability of systems 3) Location and cost of offsite recovery facilities 4) Composition and mission of individual recovery teams

Incremental daily cost of the unavailability of systems

Which functions is responsible for determining the members of the enterprise's response teams?

Information security

What is the FIRST action an information security manager should take when a company laptop is reported stolen?

Initiate (آغازکردن) appropriate incident response procedures

An organization has been experience a number of network-based security attacks that all appear to originate internally. What is the best course of action?

Install an intrusion detection system

A database was compromised by guessing the password for a shared administrative account and confidential customer was stolen. The information security manager was able to detect this breach by analyzing what?

Invalid logon attempts

What is most useful to an incident response team determining the severity level of reported security incidents?

Involving managers from affected operational areas

Which of the following actions should be taken when an online trading company discovers a network attack in progress? 1) Shut off all network access points 2) Dump all event logs to removable media 3) Isolate the affected network segment 4) Enable trace logging on all events

Isolate the affected network segment

what is MOST important when a server is infected with a virus?

Isolate the infected servers from the network

Which of the following represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:

Kept in the tape library pending further investigation

When electronically stored information is requested during a fraud investigation, what should be the first priority?

Locating the data and preserving the integrity of the data

Recovery point objectives can be used to determined:

Maximum tolerable period of data loss

A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager? 1) Ensure that all operating system patches are up to date 2) Block inbound traffic until a suitable solution is found 3) Obtain guidance from the firewall manufacture 4) Commission a penetration test

Obtain guidance from the firewall manufacture

The typical requirement for security incidents to be resolved quickly and service restored is:

Often in conflict with effective problem management

The PRIMARY way in which incident management adds value to an organization is by:

Optimizing risk management efforts

The effectiveness of an incident response team is best measured by the:

Percentage of incident resolved within previously agreed-on time limits

Although control effectiveness has recently been tested, a serious compromise occurred. What is the FIRST action that the information security manager should take? 1) Evaluate control objectives 2) Develop more stringent controls 3) Perform a root cause analysis 4) Repeat the control test

Perform a root cause analysis

The systems administrator forgot to immediately notify the security officer about a malicious attack. An information security manager could prevent this situation by:

Periodically testing the incident response plans

To justify the establishment of an incident management team, an information security manager would find which of the following to be the most effective?

Possible business benefits from incident impact reduction

What is the primary focus if an organization considers taking legal action on a security incident?

Preserving the integrity of the evidence

What is the most appropriate for collecting and preserving evidence?

Proven forensic process

Which of the following would a security manager establish to determine the target for restoration of normal processing? 1) RTO 2) Maximum tolerable outage 3) RPO 4) Service delivery objectives

RTO

Read Book

Read Book

A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic process have been followed. What is the most appropriate next step?

Rebuild the server with original media and relevant patches

The main mail server of a financial institution has been compromised at the superuser level; the only way to ensure that the system is secure would be:

Rebuild the system from the original installation medium

Which of the following recovery strategies has the greatest chance of failure? 1) Hot site 2) Redundant site 3) Reciprocal arrangement 4) Cold site

Reciprocal arrangement Note: Read book's answere

What is the primary factor to be taken into account when designing a backup strategy that will be consistent with a disaster recovery strategy?

Recovery point objective Note: Read book

During the security review of organization it found that confidential HR data was accessible to all user. What is the FIRS step?

Report this situation to data owner

The recovery time objective is reached at which milestone?

Restoration of the system

What has the highest priority when defining an emergency response plan?

Safety of personnel

The factor that is most likely to result in identification of security incidents is:

Security Awareness training

Name of the greatest risk to information security?

Security incident are investigated in five business days

The acceptability of a partial system recovery after a security incident is most likely to be based on the:

Service level objective Note: A prior determination of acceptable levels of operation in the event of an outage is the SDO

A computer incident response team manual PRIMARY contain which of the following documents? 1) Risk assessment result 2) Severity criteria (شدت) 3) Emergency call tree directory 4) Table of critical backup files

Severity criteria (شدت)

Which tests gives the most assurance that a business continuity plan works, without potentially impacting business operations?

Simulation test

A password hacking tool was used to capture detailed bank account information and personal identification numbers. Upon confirming the incident, the nest step is to:

Start containment

What is the PRIMARY basis for a detailed business continuity plan?

Strategies validated by senior management

Which of the following is the MOST serious of automatically updating virus signature files on every desktop each Friday 11:pm? 1) Most new virus's signatures are identified over weekends 2) Technical personnel are not available to support the operation 3) Systems are vulnerable to new viruses during the intervening week 4) The update's success or failure is not known until Monday

Systems are vulnerable to new viruses during the intervening week

A root kit was used to capture detailed accounts receivable information. What is the next step to ensure admissibility of evidence from legal standpoint., once the incident has been identified and server isolated? 1) Document how the attack occurred 2) Notify law enforcement 3) Take an image copy of the media 4) Close the accounts receivable systems

Take an image copy of the media

The primary selection criterion for an offsite media storage facility is:

That the primary and offsite facilities are not subject to the same environment disasters

A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a ho site. Which of the following would be the greatest weakness in recovery capability? 1) Exclusive use of the hot site is limited to six weeks 2) The hot site may have to be shared with other customers 3) The time of declaration determines site access priority 4) The provider services all major companies in the area

The provider services all major companies in the area

How does a security information and event management (SIEM) solution MOST likely detect the existence of an advanced persistent threat in its in infrastructure? 1) Through analysis of the network traffic history 2) Through stateful isnpection of firewall packets 3) Through identification of zero-day attacks 4) Through vulnerability assessment

Through analysis of the network traffic history

To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

Time server

An organization has just experienced a major incident that has caused interruption to critical business processes. What is the PRIMARY reason to conduct a post-incident review?

To determine the root cause of the crisis and take steps to prevent re-occurrence

Why should an incident management team conduct a post incident review? 1) To identify relevant electronic evidence 2) To identify lesson learned 3) To identify the hacker 4) To identify affected areas

To identify lesson learned

What is the PRIMARY objective of a postincident review in incident response?

To improve the response process (Find any weakness in current process and improve it.)

What is the primary purpose of maintaining an information security incident history ?

To record progress and document exceptions

An employee has found a suspicious file in a server. The employee thinks the file is a virus and contacts the information security manager. What is the first step to take?

Verify whether the file is malicious

A virus incident has been reported and eradicated. The info sec manager is MOST interested in knowing the: 1) Intrusion detection system configuration 2)Type and payload of the virus 3) Virus entry path 4) Origin of the virus

Virus entry path

Observations made by staff during a disaster recovery test are primarily reviewed to:

determine lessons learned

While defining incident response procedures, an information security manager must primarily focus on:

meeting service delivery objectives

The primary objectives of incident response is to:

minimize business disruption

When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken? 1) Reboot the router connecting the DMZ to the firewall 2) Power down all servers located on the dmz 3) monitor the probe and isolate the affected segment 4) Enable server trace logging on the affected segment

monitor the probe and isolate the affected segment

When a major vulnerability in the security of a critical web server is discovered, immediate notification should be made to the:

system owner to take corrective action

Which of the following situations would be of the MOST concern to a security manager? 1) Audit log are not enabled on a production server 2) The logon ID for a terminated systems analyst still exist on the system 3) The help desk has received numerous results of users receiving phishing mails 4) A Trojan was found to be installed on a system administrator's laptop

A Trojan was found to be installed on a system administrator's laptop

Evidence form a compromised server must be acquired (بدست اوردن). what would be the best source?

A bit-level copy of the hard drive

What is the primary basis for making a decision to establish an alternate site for disaster recovery?

A business impact analysis, Which identifies for requirements for availability of critical business process

Which of the following choices is the best input for the definition of escalation guidelines?

A risk and impact analysis Note: A risk and impact analysis will be a basis for determining what authority levels are needed to respond to particular incident

The triage phase of the incident response plan provides: 1) A snapshot of the current status of all incident activity reported 2) A global, high-level view of the open incidents 3) A tactical review of incident's progression and resolution 4) A comprehensive basis for changes to the enterprise architecture

A snapshot of the current status of all incident activity reported

What is the best indicator that operational risk is effectively managed in an enterprise?

A tested business continuity plan/disaster recovery plan

What is the primary factor that should be taken into consideration when designing the technical solution for a disaster recovery site?

Allowable interruption window (AIW) Note: Read book

The primary factor determining maximum tolerable outage is:

Available resources

The recovery point objectives requires which of the following? 1) Disaster declaration 2) Before-image restoration 3) System restoration 4) After-image processing

Before-image restoration

A new email virus that uses an attachment disguised as a picture file is spreading rapidly over the internet. Which of the following should be performed FIRST in response to this threat? 1) Quarantine all picture files stored on file servers 2) Block all emails containing picture file attachments 3) Quarantine all mails severs connected to the internet 4) Block incoming internet mail but permit outgoing mail

Block all emails containing picture file attachments

Book

Book

Prioritization of incident response activities is driven primarily by a:

Business impact analysis

Which of the following processes is critical for deciding prioritizing of actions in a business continuity plan? 1) Business impact analysis 2) Risk assessment 3) Vulnerability assessment 4) Business process mapping

Business impact analysis Note: Business process mapping is translating business prioritization to IT prioritization

An organization determined that if its email system failed for three days, the cost to the organization would be eight times greater than if it could be recovered in one day. This determination MOST likely was the result of: 1) Disaster recovery plan 2) Business impact analysis 3) Site proximity analysis 4) Full interruption testing

Business impact analysis Note: - Site proximity analysis: is a consideration during disaster recovery planning for locating your recovery site. - Full interruption testing : is used to validate disaster recovery plan

Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site? 1) Tests are schedule on weekends 2) Network internet protocol addresses are predefined 3) Equipment at the hot site is identical 4) Business management actively participates

Business management actively participates

When performing a business impact analysis, which of the following should calculate the recovery time and cost estimates? 1) Business continuity coordinator 2) Information security manager 3) Business process owners 4) IT management

Business process owners

What is the primary consideration when defining recovery time objectives for information assets?

Business requirements

What is the most important objectives of a postincident review?

Capture lessons learned to improve the process

What is the most critical consideration when collecting and preserving admissible evidence during an incident response?

Chain of custody

What is the most important aspect of forensic investigations that will potentially involve legal action?

Chain of custody

Which of the following should be taken when an information security manager discovers the network perimeter? 1) Reboot the border router connected to the firewalls 2) Check intrusion detection system logs and monitor for any active attacks 3) Update IDS software to the latest available version 4) Enable server trace routing on the DMZ segment

Check intrusion detection system logs and monitor for any active attacks

What is the first action to take when a fire spreads throughout the bullring?

Check the facility access logs

Who would be in the best potion to determine the recovery point objectives for business jollifications?

Chief Operations Officer

Which of the following is the MOST important consideration for an organization interacting with the media during of a disaster? 1) Communication specially drafted messages by an authorized person 2) Refusing to comment until recovery 3) Referring the media to the authorities 4) Reporting the losses and recovery strategy to the media

Communication specially drafted messages by an authorized person

Which of the following should be performed FIRST in the aftermath of DoS attack? 1) Restore servers from backup media stored offsite 2) Conduct an assessment to determine system status 3) Perform an impact analysis of the outage 4) Isolate the screened subnet

Conduct an assessment to determine system status

During a business continuity plan test, one department discovered that its new software application was not going to be restored soon enough to meet the needs of the business. This situation can be avoided in the future by:

Conducting a periodic and event-driven business impact analysis to determine the needs of the business during a recovery

A customer credit card database has been reported as being breached by hackers. What is the FIRST step in dealing with this attack?

Confirm the incident

what action should take place immediately after a security breach is reported to an information security manager?

Confirm the incident

What task should be performed after a security incident has been verified?

Contain then incident

Which of the following is MOST important in determining whether a disaster recovery test is successful? 1) Only business data files form offsite storage are used 2) IT staff recovers the processing infrastructure 3) Critical business process are duplicated 4) All systems are restored within recovery time objectives

Critical business process are duplicated

What is the MOST important concern when an organization with multiple data centers designates one of its own facilities? 1) Communication line capacity between data centers 2) Current processing capacity loads at data centers 3) Differences in logical security at each center 4) Synchronization of system software release versions

Current processing capacity loads at data centers Note: Communication line capacity between data centers is secondary concern.

When the computer incident response team finds clear evidence that a hacker has penetrated the corporate network and modified customer information, an information security manager should first notify?

Data owner who may be impacted