Final review CP
In a CPMT, the _________ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort .
champion
Companies may want to consider budgeting for contributions to employee loss expenses (such as funerals) as well as for counseling services for employees and loved ones as part of
crisis management budgeting
An organization aggregates all local backups to a central repository and then backs up that repository to an online vendor with a _________ backup strategy.
disk-to-disk-to-cloud
From the detailed scenarios they create, the BIA planning team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario __________.
end case
A CP project should have a ramrod, an executive or a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the effort. true or false
false
A blue pill is a software program or module of code that enables ongoing privileged access to a computer while actively hiding its presence from the system kernel as well as human administrators. true or false
false
A denial of service is a malware payload that provides access to a system by bypassing normal access controls. true or false
false
A disaster recovery plan (DR plan) deals with identifying, classifying, responding to, and recovering from an incident. true or false
false
A hacker is an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems. true or false
false
A simulation is the CP testing strategy in which copies of the appropriate plans are distributed to all individuals who will be assigned roles during an actual incident or disaster; each individual reviews the plan and validates its components true or false
false
A system stability verifier is an application that reviews monitored files to detect unauthorized creation, modification, and deletion. true or false
false
A worm is a type of malware that is attached to other executable programs. true or false
false
An active sensor is a software or hardware monitor that is placed in the flow of network traffic in order to review the traffic and report back to a management application. true or false
false
An event is an adverse event that violates the security of an organization and represents a potential risk of loss of the confidentiality, integrity, or availability of its assets and ongoing operations. true or false
false
Disk mirroring is a RAID implementation in which one logical volume is created by storing data across several available hard drives in segments.true or false
false
Establishing the scope and responsibilities of the CSIRT is one of the last tasks the IRPT performs when forming the CSIRT. true or false
false
For recovery from an incident (as opposed to a disaster), archives are used as the most common solution. true or false
false
In computer-based training, trainees attend a seminar presentation at their computers. true or false
false
In many situations, businesses can recover from a disaster by using the cloud and automation tools to automate the forensics process. true or false
false
Incident footprinting is the process of evaluating the circumstances around organizational events, determining which events are possible incidents, and determining whether a particular event constitutes an actual incident. true or false
false
Individuals with the authorization and privileges to manage information within the organization have the lowest opportunity to cause harm or damage by accident. true or false
false
Like any major project or process within an organization, the CP process will fail without the clear and formal commitment of junior executive management. true or false
false
Platform as a Service is a service model in which entire computer systems, including OS and application resources, are made available for whatever the organization wants to implement. true or false
false
Pretexting is when an attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site in an effort to extract personal or confidential information. true or false
false
RAID is an acronym for Redundant Array of Incident-Recovery Drives. true or false
false
Regardless of which IR model an organization chooses, multiple employees should be in charge of incident response. true or false
false
Risk analysis is the probability that a specific vulnerability within an organization will be attacked by a threat. true or false
false
Scoring utilities are tools used to identify which computers are active on a network as well as which ports and services are active on the computers, what function or role the machines may be fulfilling, and so on. true or false
false
The emergence of cloud computing technologies and practices has had little or no effect on the world of contingency planning and operations. true or false
false
The failure of an IDPS to react to an actual attack event is called residual response. true or false
false
The final step in the development of the CSIRT involves obtaining management support and buy-in. true or false
false
The phrase "right-of-bang" refers to events and actions before the incident is contained. true or false
false
The primary budgetary expense for DR is hardware. true or false
false
To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, unlikely, and definite. true or false
false
Tweaking is the process of adjusting an IDPS to maximize its efficiency in detecting true positives while minimizing both false positives and false negatives. true or false
false
An understanding of the potential consequences of a successful attack on an information asset by a threat is known in the risk analysis process as __________.
impact
The _________ is the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption.
maximum tolerable downtime
While a security operations center is designed to __________, a CSIRT focuses on __________.
monitor all security operations; responding to incidents
Which of the following terms refers to an information security professional with authorization to attempt to gain system access in an effort to identify and recommend resolutions for vulnerabilities in those systems?
penetration tester
Which of the following is not a "probable indicator" of an incident?
presence or execution of unknown programs or processes
The entire program of planning for and managing risk to information assets in the organization is referred to as __________.
risk management
A(n) _________ is often included in legal documents to ensure that a vendor is not liable for actions taken by a client.
statement of indemnification
A daily backup backs up only files that were modified on that day—a date-specific incremental backup. true or false
true
A rainbow table is a list of hash values and their corresponding plaintext values that can be used to look up password values if an attacker is able to steal a system's encrypted password file. true or false
true
An intrusion detection and prevention system is like a network burglar alarm. true or false
true
Apprehend and prosecute is an organizational CP philosophy for incident response and digital forensics that focuses on the collection and preservation of potential evidence when responding to and recovering from an incident, with the expectation of possibly finding and prosecuting the attacker. true or false
true
Effective contingency planning begins with effective policy. true or false
true
Event correlation involves examining logs from multiple systems and identifying trends or indicators of attacks across those multiple systems. true or false
true
In contingency planning, an adverse event that actually threatens the security of the organization's information assets is called an incident. true or false
true
Integrity is an attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems. true or false
true
Intellectual property (IP) includes trade secrets, copyrights, trademarks, and patents. true or false
true
It is the responsibility of InfoSec personnel to deter and, where possible, prevent unethical and illegal acts. true or false
true
Noise is the ongoing activity from alarm events that are accurate and noteworthy but not necessarily as significant as potentially successful attacks. true or false
true
Policies are living documents that must be nurtured, given that they are constantly changing and growing. true or false
true
Some experts argue that the two components of business resumption planning—disaster recovery planning and business continuity planning (BCP)—are so closely linked that they are indistinguishable true or false
true
The C.I.A. triad is the industry standard for computer security since the development of the mainframe and is based on three characteristics that describe the utility of information. true or false
true
The combination of the IP address and the port is usually called a socket. true or false
true
The first stage of a tape-based backup and recovery process is the scheduling of the backups, coupled with arranging the storage of the media. true or false
true
The transference risk treatment strategy attempts to shift risk to other assets, other processes, or other organizations. true or false
true
When the IR process cannot contain and resolve an incident, the company turns to the disaster recovery and business continuity plans to help restore normal operations quickly. true or false
true
While the SOC is designed to monitor all security operations, the CSIRT focuses on responding to incidents. true or false
true
The process of adjusting a technical control to maximize its efficiency in detecting true positives while minimizing false positives and false negatives is called _________.
tuning
Electronic vaulting
Bulk transfer of data in batches to an off-site facility
One of the primary responsibilities of the IRP team is to ensure that the _________ is prepared to respond to each incident it may face.
CSIRT
After-action review
Can serve as a training case for future staff
Bare metal recovery
Allows you to reboot a system from a CD-ROM device
Indicator
An activity that may signal an adverse event is underway
Precursor
An activity that may signal an incident could occur in the future
Incident candidate
An adverse event that is a possible incident
False positive
An alert or alarm that occurs in the absence of an actual attack
Attack scenario end case
An estimate of the likelihood and impact of the best, worst, and most likely outcomes of an attack
Noise
An event that does not rise to the level of an incident
Software as a Service (SaaS)
Applications that are made available to users over the Internet
IR policy
Defines roles and responsibilities for information security
Platform as a Service (PaaS)
Development platforms that are made available to developers over the Internet
A _________ attack seeks to deny legitimate users access to services by either tying up a server's available resources or causing it to shut down.
DoS
'protect and forget'
Focuses is on the defense of the data and the systems that house, use, and transmit it
_________ incident responses enables the organization to react to a detected incident quickly and effectively, without confusion or wasted time and effort.
Predefining
_________ uses a number of hard drives to store information across multiple drive units.
RAID
CSIRT measures used to compare current versus past performance might include all of the following EXCEPT:
Text of comments from users
Simulation
The organization conducts a role-playing exercise as if an actual incident or disaster had occurred
Footprinting
The organized research and investigation of Internet addresses owned or controlled by a target organization
Incident classification
The process of evaluating the circumstances of a reported event
Fingerprinting
The process of gathering information about the organization and its network activities
A key step in the _________ approach to incident response is to discover the identity of the intruder while documenting their activity.
apprehend and prosecute
The final component to the CPMT planning process is to deal with _________.
budgeting for contingency operations
Storage as a service
A cloud computing capability for data backup and archiving
Data as a service
A cloud computing capability for data sets and databases
Trigger
A review of an unusual pattern of entries in a system log
Cyber kill
A series of steps that document the stages of a cyberattack
Formal class
A single trainer works with multiple trainees in a formal setting
Organization charts
A source of information for developing IR policy
The __________ resides on a particular computer or server, known as the host, and monitors activity only on that system.
HIDPS
Public cloud
Implementation in which a service provider makes computing resources available over the Internet
community cloud
Implementation in which several organizations share computing resources
Disk mirroring
Implementation of RAID level 1
Full-interruption testing
Too risky for most businesses
Distance learning
Trainees receive a seminar presentation at their computers
Storage area network
Uses fiber-channel direct connections between systems and storage devices
IR plan
Usually activated when an incident is first detected
