SEC 210 - Intrusion Detection - 2016FA FTCC
help desk
The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not.
war gaming
A favorite pastime of information security professionals is ____, which is a simulation of attack and defense activities using realistic networks and information systems.
time-share
A potential disadvantage of a ____ site-resumption strategy is that more than one organization might need the facility simultaneously.
True
A recommended practice for implementation of a physical IR plan document is to attach copies of relevant documents such as service agreements for the ISP, telephone, water, gas, etc.
"during attack"
A recommended practice for the implementation of the physical IR plan document is to organize the contents so that the first page contains the ____ actions.
red
A recommended practice for the implementation of the physical IR plan is to select a ____ binder.
hot site
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice.
log file monitor
A(n) ____, a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.
nondisclosure agreement
A(n) ____ covers the confidentiality of information from everyone unless disclosure is mandated by the courts.
IR duty officer
A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.
after-action review
A(n) ____ is a detailed examination of the events that occurred, from first detection of an incident to final recovery.
precursor
A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.
covenant not to compete
A(n) ____ is an agreement in which the client agrees not to use the vendor's services to compete directly with the vendor, and for the client not to use vendor information to gain a better deal with another vendor.
private cloud
A(n) ____ is an extension of an organization's intranet into cloud computing.
threat
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.
incident
A(n) ____ is any clearly identified attack on the organization's information assets that would threaten the assets' confidentiality, integrity, or availability.
honeytoken
A(n) ____ is any system resource that is placed onto a functional system but has no normal use for that system. If it attracts attention, it is from unauthorized access and will trigger a notification or response.
statement of indemnification
A(n) ____ is often included in legal documents to ensure that a vendor is not liable for actions taken by a client.
site policy
A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
False
According to the NIST definition of an event as "any observable occurrence in a system or network," all events are computer or network oriented.
SaaS
Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else's systems, it is reasonable to ask that the service agreement include contingencies for recovery.
True
As soon as the CSIRT is able to determine what exactly is happening, it is expected to report its preliminary finding to management.
legacy backup applications
Considered to be the traditional "lock and copy" approach to database backup, ____ require the database to be inaccessible while a backup is created to a local drive.
False
Database shadowing techniques are generally used in organizations that do not need immediate data recovery after an incident or disaster.
False
E-mail spoofing attacks require an immediate response, typically no more than 30 minutes to one hour.
DNS cache poisoning
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.
False
In computer-based training settings, trainees receive a seminar presentation at their computers.
incident
In contingency planning, an adverse event that threatens the security of an organization's information is called a(n) ____.
critical assets
Incident analysis resources include network diagrams and lists of ____, such as database servers.
availability
Information assets have ____ when authorized users - persons or computer systems - are able to access them in the specified format without interference or obstruction.
integrity
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.
reaction force
Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident.
True
Some data is required by law to be retained and stored for years.
robustness
Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data.
True
The CSIRT is also known as the IR Reaction Team.
mission
The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.
central CSIRT
A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____.
distributed CSIRT
A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.
DoS
A ____ attack seeks to deny legitimate users access to services by either tying up a server's available resources or causing it to shut down.
disaster recovery plan
A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made.
service agreement
A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor.
business continuity plan
A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site.
service bureau
A ____ is an agency that provides physical facilities in the event of a disaster for a fee.
network-attached storage
A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment.
retention
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.
https://www.dropbox.com/s/5toa4ljjcyjkvlj/Principles_Of_Incident_Response_Disaster_Recovery_2nd_Ed.pdf?dl=0
Full Book
password
General users require training on the technical details of how to do their jobs securely, including good security practices, ____ management, specialized access controls, and violation reporting.
patch management
Giving the IR team the responsibility for ____ is generally not recommended.
physically access
If an intruder can ____ a device, then no electronic protection can deter the loss of information.
True
Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.
false positives
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
trap and trace
New systems can respond to an incident threat autonomously, based on preconfigured options that go beyond simple defensive actions usually associated with IDPS and IPS systems. These systems, referred to as ____, use a combination of resources to detect an intrusion and then to trace the intrusion back to its source.
False
One of the first signals that an organization is making progress in the development of its IR program, specifically in the development of its CSIRT, is a dramatic drop in the number of identified incidents.
CSIRT
One of the primary responsibilities of the IRP team is to ensure that the ____ is prepared to respond to each incident it may face.
True
One real-time protection and data backup strategy is the use of mirroring.
scenarios
One way to build and maintain staff skills is to develop incident-handling ____ and have the team members discuss how they would handle them.
disk striping
RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array.
False
RAID is an acronym for Redundant Array of Incident-Recovery Drives.
False
Regardless of which IR model an organization chooses, multiple employees should be in charge of incident response.
defensive
The Southeast Collegiate Cyber Defense Competition is unique in that it focuses on the operational aspect of managing and protecting an existing network infrastructure. Unlike "capture-the-flag" exercises, this competition is exclusively a real-world ____ competition.
anonymously
The U.S. National Institute of Standards and Technology recommends a set of tools for the CSIRT including incident reporting mechanisms with which users can report suspected incidents. At least one of these mechanisms should permit people to report incidents ____.
False
The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.
Legal
The ____ Department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure it is within legal and ethical guidelines for the municipal, state, and federal jurisdictions.
anomaly-based IDPS
The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.
upward
The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement.
Pen/Trap Statute
The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications.
monitoring port
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
IR policy
The ____ of an organization defines the roles and responsibilities for incident response for the CSIRT and others who will be mobilized in the activation of the plan.
contact methods and numbers
The announcement of an operational CSIRT should minimally include ____.
chief information officer
The champion for the CSIRT may be the same person as the champion for the entire IR function—typically, the ____.
scope of operations
The determination of what systems fall under the CSIRT's responsibility is called its ____.
champion
The first group to communicate the CSIRT's vision and operational plan is the managerial team or individual serving as the ____.
obtain management support and buy-in
The first step in building a CSIRT is to ____.
after action review
The focus during a(n) ____ is on learning what worked, what didn't, and where communications and response procedures may have failed.
False
The involvement of the CSIRT in incident response typically starts with prevention.
personnel
The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps.
incident candidates
The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.
HIDPS
The task of monitoring file systems for unauthorized change is best performed by using a(n) ____.
self-study (noncomputerized)
The training delivery method with the lowest cost to the organization is ____.
snort
The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
False
The vision of an organization is a written statement of an organization's purpose.
True
There are several national training programs that focus on incident response tools and techniques.
reactive services
Those services performed in response to a request or a defined event such as a help desk alert are called ____.
proactive services
Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.
True
To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.
signature matching
Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
fully outsourced
When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.
virtual machine
When using virtualization, it is commonplace to use the term ____ to refer to a virtualized environment operating in or on a host platform.
Honeypots
____ are closely monitored network decoys that can distract adversaries from more valuable machines on a network; can provide early warning about new attack and exploitation trends; and can allow in-depth examination of adversaries during and after exploitation.
Data archives
____ are used for recovery from disasters that threaten on-site backups.
Risk assessment
____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.
Confidentiality
____ ensures that only those with the rights and privileges to access information are able to do so.
Cyberterrorists
____ hack systems to conduct terrorist activities through network or Internet pathways.
NIST
____ is a valuable resource for additional information on building and staffing CSIRTs.
Risk identification
____ is the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces.
Strategic planning
____ is the process of moving an organization toward its vision.
Forensics analysis
____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired.
Mitigation
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of a vulnerability through planning and preparation.
Acceptance
____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation.
RAID
____ uses a number of hard drives to store information across multiple drive units.