Chapter 11


Incident Response Phases

- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity (Postmortem)

19. Which of the following terms best describes the substantive or corroborating evidence that an incident may have occurred or may be occurring now?

A. Indicator of compromise

4. Which of the following aim to protect their citizens by providing security vulnerability information, security awareness training, best practices, and other information?

A. National CERTs

23. HIPAA/HITECH requires ______________ within 60 days of the discovery of a breach.

A. notification be sent to affected parties

3. Which of the following CVSS score groups represents the intrinsic characteristics of a vulnerability that are constant over time and do not depend on a user-specific environment?

B. Base

events

An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt.

7. Which of the following is the most widely adopted standard to calculate the severity of a given security vulnerability?

B. CVSS

16. Which of the following terms best describes the process of taking steps to prevent the incident from spreading?

B. Containment

1. Which of the following statements best defines incident management? A. Incident management is risk minimization. B. Incident management is a consistent approach to responding to and resolving issues. C. Incident management is problem resolution. D. Incident management is forensic containment.

B. Incident management is a consistent approach to responding to and resolving issues.

2. Which of the following statements is true of security-related incidents? A. Over time, security-related incidents have become less prevalent and less damaging. B. Over time, security-related incidents have become more prevalent and more disruptive. C. Over time, security-related incidents have become less prevalent and more damaging. D. Over time, security-related incidents have become more numerous and less disruptive.

B. Over time, security-related incidents have become more prevalent and more disruptive.

10. Which of the following statements is true when a cybersecurity-related incident occurs at a business partner or vendor that hosts or processes legally protected data on behalf of an organization?

B. The organization must be notified and respond accordingly.

21. Documentation of the transfer of evidence is known as a ____________.

B. chain of custody

12. A celebrity is admitted to the hospital. If an employee accesses the celebrity's patient record just out of curiosity, the action is referred to as __________.

B. unauthorized access

incident response team (IRT)

a carefully selected and well-trained team of professionals that provides services throughout the incident life cycle.

15. Which of the following terms best describes a signal or warning that an incident may occur in the future?

C. An indicator

8. The CVSS base score defines Exploitability metrics that measure how a vulnerability can be exploited as well as Impact metrics that measure the impact on which of the following? A. Repudiation B. Nonrepudiation C. Confidentiality D. Integrity E. Availability

C. Confidentiality, D. Integrity, E. Availability

18. Which of the following terms best describes the eliminating of the components of the incident?

C. Eradication

20. Which of the following is not generally an incident response team responsibility?

C. Incident plan auditing

22. Data breach notification laws pertain to which of the following?

C. PII

11. Which of the following can be beneficial to further test incident response capabilities?

C. Tabletop exercises

6. Which of the following is an example of a coordination center?

C. The CERT/CC division of the Software Engineering Institute (SEI)

5. Which of the following is the team that handles the investigation, resolution, and disclosure of security vulnerabilities in vendor products and services?

C. USIRP

9. Which of the following is true about cybersecurity incidents? A. Compromise business security B. Disrupt operations C. Impact customer trust D. All of the above

D. All of the above

14. Which of the following statements is true of an incident response plan? A. An incident response plan should be updated and authorized annually. B. An incident response plan should be documented. C. An incident response plan should be stress-tested. D. All of the above.

D. All of the above.

13. Which of the following is true when employees report cybersecurity incidents? A. Prepared to respond to the incident B. Praised for their actions C. Provided compensation D. None of the above

D. None of the above

17. Which of the following terms best describes the addressing of the vulnerabilities related to the exploit or compromise and restoring normal operations?

D. Recovery

cybersecurity incident

an adverse event that threatens business security and/or disrupts service.

personal health record

an electronic record of "identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual."

incident response program

policies, plans, procedures, and people. Incident response policies codify management directives.

Designated incident handlers (DIHs)

senior-level personnel who have the crisis management and communication skills, experience, knowledge, and stamina to manage an incident.

incident response coordinator (IRC)

the central point of contact for all incidents. Incident reports are directed to the IRC.

