Operating System Security - Chp 13
Which of the following statements is NOT true regarding the chain of custody?
A court cannot throw out evidence because of an issue with the chain of custody.
During the investigation stage, which of the following is NOT one of the three main attributes of an incident that direct subsequent action?
Discovery
A solid incident response plan is not standardized, predictable, or repeatable.
False
All activity in a computing environment is made up of individual incidents.
False
An event is the same thing as an incident.
False
Documentary evidence is documentation that provides details of every move and access of evidence.
False
Incident response tools are designed to take the place of clear investigation goals.
False
Once an incident response plan has been created, it should not be reviewed or revised.
False
Recovery and restore activity is necessary for every incident.
False
Securing computers and network devices is better than dealing with security incidents even when the cost of the controls is more than the loss you would incur if an incident did happen.
False
Simulating incidents to test an incident response plan should not be attempted because of the risk of causing an actual incident.
False
The first and most important step in properly handling incidents is containment of the damage.
False
The incident lead member of the security incident response team (SIRT) is the individual who has the authority to create and fund a SIRT.
False
Which of the following refers to a team of representatives from IT, management, legal, and public relations that is organized to respond to incidents?
Security incident response team
Which of the following statements is NOT true regarding incident response plans?
The plan should be considered public information and available to all users.
A security policy is a collection of rules that define appropriate and inappropriate behavior.
True
A security policy is a description of how an organization defines a secure computing environment.
True
It is wise to treat each investigation as if it will end up in court.
True
Just by planning for incidents, you may discover existing vulnerabilities or find problems that you can address.
True
Microsoft recommends creating a security incident response team (SIRT) to respond to incidents.
True
One way to develop an incident response plan is to consider all types of incidents and prioritize the incidents that are most likely to occur and would have the greatest impact on your organization.
True
The eradication step does not remove an incident's effects—it just removes the vulnerabilities that allowed the incident.
True
The final step in handling an incident is to document the lessons learned, review how the incident was handled, and make any changes necessary to the response plan.
True
The quality of your organization's response to incidents directly relates to the quality of its planning.
True
Any observable occurrence within a computer or network is referred to as:
an event.
Any event that results in violating your security policy, or poses an imminent threat to your security policy, is considered:
an incident.
Real evidence is:
any physical object that you can touch, hold, and directly observe.
The documentation that supplies details of every move and access of evidence is called the:
chain of custody.
In responding to a security incident, the main purpose of identification is to:
decide the next course of action.
Any written evidence, such as printed reports or data in log files, is referred to as:
documentary evidence.
A user logging on, an application server connecting to a database server, an authentication server rejecting a password, or an antivirus scanner reporting a suspected virus are all examples of:
events.
SANS Investigative Forensic Toolkit (SIFT), PlainSight Open Source Computer Forensics, The Sleuth Kit, and ProDiscover Incident Response are all:
incident data collection and management tools.
In responding to a security incident, the main purpose of containment is to:
keep the incident's scope from expanding.
Any physical object that you can bring into court is referred to as:
real evidence.
In responding to a security incident, eradication is performed to:
remove the vulnerability that allowed the incident to occur in the first place.
In responding to a security incident, the main purpose of recovery is to:
return the affected computers or devices to a fully operational state.
The roles of team lead, incident lead, IT liaison, legal representative, public relations representative, management, and subject matter expert are all part of a(n):
security incident response team.
Process management tools are available to help with all of the following SIRT responsibilities EXCEPT:
selecting SIRT team members.
Once users suspect that an incident has occurred, they should do all of the following EXCEPT:
shut down or reboot the computer.
Two basic types of incident handling and management tools for Microsoft Windows and applications are:
those that help manage the SIRT's activities regarding the incident response process and those that collect information about the incident itself.