3.0 Cyber Incident Response Flashcards

1
Q

what does the acronym MTD denote?

A

maximum tolerable downtime

2
Q

what is MTBF?

A

the estimated amount of time a device will operate before a failure occurs

3
Q

what are the four types of personally identifiable information (PII)?

A

  1. personal characteristics - such as full name, DoB, height, ethnicity, place of birth, mother’s maiden name, and biometric characteristics
  2. a unique set of numbers assigned to an individual - such as government ID number, telephone number, driver’s license number, and PIN
  3. descriptions of events or points in time - such as arrest records, employment records, and medical records
  4. description of locations or places - such as GPS tracking information

4
Q

what does the acronym RTO denote?

A

recovery time objective

5
Q

what does the acronym MTBF denote?

A

mean time between failures

6
Q

what does the acronym RPO denote?

A

recovery point objective

7
Q

which two factors should contribute to incident severity and prioritization?

A

impact scope and the type of data affected

8
Q

which attack is one discovered in live environments for which no current fix or patch exists?

A

zero-day attack

9
Q

what is RTO?

A

the shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences

10
Q

which impact scope factor refers to the amount of data corrupted or altered during the incident?

A

data integrity

11
Q

what does the acronym PHI denote?

A

personal health information

12
Q

what is meant by the economic factor of an incident?

A

the cost of the incident to the organization

13
Q

which impact scope factor refers to the amount of time taken to recover from the incident?

A

recovery time

14
Q

which attack type targets a specific entity and is carried out over a long period of time?

A

advanced persistent threat (APT)

15
Q

which impact scope factor refers to the amount of time that access to resources was interrupted?

A

downtime

16
Q

what is MTD?

A

the maximum amount of time that an organization can tolerate a single resource or function being down

17
Q

what does the acronym PII denote?

A

personally identifiable information

18
Q

what is RPO?

A

the point in time to which the disrupted resource or function must be returned

19
Q

what is the best method to preserve evidence on a computer: bit stream backup or standard backup?

A

bit stream backup

20
Q

what is the order of volatility from most volatile to least volatile?

A

  1. registers, cache
  2. swap space
  3. routing table, ARP cache, process table, kernel statistics, and memory
  4. temporary file systems
  5. disk
  6. remote logging and monitoring data that is relevant to the system in question

21
Q

what are the FOUR documents/forms that should be part of a forensic kit?

A

chain of custody form, incident response plan, incident form, call list/escalation list

22
Q

what is a write blocker?

A

a tool that permits read-only access to data storage devices without compromising the integrity of the data

23
Q

what is the purpose of imaging utilities included in a forensic kit?

A

to create a bit-level copy of drives

24
Q

what are the NINE components that should be included in a forensic kit?

A
  1. digital forensics workstation
  2. write blockers
  3. cables
  4. drive adaptors
  5. wiped removable media
  6. camera
  7. crime tape
  8. tamper-proof seals
  9. documentation/forms

25
Q

what is the purpose of the chain of custody form?

A

it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence

26
Q

which condition must be true of the hash values of a file to prove the file is unaltered?

A

the hash values must remain the same

27
Q

what is a SCADA device?

A

a system operating with coded signals over communication channels that provides control of remote equipment

28
Q

what is the purpose of tamper-proof seals?

A

to ensure that the chain of custody is maintained
29
Q

what is the purpose of hashing utilities included in a forensic kit?

A

to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence

30
Q

what is the proper life cycle of evidence steps?

A

collection, analysis, storage, court presentation, and return to owner

31
Q

what is a digital forensics workstation?

A

a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive

32
Q

what is the purpose of an incident form?

A

it is used to describe the incident in detail

33
Q

why should the proper chain of custody be ensured?

A

so that evidence will be admissible in court

34
Q

what is the purpose of the analysis utilities included in a forensic kit?

A

to analyze the bit-level copy that is created for that purpose
35
Q

what are the three basic questions answered by the chain of custody?

A

  1. who controlled the evidence
  2. who secured the evidence
  3. who obtained the evidence

36
Q

when evidence is seized, which principle should be emphasized?

A

chain of custody

37
Q

what is indicated when the hash values on a file are different?

A

the file has been altered
38
Q

which stakeholder in the incident response process communicates the importance of the incident response plan to all parts of the organization, creates agreements detailing the authority of the IR team to take over business systems if necessary, and creates decision systems for determining when key systems must be removed from the network?

A

upper management

39
Q

which stakeholder in the incident response process creates newsletters and other educational materials to be used in employee response training and coordinates with the legal team to prepare media responses and internal communications regarding incidents before they occur?

A

marketing

40
Q

what are the FOUR main stakeholder groups for the incident response process?

A

HR, Legal, Marketing, Management

41
Q

which stakeholder in the incident response process reviews the NDA to ensure legal support for incident response efforts, develops the wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company's software, hardware, or services, and assesses site liability for illegal computer activity?

A

Legal

42
Q

what is the role of law enforcement in the incident response process?

A

to assist the investigation and in some cases take over the investigation when a crime has been committed

43
Q

which stakeholder in the incident response process develops job descriptions for those persons who will be hired for positions involved in incident response and creates policies and procedures that support the removal of employees found to be engaging in improper or illegal activity?

A

HR

44
Q

what is the role of the technical IT staff in the incident response process?

A

to recognize, identify, and react to incidents, and to provide support in analyzing those incidents when an incident has occurred
45
Q

what are the FOUR main purposes of the incident response communication process?

A

  1. limit communication to trusted parties
  2. disclosure based on regulatory/legislative requirements
  3. prevent inadvertent release of information
  4. use secure method of communication

46
Q

what is data exfiltration?

A

the unauthorized copying, transfer or retrieval of data from a computer or server

47
Q

what should you do if you discover rogue devices on the network?

A

locate and remove them

48
Q

what happens in vertical privilege escalation?

A

the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code
49
Q

what are the SIX network-related symptoms of incidents?

A

  1. bandwidth consumption
  2. beaconing
  3. irregular peer-to-peer communication
  4. rogue devices on the network
  5. scan sweeps
  6. unusual traffic spikes

50
Q

what is meant by anomalous activity?

A

activity that is outside the norms

51
Q

when does an escalation of privileges attack occur?

A

when an attacker has used a design flaw in an application to obtain unauthorized access to the application

52
Q

what are scan sweeps?

A

an attempt by an unauthorized entity to map your network

53
Q

what happens in horizontal privilege escalation?

A

the attacker obtains the same level of permissions as he already has but uses a different user account to do so

54
Q

what are the eight host-related symptoms of an incident?

A

  1. processor consumption
  2. memory consumption
  3. drive capacity consumption
  4. unauthorized software
  5. malicious processes
  6. unauthorized changes

55
Q

what is beaconing?

A

when malware attempts to remotely connect to a command and control host or network

56
Q

what are the SIX application-related symptoms of incidents?

A

  1. anomalous activity
  2. introduction of new accounts
  3. unexpected output
  4. unexpected outbound communication
  5. service interruption
  6. memory overflows

57
Q

what is the best way to determine the attack vector used by a hacker?

A

reverse engineering
58
Q

why should a first responder be familiar with the incident response plan?

A

to ensure that the appropriate procedures are followed

59
Q

which eradication technique involves reinstalling the operating system, applying all system updates, reinstalling the anti-malware software, and implementing any organizational security settings?

A

reconstruction or re-imaging

60
Q

what are the FOUR validation techniques?

A

patching, verifying permissions, scanning, verifying logging/communication to security monitoring
61
Q

what is the name of the security process that involves recognition, verification, classification, containment, and analysis?

A

incident response

62
Q

what are the THREE eradication techniques?

A

sanitization, reconstruction or re-image, secure disposal

63
Q

what are the FOUR containment techniques?

A

segmentation, isolation, removal, reverse engineering
64
Q

which containment technique involves limiting the scope of the incident by leveraging existing segments of the network as barriers to prevent the spread of the incident to other segments?

A

segmentation

65
Q

which containment technique involves retracing the steps in the incident as seen from the logs in the affected devices or in logs of infrastructure devices that may have been involved?

A

reverse engineering

66
Q

what is the name of the group of people appointed to respond to security incidents?

A

incident response team

67
Q

which type of review should be completed last as part of incident response?

A

a post-mortem review

68
Q

which containment technique involves either blocking all traffic to and from the device or devices, or shutting down the device or devices' interfaces?

A

isolation
69
Q

what are the SEVEN steps in a FORENSIC INVESTIGATION?

A

  1. identification
  2. preservation
  3. collection
  4. examination
  5. analysis
  6. presentation

70
Q

which eradication technique removes all traces of the threat by overwriting the drive multiple times to ensure all data is destroyed?

A

sanitization

71
Q

in which location should all changes made to your organization's network and computers be listed?

A

in the change management system

72
Q

what are the FIVE steps in the INCIDENT RESPONSE PROCESS?

A

contain, eradicate, validate, corrective action, reporting

73
Q

what is incident management?

A

the activities of an organization to identify, analyze, and correct risks as they are identified