3.0 Cyber Incident Response

Question 1

what does the acronym MTD denote?

Answer 1

maximum tolerable downtime

Question 2

what is MTBF?

Answer 2

the estimated amount of time a device will operate before a failure occurs

Question 3

what are the four types of personally identifiable information (PII)?

Answer 3

personal characteristics - such as full name, DoB, height, ethnicity, place of birth, mother’s maiden name, and biometric characteristicsa unique set of numbers assigned to an individual - such as government ID number, telephone number, driver’s license number, and PINdescriptions of events or points in time - such as arrest records, employment records, and medical recordsdescription of locations or places - such as GPS tracking information

Question 4

what does the acronym RTO denote?

Answer 4

recovery time objective

Question 5

what does the acronym MTBF denote?

Answer 5

mean time between failures

Question 6

what does the acronym RPO denote?

Answer 6

recovery point objective

Question 7

which two factors should contribute to incident severity and prioritization?

Answer 7

impact scope and the type of data affected

Question 8

which attack is one discovered in live environments for which no current fix or patch exists?

Answer 8

zero-day attack

Question 9

what is RTO?

Answer 9

the shortest time period after a disaster or disruptive event within which a resource or function must be restored to avoid unacceptable consequences

Question 10

which impact scope factor refers to the amount of data corrupted or altered during the incident?

Answer 10

data integrity

Question 11

what does the acronym PHI denote?

Answer 11

personal health information

Question 12

what is meant by economic factor of an incident?

Answer 12

the cost of the incident to the organization

Question 13

which impact scope factor refers to the amount of time taken to recover from the incident?

Answer 13

recovery time

Question 14

which attack type targets a specific entity and is carried out over a long period of time?

Answer 14

advanced persistent threat (APT)

Question 15

which impact scope factor refers to the amount of time access to resource were interrupted?

Answer 15

downtime

Question 16

what is MTD?

Answer 16

the maximum amount of time that an organization can tolerate a single resource or function being down

Question 17

what does the acronym PII denote?

Answer 17

personally identifiable information

Question 18

what is RPO?

Answer 18

the point in time to which the disrupted resource or function must be returned

Question 19

what is the best method to preserve evidence on a computer: bit stream backup or standard backup?

Answer 19

bit stream backup

Question 20

what is the order of volatility from most volatile to least volatile?

Answer 20

registers, cacheswap spacerouting table, ARP cache, process table, kernel statistics, and memorytemporary file systemsdiskremote logging and monitoring data that is relevant to the system in question

Question 21

what are the FOUR documents/forms that should be part of forensic kit?

Answer 21

chain of custody form, incident response plan, incident form, call list/escalation list

Question 22

what is a write blocker?

Answer 22

a tool that permits read-only access to data storage devices without compromising the integrity of the data

Question 23

what is the purpose of imaging utilities included in a forensic kit?

Answer 23

to create a bit-level copy of drives

Question 24

what are the NINE components that should be included in a forensic kit?

Answer 24

1. digital forensics workstation2. write blockers3. cables4. drive adaptors5. wiped removable media6. camera7. crime tape8. tamper-proof seals9. documentation/forms

Question 25

what is the purpose of the chain of custody form?

Answer 25

it will indicate who has handled the evidence, when they handled it, and the order in which the handler was in possession of the evidence

Question 26

which condition must be true of the hash values of a file to prove the file is unaltered?

Answer 26

the hash values must remain the same

Question 27

what is a SCADA device?

Answer 27

a system operating with coded signals over communication channels that provides control of remote equipment

Question 28

what is the purpose of tamper-proof seals?

Answer 28

to ensure that the chain of custody is maintained

Question 29

what is the purpose of hashing utilities included in a forensic kit?

Answer 29

to create a hash value of files so that you can prove that certain evidence has not been altered during your possession of the evidence

Question 30

what is the proper life cycle of evidence steps?

Answer 30

collection, analysis, storage, court presentation, and return to owner

Question 31

what is a digital forensics workstation?

Answer 31

a dedicated workstation for processing an investigation that includes special tools and utilities that make the process easier and more productive

Question 32

what is the purpose of an incident form?

Answer 32

it is used to describe the incident in detail

Question 33

why should the proper chain of custody be ensured?

Answer 33

so that evidence will be admissible in court

Question 34

what is the purpose of the analysis utilities included in a forensic kit?

Answer 34

to analyze the bit-level copy that is created for that purpose

Question 35

what are the three basic questions answered by the chain of custody?

Answer 35

who controlled the evidencewho secured the evidencewho obtained the evidence

Question 36

when evidence is seized, which principle should be emphasized?

Answer 36

chain of custody

Question 37

what is indicated when the hash values on a file are different?

Answer 37

the file has been altered

Question 38

which stakeholder in the incident response process communicates the importance of the incident response plan to all parts of the organization, creates agreements detailing the authority of the IR team to take over business systems if necessary, and creates decision systems for determining when key systems must be removed from the network?

Answer 38

upper management

Question 39

which stakeholder in the incident response process creates newsletters and other educational materials to be used in employee response training and coordinates with the legal team to prepare media responses and internal communications regarding incidents before they occur?

Answer 39

marketing

Question 40

what are the FOUR main stakeholder groups for the incident response process?

Answer 40

HR, Legal, Marketing, Management

Question 41

which stakeholder in the incident response process reviews the NDA to ensure legal support for incident response efforts, develops the wording of documents used to contact sites and organizations possibly affected by an incident that originated with your company’s software, hardware, or services, and assesses site liability for illegal computer activity?

Answer 41

Legal

Question 42

what is the role of law enforcement in the incident response process?

Answer 42

to assist the investigation and in some cases take over the investigation when a crime has been committed

Question 43

which stakeholder in the incident response process develops job descriptions for those persons who will be hired for positions involved in incident response and creates policies and procedures that support the removal of employees found to be engaging in improper or illegal activity?

Answer 43

HR

Question 44

what is the role of the technical IT staff in the incident response process?

Answer 44

to recognize, identify, and react to incidents, and to provide support in analyzing those incidents when an incident has occurred

Question 45

what are the FOUR main purposes of the incident response communication process?

Answer 45

limit communication to trusted partiesdisclosure based on regulatory/legislative requirementsprevent inadvertent release of informationuse secure method of communication

Question 46

what is data exfiltration?

Answer 46

the unauthorized copying, transfer or retrieval of data from a computer or server

Question 47

what should you do if you discover rogue devices on the network?

Answer 47

locate and remove them

Question 48

what happens in vertical privilege escalation?

Answer 48

the attacker obtains higher privileges by performing operations that allow the attacker to run unauthorized code

Question 49

what are the SIX network-related symptoms of incidents?

Answer 49

bandwidth consumptionbeaconingirregular peer-to-peer communicationrogue devices on the networkscan sweepsunusual traffic spikes

Question 50

what is meant by anomalous activity?

Answer 50

activity that is outside the norms

Question 51

when does an escalation of privileges attack occur?

Answer 51

when an attacker has used a design flaw in an application to obtain unauthorized access to the application

Question 52

what are scan sweeps?

Answer 52

an attempt by an unauthorized entity to map your network

Question 53

what happens in horizontal privilege escalation?

Answer 53

the attacker obtains the same level of permissions as he already has but uses a different user account to do so

Question 54

what are the eight host-related symptoms of an incident?

Answer 54

processor consumptionmemory consumptiondrive capacity consumptionunauthorized softwaremalicious processesunauthorized changes

Question 55

what is beaconing?

Answer 55

when malware attempts to remotely connect to a command and control host or network

Question 56

what are the SIX application-related symptoms of incidents?

Answer 56

anomalous activityintroduction of new accountsunexpected outputunexpected outbound communicationservice interruptionmemory overflows

Question 57

what is the best way to determine the attack vector used by a hacker?

Answer 57

reverse engineering

Question 58

why should a first responder be familiar with the incident response plan?

Answer 58

to ensure that the appropriate procedures are followed

Question 59

which eradication technique reinstalling the operating system, applying all system updates, reinstalling the anti-malware software, and implementing any organizational security settings?

Answer 59

reconstruction or re-imaging

Question 60

what are the FOUR validation techniques?

Answer 60

patching, verifying permissions, scanning, verifying logging/communication to security monitoring

Question 61

what is the name of the security process that involves recognition, verification, classification, containment, and analysis?

Answer 61

incident response

Question 62

what are the THREE eradication techniques?

Answer 62

sanitization, reconstruction or re-image, secure disposal

Question 63

what are the FOUR containment techniques?

Answer 63

segmentation, isolation, removal, reverse engineering

Question 64

which containment techniques involves limiting the scope of the incident by leveraging existing segments of the network as barriers to prevent the spread of the incident to other segments?

Answer 64

segmentation

Question 65

which containment technique involves retracing the steps in the incident as seen from the logs in the affected devices or in logs of infrastructure devices that may have been involved?

Answer 65

reverse engineering

Question 66

what is the name of the group of people appointed to respond to security incidents?

Answer 66

incident response team

Question 67

which type of review should be completed last as part of incident response?

Answer 67

a post-mortem review

Question 68

which containment technique involves either by blocking all traffic to and from the device or devices or shutting down the device or devices’ interfaces?

Answer 68

isolation

Question 69

what are the SEVEN steps in a FORENSIC INVESTIGATION?

Answer 69

1. identification2. preservation3. collection4. examination5. analysis6. presentation

Question 70

which eradication technique removes all tracers of the threat by overwriting the drive multiple times to ensure all data is destroyed?

Answer 70

sanitization

Question 71

in which location should all changes made to your organization’s network and computers be listed?

Answer 71

in the change management system

Question 72

what are the FIVE steps in the INCIDENT RESPONSE PROCESS?

Answer 72

contain, eradicate, validate, corrective action, reporting

Question 73

what is incident management?

Answer 73

the activities of an organization to identify, analyze, and correct risks as they are identified