Building an Incident Response Program Flashcards
Which one of the following is an example of a computer security incident?
A. User accesses a secure file
B. Administrator changes a file’s permission settings
C. Intruder breaks into a building
D. Former employee crashes a server
Answer:
D. A former employee crashing a server is an example of a computer security incident because it is an actual violation of the availability of that system. An intruder breaking into a building may be a security event, but it is not necessarily a computer security event unless they perform some action affecting a computer system. A user accessing a secure file and an administrator changing file permission settings are examples of security events but are not security incidents.
During what phase of the incident response process would an organization implement defenses designed to reduce the likelihood of a security incident?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Postincident activity
Answer:
A. Organizations should build solid, defense-in-depth approaches to cybersecurity during the preparation phase of the incident response process. The controls built during this phase serve to reduce the likelihood and impact of future incidents.
Alan is responsible for developing his organization’s detection and analysis capabilities. He would like to purchase a system that can combine log records from multiple sources to detect potential security incidents. What type of system is best suited to meet Alan’s security objective?
A. IPS
B. IDS
C. SIEM
D. Firewall
Answer:
C. A security information and event management (SIEM) system correlates log entries from multiple sources and attempts to identify potential security incidents.
Ben is working to classify the functional impact of an incident. The incident has disabled email service for approximately 30 percent of his organization’s staff. How should Ben classify the functional impact of this incident according to the NIST scale?
A. None
B. Low
C. Medium
D. High
Answer:
C. The definition of a medium functional impact is that the organization has lost the ability to provide a critical service to a subset of system users. That accurately describes the situation that Ben finds himself in. Assigning a low functional impact is only done when the organization can provide all critical services to all users at diminished efficiency. Assigning a high functional impact is only done if a critical service is not available to all users.
What phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach?
A. Preparation
B. Detection and analysis
C. Containment, eradication, and recovery
D. Postincident activity
Answer:
C. The containment measures that are part of the containment, eradication, and recovery phase are designed to limit the damage caused by an ongoing security incident.
Grace is the CSIRT team leader for a business unit within NASA, a federal agency. What is the minimum amount of time that Grace must retain incident handling records?
A. Six months
B. One year
C. Two years
D. Three years
Answer:
D. The National Archives General Records Schedule requires that all federal agencies retain incident handling records for at least three years.
Karen is responding to a security incident that resulted from an intruder stealing files from a government agency. Those files contained unencrypted information about protected critical infrastructure. How should Karen rate the information impact of this loss?
A. None
B. Privacy breach
C. Proprietary breach
D. Integrity loss
Answer:
C. In a proprietary breach, unclassified proprietary information is accessed or exfiltrated. Protected critical infrastructure information (PCII) is an example of unclassified proprietary information.
Matt is concerned about the fact that log records from his organization contain conflicting timestamps due to unsynchronized clocks. What protocol can he use to synchronize clocks throughout the enterprise?
A. NTP
B. FTP
C. ARP
D. SSH
Answer:
A. The Network Time Protocol (NTP) provides a common source of time information that allows clocks throughout an enterprise to be synchronized.
Which one of the following document types would outline the authority of a CSIRT responding to a security incident?
A. Policy
B. Procedure
C. Playbook
D. Baseline
Answer:
A. An organization’s incident response policy should contain a clear description of the authority assigned to the CSIRT while responding to an active security incident.
A cross-site scripting attack is an example of what type of threat vector?
A. Impersonation
B. Email
C. Attrition
D. Web
Answer:
D. A web attack is an attack executed from a website or web-based application—for example, a cross-site scripting attack used to steal credentials or redirect to a site that exploits a browser vulnerability and installs malware.
Which one of the following parties is not commonly the target of external communications during an incident?
A. The perpetrator
B. Law enforcement
C. Vendors
D. Information sharing partners
Answer:
A. CSIRT members do not normally communicate directly with the perpetrator of a cybersecurity incident.
Robert is finishing a draft of a proposed incident response policy for his organization. Who would be the most appropriate person to sign the policy?
A. CEO
B. Director of security
C. CIO
D. CSIRT leader
Answer:
A. The incident response policy provides the CSIRT with the authority needed to do their job. Therefore, it should be approved by the highest possible level of authority within the organization, preferably the CEO.
Which one of the following is not an objective of the containment, eradication, and recovery phase of incident response?
A. Detect an incident in progress
B. Implement a containment strategy
C. Identify the attackers
D. Eradicate the effects of the incident
Answer:
A. Detection of a potential incident occurs during the detection and analysis phase of incident response. The other activities listed are all objectives of the containment, eradication, and recovery phase.
Renee is responding to a security incident that resulted in the unavailability of a website critical to her company’s operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort?
A. Regular
B. Supplemented
C. Extended
D. Not recoverable
Answer:
C. Extended recoverability effort occurs when the time to recovery is unpredictable. In those cases, additional resources and outside help are typically needed.
Which one of the following is an example of an attrition attack?
A. SQL injection
B. Theft of a laptop
C. User installs file sharing software
D. Brute-force password attack
Answer:
D. An attrition attack employs brute-force methods to compromise, degrade, or destroy systems, networks, or services—for example, a DDoS attack intended to impair or deny access to a service or application or a brute-force attack against an authentication mechanism.