CISM Practice B Topic 5 Flashcards
Which of the following should be determined FIRST when establishing a business continuity program?
Cost to rebuild information processing facilities
Incremental daily cost of the unavailability of systems
Location and cost of offsite recovery facilities
Composition and mission of individual recovery teams
Incremental daily cost of the unavailability of systems
A desktop computer that was involved in a computer security incident should be secured as evidence by:
- disconnecting the computer from all power sources.
- disabling all local user accounts except for one administrator.
- encrypting local files and uploading exact copies to a secure server.
- copying all files using the operating system (OS) to write-once media.
disconnecting the computer from all power sources.
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability?
Exclusive use of the hot site is limited to six weeks
The hot site may have to be shared with other customers
The time of declaration determines site access priority
The provider services all major companies in the area
The provider services all major companies in the area
Which of the following actions should be taken when an online trading company discovers a network attack in progress?
Shut off all network access points
Dump all event logs to removable media
Isolate the affected network segment
Enable trace logging on all events
Isolate the affected network segment
The BEST method for detecting and monitoring a hacker’s activities without exposing information assets to unnecessary risk is to utilize:
firewalls.
bastion hosts.
decoy files.
screened subnets.
decoy files.
The FIRST priority when responding to a major security incident is:
documentation.
monitoring.
restoration.
containment.
containment.
Which of the following is the MOST important to ensure a successful recovery?
Backup media is stored offsite
Recovery location is secure and accessible
More than one hot site is available
Network alternate links are regularly tested
Backup media is stored offsite
Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site?
Tests are scheduled on weekends
Network IP addresses are predefined
Equipment at the hot site is identical
Business management actively participates
Business management actively participates
At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor’s hot site facility?
Erase data and software from devices
Conduct a meeting to evaluate the test
Complete an assessment of the hot site provider
Evaluate the results from all test scripts
Erase data and software from devices
An incident response policy must contain:
updated call trees.
escalation criteria.
press release templates.
critical backup files inventory.
escalation criteria.
The BEST approach in managing a security incident involving a successful penetration should be to:
allow business processes to continue during the response.
allow the security team to assess the attack profile.
permit the incident to continue to trace the source.
examine the incident response process for deficiencies.
allow business processes to continue during the response.
A post-incident review should be conducted by an incident management team to determine:
relevant electronic evidence.
lessons learned.
hacker’s identity.
areas affected.
lessons learned.
An organization with multiple data centers has designated one of its own facilities as the recovery site. The MOST important concern is the:
communication line capacity between data centers.
current processing capacity loads at data centers.
differences in logical security at each center.
synchronization of system software release versions.
current processing capacity loads at data centers.
Which of the following is MOST important in determining whether a disaster recovery test is successful?
Only business data files from offsite storage are used
IT staff fully recovers the processing infrastructure
Critical business processes are duplicated
All systems are restored within recovery time objectives (RTOs)
Critical business processes are duplicated
Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?
Cost to build a redundant processing facility and invocation
Daily cost of losing critical systems and recovery time objectives (RTOs)
Infrastructure complexity and system sensitivity
Criticality results from the business impact analysis (BIA)
Infrastructure complexity and system sensitivity
A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?
Quarantine all picture files stored on file servers
Block all e-mails containing picture file attachments
Quarantine all mail servers connected to the Internet
Block incoming Internet mail, but permit outgoing mail
Block all e-mails containing picture file attachments
When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?
Reboot the router connecting the DMZ to the firewall
Power down all servers located on the DMZ segment
Monitor the probe and isolate the affected segment
Enable server trace logging on the affected segment
Monitor the probe and isolate the affected segment
Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?
A hot site facility will be shared in multiple disaster declarations
All equipment is provided “at time of disaster, not on floor”
The facility is subject to a “first-come, first-served” policy
Equipment may be substituted with equivalent model
All equipment is provided “at time of disaster, not on floor”
Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?
Restore servers from backup media stored offsite
Conduct an assessment to determine system status
Perform an impact analysis of the outage
Isolate the screened subnet
Conduct an assessment to determine system status
Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?
Detailed technical recovery plans are maintained offsite
Network redundancy is maintained through separate providers
Hot site equipment needs are recertified on a regular basis
Appropriate declaration criteria have been established
Detailed technical recovery plans are maintained offsite
The business continuity policy should contain which of the following?
Emergency call trees
Recovery criteria
Business impact assessment (BIA)
Critical backups inventory
Recovery criteria
The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:
weaknesses in network security.
patterns of suspicious access.
how an attack was launched on the network.
potential attacks on the internal network.
potential attacks on the internal network.
When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?
Ensuring accessibility should a disaster occur
Versioning control as plans are modified
Broken hyperlinks to resources stored elsewhere
Tracking changes in personnel and plan assets
Ensuring accessibility should a disaster occur
Which of the following is the BEST way to verify that all critical production servers are utilizing up-to-date virus signature files?
Verify the date that signature files were last pushed out
Use a recently identified benign virus to test if it is quarantined
Research the most recent signature file and compare to the console
Check a sample of servers that the signature files are current
Check a sample of servers that the signature files are current
Which of the following actions should be taken when an information security manager discovers that a hacker is footprinting the network perimeter?
Reboot the border router connected to the firewall
Check IDS logs and monitor for any active attacks
Update IDS software to the latest available version
Enable server trace logging on the DMZ segment
Check IDS logs and monitor for any active attacks
Which of the following are the MOST important criteria when selecting virus protection software?
Product market share and annualized cost
Ability to interface with intrusion detection system (IDS) software and firewalls
Alert notifications and impact assessments for new viruses
Ease of maintenance and frequency of updates
Ease of maintenance and frequency of updates
Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23:00 hrs.)?
Most new viruses’ signatures are identified over weekends
Technical personnel are not available to support the operation
Systems are vulnerable to new viruses during the intervening week
The update’s success or failure is not known until Monday
Systems are vulnerable to new viruses during the intervening week
When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?
Business continuity coordinator
Information security manager
Business process owners
Industry averages benchmarks
Business process owners
Which of the following is MOST closely associated with a business continuity program?
Confirming that detailed technical recovery plans exist
Periodically testing network redundancy
Updating the hot site equipment configuration every quarter
Developing recovery time objectives (RTOs) for critical functions
Developing recovery time objectives (RTOs) for critical functions
Which of the following application systems should have the shortest recovery time objective (RTO)?
Contractor payroll
Change management
E-commerce web site
Fixed asset system
E-commerce web site
A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?
Risk assessment results
Severity criteria
Emergency call tree directory
Table of critical backup files
Severity criteria
The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:
weaknesses in network and server security.
ways to improve the incident response process.
potential attack vectors on the network perimeter.
the optimum response to internal hacker attacks.
weaknesses in network and server security.
Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:
removed into the custody of law enforcement investigators.
kept in the tape library pending further analysis.
sealed in a signed envelope and locked in a safe under dual control.
handed over to authorized independent investigators.
kept in the tape library pending further analysis.
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
Business continuity plan
Disaster recovery plan
Incident response plan
Vulnerability management plan
Incident response plan
Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
Run a forensics tool on the machine to gather evidence
Reboot the machine to break remote connections
Make a copy of the whole system’s memory
Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports
Make a copy of the whole system’s memory
Why is “slack space” of value to an information security manager as part of an incident investigation?
Hidden data may be stored there
The slack space contains login information
Slack space is encrypted
It provides flexible space for the investigation
Hidden data may be stored there
What is the PRIMARY objective of a post-event review in incident response?
Adjust budget provisioning
Preserve forensic data
Improve the response process
Ensure the incident is fully documented
Improve the response process
Detailed business continuity plans should be based PRIMARILY on:
consideration of different alternatives.
the solution that is least expensive.
strategies that cover all applications.
strategies validated by senior management.
strategies validated by senior management.
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
rebuild the server from the last verified backup.
place the web server in quarantine.
shut down the server in an organized manner.
rebuild the server with original media and relevant patches.
rebuild the server with original media and relevant patches.
Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?
A bit-level copy of all hard drive data
The last verified backup stored offsite
Data from volatile memory
Backup servers
A bit-level copy of all hard drive data
In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:
international standards.
local regulations.
generally accepted best practices.
organizational security policies.
local regulations.
Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:
determining the extent of property damage.
preserving environmental conditions.
ensuring orderly plan activation.
reducing the extent of operational damage.
reducing the extent of operational damage.
Which of the following actions should take place immediately after a security breach is reported to an information security manager?
Confirm the incident
Determine impact
Notify affected stakeholders
Isolate the incident
Confirm the incident
When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:
services delivery objective.
recovery time objective (RTO).
recovery window.
maximum tolerable outage (MTO).
recovery window.
In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:
volume of sensitive data.
recovery point objective (RPO).
recovery time objective (RTO).
interruption window.
recovery point objective (RPO).
An intrusion detection system (IDS) should:
- run continuously
- ignore anomalies
- require a stable, rarely changed environment
- be located on the network
run continuously
The PRIORITY action to be taken when a server is infected with a virus is to:
isolate the infected server(s) from the network.
identify all potential damage caused by the infection.
ensure that the virus database files are current.
establish security weaknesses in the firewall.
isolate the infected server(s) from the network.
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
The recovery time objective (RTO) was not exceeded during testing
Objective testing of the business continuity/disaster recovery plan has been carried out consistently
The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
Information assets have been valued and assigned to owners per the business continuity plan/disaster recovery plan
The recovery time objective (RTO) was not exceeded during testing
Which of the following situations would be the MOST concern to a security manager?
Audit logs are not enabled on a production server
The logon ID for a terminated systems analyst still exists on the system
The help desk has received numerous reports of users receiving phishing e-mails
A Trojan was found to be installed on a system administrator’s laptop
A Trojan was found to be installed on a system administrator’s laptop
A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:
confirm the incident.
notify senior management.
start containment.
notify law enforcement.
confirm the incident.
A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:
document how the attack occurred.
notify law enforcement.
take an image copy of the media.
close the accounts receivable system.
take an image copy of the media.
When collecting evidence for forensic analysis, it is important to:
ensure the assignment of qualified personnel.
request the IT department do an image copy.
disconnect from the network and isolate the affected devices.
ensure law enforcement personnel are present before the forensic analysis commences.
ensure the assignment of qualified personnel.
What is the BEST method for mitigating against network denial of service (DoS) attacks?
Ensure all servers are up-to-date on OS patches
Employ packet filtering to drop suspect packets
Implement network address translation to make internal addresses non-routable
Implement load balancing for Internet facing devices
Employ packet filtering to drop suspect packets
To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?
Assessment of business impact of past incidents
Need of an independent review of incident causes
Need for constant improvement on the security level
Possible business benefits from incident impact reduction
Possible business benefits from incident impact reduction
A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?
Invalid logon attempts
Write access violations
Concurrent logons
Firewall logs
Invalid logon attempts
Which of the following is an example of a corrective control?
Diverting incoming traffic upon responding to the denial of service (DoS) attack
Filtering network traffic before entering an internal network from outside
Examining inbound network traffic for viruses
Logging inbound network traffic
Diverting incoming traffic upon responding to the denial of service (DoS) attack
To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?
Database server
Domain name server (DNS)
Time server
Proxy server
Time server
An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:
require the use of strong passwords.
assign static IP addresses.
implement centralized logging software.
install an intrusion detection system (IDS).
install an intrusion detection system (IDS).
A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?
Ensure that all OS patches are up-to-date
Block inbound traffic until a suitable solution is found
Obtain guidance from the firewall manufacturer
Commission a penetration test
Obtain guidance from the firewall manufacturer
An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:
use the test equipment in the warm site facility to read the tapes.
retrieve the tapes from the warm site and test them.
have duplicate equipment available at the warm site.
inspect the facility and inventory the tapes on a quarterly basis.
retrieve the tapes from the warm site and test them.
Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?
Business impact analysis (BIA)
Risk assessment
Vulnerability assessment
Business process mapping
Business impact analysis (BIA)
In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?
Copies of critical contracts and service level agreements (SLAs)
Copies of the business continuity plan
Key software escrow agreements for the purchased systems
List of emergency numbers of service providers
Copies of the business continuity plan
An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:
assess the likelihood of incidents from the reported cause.
discontinue the use of the vulnerable technology.
report to senior management that the organization is not affected.
remind staff that no similar security breaches have taken place.
assess the likelihood of incidents from the reported cause.
Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?
Communicating specially drafted messages by an authorized person
Refusing to comment until recovery
Referring the media to the authorities
Reporting the losses and recovery strategy to the media
Communicating specially drafted messages by an authorized person
During the security review of organizational servers it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:
copy sample files as evidence.
remove access privileges to the folder containing the data.
report this situation to the data owner.
train the HR team on properly controlling file permissions.
report this situation to the data owner.
If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:
obtaining evidence as soon as possible.
preserving the integrity of the evidence.
disconnecting all IT equipment involved.
reconstructing the sequence of events.
preserving the integrity of the evidence.
Which of the following has the highest priority when defining an emergency response plan?
Critical data
Critical infrastructure
Safety of personnel
Vital records
Safety of personnel
The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to:
enable independent and objective review of the root cause of the incidents.
obtain support for enhancing the expertise of the third-party teams.
identify lessons learned for further improving the information security management process.
obtain better buy-in for the information security program.
enable independent and objective review of the root cause of the incidents.
The MOST important objective of a post incident review is to:
capture lessons learned to improve the process.
develop a process for continuous improvement.
develop a business case for the security program budget.
identify new incident management tools.
capture lessons learned to improve the process.
Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?
Incident response metrics
Periodic auditing of the incident response process
Action recording and review
Post incident review
Post incident review
The FIRST step in an incident response plan is to:
notify the appropriate individuals.
contain the effects of the incident to limit damage.
develop response strategies for systematic attacks.
validate the incident.
validate the incident.
An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?
Inform senior management.
Determine the extent of the compromise.
Report the incident to the authorities.
Communicate with the affected customers.
Determine the extent of the compromise.
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:
regulatory requirements.
business requirements.
financial value.
IT resource availability.
business requirements.
What task should be performed once a security incident has been verified?
Identify the incident.
Contain the incident.
Determine the root cause of the incident.
Perform a vulnerability assessment.
Contain the incident.
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
Ensure that critical data on the server are backed up.
Shut down the compromised server.
Initiate the incident response process.
Shut down the network.
Initiate the incident response process.
An unauthorized user gained access to a merchant’s database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities?
Shut down and power off the server.
Duplicate the hard disk of the server immediately.
Isolate the server from the network.
Copy the database log file to a protected server.
Isolate the server from the network.
Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?
Setting up a backup site
Maintaining redundant systems
Aligning with recovery time objectives (RTOs)
Data backup frequency
Aligning with recovery time objectives (RTOs)
Which of the following would be MOST appropriate for collecting and preserving evidence?
Encrypted hard drives
Generic audit software
Proven forensic processes
Log correlation software
Proven forensic processes
Of the following, which is the MOST important aspect of forensic investigations?
The independence of the investigator
Timely intervention
Identifying the perpetrator
Chain of custody
Chain of custody
In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?
Perform a backup of the suspect media to new media.
Perform a bit-by-bit image of the original media source onto new media.
Make a copy of all files that are relevant to the investigation.
Run an error-checking program on all logical drives to ensure that there are no disk errors.
Perform a bit-by-bit image of the original media source onto new media.
Which of the following recovery strategies has the GREATEST chance of failure?
Hot site
Redundant site
Reciprocal arrangement
Cold site
Reciprocal arrangement
Recovery point objectives (RPOs) can be used to determine which of the following?
Maximum tolerable period of data loss
Maximum tolerable downtime
Baseline for operational resiliency
Time to restore backups
Maximum tolerable period of data loss
Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?
Preparedness tests
Paper tests
Full operational tests
Actual service disruption
Preparedness tests
When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?
Assigning responsibility for acquiring the data
Locating the data and preserving the integrity of the data
Creating a forensically sound image
Issuing a litigation hold to all affected parties
Locating the data and preserving the integrity of the data
When creating a forensic image of a hard drive, which of the following should be the FIRST step?
Identify a recognized forensics software tool to create the image.
Establish a chain of custody log.
Connect the hard drive to a write blocker.
Generate a cryptographic hash of the hard drive contents.
Establish a chain of custody log.