CNS PreFinals Flashcards

1
Q

is an unexpected event occurring when an attack, whether natural or human-made, affects information resources and/or assets, causing actual damage or disruption to a business’s assets.

A

incident

2
Q

is a detailed set of processes that anticipate, detect, and mitigate the effects of an unexpected event that might compromise information resources and assets.

A

incident response plan (IRP)

3
Q

the set of procedures, policies, and guidelines that commence at the detection of an incident

A

incident response (IR).

4
Q
  • It is important to point out that an IRP is one of three major components of ____.
A

contingency plan (CP)

5
Q

the three major components of a contingency plan (CP).

A

Incident Response
Disaster Recovery
Business Continuity

6
Q

Personnel and Plan Preparation

  • In a large business or organization, the delegation of tasks is essential to maintaining effective operations. When looking at the makeup of an IRP, a __ assumes responsibility for creating it.
A

company’s CISO

7
Q

With the aid of other managers and systems administrators on the contingency planning (CP) team, the __ should select members from each community of interest to form an independent IR team, which executes the IRP.

A

CISO

8
Q
  • __ should follow this six-step process when creating each of the three CP components [_, _, and _]:
A

Contingency planners

IRP, DRP, and BCP

9
Q

six-step process when creating each of the three CP components [IRP, DRP, and BCP]:

A
  1. Identify the mission- or business-critical functions
  2. Identify the resources that support the critical functions
  3. Anticipate potential contingencies or disasters
  4. Select contingency planning strategies
  5. Implement the selected strategy
  6. Test and revise contingency plans
10
Q
  1. Select contingency planning strategies
    In regard to step four, for every incident, the CP team creates three sets of incident-handling procedures:
A
  1. During the incident
  2. After the incident
  3. Before the incident
11
Q
  1. __: The planners develop and document the procedures that must be performed during the incident.
A

During the incident

12
Q
  1. _: Once the procedures for handling an incident are drafted, the planners develop and document the procedures that must be performed immediately after the incident has ceased.
A

After the incident

13
Q
  • _, _, or _, or _ may be hard to distinguish from an actual incident.
A

Incident Detection

Overloaded networks, computers, or servers; misbehaving computer systems or software packages

14
Q
  1. _: The planners draft a third set of procedures: the tasks that must be performed to prepare for the incident.
A

Before the incident

15
Q
  • It is the responsibility of the IR team to determine if an incident is a valid incident or is just the product of “normal” system use.
A

Incident Detection

16
Q
  • Incident candidates can be detected and tracked by end users through several means: _
A

Incident Detection

intrusion detection systems (IDS), host- and network-based virus detection software, and systems administrators

17
Q
  • Therefore, managers must ensure IT professionals receive training to detect __
A

Incident Detection

possible, probable, and definite indicators.

18
Q
  • Possible Indicators:
A
  • Presence of unfamiliar files
  • Presence or execution of unknown programs or processes
  • Unusual consumption of computing resources
  • Unusual system crashes
  • Activities at unexpected times
  • Presence of new accounts
  • Reported attacks
  • Notification from a host- or network-based intrusion detection system (IDS)
19
Q
  • Definite Indicators:
A
  • Use of dormant accounts
  • Changes to logs
  • Presence of hacker tools
  • Notifications by business partner
  • Notification by hacker
20
Q
  • Once an actual incident has been confirmed and properly classified, the __ needs to be directed to move from the detection phase to the reaction phase.
A

Incident Response

IR team

21
Q

is designed to first stop the incident (if still continuing), mitigate its effects, and provide information for the recovery from the incident.

A

Incident Response

IR

22
Q

Incident Response

  • Three key steps include:
A

❑ Notification of Key personnel
❑ Documentation of an Incident
❑ Incident Containment strategies

23
Q

Notification of key personnel

A

Incident Response

24
Q

document of contact information (sequential or hierarchical roster)

A

Alert Roster

25
Q

scripted description of incident and what components of IRP to implement

A

Alert message

26
Q
  • Who, What, When, Where, Why, and How
A

Documenting an Incident

27
Q
  • Serves as a case study
    • improvements in IR and IRP
    • provide legal protection
    • future training simulations
A

Documenting an Incident

28
Q
  • Disabling compromised user accounts
  • Reconfiguring a firewall to block the problem traffic
  • Temporarily disabling the compromised process or service
  • Taking down the conduit application or server—for example, the e-mail server
  • Stopping all computers and network devices
A

Incident Containment Strategies

29
Q

The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets

A

Incident Recovery

  • Incident damage assessment
30
Q

Incident damage assessment

A
  • System logs
  • Intrusion detection logs
  • Configuration logs
  • Documentation from the actual incident
31
Q
  • The recovery process includes the following steps:
A

  1. Identify and resolve the vulnerabilities that allowed the incident to occur and spread.
  2. Address the safeguards that failed to stop or limit the incident – install, replace, or upgrade them.
  3. Evaluate monitoring capabilities – improve detection and reporting methods, or install new monitoring capabilities.
  4. Restore system backups.
  5. Restore the services and processes in use – compromised services and processes must be examined, cleaned, and then restored.
  6. Continuously monitor the system to prevent the incident from happening again. Don’t allow your system to become the hackers’ playground.
  7. Restore the confidence of the organization’s members by assuring them that appropriate measures have been taken to resolve the matter.

32
Q
  • Finally, before an organization can return to routine duties, it is management’s responsibility to see that an __ is conducted.
  • Detailed examination of events from detection to final recovery.
  • All parties involved give input on positives and negatives of the entire IR process.
  • Management should give a summary to bring the IR team’s actions to a close.
A

after-action review (AAR)

33
Q

Threat Statistics

A

*47% of browser attacks – Microsoft, Google
*Average 6110 DoS attacks per day
*28 days average vulnerability exposure
*86% of all attacks are against home users
*54% of DoS attacks world-wide against US
*69% of vulnerabilities against Web applications

34
Q

*__ attacks – Microsoft, Google

A

47% of browser

35
Q

*__ attacks per day

A

Average 6110 DoS

36
Q

*__ average vulnerability exposure

37
Q

*__ of all attacks are against home users

38
Q

*___ world-wide against US

A

54% of DoS attacks

39
Q

*__ against Web applications

A

69% of vulnerabilities

40
Q

Threats to the Enterprise

A
  • Viruses, worms, Trojan horses
  • Web site hacking
  • Hackers and crackers
  • Terrorist attacks
  • Cyber crime and information warfare
  • Effects of emerging standards and technologies
41
Q
  • Viruses, worms, Trojan horses
A

Threats to the Enterprise

42
Q
  • Web site hacking
A

Threats to the Enterprise

43
Q
  • Hackers and crackers
A

Threats to the Enterprise

43
Q
  • Cyber crime and information warfare
A

Threats to the Enterprise

44
Q
  • Terrorist attacks
A

Threats to the Enterprise

45
Q

Security Challenges

A

*ID and prioritize opportunities to improve security effectiveness and efficiency
*Manage security in a dynamic threat environment with a limited budget
*Courts and government policy expectations
*Securing Web services
*Managing identity and access privileges

45
Q
  • Effects of emerging standards and technologies
A

Threats to the Enterprise

46
Q

*ID and prioritize opportunities to improve security effectiveness and efficiency

A

Security Challenges

47
Q

*Manage security in a dynamic threat environment with a limited budget

A

Security Challenges

48
Q

*Courts and government policy expectations

A

Security Challenges

49
Q

*Securing Web services

A

Security Challenges

50
Q

*Managing identity and access privileges

A

Security Challenges

51
Q

Six Step Process

A
  1. Inventory
  2. Risk Assessment
  3. ID Needs
  4. Support
  5. Execute
  6. Review
52
Q

Inventory Environment
“The first thing we need to do is to actually __ on our computing system and understand what the relationship of each asset is to our business process”

  • Prioritize assets
  • Ensure critical systems are protected
  • Use Enterprise Architecture
A

draft out all of the assets that run

understand what the relationship of each asset

53
Q

Inventory Environment

A
  • Prioritize assets
  • Ensure critical systems are protected
  • Use Enterprise Architecture
54
Q

Risk Assessment - Portfolio

A
  • Look at all assets
  • Best Practices
  • Service Levels

Risks and Costs

55
Q

Risks

A
  • Threats
  • Loss of Data
56
Q

Costs

A
  • Prevention
  • Data Recovery
57
Q

ID Needs and Write Plan

A
  • Define, align, and prioritize opportunities
    *Vulnerability vs largest risks
    *ID and define security goals
  • Determine costs and ROI – key is impact!
58
Q

ID/Define Organizational Goals

A

*Protect sensitive and critical information
*Prevent unauthorized access to the network
*Avoid embarrassing publicity
*Maintain uninterrupted operations
*Protect privacy
*Set a “zero-incident” culture
*Comply with federal and state regulations

59
Q

Obtain Support and Approval

A
  1. Need executive champion
    – CIO
  2. Know top management priorities
  3. Know what the competition is doing
  4. Projects in line with market’s thinking
  5. Use federal mandates and audit findings
60
Q

CIO

A

Chief Information Officer

61
Q

Cost Planning and Portfolio Management

A

Zero-based Budget
Management Review
ID Problems Early
Track Initiatives

62
Q

Answers …
* How am I doing?
* Am I on time?
* Within budget?
* Are there any problems or issues?

A

Balanced Scorecard

63
Q

Plan Maintenance
* Review annually
* Compare against best practices
* Adjust as necessary

64
Q

Your organization experiences a sudden system crash. What should the IR team do first?

a. Restart the system immediately
b. Check for possible incident indicators
c. Ignore the crash
d. Call the software vendor

A

b. Check for possible incident indicators

65
Q

An employee reports an unfamiliar file appearing on their desktop. What is the best response?

a. Delete the file
b. Report to the IT security team for investigation
c. Open the file to check its contents
d. Ignore it

A

b. Report to the IT security team for investigation

66
Q

Your IDS detects unusual activity at midnight. What should you do?

a. Assume it’s a false alarm
b. Notify the IR team immediately
c. Restart the system
d. Ignore it

A

b. Notify the IR team immediately

67
Q

A hacker claims to have access to your company’s database. What is the first step?

a. Verify the claim and check system logs
b. Pay the ransom
c. Announce the breach publicly
d. Shut down all systems permanently

A

a. Verify the claim and check system logs

68
Q

Your company experiences a ransomware attack that encrypts critical files. What should you do first?

a. Pay the ransom to recover data
b. Disconnect affected systems from the network
c. Notify all employees to stop working
d. Restore from backups immediately

A

b. Disconnect affected systems from the network

69
Q

A server handling financial transactions is running unusually slow. What is the best action?

a. Restart the server
b. Check for potential security breaches
c. Upgrade the hardware
d. Ignore the issue if transactions still process

A

b. Check for potential security breaches

70
Q

A phishing email is reported by an employee. What is the best response?

a. Instruct all employees to delete similar emails
b. Report the email to the security team for analysis
c. Click the link to check if it’s harmful
d. Do nothing unless someone gets affected

A

b. Report the email to the security team for analysis

71
Q

An employee leaves their workstation unlocked, and someone installs unauthorized software. What should the IR team do?

a. Remove the software and warn the employee
b. Format the workstation immediately
c. Suspend the employee
d. Ignore it unless data is stolen

A

a. Remove the software and warn the employee

73
Q

A company detects malware spreading across multiple devices. What is the best course of action?

a. Isolate infected devices and analyze the malware
b. Reboot all machines to stop the malware
c. Continue normal operations until it affects critical data
d. Shut down the internet connection permanently

A

a. Isolate infected devices and analyze the malware

74
Q

A network administrator discovers unauthorized access from a foreign IP address. What should they do?

a. Block the IP and check logs for further signs of compromise
b. Wait to see if further attacks happen
c. Notify employees to change their passwords immediately
d. Announce the breach on social media

A

a. Block the IP and check logs for further signs of compromise

75
Q

After a security breach, employees are concerned about their personal data. What should management do?

a. Be transparent and provide guidance on protective measures
b. Deny any data breach happened
c. Offer compensation immediately
d. Ignore employee concerns

A

a. Be transparent and provide guidance on protective measures

76
Q

What is the purpose of incident containment strategies?

a. To completely eliminate all cyber threats
b. To prevent the incident from spreading
c. To notify law enforcement
d. To test new security software

A

b. To prevent the incident from spreading

77
Q

What is the first step in the recovery process?

a. Restore system backups
b. Identify vulnerabilities
c. Evaluate monitoring capabilities
d. Restore services

A

b. Identify vulnerabilities

78
Q

What does an After-Action Review (AAR) include?

a. Examination of events
b. Evaluation of IR process
c. Summary report
d. All of the above

A

d. All of the above

79
Q

What should be done after restoring services post-incident?

a. Remove all system logs
b. Conduct system monitoring
c. Disable all security measures
d. Ignore user feedback

A

b. Conduct system monitoring

80
Q

What is a potential method for incident containment?

a. Allowing unauthorized access
b. Disabling compromised accounts
c. Ignoring minor threats
d. Removing firewall restrictions

A

b. Disabling compromised accounts

81
Q

Which of the following is an example of incident recovery?

a. Installing new monitoring tools
b. Disabling user accounts
c. Blocking network access
d. Deleting backup files

A

a. Installing new monitoring tools

82
Q

What does incident damage assessment evaluate?

a. Financial impact only
b. Scope of confidentiality, integrity, and availability breach
c. Legal consequences only
d. Only hardware damage

A

b. Scope of confidentiality, integrity, and availability breach

83
Q

What should be the final step after handling an incident?

a. Conducting an After-Action Review
b. Ignoring the past incident
c. Shutting down the affected systems permanently
d. Upgrading all company software immediately