IS3340 CHAPTER 13 Flashcards
Documentation that provides details of every move and access of evidence is called ___?
CHAIN OF CUSTODY
A team of representatives from IT, management, legal, and public relations that is organized to respond to incidents is called ___?
COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)
Any written evidence, such as printed reports or data in log files is called ___?
DOCUMENTARY EVIDENCE
Any observable occurrence within a computer or network is called ___?
EVENT
An event that results in a violation of your security policy, or poses an imminent threat to your security policy, is called ___?
INCIDENT
Any physical object that you can bring into court that you can touch, hold, and directly observe is called ___?
REAL EVIDENCE
- To ensure a secure computing environment, investigate each reported event.
TRUE OR FALSE
FALSE
- Many incidents go unreported because they are never recognized.
TRUE OR FALSE
TRUE
- Which of the following is the best description of the CSIRT’s initial responsibility for incidents?
- Recognize incidents
- Validate that an incident has occurred
- Initiate the incident investigation
- Contain the incident damage
Validate that an incident has occurred
- The ___ step of handling incidents should always occur before an incident happens.
Preparation
- Which incident handling step might include disconnecting a computer from the network?
- Identification
- Eradication
- Containment
- Recovery
Containment
- The ___ step to handling incidents is the most important step to continuously improving your incident response plan.
lessons learned
- IT investigators (SMEs) are all CSIRT team members.
TRUE OR FALSE
FALSE
- Which incident classification would apply to a situation where you find that your user account is locked due to too many logon tries using an incorrect password?
- Unauthorized access of a limited account
- AUP violation
- Failed attempt to access any account
- Unauthorized scan of one or more systems
Failed attempt to access any account
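The event-versus-incident distinction and the incident classes above are easier to see when applied to actual log lines. The script below is an added example, not part of the course material: it treats every log line as an event, aggregates the failed logons and firewall drops, and only raises an incident (with one of the chapter's classifications) when an assumed policy threshold is crossed. The log lines are constructed, and LOCKOUT_THRESHOLD and SCAN_PORT_THRESHOLD are hypothetical values you would take from your own lockout and acceptable-use policies.

```python
"""Classify raw log events into the incident classes used in this chapter.

Added example, not from the course material: the log lines are constructed,
and the thresholds are assumed policy values, not values the chapter gives.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed policy thresholds (hypothetical; take them from your own policy).
LOCKOUT_THRESHOLD = 5        # failed logons before the account is locked
SCAN_PORT_THRESHOLD = 10     # distinct dropped destination ports from one source

# Constructed sample log (sshd + firewall, syslog-like). Not a real capture.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd: Accepted password for alice from 10.0.0.5 port 51000
2024-03-01T09:00:05 host1 sshd: Failed password for bob from 203.0.113.7 port 40001
2024-03-01T09:00:07 host1 sshd: Failed password for bob from 203.0.113.7 port 40002
2024-03-01T09:00:09 host1 sshd: Failed password for bob from 203.0.113.7 port 40003
2024-03-01T09:00:11 host1 sshd: Failed password for bob from 203.0.113.7 port 40004
2024-03-01T09:00:13 host1 sshd: Failed password for bob from 203.0.113.7 port 40005
2024-03-01T09:00:15 host1 sshd: Failed password for bob from 203.0.113.7 port 40006
2024-03-01T09:01:00 host1 sshd: Failed password for alice from 10.0.0.5 port 51001
2024-03-01T09:02:00 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=21
2024-03-01T09:02:00 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=22
2024-03-01T09:02:00 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=23
2024-03-01T09:02:00 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=25
2024-03-01T09:02:01 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=53
2024-03-01T09:02:01 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=80
2024-03-01T09:02:01 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=110
2024-03-01T09:02:01 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=143
2024-03-01T09:02:02 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=443
2024-03-01T09:02:02 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=445
2024-03-01T09:02:02 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=3389
2024-03-01T09:02:02 fw1 firewall: DROP src=198.51.100.9 dst=10.0.0.20 dport=8080
2024-03-01T09:03:00 fw1 firewall: DROP src=10.0.0.31 dst=10.0.0.20 dport=445
2024-03-01T09:03:01 fw1 firewall: DROP src=10.0.0.31 dst=10.0.0.20 dport=139
"""

FAILED_RE = re.compile(r"sshd: Failed password for (\S+) from (\S+)")
DROP_RE = re.compile(r"firewall: DROP src=(\S+) dst=(\S+) dport=(\d+)")


@dataclass(frozen=True)
class Incident:
    classification: str   # one of the chapter's incident classes
    subject: str          # account or source address involved
    count: int            # how many events produced the incident (documentary evidence)


def classify(log_text):
    """Return (event_count, incidents).

    Every non-empty line is an event (an observable occurrence). Only events
    that, in aggregate, cross a policy threshold become incidents.
    """
    failed_by_account = Counter()      # failed logons per account
    dports_by_src = defaultdict(set)   # distinct dropped ports per source
    event_count = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event_count += 1
        m = FAILED_RE.search(line)
        if m:
            account, _src = m.groups()
            failed_by_account[account] += 1
            continue
        m = DROP_RE.search(line)
        if m:
            src, _dst, dport = m.groups()
            dports_by_src[src].add(int(dport))

    incidents = []
    # Repeated failures up to the lockout threshold: the situation in the
    # flashcard above, classified as a failed attempt to access an account.
    for account, n in sorted(failed_by_account.items()):
        if n >= LOCKOUT_THRESHOLD:
            incidents.append(Incident("Failed attempt to access any account", account, n))
    # One source probing many ports on a host: an unauthorized scan.
    for src, ports in sorted(dports_by_src.items()):
        if len(ports) >= SCAN_PORT_THRESHOLD:
            incidents.append(Incident("Unauthorized scan of one or more systems", src, len(ports)))
    return event_count, incidents


if __name__ == "__main__":
    total, found = classify(SAMPLE_LOG)
    print(f"{total} events, {len(found)} incidents")
    for inc in found:
        print(f"  {inc.classification}: {inc.subject} ({inc.count} events)")
```

Note that alice's single failed logon and the two drops from 10.0.0.31 stay events: they are recorded, but they do not by themselves violate policy, which is the point of the FALSE answer to "investigate each reported event" above.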
- Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?
- Severe
- High
- Moderate
- Low
High