IS3340 CHAPTER 13

Question 1

Documentation that provides details of every move and access of evidence is called ___?

Answer 1

CHAIN OF CUSTODY

Question 2

A team of representatives from IT, management, legal, and public relations that is organized to respond to incidents is called ___?

Answer 2

COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

Question 3

Any written evidence, such as printed reports or data in log files is called ___?

Answer 3

DOCUMENTARY EVIDENCE

Question 4

Any observable occurrence within computer or network is called ___?

Answer 4

EVENT

Question 5

An event that results in violation your security policy, or poses an imminent threat to your security policy is called ___?

Answer 5

INCIDENT

Question 6

Any physical object that you can bring into court that you can touch, hold, and irately observe is called ___?

Answer 6

REAL EVIDENCE

Question 7

1. To ensure a secure computing environment, investigate each reported event.
   TRUE OR FALSE

Answer 7

FALSE

Question 8

2. Many incidents go unreported because they are never recognized.
   TRUE OR FALSE

Answer 8

TRUE

Question 9

3. Which of the following is the best description of the CSIRT’s initial responsibility for incidents?
4. Recognize incidents
5. Validate that an incident has occurred
6. Initiate the incident investigation
7. Contain the incident damage

Answer 9

Validate that an incident has occurred

Question 10

4. The ___ step of handling incidents should always occur before an incident happens.

Answer 10

Preparation

Question 11

5. Which incident handling step might include disconnecting a computer from the network?
6. Identification
7. Eradication
8. Containment
9. Recovery

Answer 11

Containment

Question 12

6. The ___ step to handling incidents is the most important step to continuously improving your incident response plan.

Answer 12

lessons learned

Question 13

7. IT investigators (SMEs) are all CSIRT team members.

TRUE OR FALSE

Answer 13

FALSE

Question 14

8. Which incident classification would apply to a situation where you find that your user account is locked due to too many logon tries using an incorrect password?
9. Unauthorized access of a limited account
10. AUP violation
11. Failed attempt to access any account
12. Unauthorized scan of one or more systems

Answer 14

Failed attempt to access any account

Question 15

9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your Web servers in 12 hours?
10. Severe
11. High
12. Moderate
13. Low

Answer 15

High

Question 16

10. Which incident handling step might include scanning a computer for malware?
11. Identification
12. Containment
13. Eradication
14. Recovery

Answer 16

Identification

Question 17

11. Which incident handling step might include removing a virus from a computer?
12. Identification
13. Containment
14. Eradication
15. Recovery

Answer 17

Eradication

Question 18

12. The contents of log files are which type of evidence?
13. Real evidence
14. Documentary evidence
15. Testimonial evidence
16. Demonstrative evidence

Answer 18

Documentary evidence

Question 19

13. The documentation that provides details of every move and access of evidence is called the ___?

Answer 19

Chain of custody log

Question 20

14. You should treat every incident as if it might end up in court.
    TRUE OR FALSE

Answer 20

TRUE

Question 21

15. Any small change to evidence data may render that evidence unusable to your case.
    TRUE OR FALSE

Answer 21

TRUE