IS4550 CHAPTER 12

Question 1

An individual who understands the organization’s capability to restore the system, application, network, or data. Also has access to call lists to contact anyone in the organization during off hours is called ___.

Answer 1

BUSINESS CONTINUITY REPRESENTATIVE

Question 2

A legal term referring to how evidence is documented and protected. Evidence must be documented and protected from the time it’s obtained to the time it’s presented in court is called ___.

Answer 2

CHAIN OF CUSTODY

Question 3

A legal term that refers to effort made to avoid harm to another party. It essentially refers to the care that a person would reasonably be expected to see under particular circumstances is called ___.

Answer 3

DUE CARE

Question 4

An individual who is an expert on HR policies and disciplinary proceedings or employee counseling is called ___.

Answer 4

HUMAN RESOURCES REPRESENTATIVE

Question 5

An event that violate an organizations security policies is called ___.

Answer 5

INCIDENT

Question 6

A specialized group of people whose purpose is to respond to major incidents is called ___.

Answer 6

INCIDENT RESPONSE TEAM (IRT)

Question 7

In the context of an IRT team, this position provides risk management and analytical skills. They may also have specialized forensic skills for collecting and analyzing evidence and is called ___.

Answer 7

INFORMATION SECURITY REPRESENTATIVE

Question 8

An individual who has intimate knowledge of the systems and configurations of an organization. This individual is typically a developer, system administrator or network administrator. They have the needed technical skills to make critical recommendations on how to top an attack and is called ___.

Answer 8

INFORMATION TECHNOLOGY SUBJECT MATTER EXPERTS

Question 9

The person who keeps track of all the activity of the IRT during an incident. They act ad the official scribe of the team.. All activity flows through this person and they record who is doing what. This person is called ___.

Answer 9

IRT COORDINATOR

Question 10

This person is the IRT leader. This individual makes all the final calls on how to respond to and incident. They are the interface with management and is called ___.

Answer 10

IRT MANAGER

Question 11

An individual who has an understanding of laws and regulatory compliance is called ___.

Answer 11

LEGAL REPRESENTATIVE

Question 12

An attack using viruses, worms,Trojan horses, and scripts and is called ___.

Answer 12

MALICIOUS CODE ATTACK

Question 13

A software tools that runs a series of network commands to determine security weakness is called ___.

Answer 13

NETWORK RECONNAISSANCE PROBE

Question 14

In the context of the IRT team, this individual can advise on how to communicate to the public and customers that mights be impacted by the incident. This person is valuable in ensuring that accurate information gets out and damaging misconceptions are prevented and is called ___.

Answer 14

PUBLIC RELATIONS REPRESENTATIVE

Question 15

1. All incidents regardless of how small should be handled by an incident response team.
   TRUE OR FALSE

Answer 15

FALSE

Question 16

2. Which of the following should not be in an information response team charter?
3. Mission
4. Organization structure
5. Detailed line budget
6. Roles and responsibilities

Answer 16

Detailed line budget

Question 17

3. Which of the following IRT members should be consulted before communication to the public about an incident?
4. Management
5. Public relations
6. IRT manager
7. All the above

Answer 17

Management
Public relations
IRT manager

Question 18

4. As defined by this chapter, what is NOT a step in responding to an incident?
5. Discovering an incident
6. Reporting an incident
7. Containing an incident
8. Creating a budget to compare options
9. Analyzing an incident response

Answer 18

Creating a budget to compare options

Question 19

5. A method outlined in this chapter to determine if an incident is major or minor is to classify an incident with a ___ rating.

Answer 19

SEVERITY

Question 20

6. When containing an incident, you should always apply a long-term preventive solution.
   TRUE OR FALSE

Answer 20

FALSE

Question 21

7. The IRT starts recording events once an ___.

Answer 21

Incident is declared

Question 22

8. During the containment step, you should also gather as much evidence as reasonably possible about the incident.
   TRUE OR FALSE

Answer 22

TRUE

Question 23

9. During the containment step, you should also gather as much evidence as reasonably possible about the incident.
   TRUE OR FALSE

Answer 23

FALSE

Question 24

10. What value does a forensic tool bring?
11. Gathers evidence
12. Helps evidence to be accepted by the court
13. Can take a bit image of a machine
14. All the above

Answer 24

Gathers evidence
Helps evidence to be accepted by the court
Can take a bit image of a machine

Question 25

11. How important is it to identify the attacker before issuing a final IRT report?
12. Critically important: do not issue the report without it
13. Moderately important: nice to have but issue the report if not available
14. Not important: focus on the incident and do not include identity of attacker even if you have it
15. Important: but allow law enforcement to brief management about attacker’s identity

Answer 25

Moderately important: nice to have but issue the report if not available

Question 26

12. When analyzing an incident, you must try to determine which of the following?
13. The tool used to attack
14. The vulnerability that was exploited
15. The result of the attack
16. All the above

Answer 26

The tool used to attack
The vulnerability that was exploited
The result of the attack

Question 27

13. Which IRT member is responsible for handling the media?

Answer 27

Public relations

Question 28

14. It is best practice to test the IRT capability at least once a year.
    TRUE OR FALSE

Answer 28

TRUE

Question 29

15. A federal agency is not required by law to report a security incident.
    TRUE OR FALSE

Answer 29

FALSE