Module 39 - Incident Response - Q&A Flashcards
All of the following are considered incidents, except:
A. Hacking attacks
B. Fires
C. Equipment theft
D. Increase in network traffic
D. An increase in network traffic doesn’t necessarily mean that an incident has occurred.
Which of the following is the first phase of the NIST incident response life cycle?
A. Preparation
B. Eradication
C. Containment
D. Reconstitution
A. Preparation is the first phase of the NIST incident response life cycle.
Which of the following should the incident response policy cover?
A. Response team notification procedures
B. Procedures for restoring a server in the event of an attack
C. Roles and responsibilities
D. List of response equipment and supplies
C. The organization’s incident response policy should cover key roles and responsibilities.
You are recommending personnel for incident response team lead positions. You have several candidates from which to choose and are recommending personnel based upon key characteristics. On which of the following characteristics should you base your recommendations? (Choose two.)
A. Certifications
B. Seniority
C. Training
D. Experience
C, D. Training and experience are key characteristics to consider when recommending personnel for incident response team lead positions.
All of the following should be included in the incident response strategy, except:
A. Defined types of events
B. Procedures for isolating a compromised workstation
C. Levels of impact for events requiring escalation
D. Conditions requiring activation of the incident response team
B. Procedures for isolating a compromised workstation are more detailed and should not be included in the overall incident response strategy.
Which of the following are considered part of executing an incident response? (Choose two.)
A. Detection and Analysis
B. Preparation
C. Containment and Eradication
D. Reporting
A, C. Detection, analysis, containment, and eradication are all steps performed when executing an incident response.
Which of the following are ways to isolate an incident during a response? (Choose all that apply.)
A. Quarantining a system
B. Removing a device from the network
C. Shutting down a system
D. Connecting the system to the demilitarized zone (DMZ) on the network perimeter
A, B, C. All of these are ways of isolating an incident. Connecting the system to the demilitarized zone (DMZ) on the network perimeter does not isolate it; it may actually expose it to further attack or disruption.
Which of the following results of an incident may require public disclosure and informing individuals, by law?
A. Prohibited use of a company computer
B. Data breach
C. Web site defacement
D. Equipment theft
B. A data breach, by law, may require public disclosure and informing individuals whose data has been compromised.
Which of the following would be considered non-technical damage to a business after a serious computer security-related incident?
A. Corruption of system files on a server, requiring a reload
B. A firmware compromise on a router
C. Loss of business due to lower consumer confidence
D. Data theft due to broken encryption keys by an insider
C. Loss of business due to lower consumer confidence is considered non-technical damage to an organization that can result from a serious incident.
Recovery and reconstitution operations will most likely be focused on:
A. installing new perimeter security devices
B. systems and data damaged from the particular incident
C. redesigning the network infrastructure
D. installing new systems not containing the vulnerability that may have led to the incident
B. Recovery and reconstitution operations will most likely be focused on systems and data damaged from the particular incident.