Practice Questions Flashcards

1
Q

Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likelihood of an event’s occurrence and the harm it may cause, and is usually denoted as:

Significances
Probability
Magnitudes
Consequences

A

Consequences

2
Q

Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources?

a. Collection
b. Preservation
c. Examination
d. Analysis

A

Collection

3
Q

Which of the following incidents refers to a person gaining access to system and network resources that he/she was not authorized to have?

a. Handling Inappropriate Usage Incidents
b. Unauthorized Access Incident
c. Handling Multiple Component Incidents
d. Authorized Access Incident

A

Unauthorized Access Incident

4
Q

What is the purpose of proactive services offered by a CERT?

a. To find the cost of fixing a problem
b. To develop the infrastructure and security processes
c. To provide services to the constituency
d. None of the above

A

To develop the infrastructure and security processes

5
Q

Which one of the following CSIRT services includes alerts and warnings, incident handling, vulnerability handling, and artifact handling activities?

a. Reactive Services
b. Proactive Services
c. Security Quality Management Services
d. Vulnerability Management Services

A

Reactive Services

6
Q

Which of the following is defined as the existence of a weakness in the design, or an implementation error, that can lead to an unexpected, undesirable event compromising the security of the system?

a. Vulnerability
b. Patch
c. Attack
d. Accident

A

Vulnerability

7
Q

Which one of the following is an intangible cost of an incident?

a. Lost productivity hours
b. Investigation and recovery efforts
c. Loss of business
d. Loss of reputation

A

Loss of reputation

8
Q

Which of the following documents contains logs, records, documents, and any other information that is found on a system?

a. Incident preparation report
b. Incident response report
c. Host-based evidence report
d. Network-based evidence report

A

Host-based evidence report

9
Q

Which of the following types of malware pretends to be a program that offers useful applications, but acquires information from the computer and sends it to a remote attacker?

a. Spyware
b. Worm
c. Virus
d. Rootkit

A

Spyware

10
Q

Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigation, he found that the application was self-replicating and degrading the systems’ performance, but it did not affect the files in those systems.

What is your inference from the above scenario?

a. The application is a Worm
b. The application is a Virus
c. The application is a Trojan
d. The application is a Backdoor

A

The application is a Worm

11
Q

Identify the malicious program that is masked as a genuine harmless program, and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk, and send the victim’s credit card numbers and passwords to a stranger.

Cookie tracker
Worm
Virus
Trojan

A

Trojan

12
Q

Which policy recommends controls for securing and tracking organizational resources?

Access control policy
Administrative security policy
Acceptable use policy
Asset control policy

A

Asset control policy

13
Q

Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical limitations that adversely affects the organization’s operations and revenues?”

Incident Response
Threat
Vulnerability
Risk

A

Risk

14
Q

The goal of incident response is to handle the incidents in a way that minimizes damage and reduces recovery time and costs. Which of the following does not constitute a goal of incident response?

Dealing properly with legal issues that may arise during incidents
Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
Dealing with human resource department and various employee conflict behaviors

A

Dealing with human resource department and various employee conflict behaviors

15
Q

Organizations, or incident response teams, need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. Evidence protection is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage?

Chain-of-Custody
Chain-of-Precedence
Forensic analysis report
Network and Host log records

A

Chain-of-Custody

16
Q

An audit trail policy collects all audit trails, such as a series of records of computer events, about an operating system, an application, or user activities. Which of the following statements is not true for an audit trail policy?

It helps in reconstructing the events after a problem has occurred
It helps in calculating intangible losses to the organization due to an incident
It helps in compliance with various regulatory laws, rules, and guidelines
It helps in tracking individual actions and allows users to be personally accountable for their actions

A

It helps in calculating intangible losses to the organization due to an incident

17
Q

Which of the following risk mitigation strategies makes an organization absorb minor risks while preparing to respond to major ones?

a. Risk avoidance
b. Risk limitation
c. Risk assumption
d. Risk planning

A

Risk assumption

18
Q

Which among the following CERTs is an Internet provider to higher education institutions and various other research institutes in the Netherlands, and deals with all cases related to computer security incidents in which a customer is involved, either as a victim or as a suspect?

Funet CERT
SURFnet-CERT
NET-CERT
DFN-CERT

A

SURFnet-CERT

19
Q

Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack?

a. Threat
b. Risk Assessment
c. Vulnerability assessment
d. Incident response

A

Incident response

20
Q

Which of the following is an indication of unauthorized usage of the standard user account?

a. Usage of secret account
b. Alert of network and host IDS
c. Misplaced hardware parts
d. Increase in the usage of resources

A

Usage of secret account

21
Q

A file or an object found on a system that might be involved in attacks on systems and networks is known as an “artifact”. Handling an artifact involves receiving information about the artifacts that are used in intruder attacks, investigation, and other unauthorized activities causing distortions. Identify the CSIRT service category that artifact handling belongs to.

Reactive services
Proactive services
Incident tracking and reporting systems services
Security quality management services

A

Reactive services

22
Q

Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized?

a. Penetration testing
b. Computer forensics
c. Certification and Accreditation (C&A)
d. Incident handling

A

Certification and Accreditation (C&A)

23
Q

Mysoft, a major software developer located out of New Jersey, realized that sensitive information from folders shared across its network is being accessed by unauthorized people and leaked to third parties, which could result in huge financial losses for the organization. In this context, which of the following statements most appropriately defines “computer security incident”?

Events related to physical security incidents and troubleshooting issues in corporate networks
Any real or suspected adverse event in relation to the security of computer systems or networks
Policies guaranteeing access to information system resources
Rectifying the loss of information that may affect the investment of the organization in different business activities

A

Any real or suspected adverse event in relation to the security of computer systems or networks

24
Q

A Distributed Denial-of-Service (DDoS) attack is a more common type of DoS attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems, which are known as:

a. Spyware
b. Zombies
c. Worms
d. Trojans

A

Zombies

25
Q

Signs of an incident fall into one of two categories: precursor or indication. A precursor indicates the possibility of a security incident occurring, and an indication implies that an incident has probably occurred or is in progress. Identify which of the following is a precursor to an incident.

The network administrator notices an unusual deviation from the typical network traffic flows
A user approaches the help desk to report an abusive/threatening email
Warning from an antivirus program or scanner that threat(s) from a virus/worm have been identified on the user’s system
A newly found vulnerability in the organization’s server, when the vendor makes an announcement of the same

A

A newly found vulnerability in the organization’s server, when the vendor makes an announcement of the same

26
Q

The type of relationship between a CSIRT and its constituency has an impact on the services provided by the CSIRT. Identify the level of authority that enables the members of a CSIRT to undertake any necessary actions on behalf of their constituency.

Half-level authority
Shared-level authority
Mid-level authority
Full-level authority

A

Full-level authority

27
Q

Which policy recommends controls for securing and tracking organizational resources?

Administrative security policy
Access control policy
Asset control policy
Acceptable use policy

A

Asset control policy

28
Q

How will you define quantitative risk analysis?

a. Probability of loss x value of loss
b. Value of loss/Probability of loss
c. Probability of loss + value of loss
d. Probability of loss - value of loss

A

Probability of loss x value of loss

29
Q

An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is based on necessity and if a particular job role requires the use of those resources. Which of the following is not a fundamental element of an access control policy?

Action group: Group of actions performed by the user on resources
Development group: Group of persons who develop the policy
Access group: Group of users to which the policy applies
Resource group: Resources controlled by the policy

A

Development group: Group of persons who develop the policy

30
Q

Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?

Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible
Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
Applies the appropriate technology and tries to eradicate and recover from the incident
Focuses on the incident and handles it from management and technical point of view

A

Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management

31
Q

One of the goals of CSIRT is to manage security problems by taking a certain approach towards the customers’ security vulnerabilities, and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident.

Interactive approach
Qualitative approach
Proactive approach
Interactive approach

A

Proactive approach

32
Q

An incident is analyzed for its nature, intensity, and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?

Identification
Containment
Incident recording
Reporting

A

Identification

33
Q

US-CERT and federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 federal agency category?

a. Weekly
b. Monthly
c. Within two (2) hours of discovery/detection
d. Within four (4) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity

A

Weekly

34
Q

Which one of the following is an appropriate flow of steps in the computer forensics process?

a. Preparation -> Collection -> Examination -> Analysis -> Reporting
b. Examination -> Analysis -> Preparation -> Collection -> Reporting
c. Analysis -> Preparation -> Collection -> Reporting -> Examination
d. Preparation -> Analysis -> Collection -> Examination -> Reporting

A

Preparation -> Collection -> Examination -> Analysis -> Reporting

35
Q

Identify the network security incident where intended authorized users are prevented from using system, network, or applications by flooding the network with a high volume of traffic that consumes all existing network resources.

SQL injection
URL manipulation
XSS attack
Denial-of-Service

A

Denial-of-Service

36
Q

The data on affected systems must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out.

Containment
Incident recording
Incident investigation
Eradication

A

Containment

37
Q

Hexagon, a leading IT company in the USA, has received a lot of malformed TCP/IP packets, which led the main server’s operating system to crash and thereby prevented employees from accessing their resources. Which attack did the adversary use in the above situation?

a. DoS attack
b. Session Hijacking
c. Man-in-the-Middle
d. Cross-Site-Scripting

A

DoS attack

38
Q

Which of the following determines the level of risk and the resulting security requirements for each system?

a. Risk assessment
b. Contingency planning
c. Risk mitigation
d. Residual risk

A

Risk assessment

39
Q

Which one of the following is the correct flow of the stages in an incident response?

a. Eradication –> Containment –> Identification –> Preparation –> Recovery –> Follow-up
b. Identification –> Preparation –> Containment –> Recovery –> Follow-up –> Eradication
c. Containment –> Identification –> Preparation –> Recovery –> Follow-up –> Eradication
d. Preparation –> Identification –> Containment –> Eradication –> Recovery –> Follow-up

A

Preparation –> Identification –> Containment –> Eradication –> Recovery –> Follow-up

40
Q

Information gathering is an integral part of information warfare. Which of the following activities is a part of passive information gathering?

Obtaining details of the target organization by scanning their network
Obtaining details of the target organization by taking services of underground hacking forums
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques by coming into direct contact with the organization

A

Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization

41
Q

An information system processes data into useful information to achieve specified organizational or individual goals. It accepts, processes, and stores data in the form of records in a computer system, and automates some of the information processing activities of the organization. Who is responsible for implementing and controlling the security measures of an information system?

Information Custodian
Information Owner
Information Implementer
Information Consultant

A

Information Custodian

42
Q

A computer forensic investigator must perform a proper investigation to protect digital evidence. During the investigation, an investigator needs to process large amounts of data using a combination of automated and manual methods. Identify the computer forensic process involved.

Preparation
Collection
Reporting
Examination

A

Examination

43
Q

The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing a Denial of Service attack?

SMTP service
SAM service
POP3 service
Echo service

A

Echo service

44
Q

In the DoS containment strategy, at what point will you ask your ISP to implement filtering?

a. After correcting the vulnerability or weakness that is being exploited
b. After relocating the affected target
c. After determining the method of attack
d. After identifying the attackers

A

After determining the method of attack

45
Q

In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified?

a. Control Recommendations
b. Control Analysis
c. System Characterization
d. Likelihood Determination

A

System Characterization

46
Q

Which one of the following is an appropriate flow of the incident recovery steps?

System Restoration –> System Validation –> System Operations –> System Monitoring
System Validation –> System Operations –> System Restoration –> System Monitoring
System Operations –> System Restoration –> System Validation –> System Monitoring
System Restoration –> System Monitoring –> System Validation –> System Operations

A

System Restoration –> System Validation –> System Operations –> System Monitoring

47
Q

Policies are designed to protect the organizational resources on the network by establishing a set of rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?

Documentation policy
Audit Trail Policy
Logging Policy
Access Control Policy

A

Access Control Policy

48
Q

Identify a standard national process which establishes a set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.

NIASAP
NIACAP
NIAAAP
NIPACP

A

NIACAP

49
Q

Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events?

a. Incident response plan
b. Incident recovery plan
c. Business continuity planning
d. Business impact analysis

A

Business continuity planning

50
Q

Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism. Select the technique that helps in detecting insider threats.

a. Categorizing information according to its sensitivity and access rights
b. Protecting computer systems by implementing proper controls
c. Making it compulsory for employees to sign a nondisclosure agreement
d. Correlating known patterns of suspicious and malicious behavior

A

Correlating known patterns of suspicious and malicious behavior

51
Q

The insider’s incident response plan helps the organization to minimize or limit the damage caused due to malicious insiders. Organizations should ensure that the insider perpetrators are not included in the response team or are not aware of the progress. Which of the following statements is not true about the incident response plan?

The organization should regularly update employees on different forms of external and internal attacks through training programs
The employees should also be trained on how to report suspicious behaviors of the insiders
The organization should share or provide the details of the insider’s incident response plan with all employees
Persons responsible for handling insider incidents should be trained on the contents and execution of the response plan

A

The organization should share or provide the details of the insider’s incident response plan with all employees

52
Q

Host-based evidence is the evidence gathered and available on a computer system. It may include logs, records, documents, and any other information stored in a computer system. Network-based evidence is the information gathered from the network resources. Which of the following is host-based evidence?

Wiretaps
IDS logs
Router logs
State of network interface

A

State of network interface

53
Q

Which one of the following personnel in an incident response team focuses on the incident and handles it from a management and technical point of view?

a. Incident Manager (IM)
b. Incident Coordinator (IC)
c. Incident Analyst (IA)
d. Technical Expert

A

Incident Manager (IM)

54
Q

Incident handling and response steps help you to detect, identify, respond, and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system?

a. Configuring firewall to default settings
b. Browsing particular government websites
c. Inspecting the processes running on the system
d. Sending mails to only group of friends

A

Inspecting the processes running on the system

55
Q

Which one of the following is an appropriate flow of the incident recovery steps?

System Restoration –> System Monitoring –> System Validation –> System Operations
System Operations –> System Restoration –> System Validation –> System Monitoring
System Validation –> System Operations –> System Restoration –> System Monitoring
System Restoration –> System Validation –> System Operations –> System Monitoring

A

System Restoration –> System Validation –> System Operations –> System Monitoring

56
Q

Which one of the following is a technical threat?

a. Incorrect data entry
b. Shoulder surfing
c. Sniffing and scanning of the network traffic
d. Password guessing

A

Sniffing and scanning of the network traffic

57
Q

When an employee is terminated from his/her job, what should be the next immediate step taken by an organization?

The access requests granted to an employee should be documented and vetted by a supervisor
All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled
The organization should enforce separation of duties
The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information

A

All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled

58
Q

Roy is a software employee working at Nexawave, a leading IT firm. One day he downloaded a few files from the Internet and referred to them for his current project. While developing the project document, Roy observed that his word processing application was crashing repeatedly. What could be the reason for the above situation?

a. Roy’s system has been infected by boot-record infectors
b. Roy’s system has been infected by a Macro virus
c. Roy’s system has been infected by a Micro virus
d. Roy’s system has been infected through phishing

A

Roy’s system has been infected by a Macro virus

59
Q

In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it, in order to establish the scope of the risk assessment effort?

a. Threats Identification
b. Threat Characterization
c. System Identification
d. System Characterization

A

System Characterization

60
Q

Which of the following strategies focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls?

a. Risk planning
b. Research and acknowledgment
c. Risk avoidance
d. Risk limitation

A

Research and acknowledgment

61
Q

In which attack does an attacker (or attackers) infect multiple systems, called zombies, and use them to attack a particular target?

a. Denial of Service
b. Distributed denial of service
c. Identity Spoofing
d. Man-in-the-Middle

A

Distributed denial of service

62
Q

Identify the reasons that make the organizations not report computer crimes to law enforcement.

I. Fear of negative publicity

II. Lack of awareness of the attack

III. Capability to handle incidents internally

IV. Potential loss of customers

a. I, II, III and IV
b. I and II
c. I, II, and III
d. I, II, and IV

A

I, II, and IV

63
Q

The insiders risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:

If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be high
If the insiders’ technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant
If the insiders’ technical literacy is high and process knowledge is low, the risk posed by the threat will be high
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be insignificant

A

If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be high

64
Q

An organization faced an information security incident, where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incidents?

High level incident
Middle level incident
Ultra-high level incident
Low level incident

A

Middle level incident

65
Q

Computer forensics is the branch of forensic science in which legal evidence is found in any computer or on any digital media devices. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?

Evidence Manager
Evidence Examiner/Investigator
Evidence Documenter
Evidence Supervisory

A

Evidence Examiner/Investigator

66
Q

Which of the following activities involves all the processes, logistics, communications, coordination, and planning to respond to and overcome an incident efficiently?

a. Incident recovery
b. Incident handling
c. Incident reporting

A

Incident handling

67
Q

Which one of the following types of malware takes advantage of file or information transport features on the system to propagate across systems and networks without any human interaction?

a. Worms
b. Virus
c. Trojan
d. Spyware

A

Worms

68
Q

Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident?

An insider intentionally deleting files from a workstation
An attacker using email with malicious code to infect an internal workstation
An attacker redirecting a user to a malicious website and infecting his system with a Trojan
An attacker infecting a machine to launch a DDoS attack

A

An insider intentionally deleting files from a workstation

69
Q

Computer forensics is a methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process?

Examination -> Analysis -> Preparation -> Collection -> Reporting
Analysis -> Preparation -> Collection -> Reporting -> Examination
Preparation -> Collection -> Examination -> Analysis -> Reporting
Preparation -> Analysis -> Collection -> Examination -> Reporting

A

Preparation -> Collection -> Examination -> Analysis -> Reporting

70
Q

Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution, and plan appendices. What is the main purpose of a reconstitution plan?

To restore the original site, test systems to prevent the incident, and terminate operations
To provide the introduction and detailed concept of the contingency plan
To provide a sequence of recovery activities with the help of recovery procedures
To define the notification procedures and damage assessments, and to offer the plan activation

A

To restore the original site, test systems to prevent the incident, and terminate operations

71
Q

Which of the following types of risk is defined by the formula (threats x vulnerability)?

a. Residual risk
b. Qualitative risk
c. Inherent risk
d. Quantitative risk

A

Inherent risk

72
Q

Which of the following is the practice of identifying infected systems by looking for evidence of recent infections?

a. Forensic identification
b. Active identification
c. Manual identification
d. Passive identification

A

Forensic identification

73
Q

Which one of the following is an appropriate flow of the incident recovery steps?

a. System restoration -> System validation -> System operations -> System monitoring
b. System operations -> System restoration -> System validation -> System monitoring
c. System validation -> System operations -> System monitoring -> System restoration
d. System operations -> System validation -> System monitoring -> System restoration

A

System restoration -> System validation -> System operations -> System monitoring

74
Q

Which of the following policies controls access to facilities and computers?

a. Information Security Policy
b. Personnel Security Policy
c. Physical Security Policy
d. Evidence Collection Policy

A

Physical Security Policy

75
Q

Which category of unauthorized access is associated with changes in system status?

a. Physical Intruder
b. Unauthorized Data Access
c. Unauthorized Usage of Standard User Account
d. Unauthorized Data Modification

A

Physical Intruder

76
Q

Which among the following steps do you implement as a part of DoS attack prevention?

a. Disable Intrusion Detection Systems
b. Enable Remote Desktop Connection
c. Install and run packet sniffer on the workstation
d. Block traffic from unassigned IP address ranges

A

Block traffic from unassigned IP address ranges

77
Q

In a qualitative risk analysis, risk is calculated in terms of:

(Attack Success + Criticality) – (Countermeasures)
Probability of Loss X Loss
(Countermeasures + Magnitude of Impact)- (Reports from prior risk assessments)
Asset criticality assessment – (Risks and Associated Risk Levels)

A

(Attack Success + Criticality) – (Countermeasures)

78
Q

Which of the following incident recovery testing methods works by creating a mock disaster, like a fire, to identify the reaction of the procedures that are implemented to handle such situations?

a. Scenario testing
b. Procedure testing
c. Facility testing
d. Live Walk Through testing

A

Scenario testing

79
Q

Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?

a. Identification
b. Data Collection
c. Containment
d. Eradication

A

Containment

80
Q

Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, and a solid backup and recovery strategy. Identify the plan that is a mandatory part of a business continuity plan.

New business strategy plan
Business recovery plan
Forensics procedure plan
Sales and marketing plan

A

Business recovery plan

81
Q

Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?

Identification
Eradication
Data Collection
Containment

A

Containment

82
Q

Which one of the following is the correct flow of the stages in an incident response?

a. Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up
b. Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication
c. Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication
d. Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up

A

Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up

83
Q

Sam, an employee of a multinational company, uses his company's account to send e-mails to a third party with a spoofed mail address. How can you categorize this type of incident?

Denial-of-Service incident
Network intrusion incident
Unauthorized access incident
Inappropriate usage incident

A

Inappropriate usage incident

84
Q

Smith is managing a web server that runs a PHP-based web service. An incident was escalated to him in which users were not able to access the service. During the investigation, he discovered that the web server is live and there is no alert from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Smith infer from the above observation?

a. It indicates a DoS attack
b. It indicates an unauthorized access attack
c. It indicates a Trojan attack
d. It indicates a php-cgi injection attack

A

It indicates a DoS attack

85
Q

Which of the following activities identifies the effects of uncontrolled and non-specific events in the business process?

a. Business impact analysis
b. Support plan analysis
c. Temporary plan analysis
d. Threat Analysis

A

Business impact analysis

86
Q

One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?

a. Detection
b. Triage
c. Protection
d. Preparation

A

Protection

87
Q

"Information warfare" is a conflict that uses information and information systems as weapons. "Offensive" and "defensive" are the two types of information warfare. Which of the following is an example of defensive information warfare?

Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network
Hijacking television and radio transmissions for generating disinformation
Spoofing or disabling the communication networks of a competitor or an enemy
Jamming radio transmissions

A

Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network

88
Q

Which of the following techniques do you implement to respond to an insider attack?

a. Place all the users in quarantine network
b. Place malicious users in quarantine network
c. Allow malicious users to access sensitive information
d. Leave the insider’s computer open in the network

A

Place malicious users in quarantine network

89
Q

Identifying and analyzing an incident is a very critical part of the incident response procedure. Which of the following signs does not indicate a computer security incident?

System crashes or poor system performance
Failed logon attempts and creation of new user accounts
A system alarm or similar indication from an intrusion-detection system
Smoke emitting from the system

A

Smoke emitting from the system

90
Q

Risk management consists of three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST's risk assessment methodology involve?

a. Nine
b. Twelve
c. Four
d. Six

A

Nine

91
Q

Chris is a forensic expert who was hired by a major financial company for his services in incidents and crimes that involve the use of computers. As a forensic expert, he has to perform many duties day-to-day. Choose the duties that Chris has to perform as a forensic expert from the list below:

I. Determine the reason the incident happened

II. Determine the nature of the system by analyzing it

III. Establish secure network measures to prevent the incident from happening

IV. Preserve, analyze, and submit evidence in court

A

I, II and IV

92
Q

A threat source does not present a risk if there is no vulnerability that can be exercised by that threat source. Identify the step in which different threats and threat sources are determined.

Threat identification
System characterization
Vulnerability identification
Control Analysis

A

Threat identification

93
Q

Which of the following is a set of specific strategies, guidelines, and processes to recover from an incident resulting from a problem or emergency?

a. Contingency plan
b. Incident recovery testing
c. Business impact analysis
d. Temporary plan analysis

A

Contingency plan

94
Q

Incident reporting and assessment, assigning event identity and severity level, assigning incident task force members are part of which phase of incident response?

a. Incident Classification
b. Containment
c. Data collection
d. Identification

A

Identification

95
Q

Riya got the following email:

Dear user,
Due to an unexpected software glitch, we have lost all our customer details and are left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and your account will be deleted permanently.
Username: _____________
Password: ______________
Click reply and send.
Note: Please forward this mail to all the HDBC users you know. Sorry for the inconvenience.
Thank you for your cooperation
HDBC Bank Admin
Copyright © 2017
Service Providers administrator
All rights reserved.

On seeing the message, Riya got startled and immediately responded to the sender with her username and password. Later she came to know that her account had been hacked.

Which trick did the attacker use to trap Riya?

a. Attacker used phishing
b. Attacker used sniffing technique
c. Attacker used Pharming technique
d. Attacker used keylogger technique

A

Attacker used phishing

96
Q

A computer virus hoax is a message warning the recipient of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is not a symptom of a virus hoax message?

The message warns to delete certain files if the user does not take appropriate action
The message prompts the user to install Anti-virus
The message from a known email id is caught by SPAM filters due to change in filter settings
The message prompts the end user to forward it to his/her email contact list and gain monetary benefits in doing so

A

The message from a known email id is caught by SPAM filters due to change in filter settings

97
Q

Which of the following incidents refers to a user performing actions that violate the acceptable computing use policies?

a. Inappropriate usage incident
b. Unauthorized access incident
c. Multiple Component incident
d. Distributed Denial-of-Service (DDoS) incident

A

Inappropriate usage incident

98
Q

A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. An organization that absorbs minor risks while preparing to respond to major risks is following which risk mitigation strategy?

Risk limitation
Risk avoidance
Risk absorption
Risk assumption

A

Risk absorption

99
Q

Risk analysis involves the process of defining and evaluating dangers. The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination?

a. Descriptive risk analysis
b. Analytical risk analysis
c. Quantitative risk analysis
d. Qualitative risk analysis

A

Quantitative risk analysis

100
Q

Quantitative risk is the numerical determination of the probability of an adverse event, and the extent of the losses due to the event. Quantitative risk is calculated as:

Significant Risks x Probability of Loss X Loss
(Probability of Loss) / (Loss)
(Loss) / (Probability of Loss)
(Probability of Loss) X (Loss)

A

(Probability of Loss) X (Loss)

101
Q

How would you define qualitative risk analysis?

a. (Attack Success + Criticality) – (Countermeasures)
b. (Countermeasures) + (Criticality – Attack Success)
c. (Attack Success + Countermeasures) – (Criticality)
d. (Attack Success) + (Criticality – Countermeasures)

A

(Attack Success + Criticality) – (Countermeasures)

102
Q

Which of the following incident response actions focuses on limiting the scope and extent of an incident?

a. Identification
b. Containment
c. Eradication
d. Formulating a response strategy

A

Containment

103
Q

Smith is a forensic expert in a reputed organization based in New York. As part of his task, he sniffed the data packets that were trying to communicate with the organization's server, then recorded and analyzed the event logs. Which type of forensic analysis did Smith perform?

a. Network Forensics
b. Data Forensics
c. Internet Forensics
d. Source-code forensics

A

Network Forensics

104
Q

A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. Identify the risk mitigation strategy that focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls.

Research and acknowledgment
Risk limitation
Risk absorption
Risk assumption

A

Research and acknowledgment

105
Q

Which of the following tools is a stand-alone utility used to detect and remove specific viruses? It is not a substitute for full anti-virus but assists administrators and users while dealing with an infected system, and utilizes next generation scan engine technology that includes process scanning, digitally signed DAT files and scan performance optimizations.

Site Advisor
Tripwire Enterprise
HijackThis
Stinger

A

Stinger

106
Q

What is a residual risk?

a. Risk remaining after implementation of all the possible controls
b. Risk caused due to a threat exercising vulnerability
c. Risk resolved with the implementation of possible controls
d. Risk within the acceptable level of threshold

A

Risk remaining after implementation of all the possible controls

107
Q

An incident recovery plan is a statement of actions that should be taken before, during, or after an incident. Identify which of the following is not an objective of the incident recovery plan.

Creating new business processes to maintain profitability after incident
Providing a standard for testing the recovery plan
Avoiding the legal liabilities arising due to incident
Providing assurance that systems are reliable

A

Creating new business processes to maintain profitability after incident

108
Q

Which among the following is a process of rebuilding and restoring the computer systems affected by an incident to the normal operational stage?

a. Incident reporting
b. Incident handling
c. Incident recovery
d. Incident preparation

A

Incident recovery

109
Q

A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can also become a point of reference in case a violation occurs that results in a dismissal or other penalty. Which of the following is NOT true for a good security policy?

It must be approved by a court of law after verification of stated terms and facts
It must clearly define the areas of responsibility for the users, administrators, and management
It must be enforceable with security tools where appropriate, and with sanctions, where actual prevention is not technically feasible
It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods

A

It must be approved by a court of law after verification of stated terms and facts

110
Q

A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is not part of the computer risk policy.

Provisions for continuing support if there is an interruption in the system or if the system crashes
Procedures for the ongoing training of employees authorized to access the system
Procedure to identify security funds to hedge risk
Procedures to monitor the efficiency of the security controls

A

Procedures to monitor the efficiency of the security controls

111
Q

Which of the following statements defines a risk policy?

a. Estimating the damage caused due to occurrence of a disaster
b. Finding the level of the risk
c. Set of ideas implemented to overcome risks
d. Defined probability of the occurrence of an incident

A

Set of ideas implemented to overcome risks

112
Q

In the Control Analysis stage of NIST's risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are these two control categories?

Preventive and Detective controls
Predictive and Detective controls
Detective and Disguised controls
Preventive and Predictive controls

A

Preventive and Detective controls

113
Q

The incident management team provides support to all users in the organization who are affected by the threat or attack. The organization's internal auditor is part of the incident response team. Identify one of the responsibilities of the internal auditor as a part of the incident response team.

Perform necessary action required to block the network traffic from the suspected intruder
Coordinate incident containment activities with the information security officer
Configure information security controls
Identify and report security loopholes to the management for necessary actions

A

Identify and report security loopholes to the management for necessary actions

114
Q

HDBC's online banking website was knocked offline, and its customers were unable to log in or make online transactions. After a few hours, the bank authorities identified that an attacker had kept their server busy by establishing simultaneous login sessions, which restricted their customers from logging in to the bank website. Identify the attack that the invader used to take the bank server offline.

a. DoS attack
b. Session Hijacking
c. Man-in-the-Middle
d. Cross-Site-Scripting

A

DoS attack

115
Q

A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which US Federal Agency incident category does this incident belong to?

CAT 5
CAT 2
CAT 1
CAT 6

A

CAT 2

116
Q

An incident response plan consists of a set of instructions to detect and respond to an incident. It defines the areas of responsibility and creates procedures for handling various computer security incidents. Which of the following is an essential prerequisite for an incident response plan?

a. Availability of forensic experts
b. An approval from court of law
c. Incident analysis report
d. Company’s financial support

A

Company’s financial support