Practice Questions Flashcards
Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likelihood of an event’s occurrence and the harm it may cause, which is usually denoted as:
Significances
Probability
Magnitudes
Consequences
Consequences
Which of the following refers to the process of identifying, labeling, recording, and acquiring data from all possible sources?
a. Collection
b. Preservation
c. Examination
d. Analysis
Collection
Which among the following incidents refers to a person gaining access to system and network resources that he/she was not authorized to have?
a. Handling Inappropriate Usage Incidents
b. Unauthorized Access Incident
c. Handling Multiple Component Incidents
d. Authorized Access Incident
Unauthorized Access Incident
What is the purpose of proactive services offered by a CERT?
a. To find the cost of fixing a problem
b. To develop the infrastructure and security processes
c. To provide services to the constituency
d. None of the above
To develop the infrastructure and security processes
Which one of the following CSIRT services includes alerts and warnings, incident handling, vulnerability handling, and artifact handling activities?
a. Reactive Services
b. Proactive Services
c. Security Quality Management Services
d. Vulnerability Management Services
Reactive Services
Which of the following is defined as the existence of a weakness in the design or an implementation error that can lead to an unexpected, undesirable event compromising the security of the system?
a. Vulnerability
b. Patch
c. Attack
d. Accident
Vulnerability
Which one of the following is the intangible cost for an incident?
a. Lost productivity hours
b. Investigation and recovery efforts
c. Loss of business
d. Loss of reputation
Loss of reputation
Which of the following documents contains logs, records, documents, and any other information found on a system?
a. Incident preparation report
b. Incident response report
c. Host-based evidence report
d. Network-based evidence report
Host-based evidence report
Which among the following malware pretends to be a program that offers useful applications, but collects information from the computer and sends it to a remote attacker?
a. Spyware
b. Worm
c. Virus
d. Rootkit
Spyware
Rob, an incident manager, was informed about an incident where a suspicious application was found residing in the active memory of multiple systems on a network. Upon investigation, he found that the application was self-replicating and degrading the systems’ performance, but it did not affect the files in those systems.
What is your inference from the above scenario?
a. The application is a Worm
b. The application is a Virus
c. The application is a Trojan
d. The application is a Backdoor
The application is a Worm
Identify the malicious program that is masked as a genuine harmless program, and gives the attacker unrestricted access to the user’s information and system. These programs may unleash dangerous programs that may erase the unsuspecting user’s disk, and send the victim’s credit card numbers and passwords to a stranger.
Cookie tracker
Worm
Virus
Trojan
Trojan
Which policy recommends controls for securing and tracking organizational resources?
Access control policy
Administrative security policy
Acceptable use policy
Asset control policy
Asset control policy
Which of the following terms may be defined as “a measure of possible inability to achieve a goal, objective, or target within a defined security, cost, plan, and technical limitations that adversely affects the organization’s operations and revenues”?
Incident Response
Threat
Vulnerability
Risk
Risk
The goal of incident response is to handle the incidents in a way that minimizes damage and reduces recovery time and costs. Which of the following does not constitute a goal of incident response?
Dealing properly with legal issues that may arise during incidents
Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data
Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft of information and disruption of services
Dealing with human resource department and various employee conflict behaviors
Dealing with human resource department and various employee conflict behaviors
Organizations, or incident response teams, need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. Evidence protection is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage?
Chain-of-Custody
Chain-of-Precedence
Forensic analysis report
Network and Host log records
Chain-of-Custody
An audit trail policy collects all audit trails, such as series of records of computer events about an operating system, an application, or user activities. Which of the following statements is not true for an audit trail policy?
It helps in reconstructing the events after a problem has occurred
It helps in calculating intangible losses to the organization due to an incident
It helps in compliance with various regulatory laws, rules, and guidelines
It helps in tracking individual actions and allows users to be personally accountable for their actions
It helps in calculating intangible losses to the organization due to an incident
Which of the following risk mitigation strategies makes an organization absorb minor risks while preparing to respond to major ones?
a. Risk avoidance
b. Risk limitation
c. Risk assumption
d. Risk planning
Risk assumption
Which among the following CERTs is an Internet provider to higher education institutions and various other research institutes in the Netherlands, and deals with all cases related to computer security incidents in which a customer is involved, either as a victim or as a suspect?
Funet CERT
SURFnet-CERT
NET-CERT
DFN-CERT
SURFnet-CERT
Which of the following is defined as an organized approach to address and manage the aftermath of a security breach or attack?
a. Threat
b. Risk Assessment
c. Vulnerability assessment
d. Incident response
Incident response
Which of the following is an indication of unauthorized usage of the standard user account?
a. Usage of secret account
b. Alert of network and host IDS
c. Misplaced hardware parts
d. Increase in the usage of resources
Usage of secret account
A file or an object found on the system that might be involved in attacking systems and networks is known as an “artifact”. Handling an artifact involves receiving information about the artifacts that are used in intruder attacks, investigation, and other unauthorized activities causing disruption. Identify the CSIRT service category that artifact handling belongs to.
Reactive services
Proactive services
Incident tracking and reporting systems services
Security quality management services
Reactive services
Which of the following is a process that ensures systems and major applications adhere to formal and established security requirements that are well documented and authorized?
a. Penetration testing
b. Computer forensics
c. Certification and Accreditation (C&A)
d. Incident handling
Certification and Accreditation (C&A)
Mysoft, a major software developer located out of New Jersey, realized that sensitive information from folders shared across its network is being accessed by unauthorized people and leaked to third parties, which could result in huge financial losses for the organization. In this context, which of the following statements most appropriately defines “computer security incident”?
Events related to physical security incidents and troubleshooting issues in corporate networks
Any real or suspected adverse event in relation to the security of computer systems or networks
Policies guaranteeing access to information system resources
Rectifying the loss of information that may affect the investment of the organization in different business activities
Any real or suspected adverse event in relation to the security of computer systems or networks
A Distributed Denial-of-Service (DDoS) attack is a more common type of DoS attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:
a. Spyware
b. Zombies
c. Worms
d. Trojans
Zombies
Signs of an incident fall into one of two categories: precursor or indication. A precursor indicates the possibility of a security incident occurring, and an indication implies that an incident has probably occurred or is in progress. Identify which of the following is a precursor to an incident.
The network administrator notices an unusual deviation from the typical network traffic flows
A user approaches the help desk to report an abusive/threatening email
Warning from an antivirus program or scanner that a virus/worm threat has been identified on the user’s system
A newly discovered vulnerability in the organization’s server, announced by the vendor
A newly discovered vulnerability in the organization’s server, announced by the vendor
The type of relationship between a CSIRT and its constituency has an impact on the services provided by the CSIRT. Identify the level of authority that enables the members of a CSIRT to undertake any necessary actions on behalf of their constituency.
Half-level authority
Shared-level authority
Mid-level authority
Full-level authority
Full-level authority
Which policy recommends controls for securing and tracking organizational resources?
Administrative security policy
Access control policy
Asset control policy
Acceptable use policy
Asset control policy
How will you define quantitative risk analysis?
a. Probability of loss x value of loss
b. Value of loss/Probability of loss
c. Probability of loss + value of loss
d. Probability of loss - value of loss
Probability of loss x value of loss
An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is granted on the basis of need, that is, whether a particular job role requires the use of those resources. Which of the following is not a fundamental element of an access control policy?
Action group: Group of actions performed by the user on resources
Development group: Group of persons who develop the policy
Access group: Group of users to which the policy applies
Resource group: Resources controlled by the policy
Development group: Group of persons who develop the policy
Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?
Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible
Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
Applies the appropriate technology and tries to eradicate and recover from the incident
Focuses on the incident and handles it from a management and technical point of view
Links the groups that are affected by the incidents, such as legal, human resources, different business areas, and management
One of the goals of CSIRT is to manage security problems by taking a certain approach towards the customers’ security vulnerabilities, and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident.
Interactive approach
Qualitative approach
Proactive approach
Interactive approach
Proactive approach
An incident is analyzed for its nature, intensity, and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?
Identification
Containment
Incident recording
Reporting
Identification
US-CERT and federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 federal agency category?
a. Weekly
b. Monthly
c. Within two (2) hours of discovery/detection
d. Within four (4) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity
Weekly
Which one of the following is an appropriate flow of steps in computer forensics process?
a. Preparation -> Collection -> Examination -> Analysis -> Reporting
b. Examination -> Analysis -> Preparation -> Collection -> Reporting
c. Analysis -> Preparation -> Collection -> Reporting -> Examination
d. Preparation -> Analysis -> Collection -> Examination -> Reporting
Preparation -> Collection -> Examination -> Analysis -> Reporting
Identify the network security incident where intended authorized users are prevented from using a system, network, or application by flooding the network with a high volume of traffic that consumes all existing network resources.
SQL injection
URL manipulation
XSS attack
Denial-of-Service
Denial-of-Service
The data on affected systems must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out.
Containment
Incident recording
Incident investigation
Eradication
Containment
Hexagon, a leading IT company in the USA, has received a large number of malformed TCP/IP packets, which caused the main server’s operating system to crash and thereby prevented employees from accessing their resources. Which attack did the adversary use in the above situation?
a. DoS attack
b. Session Hijacking
c. Man-in-the-Middle
d. Cross-Site-Scripting
DoS attack
Which of the following determines the level of risk and the resulting security requirements for each system?
a. Risk assessment
b. Contingency planning
c. Risk mitigation
d. Residual risk
Risk assessment
Which one of the following is the correct flow of the stages in an incident response?
a. Eradication –> Containment –> Identification –> Preparation –> Recovery –> Follow-up
b. Identification –> Preparation –> Containment –> Recovery –> Follow-up –> Eradication
c. Containment –> Identification –> Preparation –> Recovery –> Follow-up –> Eradication
d. Preparation –> Identification –> Containment –> Eradication –> Recovery –> Follow-up
Preparation –> Identification –> Containment –> Eradication –> Recovery –> Follow-up
Information gathering is an integral part of information warfare. Which of the following activities is a part of passive information gathering?
Obtaining details of the target organization by scanning their network
Obtaining details of the target organization by taking services of underground hacking forums
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques by coming into direct contact with the organization
Obtaining details of the target organization that are freely available on the Internet, and through various other techniques without coming into direct contact with the organization
An information system processes data into useful information to achieve specified organizational or individual goals. It accepts, processes, and stores data in the form of records in a computer system, and automates some of the information processing activities of the organization. Who is responsible for implementing and controlling the security measures of an information system?
Information Custodian
Information Owner
Information Implementer
Information Consultant
Information Custodian
A computer forensic investigator must perform a proper investigation to protect digital evidence. During the investigation, an investigator needs to process large amounts of data using a combination of automated and manual methods. Identify the computer forensic process involved.
Preparation
Collection
Reporting
Examination
Examination
The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing a Denial of Service attack?
SMTP service
SAM service
POP3 service
Echo service
Echo service
In the DoS containment strategy, at what point will you ask your ISP to implement filtering?
a. After correcting the vulnerability or weakness that is being exploited
b. After relocating the affected target
c. After determining the method of attack
d. After identifying the attackers
After determining the method of attack
In which of the steps of NIST’s risk assessment methodology are the boundaries of the IT system, along with the resources and the information that constitute the system, identified?
a. Control Recommendations
b. Control Analysis
c. System Characterization
d. Likelihood Determination
System Characterization
Which one of the following is an appropriate flow of the incident recovery steps?
System Restoration –> System Validation –> System Operations –> System Monitoring
System Validation –> System Operations –> System Restoration –> System Monitoring
System Operations –> System Restoration –> System Validation –> System Monitoring
System Restoration –> System Monitoring –> System Validation –> System Operations
System Restoration –> System Validation –> System Operations –> System Monitoring
Policies are designed to protect the organizational resources on the network by establishing a set of rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?
Documentation policy
Audit Trail Policy
Logging Policy
Access Control Policy
Access Control Policy
Identify a standard national process which establishes a set of activities, general tasks, and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.
NIASAP
NIACAP
NIAAAP
NIPACP
NIACAP
Which of the following is a methodology to create and validate a plan for maintaining continuous business operations before, during, and after incidents and disruptive events?
a. Incident response plan
b. Incident recovery plan
c. Business continuity planning
d. Business impact analysis
Business continuity planning
Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness, or unexplained absenteeism. Select the technique that helps in detecting insider threats.
a. Categorizing information according to its sensitivity and access rights
b. Protecting computer systems by implementing proper controls
c. Making it compulsory for employees to sign a nondisclosure agreement
d. Correlating known patterns of suspicious and malicious behavior
Correlating known patterns of suspicious and malicious behavior
The insider incident response plan helps the organization minimize or limit the damage caused by malicious insiders. Organizations should ensure that the insider perpetrators are not included in the response team and are not aware of its progress. Which of the following statements is not true about the incident response plan?
The organization should regularly update employees on different forms of external and internal attacks through training programs
The employees should also be trained on how to report suspicious behaviors of the insiders
The organization should share or provide the details of the insider’s incident response plan with all employees
Persons responsible for handling insider incidents should be trained on the contents and execution of the response plan
The organization should share or provide the details of the insider’s incident response plan with all employees
Host-based evidence is the evidence gathered from and available on a computer system. It may include logs, records, documents, and any other information stored in a computer system. Network-based evidence is the information gathered from network resources. Which of the following is host-based evidence?
Wiretaps
IDS logs
Router logs
State of network interface
State of network interface
Which one of the following personnel in the incident response team focuses on the incident and handles it from a management and technical point of view?
a. Incident Manager (IM)
b. Incident Coordinator (IC)
c. Incident Analyst (IA)
d. Technical Expert
Incident Manager (IM)
Incident handling and response steps help you to detect, identify, respond, and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system?
a. Configuring the firewall to default settings
b. Browsing particular government websites
c. Inspecting the processes running on the system
d. Sending mails only to a group of friends
Inspecting the processes running on the system
Which one of the following is an appropriate flow of the incident recovery steps?
System Restoration –> System Monitoring –> System Validation –> System Operations
System Operations –> System Restoration –> System Validation –> System Monitoring
System Validation –> System Operations –> System Restoration –> System Monitoring
System Restoration –> System Validation –> System Operations –> System Monitoring
System Restoration –> System Validation –> System Operations –> System Monitoring
Which one of the following is a technical threat?
a. Incorrect data entry
b. Shoulder surfing
c. Sniffing and scanning of the network traffic
d. Password guessing
Sniffing and scanning of the network traffic
When an employee is terminated from his/her job, what should be the next immediate step taken by an organization?
The access requests granted to an employee should be documented and vetted by a supervisor
All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled
The organization should enforce separation of duties
The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information
All access rights of the employee to physical locations, networks, systems, applications, and data should be disabled
Roy is a software employee working at Nexawave, a leading IT firm. One day he downloaded a few files from the Internet and referred to them for his current project. While developing the project document, Roy observed that his word-processing application kept crashing. What could be the reason for the above situation?
a. Roy’s system has been infected by boot-record infectors
b. Roy’s system has been infected by a Macro virus
c. Roy’s system has been infected by a Micro virus
d. Roy’s system has been infected through phishing
Roy’s system has been infected by a Macro virus
In which Risk Assessment Methodology step do you identify the boundaries of the IT system and characterize it, in order to establish the scope of the risk assessment effort?
a. Threats Identification
b. Threat Characterization
c. System Identification
d. System Characterization
System Characterization
Which of the following strategies focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and for appropriate controls?
a. Risk planning
b. Research and acknowledgment
c. Risk avoidance
d. Risk limitation
Research and acknowledgment
In which attack does an attacker infect multiple systems, called zombies, and use them to attack a particular target?
a. Denial of Service
b. Distributed denial of service
c. Identity Spoofing
d. Man-in-the-Middle
Distributed denial of service
Identify the reasons that make the organizations not report computer crimes to law enforcement.
I. Fear of negative publicity
II. Lack of awareness of the attack
III. Capability to handle incidents internally
IV. Potential loss of customers
a. I, II, III and IV
b. I and II
c. I, II, and III
d. I, II, and IV
I, II, and IV
The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be high
If the insiders’ technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant
If the insiders’ technical literacy is high and process knowledge is low, the risk posed by the threat will be high
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be insignificant
If the insiders’ technical literacy and process knowledge are high, the risk posed by the threat will be high
An organization faced an information security incident, where a disgruntled employee passed sensitive access control information to a competitor. The organization’s incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incidents?
High level incident
Middle level incident
Ultra-high level incident
Low level incident
Middle level incident
Computer forensics is the branch of forensic science in which legal evidence is found in any computer or on any digital media devices. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?
Evidence Manager
Evidence Examiner/Investigator
Evidence Documenter
Evidence Supervisory
Evidence Examiner/Investigator
Which of the following activities involves all the processes, logistics, communications, coordination, and planning needed to respond to and overcome an incident efficiently?
a. Incident recovery
b. Incident handling
c. Incident reporting
Incident handling
Which one of the following malware takes advantage of file or information transport features on the system to propagate across systems and networks without any human interaction?
a. Worms
b. Virus
c. Trojan
d. Spyware
Worms
Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident?
An insider intentionally deleting files from a workstation
An attacker using email with malicious code to infect an internal workstation
An attacker redirecting a user to a malicious website and infecting their system with a Trojan
An attacker infecting a machine to launch a DDoS attack
An insider intentionally deleting files from a workstation
Computer forensics is a methodical series of techniques and procedures for gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process?
Examination -> Analysis -> Preparation -> Collection -> Reporting
Analysis -> Preparation -> Collection -> Reporting -> Examination
Preparation -> Collection -> Examination -> Analysis -> Reporting
Preparation -> Analysis -> Collection -> Examination -> Reporting
Preparation -> Collection -> Examination -> Analysis -> Reporting
Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution, and plan appendices. What is the main purpose of a reconstitution plan?
To restore the original site, test systems to prevent the incident, and terminate operations
To provide the introduction and detailed concept of the contingency plan
To provide a sequence of recovery activities with the help of recovery procedures
To define the notification procedures, damage assessments, and plan activation
To restore the original site, test systems to prevent the incident, and terminate operations
Which of the following types of risk is defined by the formula (threats x vulnerability)?
a. Residual risk
b. Qualitative risk
c. Inherent risk
d. Quantitative risk
Inherent risk
Which of the following is the practice of identifying infected systems by looking for evidence of recent infections?
a. Forensic identification
b. Active identification
c. Manual identification
d. Passive identification
Forensic identification
Which one of the following is an appropriate flow of the incident recovery steps?
a. System restoration -> System validation -> System operations -> System monitoring
b. System operations -> System restoration -> System validation -> System monitoring
c. System validation -> System operations -> System monitoring -> System restoration
d. System operations -> System validation -> System monitoring -> System restoration
System restoration -> System validation -> System operations -> System monitoring
Which of the following policies controls the access to the facilities and computers?
a. Information Security Policy
b. Personnel Security Policy
c. Physical Security Policy
d. Evidence Collection Policy
Physical Security Policy
Which category of unauthorized access is associated with changes in system status?
a. Physical Intruder
b. Unauthorized Data Access
c. Unauthorized Usage of Standard User Account
d. Unauthorized Data Modification
Physical Intruder
Which among the following steps do you implement as a part of DoS attack prevention?
a. Disable Intrusion Detection Systems
b. Enable Remote Desktop Connection
c. Install and run packet sniffer on the workstation
d. Block traffic from unassigned IP address ranges
Block traffic from unassigned IP address ranges
In a qualitative risk analysis, risk is calculated in terms of:
(Attack Success + Criticality) – (Countermeasures)
Probability of Loss X Loss
(Countermeasures + Magnitude of Impact) – (Reports from prior risk assessments)
Asset criticality assessment – (Risks and Associated Risk Levels)
(Attack Success + Criticality) – (Countermeasures)
Which of the following incident recovery testing methods works by creating a mock disaster, like a fire, to identify the reaction of the procedures that are implemented to handle such situations?
a. Scenario testing
b. Procedure testing
c. Facility testing
d. Live Walk Through testing
Scenario testing
Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?
a. Identification
b. Data Collection
c. Containment
d. Eradication
Containment
Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, as well as a solid backup and recovery strategy. Identify the plan which is a mandatory part of a business continuity plan.
New business strategy plan
Business recovery plan
Forensics procedure plan
Sales and marketing plan
Business recovery plan
Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?
Identification
Eradication
Data Collection
Containment
Containment
Which one of the following is the correct flow of the stages in an incident response?
a. Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up
b. Identification -> Preparation -> Containment -> Recovery -> Follow-up -> Eradication
c. Containment -> Identification -> Preparation -> Recovery -> Follow-up -> Eradication
d. Eradication -> Containment -> Identification -> Preparation -> Recovery -> Follow-up
Preparation -> Identification -> Containment -> Eradication -> Recovery -> Follow-up
Sam, an employee of a multinational company, uses his company's account to send e-mails to a third party with a spoofed mail address. How can you categorize this type of incident?
Denial-of-Service incident
Network intrusion incident
Unauthorized access incident
Inappropriate usage incident
Inappropriate usage incident
Smith is managing a web server that runs a PHP-based web service. An incident was escalated to him in which users were not able to access the service. During the investigation, he discovered that the web server is live and there is no alert from the anti-malware system. However, in the Task Manager, he discovered a large number of php-cgi processes that were consuming up to ninety-nine percent of the CPU. What can Smith infer from the above observation?
a. It indicates a DoS attack
b. It indicates an unauthorized access attack
c. It indicates a Trojan attack
d. It indicates a php-cgi injection attack
It indicates a DoS attack
Which of the following activities identifies the effects of uncontrolled and non-specific events in the business process?
a. Business impact analysis
b. Support plan analysis
c. Temporary plan analysis
d. Threat Analysis
Business impact analysis
One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?
a. Detection
b. Triage
c. Protection
d. Preparation
Protection
“Information warfare” is conflict that uses Information/Information systems as weapons. “Offensive” and “defensive” are two types of information warfare. Which of the following is an example of defensive information warfare?
Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network
Hijacking television and radio transmissions for generating disinformation
Spoofing or disabling the communication networks of a competitor or an enemy
Jamming radio transmissions
Disabling SSID broadcasts so that unauthorized users cannot detect the presence of a wireless network
Which of the following techniques do you implement to respond to an insider attack?
a. Place all the users in quarantine network
b. Place malicious users in quarantine network
c. Allow malicious users to access sensitive information
d. Leave the insider’s computer open in the network
Place malicious users in quarantine network
Identifying and analyzing an incident is a very critical part of the incident response procedure. Which of the following signs does not indicate a computer security incident?
System crashes or poor system performance
Failed logon attempts and creation of new user accounts
A system alarm or similar indication from an intrusion-detection system
Smoke emitting from the system
Smoke emitting from the system
Risk management consists of three processes: risk assessment, risk mitigation, and evaluation and assessment. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST's risk assessment methodology involve?
a. Nine
b. Twelve
c. Four
d. Six
Nine
Chris is a forensic expert who was hired by a major financial company to use his services in incidents and crimes that involve the use of computers. Being a forensic expert, he has to perform many duties day-to-day. Choose the duties that Chris has to perform as a forensic expert from the list below:
I. Determine the reason the incident happened
II. Determine the nature of the system by analyzing it
III. Establish secure network measures to prevent the incident from happening again
IV. Preserve, analyze and submit evidence in court
I, II and IV
A threat source does not present a risk if there is no vulnerability that can be exercised for that threat source. Identify the step in which the different threats and threat sources are determined.
Threat identification
System characterization
Vulnerability identification
Control Analysis
Threat identification
Which of the following is a set of specific strategies, guidelines, and processes to recover from an incident resulting from a problem or emergency?
a. Contingency plan
b. Incident recovery testing
c. Business impact analysis
d. Temporary plan analysis
Contingency plan
Incident reporting and assessment, assigning event identity and severity level, assigning incident task force members are part of which phase of incident response?
a. Incident Classification
b. Containment
c. Data collection
d. Identification
Identification
Riya got the following email:
Dear user, Due to an unexpected software glitch, we have lost all our customer details and are left with only email IDs. In order to continue our services, we request you provide your username and password in the below fields and revert back. If not, your balance amount will be lost and your account will be deleted permanently. Username: _____________ Password: ______________ Click reply and send. Note: Please forward this mail to all the HDBC users you know. Sorry for the inconvenience. Thank you for your cooperation. HDBC Bank Admin. Copyright © 2017 Service Providers administrator. All rights reserved. On seeing the message, Riya got startled and immediately responded to the sender with her username and password. Later she came to know that her account had been hacked.
Which trick did the attacker use to trap Riya?
a. Attacker used phishing
b. Attacker used sniffing technique
c. Attacker used Pharming technique
d. Attacker used keylogger technique
Attacker used phishing
A computer virus hoax is a message warning the recipient of a non-existent computer virus threat. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is not a symptom of a virus hoax message?
The message warns to delete certain files if the user does not take appropriate action
The message prompts the user to install Anti-virus
The message from a known email ID is caught by spam filters due to a change in filter settings
The message prompts the end user to forward it to his/her email contact list and gain monetary benefits in doing so
The message from a known email ID is caught by spam filters due to a change in filter settings
Which of the following incidents refers to a user performing actions that violate the acceptable computing use policies?
a. Inappropriate usage incident
b. Unauthorized access incident
c. Multiple Component incident
d. Distributed Denial-of-Service (DDoS) incident
Inappropriate usage incident
A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. An organization that absorbs minor risks while preparing to respond to major risks is following which risk mitigation strategy?
Risk limitation
Risk avoidance
Risk absorption
Risk assumption
Risk absorption
Risk analysis involves the process of defining and evaluating dangers. The numerical determination of the probability of an adverse event, and the extent of the losses due to the event, refers to which approach of risk determination?
a. Descriptive risk analysis
b. Analytical risk analysis
c. Quantitative risk analysis
d. Qualitative risk analysis
Quantitative risk analysis
Quantitative risk is the numerical determination of the probability of an adverse event, and the extent of the losses due to the event. Quantitative risk is calculated as:
Significant Risks X Probability of Loss X Loss
(Probability of Loss) / (Loss)
(Loss) / (Probability of Loss)
(Probability of Loss) X (Loss)
(Probability of Loss) X (Loss)
How is qualitative risk analysis defined?
a. (Attack Success + Criticality) – (Countermeasures)
b. (Countermeasures) + (Criticality – Attack Success)
c. (Attack Success + Countermeasures) – (Criticality)
d. (Attack Success) + (Criticality – Countermeasures)
(Attack Success + Criticality) – (Countermeasures)
Which of the following incident response actions focuses on limiting the scope and extent of an incident?
a. Identification
b. Containment
c. Eradication
d. Formulating a response strategy
Containment
Smith is a forensic expert in a reputed organization based in New York. As part of his task, he sniffed the data packets that were trying to communicate with the organization's server, recorded them, and then analyzed the event logs. Which type of forensic analysis did Smith perform?
a. Network Forensics
b. Data Forensics
c. Internet Forensics
d. Source-code forensics
Network Forensics
A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. Identify the risk mitigation strategy that focuses on minimizing the probability of risks and losses by searching for vulnerabilities in the system and appropriate controls.
Research and acknowledgment
Risk limitation
Risk absorption
Risk assumption
Research and acknowledgment
Which of the following tools is a stand-alone utility used to detect and remove specific viruses? It is not a substitute for a full anti-virus product but assists administrators and users while dealing with an infected system, and it utilizes next-generation scan engine technology that includes process scanning, digitally signed DAT files and scan performance optimizations.
Site Advisor
Tripwire Enterprise
HijackThis
Stinger
Stinger
What is a residual risk?
a. Risk remaining after implementation of all the possible controls
b. Risk caused due to a threat exercising vulnerability
c. Risk resolved with the implementation of possible controls
d. Risk within the acceptable level of threshold
Risk remaining after implementation of all the possible controls
An incident recovery plan is a statement of actions that should be taken before, during, or after an incident. Identify which of the following is not an objective of the incident recovery plan.
Creating new business processes to maintain profitability after incident
Providing a standard for testing the recovery plan
Avoiding the legal liabilities arising due to incident
Providing assurance that systems are reliable
Creating new business processes to maintain profitability after incident
Which among the following is a process of rebuilding and restoring the computer systems affected by an incident to the normal operational stage?
a. Incident reporting
b. Incident handling
c. Incident recovery
d. Incident preparation
Incident recovery
A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can also become a point of reference in case a violation occurs that results in a dismissal or other penalty. Which of the following is NOT true for a good security policy?
It must be approved by a court of law after verification of stated terms and facts
It must clearly define the areas of responsibility for the users, administrators, and management
It must be enforceable with security tools where appropriate, and with sanctions, where actual prevention is not technically feasible
It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods
It must be approved by a court of law after verification of stated terms and facts
A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is not part of the computer risk policy.
Provisions for continuing support if there is an interruption in the system or if the system crashes
Procedures for the ongoing training of employees authorized to access the system
Procedure to identify security funds to hedge risk
Procedures to monitor the efficiency of the security controls
Procedures to monitor the efficiency of the security controls
Which of the following statements defines a risk policy?
a. Estimating the damage caused due to occurrence of a disaster
b. Finding the level of the risk
c. Set of ideas implemented to overcome risks
d. Defined probability of the occurrence of an incident
Set of ideas implemented to overcome risks
In the Control Analysis stage of NIST's risk assessment methodology, technical and nontechnical control methods are classified into two categories. What are these two control categories?
Preventive and Detective controls
Predictive and Detective controls
Detective and Disguised controls
Preventive and Predictive controls
Preventive and Detective controls
The incident management team provides support to all users in the organization that are affected by the threat or attack. The organization’s internal auditor is part of the incident response team. Identify one of the responsibilities of the internal auditor as a part of the incident response team.
Perform necessary action required to block the network traffic from the suspected intruder
Coordinate incident containment activities with the information security officer
Configure information security controls
Identify and report security loopholes to the management for necessary actions
Identify and report security loopholes to the management for necessary actions
HDBC's online banking website was knocked offline, and its customers were unable to log in and make online transactions. After a few hours the bank authorities identified that an attacker had kept their server busy by establishing simultaneous login sessions, which prevented customers from logging into the bank website. Identify the attack the invader used to take the bank server offline.
a. DoS attack
b. Session Hijacking
c. Man-in-the-Middle
d. Cross-Site-Scripting
DoS attack
A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the network. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which US Federal agency incident category does this incident belong to?
CAT 5
CAT 2
CAT 1
CAT 6
CAT 2
An incident response plan consists of a set of instructions to detect and respond to an incident. It defines the areas of responsibility and creates procedures for handling various computer security incidents. Which of the following is an essential prerequisite for an incident response plan?
a. Availability of forensic experts
b. An approval from court of law
c. Incident analysis report
d. Company’s financial support
Company’s financial support