Term
| In determining scope and characteristics, the cyber incident response team should examine logs and alerts, as well as look for ________. |
|
Definition
a. The intruder who initiated the event
b. Cause and effect <--NOT
c. Missing logs and alerts
d. Anything suspicious |
|
|
Term
| What is an incident precursor? |
|
Definition
a. A sign that an incident may occur in the future <--
b. A sign that an incident is occurring now
c. A sign that an incident may have occurred
d. A symptom of an imminent shutdown |
|
|
Term
| In regard to IT system components, event monitoring and detection are applied to networks, operating systems, and ________. |
|
Definition
a. Applications <--
b. Computer operators
c. Browsers
d. Search engines |
|
|
Term
| To what components of an overall IT system are event monitoring and detection applied? (Choose the BEST answer) |
|
Definition
a. Server and client operating systems
b. Local and wide area network components
c. Databases and web servers
d. Networks, operating systems, and application software <-- |
|
|
Term
| Types of cyber event false alarms and non-security alerts would include which of the following? |
|
Definition
a. Inaccurate reports <--
b. Detection
c. Both inaccurate reports and detection
d. None of the above |
|
|
Term
| Escalation time periods, as a function of criticality, are often represented in the form of what type of agreement? |
|
Definition
a. MOU
b. SLA <--
c. MOA
d. ISA |
|
|
Term
| Regarding a suspected incident, information should be collected about the reporter (caller), the event(s), the ________, and the systems involved. |
|
Definition
a. Security Information and Event Management (SIEM) records
b. Risk scenarios
c. Diagnostic matrix
d. Actions taken so far <-- |
|
|
Term
| A cyber incident response SLA matrix sets escalation times in relation to ________ and ________. |
|
Definition
a. Incident type / number of users
b. Response times / incident type <--NOT
c. Impacts / number of users
d. Impact / criticality |
|
|
Term
| What are the two types of cyber event log management tools? |
|
Definition
a. Network and operating system
b. Automated log management, and security information and event management (SIEM) <--
c. System software and application software
d. Batch and real time |
|
|
Term
Which law or regulation requires financial institutions to protect their customers' information via cyber log management?
Question text
Which law or regulation requires financial institutions to protect their customers' information via cyber log management? |
|
Definition
a. GLBA
b. FISMA
c. HIPPA
d. PCI <-- NOT |
|
|
Term
| Which of the following activities is NOT part of the investigation activities for incident analysis? |
|
Definition
a. Synchronizing server clocks <--
b. Performing event correlation
c. Using packet sniffers on networks
d. Using Internet search engines for research |
|
|
Term
| Event ________ is used to relate events reported by different subsystems and possibly occurring at different times and on different systems. |
|
Definition
a. Discovery
b. Correlation <--
c. Containment
d. Mitigation |
|
|
Term
| Which of the following is NOT involved with a security incident's overall effect? |
|
Definition
a. Current technical effect
b. The criticality of the system(s) <-- NOT
c. Which resources are affected
d. Future technical effect |
|
|
Term
| Agentless SIEM tools hold the following advantage over Agent-based SIEM tools: |
|
Definition
a. The lack of filtering and aggregation at the individual server level causes larger amounts of data to be transferred over networks.
b. They analyze the data from different log sources, correlate events, identify and prioritize significant events, and initiate responses to events. <-- NOT
c. All logs go to a common format such as syslog.
d. Installation and configuration control on the clients is not an issue. |
|
|
Term
| Which one of the following is NOT a typical automation method for cyber incident management? |
|
Definition
a. Software tools installed and managed by the organization
b. Removable hard drive units <--
c. Managed security service providers
d. Problem resolution services |
|
|
Term
| Cyber event false alarms and non-security alerts could include which of the following? |
|
Definition
a. Human or operational errors <--
b. Detection
c. Testing
d. All of the above |
|
|
Term
| Profiling systems involves _________. |
|
Definition
a. Packet sniffing
b. File integrity checksums
c. Reviewing logs
d. Synchronizing host clocks <-- NOT |
|
|
Term
| Which of the following are primary sources for cyber logs and alerts? |
|
Definition
a. Intrusion detection devices, operating systems, application programs, anti-malware software, and networking equipment <--
b. Modems and other communication devices
c. Disk backup systems
d. Accounting software |
|
|
Term
| "Criticality" is considered ________ in a system that is mission critical to multiple agencies or critical infrastructure. |
|
Definition
a. Medium
b. Low
c. Critical
d. High <-- |
|
|
Term
| Initial incident data should be obtained by the organization's ________ and ________. |
|
Definition
a. IT and MIS
b. Director and VP
c. Help desk and FIRE
d. Help desk and CSIRT <-- |
|
|
Term
| What type of service represents an outsourcing of the CSIRT function? |
|
Definition
a. Business continuity provider
b. Managed security provider <--
c. Internet service provider
d. Application service provider |
|
|
