Term
| One category of containment actions is disabling ________. |
|
Definition
a. Ports
b. Firewalls
c. Users <--NOT
d. Connectivity |
|
|
Term
| To prevent attackers from listening in on wireless networks, ________ should be used. |
|
Definition
a. WEP
b. WPA <--
c. NAC
d. ISP |
|
|
Term
| The main containment method for Denial of Service attacks (DoS) is to ________ if possible. |
|
Definition
a. Suspend the affected services on the hosts involved
b. Remove hosts form the network
c. Block traffic from the IP sources <--
d. Run anti-malware checks on the affected hosts |
|
|
Term
| For malware incidents, infected hosts should be ________ as an initial containment measure. |
|
Definition
a. Turned off
b. Relocated
c. Assigned a different IP address
d. Disconnected from the network <-- |
|
|
Term
| What are the categories of containment actions? |
|
Definition
a. User Participation, Automated Detection, Disabling Services, Disabling Connectivity <--
b. Vendor Participation, Automated Connectivity, Disabling Services, Disabling Detection
c. User Participation, Automated Recovery, Disabling Services, Disabling Detection
d. User Participation, Automated Services, Disabling Detection, Disabling Ports |
|
|
Term
| One of the methods used to identify attackers is to monitor possible attacker ________. |
|
Definition
a. Communication channels <--
b. Active services
c. Host ports
d. ISPs |
|
|
Term
| The purpose of cyber incident eradication is to remove ________ from systems. |
|
Definition
a. Rootkits
b. Viruses <-- NOT
c. Users
d. Attack artifacts |
|
|
Term
| Restoring systems to normal operation is the main purpose of cyber incident ________. |
|
Definition
a. Recovery <--
b. Identification
c. Eradication
d. Containment |
|
|
Term
| The purpose of cyber incident host identification is to determine which hosts have been ________. |
|
Definition
a. Compromised <--
b. Infected
c. Lost
d. Eradicated |
|
|
Term
| What is the purpose of cyber incident containment? |
|
Definition
a. To limit damage to as few systems and networks as possible <--
b. To remove malware or other attack artifacts from systems
c. To determine which hosts have been compromised
d. To restore systems to normal operation |
|
|
Term
| What is the purpose of cyber incident identification? |
|
Definition
a. To limit damage to as few systems and networks as possible
b. To remove malware or other attack artifacts from systems
c. To determine which hosts have been compromised <--
d. To restore systems to normal operation |
|
|
Term
| What are the priorities for incident containment, in order? |
|
Definition
a. Protecting human life, protecting classified and sensitive data, protecting other data, protecting hardware and software, minimizing disruptions <--
b. Protecting human life, protecting corporate data, maintaining quota and deadlines, protecting hardware and software, minimizing disruptions
c. Minimizing disruptions, protecting hardware and software, protecting other data, protecting classified and sensitive data, protecting human life
d. Protecting human life, minimizing disruptions, protecting hardware and software, protecting classified and sensitive data, maintaining quota and deadlines |
|
|
Term
| Which one of the following is NOT a method used for attacker identification? |
|
Definition
a. Validating the Attacker's IP Address
b. Using a sinkhole router
c. Scanning the attacker's system <--NOT
d. Monitoring possible attacker communication channels |
|
|
Term
| What is the purpose of cyber incident eradication? |
|
Definition
a. To restore systems to normal operation
b. To remove malware or other attack artifacts from systems <--
c. To determine which hosts have been compromised
d. To limit damage to as few systems and networks as possible |
|
|
Term
| One criterion for containment decisions is the need to ________. |
|
Definition
a. Preserve evidence
b. Remove malware <--
c. Limit cost
d. Identify the attacker(s) |
|
|
Term
| To prevent employees/users from copying sensitive data to removable media, an organization can use ________. |
|
Definition
a. USB lockdown software <--
b. Anti-malware software
c. Intrusion detection software
d. Network access control software |
|
|
Term
| ________ is NOT an example of inappropriate cyber usage. |
|
Definition
a. Viewing pornography on a business workstation
b. Emailing a co-worker for help on an assignment <--
c. Downloading hacking tools to one's workstation in a business
d. Copying organizational info to a USB drive and giving it to an outside party |
|
|
Term
| Which one of the following is NOT an activity used in cyber incident host identification? |
|
Definition
a. Review cyber asset lists for new systems placed into service.
b. Review security and system logs.
c. Examine key access control groups for unauthorized entries.
d. Search for sensitive data that might have been moved or hidden. <--NOT |
|
|
Term
| With ________ identification, one identifies affected hosts by looking for evidence of past infections. |
|
Definition
a. Inactive
b. Active
c. Forensic <--
d. Manual |
|
|
Term
| How to protect against a type of attack in the future should be a part of full cyber incident eradication and ________. |
|
Definition
a. Containment
b. Identification
c. Triage
d. Recovery <-- |
|
|
Term
| If system files were replaced by a Trojan horse, then recovery should involve ________ the system. |
|
Definition
a. Replacing
b. Rebooting
c. Rebuilding
d. Restoring <--NOT |
|
|
Term
| Two indirect activities required for full recovery are: determining how to protect against the particular type of attack in the future, and notifying others about such matters; what is another indirect activity needed? |
|
Definition
a. Cutting outside network connections, such as to ISPs
b. Removing network segments from the overall network
c. Adding all knowledge gained to the CSIRT's knowledge base <--
d. Limit outbound connections that use encrypted protocols |
|
|
Term
| Of the following choices, which one is NOT a condition upon which a system should be fully rebuilt? |
|
Definition
a. The system is unstable or does not function properly after eradication
b. User e-mail contained phishing attempts <--
c. Attackers have gained administrator level access
d. System files were replaced by a Trojan horse, rootkit, etc |
|
|
Term
| Protecting human life, protecting classified and sensitive data, protecting other data, protecting hardware and software, minimizing disruptions are (in order) priorities for ________ actions. |
|
Definition
a. Eradication
b. Containment <--
c. Recovery
d. Authentication |
|
|
Term
| Potential damage to resources; need to preserve evidence; time and resources to resolve incident; and effectiveness of containment options are some of the criteria for ________ decisions. |
|
Definition
a. Eradication <--?
b. Containment
c. Authentication
d. Confidentiality |
|
|
Term
| Which one of the following is NOT a containment procedure for Denial of Service (DoS) attacks? |
|
Definition
a. Relocate the target
b. Use anti-malware software <--
c. Block traffic from the IP sources
d. Attack the attackers |
|
|
Term
| Which one of the following is NOT a containment or eradication method for malware attacks? |
|
Definition
a. Disable infected or participating services
b. Block traffic from the IP sources <--?
c. Utilize anti-malware software
d. Remove infected hosts from the network |
|
|
Term
| Besides eradication of attack artifacts and restoration of normal operations, there are several other activities that full eradication and recovery should include; name one. |
|
Definition
a. Establishing procedures for disaster evacuation
b. Maintaining a help desk for updates
c. Adding information gained about this type of attack to the knowledge base <--
d. None of the above |
|
|
Term
| One category of containment actions is disabling ________. |
|
Definition
a. Intrusion detection devices
b. Firewalls <--
c. Malware
d. Services |
|
|
Term
| One of the activities for cyber incident host identification is to examine key ________ control groups for unauthorized entries. |
|
Definition
a. Access <--
b. User
c. Remote
d. Port |
|
|
Term
| Eradication of malware typically involves ________. |
|
Definition
a. Suspending affected services
b. Recovering damaged files
c. Rebuilding systems
d. Running anti-malware software <-- |
|
|
Term
| The process of host incident ________ involves the determination of which hosts have been compromised. |
|
Definition
a. Containment
b. Recovery
c. Eradication
d. Identification <--? |
|
|
Term
| A(n) ________ system can be a replacement for passwords; this type of system provides for better confidentially than a password system, and is more difficult to compromise since it is based on an intrinsic characteristic of the user. |
|
Definition
a. DMZ
b. SSL
c. Anti-malware software
d. Biometric authentication <-- |
|
|
Term
| The main purpose of cyber incident recovery is to restore system to ________. |
|
Definition
a. Graceful degradation
b. Normal operation <--
c. Full performance
d. Original configuration |
|
|
Term
| Which one of the following is NOT a general method for cyber incident host identification? |
|
Definition
a. Active identification
b. Manual identification
c. Forensic identification
d. Inactive identification <--? |
|
|
Term
| Which one of the following is NOT an activity used in cyber incident host identification? |
|
Definition
a. Reviewing security and system logs
b. Reviewing cyber asset lists for new systems placed into service <--?
c. Searching for sensitive data that might have been moved or hidden
d. Examining key access control groups for unauthorized entries |
|
|
Term
| WPA should be used to prevent attackers from ________. |
|
Definition
a. Launching a DoD attack
b. Launching a zero-day attack
c. Listening in on wireless networks <--
d. Performing a social engineering exploit |
|
|
Term
| The purpose of cyber incident ________ is to limit damage to systems and networks. |
|
Definition
a. Recovery
b. Eradication
c. Exposure
d. Containment <-- |
|
|
Term
| The main prevention technique for inappropriate cyber usage is in the form of ________. |
|
Definition
a. Use of WAP and SSL data communication
b. Installation of anti-malware
c. Firewall installation
d. Organizational policies <-- |
|
|
Term
| With forensic identification one identifies affected hosts by looking for evidence of ________ infections. |
|
Definition
a. Current
b. Past <--
c. Critical
d. Active |
|
|
Term
| One of the methods used to identify attackers is to ________ the attacker's IP address. |
|
Definition
a. Trace <--
b. Validate
c. Ping
d. Change |
|
|
