1. Which law or regulation requires government agencies and other organizations that operate systems on behalf of government agencies to create an incident response plan?
Ans : FISMA (Federal Information Security Management Act of 2002)
2. You are working as a cybersecurity analyst in a Security Operations Center. You received an alert from your SIEM that a workstation might be infected with a piece of malware. Which phase of the incident response lifecycle would you be in when this occurs?
Ans : Detection and Analysis
3. Which of the following NIST Special Publications is titled Computer Security Incident Handling Guide?
Ans : SP 800-61
4. Which of these is included in a policy?
Ans : objectives
5. Which of these is included in a plan?
Ans : measurements and metrics
6. Which of these is included in a procedure?
Ans : forms
7. Which structure would allow an organization to hire a managed security service provider (MSSP) to conduct their 24/7 monitoring but would still rely on the organization’s own employees to conduct an incident response if a serious breach was detected?
Ans : a partially outsourced model
8. Which role is responsible for the overall success or failure of the technical portions of an incident response?
Ans : team leader
9. Which incident response team member is primarily focused on the creation of an event timeline to show what occurred leading up to the incident?
Ans : forensic analyst
10. Which organization type requires an incident responder to send an information request through their manager prior to sending it to an analyst in the human resources department?
Ans : a vertical organization
11. One of your incident response team members is planning to attend the BlackHat information security conference next month and wants to exchange some of the lessons learned from your organization’s latest incident response efforts with a forensic analyst they know at another company. Which type of coordinating relationship best describes this information exchange?
Ans : team to team
12. Which of these is not considered an indicator that could be used during your technical analysis?
Ans : news articles about an incident
13. Which of these is a consideration when asking contract personnel to come in after working hours for an incident, but is not a major consideration when dealing with your own organizational employees?
Ans : incurring additional labor coverages and costs
14. Which type of technical resource could be used to identify if a Windows system file has been modified?
Ans : cryptographic hash
15. Which of these is not considered a method of preventing future incidents?
Ans : Remove a Remote Access Trojan from the organization’s server.
16. Which attack vector would be used to properly categorize a password spraying attack?
Ans : attrition-based
17. Which type of indicator of compromise would best represent the vulnerability and exploit data contained within the Common Vulnerabilities and Exposures database?
Ans : public information
18. Which of these is a prioritization category that is used to measure the effect on the confidentiality, integrity, or availability of an organization’s network or servers?
Ans : information impact
19. Which containment strategy involves disconnecting an infected host from the network to prevent the spread of malware?
Ans : isolation
20. Based on the order of volatility, which type of evidence should be collected first?
Ans : swap files
21. Which of these is not considered a recovery action during an incident response?
Ans : Collect evidence from the affected system.
22. When creating your evidence retention policy, which factor would prevent you from retaining data and evidence for an indefinite amount of time?
Ans : the size of the organization’s budget for data retention
23. What is the most important thing to do during a "Lessons Learned" workshop to get valuable feedback from everyone?
Ans : Avoid assigning blame to anyone.
24. Which of these is not a typical measure or metric collected by the incident handling and incident response team?
Ans : average salary of your incident responders