Question 1

________ of response is critical.&#10;A) Accuracy&#10;B) Speed&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

Both accuracy and speed of response are critical, as a timely and precise response is necessary for effective communication and decision-making.

Question 2

With good planning and protection, a company can eliminate security incidents.

Accepted Answer

While good planning and protection measures can greatly reduce the likelihood of security incidents, it is impossible to completely eliminate them. Threats and vulnerabilities can always arise, and even the strongest security measures can be bypassed by determined attackers or insider threats. Therefore, it is important for companies to have incident response plans in place and to continually assess and update their security measures to minimize the risk of incidents and mitigate their impact when they do occur.

Question 3

A CSIRT should not include members from the legal department.

Accepted Answer

While members of the legal department may not be directly involved in technical incident response, their expertise can be invaluable in providing guidance on legal and regulatory issues that may arise during an incident. It is important for a CSIRT to include representatives from various departments, including legal, to ensure a comprehensive and effective response to security incidents.

Question 4

Live tests are ________.&#10;A) more effective than walkthroughs&#10;B) inexpensive&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

Live tests are more effective than walkthroughs as they involve actual users performing tasks in real-time, which can uncover issues and provide valuable feedback that may be missed in a walkthrough. While live tests may not be as inexpensive as some other methods of testing, such as automated testing, the benefits they provide make them a worthwhile investment. Therefore, option A is the correct answer.

Question 5

Rehearsals improve ________.&#10;A) accuracy&#10;B) speed&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

Rehearsals help to improve both accuracy and speed. Through repetition and practice, individuals are able to improve their skills and abilities, allowing them to perform tasks more correctly and efficiently. As a result, both accuracy and speed are positively impacted by rehearsals.

Question 6

The business continuity team should be headed by ________.&#10;A) a senior business manager&#10;B) the chief information officer&#10;C) the chief security officer&#10;D) None of the above

Accepted Answer

The business continuity team should be headed by a senior business manager who has a good understanding of the company's operations and can make informed decisions about how to maintain critical functions during an emergency or disruption. While the CIO and CSO may be involved in the team, they should not be the head as this is a business-focused initiative.

Question 7

Walkthroughs are better than live tests because walkthroughs can reveal subtleties that live tests may miss.

Accepted Answer

Walkthroughs and live tests serve different purposes; walkthroughs are good for early detection of issues and understanding system flow, while live tests are crucial for testing the system in real-world scenarios. Neither is inherently better; their effectiveness depends on the context and goals of the testing phase.

Question 8

A major security incident is generally handled by the ________.&#10;A) IT disaster response team&#10;B) business continuity team&#10;C) CSIRT&#10;D) All of the above

Accepted Answer

CSIRT (Computer Security Incident Response Team) is a specialized team responsible for handling and responding to security incidents. While IT disaster response and business continuity teams may have some involvement in security incidents, a CSIRT is specifically focused on security incidents and is best equipped to handle them.

Question 9

A CSIRT should include members from the public relations department.

Accepted Answer

Having members from the public relations department in a CSIRT can be beneficial as they can help manage communications and ensure that external messaging is consistent and appropriate. They can also help manage brand reputation and public perception in the event of a security incident.

Question 10

Which of the following is not one of the four security levels of incidents?&#10;A) False alarms&#10;B) Minor incidents&#10;C) Virus epidemics&#10;D) Disasters

Accepted Answer

The four security levels of incidents are false alarms, minor incidents, major incidents, and disasters. Virus epidemics are typically classified as major incidents.

Question 11

Walkthroughs are ________ table-top exercises.&#10;A) better than&#10;B) just as good as&#10;C) worse than&#10;D) the same thing as

Accepted Answer

The answer of Walkthroughs are ________ table-top exercises.&#10;A) better than&#10;B)...

Question 12

A walkthrough is also called a ________.&#10;A) table-top exercise&#10;B) live test&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of A walkthrough is also called a ________.&#10;A)...

Question 13

Incident response is defined as reacting to incidents according to plan.

Accepted Answer

The answer of Incident response is defined as reacting to...

Question 14

Wal-Mart was able to respond to hurricane Katrina so quickly because it had ________.&#10;A) detailed business continuity plans&#10;B) a full-time director of business continuity&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Wal-Mart was able to respond to hurricane...

Question 15

False positives are legitimate activities that are flagged as suspicious.

Accepted Answer

The answer of False positives are legitimate activities that are...

Question 16

Successful attacks are commonly called ________.&#10;A) security incidents&#10;B) countermeasures&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Successful attacks are commonly called ________.&#10;A) security...

Question 17

________ is concerned with the restarting of the day-to-day revenue generating operations of the firm.&#10;A) Business continuity planning&#10;B) IT disaster recovery&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ is concerned with the restarting of...

Question 18

________ is the act of passing an incident to the CSIRT or business continuity team.&#10;A) Transference&#10;B) Escalation&#10;C) Delegation&#10;D) Acceleration

Accepted Answer

The answer of ________ is the act of passing an...

Question 19

________ allows a response team to determine an incident's damage potential and to gather information needed to begin containment and recovery.&#10;A) Detection&#10;B) Analysis&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ allows a response team to determine...

Question 20

Incident response is defined as reacting to incidents impromptu.

Accepted Answer

The answer of Incident response is defined as reacting to...

Question 21

Once an attack has begun, a company should never allow the attacker to continue.

Accepted Answer

The answer of Once an attack has begun, a company...

Question 22

If it can be applied, the least-damaging recovery option is ________.&#10;A) restoration from backup tapes&#10;B) total reinstallation&#10;C) repair during continuing server operation&#10;D) All of the above are about equally damaging

Accepted Answer

The answer of If it can be applied, the least-damaging...

Question 23

________ is the act of actually stopping an incident's damage.&#10;A) Disconnection&#10;B) Gapping&#10;C) Containment&#10;D) Termination

Accepted Answer

The answer of ________ is the act of actually stopping...

Question 24

Restoration of data files from tape ________.&#10;A) is the fastest recovery method&#10;B) always results in data loss&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Restoration of data files from tape ________.&#10;A)...

Question 25

Repair during ongoing server operation is ________.&#10;A) desirable&#10;B) dangerous&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Repair during ongoing server operation is ________.&#10;A)...

Question 26

The decision to let an attack continue should be made by ________.&#10;A) IT&#10;B) IT security&#10;C) senior business executives&#10;D) public relations

Accepted Answer

The answer of The decision to let an attack continue...

Question 27

Black holing is an effective long-term containment solution.

Accepted Answer

The answer of Black holing is an effective long-term containment...

Question 28

________ eliminates the problem of having to re-baseline the system to proper security levels.&#10;A) Using a disk image&#10;B) Total software reinstallation&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ eliminates the problem of having to...

Question 29

________ deals with interpretations of rights and duties that companies or individuals have relative to each other.&#10;A) Criminal law&#10;B) Civil law&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ deals with interpretations of rights and...

Question 30

The only person who should speak on behalf of a firm should be ________.&#10;A) the public relations director&#10;B) the firm's legal counsel&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of The only person who should speak on...

Question 31

Which of the following should the CSIRT include?&#10;A) senior manager&#10;B) PR director&#10;C) firm's legal counsel&#10;D) All of the above

Accepted Answer

The answer of Which of the following should the CSIRT...

Question 32

It is easier to punish employees than to prosecute outside attackers.

Accepted Answer

The answer of It is easier to punish employees than...

Question 33

Disconnection ________.&#10;A) is the most decisive way to do termination&#10;B) harms legitimate users&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Disconnection ________.&#10;A) is the most decisive way...

Question 34

Which of the following is not one of the three rules for apologies?&#10;A) Explain what happened.&#10;B) Acknowledge responsibility and harm.&#10;C) Use wording aimed at reducing lawsuits.&#10;D) Explain what action will be taken to compensate victims, if any.

Accepted Answer

The answer of Which of the following is not one...

Question 35

________ investigate(s) most violations of local and state computer laws.&#10;A) Local police&#10;B) The FBI&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ investigate(s) most violations of local and...

Question 36

Who should head the CSIRT?&#10;A) IT&#10;B) IT security&#10;C) A senior manager&#10;D) None of the above

Accepted Answer

The answer of Who should head the CSIRT?&#10;A) IT&#10;B) IT...

Question 37

Total software reinstallation effectively addresses data loss.

Accepted Answer

The answer of Total software reinstallation effectively addresses data loss....

Question 38

________ evidence is evidence that is acceptable for court proceedings.&#10;A) Title 18&#10;B) Title 11&#10;C) Forensic&#10;D) Expert

Accepted Answer

The answer of ________ evidence is evidence that is acceptable...

Question 39

Dropping all future packets from a particular IP address is called ________.&#10;A) black holing&#10;B) disconnection&#10;C) IP address spoofing&#10;D) damaging

Accepted Answer

The answer of Dropping all future packets from a particular...

Question 40

Allowing an attacker to continue working in a system after the attack has been discovered ________.&#10;A) may allow the company to collect evidence for prosecution&#10;B) can be dangerous by allowing the attacker to do more damage&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Allowing an attacker to continue working in...

Question 41

Only an expert witness is allowed to interpret facts for juries.

Accepted Answer

The answer of Only an expert witness is allowed to...

Question 42

A(n) ________ is a professional who is trained to collect and evaluate computer evidence in ways that are likely to be admissible in court.&#10;A) expert witness&#10;B) computer forensics expert&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of A(n) ________ is a professional who is...

Question 43

________ punishments may result in fines.&#10;A) Criminal&#10;B) Civil&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ punishments may result in fines.&#10;A) Criminal&#10;B)...

Question 44

A ________ is law dealing with information technology.&#10;A) cyberlaw&#10;B) Title 13&#10;C) Title 17&#10;D) All of the above

Accepted Answer

The answer of A ________ is law dealing with information...

Question 45

The prosecutor must demonstrate ________ at the time of the action at the center of a criminal trial.&#10;A) reasonable doubt&#10;B) mens rea&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of The prosecutor must demonstrate ________ at the...

Question 46

Plaintiffs initiate legal proceedings in ________ cases.&#10;A) civil&#10;B) criminal&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Plaintiffs initiate legal proceedings in ________ cases.&#10;A)...

Question 47

Which of the following is not one of the three levels of U.S. federal courts?&#10;A) U.S. District Courts&#10;B) U.S. Circuit Courts of Appeal&#10;C) U.S. State Courts&#10;D) The U.S. Supreme Court

Accepted Answer

The answer of Which of the following is not one...

Question 48

Courts will often admit unreliable evidence if judges believe that juries can be trusted to evaluate it properly.

Accepted Answer

The answer of Courts will often admit unreliable evidence if...

Question 49

If a defendant has already been prosecuted in a criminal trial, he or she cannot later be tried in a civil trial.

Accepted Answer

The answer of If a defendant has already been prosecuted...

Question 50

Mens Rea usually is important is ________ trials.&#10;A) civil&#10;B) criminal&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Mens Rea usually is important is ________...

Question 51

Federal jurisdiction typically does not extend to computer crimes that are committed entirely within a state and that do not have a bearing on interstate commerce.

Accepted Answer

The answer of Federal jurisdiction typically does not extend to...

Question 52

Past judicial precedents constitute ________.&#10;A) case law&#10;B) statutes&#10;C) criminal law&#10;D) All of the above

Accepted Answer

The answer of Past judicial precedents constitute ________.&#10;A) case law&#10;B)...

Question 53

The normal standard for deciding a case in ________ trials is a preponderance of the evidence.&#10;A) civil&#10;B) criminal&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of The normal standard for deciding a case...

Question 54

Precedents can be created by ________.&#10;A) U.S. Circuit Courts of Appeal.&#10;B) U.S. District Courts&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Precedents can be created by ________.&#10;A) U.S....

Question 55

________ punishments may result in jail time.&#10;A) Criminal&#10;B) Civil&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ punishments may result in jail time.&#10;A)...

Question 56

________ are areas of responsibility within which different government bodies can make and enforce laws but beyond which they cannot.&#10;A) Mens rea&#10;B) Jurisdictions&#10;C) Statutes&#10;D) Precedents

Accepted Answer

The answer of ________ are areas of responsibility within which...

Question 57

Prosecutors initiate legal proceedings in ________ cases.&#10;A) civil&#10;B) criminal&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Prosecutors initiate legal proceedings in ________ cases.&#10;A)...

Question 58

The normal standard for deciding a case in ________ trials is guilt beyond a reasonable doubt.&#10;A) civil&#10;B) criminal&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of The normal standard for deciding a case...

Question 59

________ deals with the violation of criminal statutes.&#10;A) Criminal law&#10;B) Civil law&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of ________ deals with the violation of criminal...

Question 60

International laws about cybercrime are fairly uniform.

Accepted Answer

The answer of International laws about cybercrime are fairly uniform....

Question 61

Communication between IDS ________ must be secure.&#10;A) managers and agents&#10;B) vendors and managers&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Communication between IDS ________ must be secure.&#10;A)...

Question 62

Interactive log file analysis can filter out irrelevant entries.

Accepted Answer

The answer of Interactive log file analysis can filter out...

Question 63

In ________ transfers, the agent waits until it has several minutes or several hours of data and then sends a block of log file data to the manager.&#10;A) batch&#10;B) real-time&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of In ________ transfers, the agent waits until...

Question 64

Which of the following is a function of IDSs?&#10;A) Strike-back&#10;B) Automated analysis&#10;C) Both A and B&#10;D) Neither A nor B

Accepted Answer

The answer of Which of the following is a function...

Deck 10: Incident and Disaster Response