A post-incident review should be conducted by an incident management team to determine: A. relevant electronic evidence. B. lessons learned. C. hacker's identity. D. areas affected.
Correct Answer: B
Explanation:
Post-incident reviews are beneficial in determining ways to improve the response process through lessons learned from the attack. Evaluating the relevance of evidence, who launched the attack or what areas were affected are not the primary purposes for such a meeting because these should have been already established during the response to the incident.
The BEST approach in managing a security incident involving a successful penetration should be to: A. allow business processes to continue during the response. B. allow the security team to assess the attack profile. C. permit the incident to continue to trace the source. D. examine the incident response process for deficiencies.
Correct Answer: A
Explanation:
Since information security objectives should always be linked to the objectives of the business, it is imperative that business processes be allowed to continue whenever possible. Only when there is no alternative should these processes be interrupted. Although it is important to allow the security team to assess the characteristics of an attack, this is subordinate to the needs of the business. Permitting an incident to continue may expose the organization to additional damage. Evaluating the incident management process for deficiencies is valuable but it, too, is subordinate to allowing business processes to continue.
An incident response policy must contain: A. updated call trees. B. escalation criteria. C. press release templates. D. critical backup files inventory.
Correct Answer: B
Explanation:
Escalation criteria, indicating the circumstances under which specific actions are to be undertaken, should be contained within an incident response policy. Telephone trees, press release templates and lists of critical backup files are too detailed to be included in a policy document.
At the conclusion of a disaster recovery test, which of the following should ALWAYS be performed prior to leaving the vendor's hot site facility? A. Erase data and software from devices B. Conduct a meeting to evaluate the test C. Complete an assessment of the hot site provider D. Evaluate the results from all test scripts
Correct Answer: A
Explanation:
For security and privacy reasons, all organizational data and software should be erased prior to departure. Evaluations can occur back at the office after everyone is rested, and the overall results can be discussed and compared objectively.
Which of the following is the MOST important element to ensure the success of a disaster recovery test at a vendor-provided hot site? A. Tests are scheduled on weekends B. Network IP addresses are predefined C. Equipment at the hot site is identical D. Business management actively participates
Correct Answer: D
Explanation:
Disaster recovery testing requires the allocation of sufficient resources to be successful. Without the support of management, these resources will not be available, and testing will suffer as a result. Testing on weekends can be advantageous but this is not the most important choice. As vendor-provided hot sites are in a state of constant change, it is not always possible to have network addresses defined in advance. Although it would be ideal to provide for identical equipment at the hot site, this is not always practical as multiple customers must be served and equipment specifications will therefore vary.
Which of the following is the MOST important to ensure a successful recovery? A. Backup media is stored offsite B. Recovery location is secure and accessible C. More than one hot site is available D. Network alternate links are regularly tested
Correct Answer: A
Explanation:
Unless backup media are available, all other preparations become meaningless. Recovery site location and security are important, but would not prevent recovery in a disaster situation. Having a secondary hot site is also important, but not as important as having backup media available. Similarly, alternate data communication lines should be tested regularly and successfully but, again, this is not as critical.
The FIRST priority when responding to a major security incident is: A. documentation. B. monitoring. C. restoration. D. containment.
Correct Answer: D
Explanation:
The first priority in responding to a security incident is to contain it to limit the impact. Documentation, monitoring and restoration are all important, but they should follow containment.
The BEST method for detecting and monitoring a hacker's activities without exposing information assets to unnecessary risk is to utilize: A. firewalls. B. bastion hosts. C. decoy files. D. screened subnets.
Correct Answer: C
Explanation:
Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security of the hacker’s presence. Firewalls and bastion hosts attempt to keep the hacker out, while screened subnets or demilitarized zones (DMZs) provide a middle ground between the trusted internal network and the external untrusted Internet.
Which of the following actions should be taken when an online trading company discovers a network attack in progress? A. Shut off all network access points B. Dump all event logs to removable media C. Isolate the affected network segment D. Enable trace logging on all events
Correct Answer: C
Explanation:
Isolating the affected network segment will mitigate the immediate threat while allowing unaffected portions of the business to continue processing. Shutting off all network access points would create a denial of service that could result in loss of revenue. Dumping event logs and enabling trace logging, while perhaps useful, would not mitigate the immediate threat posed by the network attack.
A company has a network of branch offices with local file/print and mail servers; each branch individually contracts a hot site. Which of the following would be the GREATEST weakness in recovery capability? A. Exclusive use of the hot site is limited to six weeks B. The hot site may have to be shared with other customers C. The time of declaration determines site access priority D. The provider services all major companies in the area
Correct Answer: D
Explanation:
Sharing a hot site facility is sometimes necessary in the case of a major disaster. Also, first come, first served usually determines priority of access based on general industry practice. Access to a hot site is not indefinite; the recovery plan should address a long-term outage. In case of a disaster affecting a localized geographical area, the vendor’s facility and capabilities could be insufficient for all of its clients, which will all be competing for the same resource. Preference will likely be given to the larger corporations, possibly delaying the recovery of a branch that will likely be smaller than other clients based locally.