Term
One category of containment actions is disabling ________. |
|
Definition
a. Ports
b. Firewalls
c. Users <--NOT
d. Connectivity |
|
|
Term
To prevent attackers from listening in on wireless networks, ________ should be used. |
|
Definition
a. WEP
b. WPA <--
c. NAC
d. ISP |
|
|
Term
The main containment method for Denial of Service attacks (DoS) is to ________ if possible. |
|
Definition
a. Suspend the affected services on the hosts involved
b. Remove hosts form the network
c. Block traffic from the IP sources <--
d. Run anti-malware checks on the affected hosts |
|
|
Term
For malware incidents, infected hosts should be ________ as an initial containment measure. |
|
Definition
a. Turned off
b. Relocated
c. Assigned a different IP address
d. Disconnected from the network <-- |
|
|
Term
What are the categories of containment actions? |
|
Definition
a. User Participation, Automated Detection, Disabling Services, Disabling Connectivity <--
b. Vendor Participation, Automated Connectivity, Disabling Services, Disabling Detection
c. User Participation, Automated Recovery, Disabling Services, Disabling Detection
d. User Participation, Automated Services, Disabling Detection, Disabling Ports |
|
|
Term
One of the methods used to identify attackers is to monitor possible attacker ________. |
|
Definition
a. Communication channels <--
b. Active services
c. Host ports
d. ISPs |
|
|
Term
The purpose of cyber incident eradication is to remove ________ from systems. |
|
Definition
a. Rootkits
b. Viruses <-- NOT
c. Users
d. Attack artifacts |
|
|
Term
Restoring systems to normal operation is the main purpose of cyber incident ________. |
|
Definition
a. Recovery <--
b. Identification
c. Eradication
d. Containment |
|
|
Term
The purpose of cyber incident host identification is to determine which hosts have been ________. |
|
Definition
a. Compromised <--
b. Infected
c. Lost
d. Eradicated |
|
|
Term
What is the purpose of cyber incident containment? |
|
Definition
a. To limit damage to as few systems and networks as possible <--
b. To remove malware or other attack artifacts from systems
c. To determine which hosts have been compromised
d. To restore systems to normal operation |
|
|
Term
What is the purpose of cyber incident identification? |
|
Definition
a. To limit damage to as few systems and networks as possible
b. To remove malware or other attack artifacts from systems
c. To determine which hosts have been compromised <--
d. To restore systems to normal operation |
|
|
Term
What are the priorities for incident containment, in order? |
|
Definition
a. Protecting human life, protecting classified and sensitive data, protecting other data, protecting hardware and software, minimizing disruptions <--
b. Protecting human life, protecting corporate data, maintaining quota and deadlines, protecting hardware and software, minimizing disruptions
c. Minimizing disruptions, protecting hardware and software, protecting other data, protecting classified and sensitive data, protecting human life
d. Protecting human life, minimizing disruptions, protecting hardware and software, protecting classified and sensitive data, maintaining quota and deadlines |
|
|
Term
Which one of the following is NOT a method used for attacker identification? |
|
Definition
a. Validating the Attacker's IP Address
b. Using a sinkhole router
c. Scanning the attacker's system <--NOT
d. Monitoring possible attacker communication channels |
|
|
Term
What is the purpose of cyber incident eradication? |
|
Definition
a. To restore systems to normal operation
b. To remove malware or other attack artifacts from systems <--
c. To determine which hosts have been compromised
d. To limit damage to as few systems and networks as possible |
|
|
Term
One criterion for containment decisions is the need to ________. |
|
Definition
a. Preserve evidence
b. Remove malware <--
c. Limit cost
d. Identify the attacker(s) |
|
|
Term
To prevent employees/users from copying sensitive data to removable media, an organization can use ________. |
|
Definition
a. USB lockdown software <--
b. Anti-malware software
c. Intrusion detection software
d. Network access control software |
|
|
Term
________ is NOT an example of inappropriate cyber usage. |
|
Definition
a. Viewing pornography on a business workstation
b. Emailing a co-worker for help on an assignment <--
c. Downloading hacking tools to one's workstation in a business
d. Copying organizational info to a USB drive and giving it to an outside party |
|
|
Term
Which one of the following is NOT an activity used in cyber incident host identification? |
|
Definition
a. Review cyber asset lists for new systems placed into service.
b. Review security and system logs.
c. Examine key access control groups for unauthorized entries.
d. Search for sensitive data that might have been moved or hidden. <--NOT |
|
|
Term
With ________ identification, one identifies affected hosts by looking for evidence of past infections. |
|
Definition
a. Inactive
b. Active
c. Forensic <--
d. Manual |
|
|
Term
How to protect against a type of attack in the future should be a part of full cyber incident eradication and ________. |
|
Definition
a. Containment
b. Identification
c. Triage
d. Recovery <-- |
|
|
Term
If system files were replaced by a Trojan horse, then recovery should involve ________ the system. |
|
Definition
a. Replacing
b. Rebooting
c. Rebuilding
d. Restoring <--NOT |
|
|
Term
Two indirect activities required for full recovery are: determining how to protect against the particular type of attack in the future, and notifying others about such matters; what is another indirect activity needed? |
|
Definition
a. Cutting outside network connections, such as to ISPs
b. Removing network segments from the overall network
c. Adding all knowledge gained to the CSIRT's knowledge base <--
d. Limit outbound connections that use encrypted protocols |
|
|
Term
Of the following choices, which one is NOT a condition upon which a system should be fully rebuilt? |
|
Definition
a. The system is unstable or does not function properly after eradication
b. User e-mail contained phishing attempts <--
c. Attackers have gained administrator level access
d. System files were replaced by a Trojan horse, rootkit, etc |
|
|
Term
Protecting human life, protecting classified and sensitive data, protecting other data, protecting hardware and software, minimizing disruptions are (in order) priorities for ________ actions. |
|
Definition
a. Eradication
b. Containment <--
c. Recovery
d. Authentication |
|
|
Term
Potential damage to resources; need to preserve evidence; time and resources to resolve incident; and effectiveness of containment options are some of the criteria for ________ decisions. |
|
Definition
a. Eradication <--?
b. Containment
c. Authentication
d. Confidentiality |
|
|
Term
Which one of the following is NOT a containment procedure for Denial of Service (DoS) attacks? |
|
Definition
a. Relocate the target
b. Use anti-malware software <--
c. Block traffic from the IP sources
d. Attack the attackers |
|
|
Term
Which one of the following is NOT a containment or eradication method for malware attacks? |
|
Definition
a. Disable infected or participating services
b. Block traffic from the IP sources <--?
c. Utilize anti-malware software
d. Remove infected hosts from the network |
|
|
Term
Besides eradication of attack artifacts and restoration of normal operations, there are several other activities that full eradication and recovery should include; name one. |
|
Definition
a. Establishing procedures for disaster evacuation
b. Maintaining a help desk for updates
c. Adding information gained about this type of attack to the knowledge base <--
d. None of the above |
|
|
Term
One category of containment actions is disabling ________. |
|
Definition
a. Intrusion detection devices
b. Firewalls <--
c. Malware
d. Services |
|
|
Term
One of the activities for cyber incident host identification is to examine key ________ control groups for unauthorized entries. |
|
Definition
a. Access <--
b. User
c. Remote
d. Port |
|
|
Term
Eradication of malware typically involves ________. |
|
Definition
a. Suspending affected services
b. Recovering damaged files
c. Rebuilding systems
d. Running anti-malware software <-- |
|
|
Term
The process of host incident ________ involves the determination of which hosts have been compromised. |
|
Definition
a. Containment
b. Recovery
c. Eradication
d. Identification <--? |
|
|
Term
A(n) ________ system can be a replacement for passwords; this type of system provides for better confidentially than a password system, and is more difficult to compromise since it is based on an intrinsic characteristic of the user. |
|
Definition
a. DMZ
b. SSL
c. Anti-malware software
d. Biometric authentication <-- |
|
|
Term
The main purpose of cyber incident recovery is to restore system to ________. |
|
Definition
a. Graceful degradation
b. Normal operation <--
c. Full performance
d. Original configuration |
|
|
Term
Which one of the following is NOT a general method for cyber incident host identification? |
|
Definition
a. Active identification
b. Manual identification
c. Forensic identification
d. Inactive identification <--? |
|
|
Term
Which one of the following is NOT an activity used in cyber incident host identification? |
|
Definition
a. Reviewing security and system logs
b. Reviewing cyber asset lists for new systems placed into service <--?
c. Searching for sensitive data that might have been moved or hidden
d. Examining key access control groups for unauthorized entries |
|
|
Term
WPA should be used to prevent attackers from ________. |
|
Definition
a. Launching a DoD attack
b. Launching a zero-day attack
c. Listening in on wireless networks <--
d. Performing a social engineering exploit |
|
|
Term
The purpose of cyber incident ________ is to limit damage to systems and networks. |
|
Definition
a. Recovery
b. Eradication
c. Exposure
d. Containment <-- |
|
|
Term
The main prevention technique for inappropriate cyber usage is in the form of ________. |
|
Definition
a. Use of WAP and SSL data communication
b. Installation of anti-malware
c. Firewall installation
d. Organizational policies <-- |
|
|
Term
With forensic identification one identifies affected hosts by looking for evidence of ________ infections. |
|
Definition
a. Current
b. Past <--
c. Critical
d. Active |
|
|
Term
One of the methods used to identify attackers is to ________ the attacker's IP address. |
|
Definition
a. Trace <--
b. Validate
c. Ping
d. Change |
|
|