Questions 101-150 – Flashcards
Question When the measured activity is outside the baseline parameters in a behavior-based IDPS, it is said to exceed the ____ (the level at which the IDPS triggers an alert to notify the administrator).
Answer c. clipping level

Question A(n) ____ , a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.
Answer b. log file monitor

Question A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.
Answer b. indication

Question Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
Answer a. signature matching

Question The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement.
Answer c. upward

Question A key step in the ____ approach to incident response is to discover the identity of the intruder while documenting his or her activity.
Answer c. apprehend and prosecute

Question A feedback mechanism that can be used to measure the effectiveness of a CSIRT is the ____.
Answer c. definition of empirical measures

Question One way to build and maintain staff skills is to develop incident-handling ____ and have the team members discuss how they would handle them.
Answer c. scenarios

Question Those services performed in response to a request or a defined event such as a help desk alert are called ____.
Answer d. reactive services

Question In the absence of the assigned team manager, the ____ should assume authority for overseeing and evaluating a provided service.
Answer c. deputy team manager

Question The first step in building a CSIRT is to ____.
Answer b. obtain management support and buy-in

Question The first group to communicate the CSIRT's vision and operational plan is the managerial team or individual serving as the ____.
Answer b. champion

Question The focus during a(n) ____ is on learning what worked, what didn't, and where communications and response procedures may have failed.
Answer c. after action review

Question ____ is a valuable resource for additional information on building and staffing CSIRTs.
Answer c. NIST

Question When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.
Answer b. fully outsourced

Question A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____.
Answer b. central CSIRT

Question The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.
Answer d. mission

Question The determination of what systems fall under the CSIRT's responsibility is called its ____.
Answer d. scope of operations

Question A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.
Answer a. distributed CSIRT

Question The announcement of an operational CSIRT should minimally include ____.
Answer a. contact methods and numbers

Question The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not.
Answer a. help desk

Question The champion for the CSIRT may be the same person as the champion for the entire IR function, typically the ____.
Answer d. chief information officer

Question The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps.
Answer b. personnel

Question Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.
Answer b. proactive services

Question Giving the IR team the responsibility for ____ is generally not recommended.
Answer d. patch management

Question If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____.
Answer c. hoax

Question The number-one IR preparation-and-prevention strategy is ____.
Answer c. organizational policy

Question Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.
Answer d. blended

Question Which of the following is the most suitable as a response strategy for malware outbreaks?
Answer c. Blocking known attackers

Question Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.
Answer c. malware hoax

Question A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.
Answer d. distributed denial-of-service

Question Clifford Stoll's book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.
Answer b. The Cuckoo's Egg

Question When an incident includes a breach of physical security, all aspects of physical security should be escalated under a containment strategy known as ____.
Answer b. lockdown

Question There are a number of professional IR agencies, such as ____, that can provide additional resources to help prevent and detect DoS incidents.
Answer a. US-CERT

Question Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.
Answer c. IR reaction strategies

Question In a "block" containment strategy, in which the attacker's path into the environment is disrupted, you should use the most precise strategy possible, starting with ____.
Answer d. blocking a specific IP address

Question ____ is a common indicator of a DoS attack.
Answer d. User reports of system unavailability

Question When an alert warns of new malicious code that targets software used by an organization, the first response should be to research the new virus to determine whether it is ____.
Answer b. real

Question The CSIRT may not wish to "tip off" attackers that they have been detected, especially if the organization is following a(n) ____ approach.
Answer d. apprehend and prosecute

Question A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.
Answer b. cookie

Question When a second attack, using the means and methods of the first attack, is undertaken while the first attack is still underway, this is considered a(n) ____ recurrence.
Answer b. concurrent

Question A(n) ____ attack is a method of combining attacks with rootkits and back doors.
Answer a. hybrid

Question ____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems.
Answer a. Inappropriate use

Question According to the 2010/2011 Computer Crime and Security Survey, ____ is "the most commonly seen attack, with 67.1 percent of respondents reporting it."
Answer d. malware infection

Question ____ is a tactic that deliberately permits an attack to continue while the entire event is observed and additional evidence is collected.
Answer c. Watchful waiting

Question According to NIST, which of the following is an example of a UA attack?
Answer a. Modifying Web-based content without permission

Question The stability of information over time is called its ____.
Answer c. volatility

Question ____ is the determination of the initial flaw or vulnerability that allowed an incident to occur.
Answer d. Root cause analysis

Question In evidence handling, specifically designed ____ are helpful because they are very difficult to remove without breaking.
Answer a. evidence seals

Question A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics, which captures a point-in-time picture of a process.
Answer a. snapshot