SEC 210 – Intrusion Detection – 2016FA FTCC – Flashcards

question
A recommended practice for the implementation of the physical IR plan is to select a ____ binder.
answer
red
question
____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired.
answer
Forensics analysis
question
One of the primary responsibilities of the IRP team is to ensure that the ____ is prepared to respond to each incident it may face.
answer
CSIRT
question
Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident.
answer
reaction force
question
A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment.
answer
network-attached storage
question
Incident analysis resources include network diagrams and lists of ____, such as database servers.
answer
critical assets
question
The ____ of an organization defines the roles and responsibilities for incident response for the CSIRT and others who will be mobilized in the activation of the plan.
answer
IR policy
question
When using virtualization, it is commonplace to use the term ____ to refer to a virtualized environment operating in or on a host platform.
answer
virtual machine
question
____ uses a number of hard drives to store information across multiple drive units.
answer
RAID
question
The U.S. National Institute of Standards and Technology recommends a set of tools for the CSIRT including incident reporting mechanisms with which users can report suspected incidents. At least one of these mechanisms should permit people to report incidents ____.
answer
anonymously
question
A ____ is an agency that provides physical facilities in the event of a disaster for a fee.
answer
service bureau
question
A(n) ____ is an agreement in which the client agrees not to use the vendor's services to compete directly with the vendor, and for the client not to use vendor information to gain a better deal with another vendor.
answer
covenant not to compete
question
Considered to be the traditional "lock and copy" approach to database backup, _____ require the database to be inaccessible while a backup is created to a local drive.
answer
legacy backup applications
question
The training delivery method with the lowest cost to the organization is ____.
answer
self-study (noncomputerized)
question
RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array.
answer
disk striping
question
There are several national training programs that focus on incident response tools and techniques.
answer
True
question
A recommended practice for implementation of a physical IR plan document is to attach copies of relevant documents such as service agreements for the ISP, telephone, water, gas, etc.
answer
True
question
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.
answer
retention
question
The ____ Department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure it is within legal and ethical guidelines for the municipal, state, and federal jurisdictions.
answer
Legal
question
A potential disadvantage of a ____ site-resumption strategy is that more than one organization might need the facility simultaneously.
answer
time-share
question
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment's notice.
answer
hot site
question
E-mail spoofing attacks require an immediate response, typically no more than 30 minutes to one hour.
answer
False
question
A(n) ____ covers the confidentiality of information from everyone unless disclosure is mandated by the courts.
answer
nondisclosure agreement
question
A(n) ____ is a detailed examination of the events that occurred, from first detection of an incident to final recovery.
answer
after-action review
question
A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization's information infrastructure for signs of an incident.
answer
IR duty officer
question
Database shadowing techniques are generally used in organizations that do not need immediate data recovery after an incident or disaster.
answer
False
question
RAID is an acronym for Redundant Array of Incident-Recovery Drives.
answer
False
question
A recommended practice for the implementation of the physical IR plan document is to organize the contents so that the first page contains the ____ actions.
answer
"during attack"
question
General users require training on the technical details of how to do their jobs securely, including good security practices, ____ management, specialized access controls, and violation reporting.
answer
password
question
A(n) ____ is an extension of an organization's intranet into cloud computing.
answer
private cloud
question
A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor.
answer
service agreement
question
The Southeast Collegiate Cyber Defense Competition is unique in that it focuses on the operational aspect of managing and protecting an existing network infrastructure. Unlike "capture-the-flag" exercises, this competition is exclusively a real-world ____ competition.
answer
defensive
question
One real-time protection and data backup strategy is the use of mirroring.
answer
True
question
Some data is required by law to be retained and stored for years.
answer
True
question
A(n) ____ is often included in legal documents to ensure that a vendor is not liable for actions taken by a client.
answer
statement of indemnification
question
A favorite pastime of information security professionals is ____, which is a simulation of attack and defense activities using realistic networks and information systems.
answer
war gaming
question
In contingency planning, an adverse event that threatens the security of an organization's information is called a(n) ____.
answer
incident
question
Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data.
answer
robustness
question
Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else's systems, it is reasonable to ask that the service agreement include contingencies for recovery.
answer
SaaS
question
In computer-based training settings, trainees receive a seminar presentation at their computers.
answer
False
question
____ are used for recovery from disasters that threaten on-site backups.
answer
Data archives
question
Regardless of which IR model an organization chooses, multiple employees should be in charge of incident response.
answer
False
question
As soon as the CSIRT is able to determine what exactly is happening, it is expected to report its preliminary finding to management.
answer
True
question
The focus during a(n) ____ is on learning what worked, what didn't, and where communications and response procedures may have failed.
answer
after action review
question
The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement.
answer
upward
question
One of the first signals that an organization is making progress in the development of its IR program, specifically in the development of its CSIRT, is a dramatic drop in the number of identified incidents.
answer
False
question
The determination of what systems fall under the CSIRT 's responsibility is called its ____.
answer
scope of operations
question
One way to build and maintain staff skills is to develop incident-handling ____ and have the team members discuss how they would handle them.
answer
scenarios
question
The CSIRT is also known as the IR Reaction Team.
answer
True
question
The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not.
answer
help desk
question
The involvement of the CSIRT in incident response typically starts with prevention.
answer
False
question
A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.
answer
distributed CSIRT
question
The announcement of an operational CSIRT should minimally include ____.
answer
contact methods and numbers
question
The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps.
answer
personnel
question
The first step in building a CSIRT is to ____.
answer
obtain management support and buy-in
question
A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.
answer
precursor
question
When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.
answer
fully outsourced
question
The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.
answer
incident candidates
question
A(n) ____ is any system resource that is placed onto a functional system but has no normal use for that system. If it attracts attention, it is from unauthorized access and will trigger a notification or response.
answer
honeytoken
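The following Python script is an added worked example, not part of this flashcard set or the textbook it summarizes. It shows the detection logic a honeytoken implies: a decoy account and a decoy file are planted, and any reference to either in the logs is raised as an alert. The token names, the log format and every log line are constructed for the example.

```python
import re

# Constructed honeytokens: a decoy account planted in the directory and a decoy
# file planted on a share. No legitimate process ever uses either, so any
# reference to them is a definite indicator of unauthorized activity.
HONEYTOKENS = {
    "svc_backup_legacy",        # decoy account (assumed name)
    "Q3_payroll_FINAL.xlsx",    # decoy file (assumed name)
}

# Constructed syslog-like lines; not taken from any real system.
SAMPLE_LOGS = """\
2016-09-12T08:01:02Z auth host=fs01 user=jsmith action=login result=success src=10.0.4.17
2016-09-12T08:03:44Z file host=fs01 user=jsmith action=read path=/shares/finance/budget.xlsx
2016-09-12T08:05:10Z auth host=dc01 user=svc_backup_legacy action=login result=failure src=10.0.9.88
2016-09-12T08:05:12Z auth host=dc01 user=svc_backup_legacy action=login result=success src=10.0.9.88
2016-09-12T08:06:30Z file host=fs01 user=svc_backup_legacy action=read path=/shares/finance/Q3_payroll_FINAL.xlsx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict of fields; None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "kind": m.group("kind")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def honeytoken_hits(log_text):
    """Return one alert per honeytoken touched by each log line.

    There is no threshold and no baseline to tune: because the token has no
    legitimate use, a single hit is enough to raise an alert.
    """
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        touched = set()
        if event.get("user") in HONEYTOKENS:
            touched.add(event["user"])
        basename = event.get("path", "").rsplit("/", 1)[-1]
        if basename in HONEYTOKENS:
            touched.add(basename)
        for token in sorted(touched):
            alerts.append({
                "ts": event["ts"],
                "token": token,
                "host": event.get("host"),
                "src": event.get("src"),
                "action": event.get("action"),
            })
    return alerts


if __name__ == "__main__":
    for alert in honeytoken_hits(SAMPLE_LOGS):
        print("HONEYTOKEN TRIGGERED:", alert)
```

The first two lines (a normal user reading a normal file) produce nothing; the failed and successful logins as the decoy account and the read of the decoy file produce four alerts in total. That is the practical difference between a honeytoken and an ordinary IDPS rule: the alert is a definite indicator, not a candidate to be triaged out of the noise.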
question
Giving the IR team the responsibility for ____ is generally not recommended.
answer
patch management
question
A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
answer
site policy
question
The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
answer
Snort
question
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers' answers to routine DNS queries from other systems on that network.
answer
DNS cache poisoning
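The following Python simulation is an added example, not part of this flashcard set or its source textbook. It models the "poorly configured" resolver from the question beside a hardened one, entirely in memory: a resolver that uses a predictable transaction ID and a fixed source port, and does not check that answer records belong to the zone it asked about, will cache whatever a forged response carries; the two checks that defeat the forgery are randomized ID/port and a bailiwick test. All names and addresses are constructed (documentation ranges); the bailiwick rule (parent of the queried name) is an assumption simplified for the example.

```python
import secrets

# Constructed records; the addresses are RFC 5737 documentation ranges.
REAL_ANSWER = {"www.example.com": "192.0.2.10"}
# The forgery carries the name that was asked for plus an unrelated record the
# attacker wants cached for later use (out of bailiwick).
FORGED_ANSWER = {"www.example.com": "203.0.113.66", "login.bank.test": "203.0.113.66"}
# A forgery that stays inside the zone asked about.
FORGED_INBAILIWICK = {"www.example.com": "203.0.113.66"}


def zone_of(qname):
    """Assumed bailiwick for this example: the parent of the queried name."""
    return qname.split(".", 1)[1]


def in_bailiwick(rrname, zone):
    return rrname == zone or rrname.endswith("." + zone)


class Resolver:
    """A caching resolver with two switchable defenses."""

    def __init__(self, random_ids=True, check_bailiwick=True):
        self.random_ids = random_ids
        self.check_bailiwick = check_bailiwick
        self.cache = {}
        self.pending = {}  # qname -> (txid, source port) of the outstanding query

    def send_query(self, qname):
        if self.random_ids:
            txid = secrets.randbelow(1 << 16)
            sport = 1024 + secrets.randbelow(65536 - 1024)
        else:
            txid, sport = 1, 53  # predictable: the poorly configured server
        self.pending[qname] = (txid, sport)
        return txid, sport

    def receive(self, qname, txid, dport, answers):
        """Accept a response only if it matches an outstanding query exactly."""
        expected = self.pending.get(qname)
        if expected is None or (txid, dport) != expected:
            return False
        if self.check_bailiwick:
            zone = zone_of(qname)
            if any(not in_bailiwick(name, zone) for name in answers):
                return False  # drop the whole response: it tries to glue in foreign data
        self.cache.update(answers)
        del self.pending[qname]
        return True


def race(resolver, forgery=FORGED_ANSWER, attempts=64):
    """Attacker who knows which name is being resolved races the real server,
    guessing the predictable txid=1 / port 53. Returns True if the forgery was cached."""
    txid, sport = resolver.send_query("www.example.com")
    for _ in range(attempts):
        if resolver.receive("www.example.com", 1, 53, forgery):
            return True
    # the genuine answer arrives last; it only helps if the forgery was rejected
    resolver.receive("www.example.com", txid, sport, REAL_ANSWER)
    return False


if __name__ == "__main__":
    for ids, bw in ((False, False), (False, True), (True, True)):
        r = Resolver(random_ids=ids, check_bailiwick=bw)
        print(f"random_ids={ids} bailiwick={bw} poisoned={race(r)} cache={r.cache}")
```

The bailiwick check alone stops the attacker from planting a record for another domain, but it does not stop a forgery for the queried name itself; only the unpredictable ID and source port make the guess fail, which is why both defenses are needed together.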
question
A(n) ____ , a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.
answer
log file monitor
question
If an intruder can ____ a device, then no electronic protection can deter the loss of information.
answer
physically access
question
A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____.
answer
central CSIRT
question
According to the NIST definition of an event as "any observable occurrence in a system or network," all events are computer or network oriented.
answer
False
question
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
answer
monitoring port
question
New systems can respond to an incident threat autonomously, based on preconfigured options that go beyond simple defensive actions usually associated with IDPS and IPS systems. These systems, referred to as ____, use a combination of resources to detect an intrusion and then to trace the intrusion back to its source.
answer
trap and trace
question
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
answer
false positives
question
Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.
answer
proactive services
question
Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.
answer
True
question
The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.
answer
mission
question
The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications.
answer
Pen/Trap Statute
question
The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.
answer
False
question
____ are closely monitored network decoys that can distract adversaries from more valuable machines on a network, provide early warning about new attack and exploitation trends, and allow in-depth examination of adversaries during and after exploitation.
answer
Honeypots
question
Those services performed in response to a request or a defined event such as a help desk alert are called ____.
answer
reactive services
question
The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.
answer
anomaly-based IDPS
question
To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.
answer
True
question
The first group to communicate the CSIRT's vision and operational plan is the managerial team or individual serving as the ____.
answer
champion
question
____ is a valuable resource for additional information on building and staffing CSIRTs.
answer
NIST
question
The task of monitoring file systems for unauthorized change is best performed by using a(n) ____.
answer
HIDPS
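The following Python script is an added example, not part of this flashcard set or its source textbook. It shows the core of what a host-based IDPS does for file integrity monitoring: record a baseline of cryptographic hashes for every file under a directory, take a second snapshot later, and report what was added, removed or modified. The scenario (a fake /etc in a temporary directory, a planted uid-0 account, a dropped cron job, a deleted file) is constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(old, new):
    """Classify every difference between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: baseline a fake /etc, tamper with it, detect the changes."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d, "etc")
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "shadow").write_text("root:*:17000:0:99999:7:::\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        before = baseline(d)

        # Simulated intruder: adds a second uid-0 account, drops a cron job, removes a file.
        (etc / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/sh\n"
        )
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "update").write_text("* * * * * root /tmp/.x\n")
        (etc / "hosts").unlink()
        # Touching a file without changing its content must not raise an alert:
        # the comparison is on content hashes, not timestamps.
        os.utime(etc / "shadow")

        return compare(before, baseline(d))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Hashing content rather than comparing timestamps is the point: an intruder can reset mtime after editing a file, but cannot keep the digest the same. In a real deployment the baseline itself has to be stored somewhere the monitored host cannot rewrite, otherwise the attacker simply re-baselines after the change.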
question
The champion for the CSIRT may be the same person as the champion for the entire IR function—typically, the ____.
answer
chief information officer
question
Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
answer
signature matching
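The following Python script is an added example, not part of this flashcard set or its source textbook. It runs both detection approaches from this set, signature matching (compare activity to known attack patterns) and anomaly-based detection (compare the frequency of activity to a learned baseline), over the same constructed web-server access log, to show what each catches and what each misses. The log lines, the two signatures and the threshold rule are all constructed for the example.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines in common log format; not from any real server.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Quiet hour used to learn what normal per-source volume looks like.
BASELINE_LOGS = """\
10.0.5.2 - - [12/Sep/2016:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.2 - - [12/Sep/2016:08:00:04 +0000] "GET /about.html HTTP/1.1" 200 801
10.0.5.3 - - [12/Sep/2016:08:00:09 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.3 - - [12/Sep/2016:08:00:12 +0000] "GET /news.html HTTP/1.1" 200 2210
10.0.5.3 - - [12/Sep/2016:08:00:20 +0000] "GET /contact.html HTTP/1.1" 200 330
10.0.5.4 - - [12/Sep/2016:08:00:31 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.4 - - [12/Sep/2016:08:00:40 +0000] "GET /logo.png HTTP/1.1" 200 9040
"""

# Window under inspection: one normal user, one low-volume attacker whose
# requests match known patterns, and one scanner that matches no signature
# but is far noisier than anyone seen in the baseline.
DETECTION_LOGS = "\n".join(
    [
        '10.0.5.2 - - [12/Sep/2016:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.0.5.2 - - [12/Sep/2016:09:00:03 +0000] "GET /about.html HTTP/1.1" 200 801',
        '198.51.100.7 - - [12/Sep/2016:09:00:05 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404 0',
        '198.51.100.7 - - [12/Sep/2016:09:00:05 +0000] "GET /login?user=admin\'%20OR%201=1-- HTTP/1.1" 200 120',
    ]
    + [
        f'203.0.113.9 - - [12/Sep/2016:09:00:{6 + i // 10:02d} +0000] "GET /p{i} HTTP/1.1" 404 0'
        for i in range(40)
    ]
) + "\n"

# Constructed signatures: a known pattern is matched against the request path.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sqli-tautology", re.compile(r"(?i)'(?:%20|\s)*or(?:%20|\s)*\d+=\d+")),
]


def parse(log_text):
    return [m.groupdict() for m in (LOG_RE.match(l) for l in log_text.splitlines()) if m]


def signature_alerts(events):
    """Signature matching: one alert per (event, signature) pair that matches."""
    return [
        (ev["src"], name, ev["path"])
        for ev in events
        for name, rx in SIGNATURES
        if rx.search(ev["path"])
    ]


def anomaly_alerts(baseline_events, events, k=3.0, floor=5):
    """Frequency-based anomaly detection: flag sources whose request count in the
    window exceeds mean + k * stdev of per-source counts seen in the baseline,
    with a floor so a very quiet baseline does not flag everyone."""
    base_counts = list(Counter(e["src"] for e in baseline_events).values())
    threshold = max(floor, statistics.mean(base_counts) + k * statistics.pstdev(base_counts))
    current = Counter(e["src"] for e in events)
    return [(src, n, threshold) for src, n in current.items() if n > threshold]


if __name__ == "__main__":
    events = parse(DETECTION_LOGS)
    print("signature:", signature_alerts(events))
    print("anomaly:  ", anomaly_alerts(parse(BASELINE_LOGS), events))
```

The signature engine flags the two crafted requests from 198.51.100.7 and says nothing about the scanner, because nothing in its knowledge base matches a plain `GET /p17`; the anomaly engine flags the scanner and says nothing about the two crafted requests, because two requests is not an unusual rate. That is why the two approaches are deployed together, and why every threshold in the anomaly engine is a trade-off between missed attacks and the false positives described elsewhere in this set.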
question
Information assets have ____ when authorized users - persons or computer systems - are able to access them in the specified format without interference or obstruction.
answer
availability
question
A ____ attack seeks to deny legitimate users access to services by either tying up a server's available resources or causing it to shut down.
answer
DoS
question
A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made.
answer
disaster recovery plan
question
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.
answer
threat
question
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
answer
Mitigation
question
____ hack systems to conduct terrorist activities through network or Internet pathways.
answer
Cyberterrorists
question
____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.
answer
Risk assessment
question
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.
answer
integrity
question
____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation.
answer
Acceptance
question
A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site.
answer
business continuity plan
question
____ is the process of moving an organization toward its vision.
answer
Strategic planning
question
A(n) ____ is any clearly identified attack on the organization's information assets that would threaten the assets' confidentiality, integrity, or availability.
answer
incident
question
____ is the process of examining, documenting, and assessing the security posture of an organization's information technology and the risks it faces.
answer
Risk identification
question
The vision of an organization is a written statement of an organization's purpose.
answer
False
question
____ ensures that only those with the rights and privileges to access information are able to do so.
answer
Confidentiality
question
The ____ is an investigation and assessment of the impact that various events or incidents can have on the organization.
answer
business impact analysis
question
Intellectual property (IP) includes trade secrets, copyrights, trademarks, and patents.
answer
True
question
A manual alternative to the normal way of accomplishing an IT task might be employed in the event that IT is unavailable. This is called a ____.
answer
work-around procedure
question
The ____ is the point in time to which lost systems and data can be recovered after an outage, as determined by the business unit.
answer
recovery point objective
question
An enterprise information security policy (EISP) addresses specific areas of technology and contains a statement on the organization's position on each specific area.
answer
False
question
To a large extent, incident response capabilities are part of a normal IT budget. The only area in which additional budgeting is absolutely required for incident response is the maintenance of ____.
answer
redundant equipment
question
The recovery time objective (RTO) downtime metric is defined as the point in time to which lost systems and data can be recovered after an outage as determined by the business unit.
answer
False
question
The ____ job functions and organizational roles focus on costs of system creation and operation, ease of use for system users, timeliness of system creation, and transaction response time.
answer
information technology management and professionals
question
____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.
answer
Defense
question
An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
answer
True
question
A weighted analysis table can be useful in resolving the issue of which business function is the most critical to the organization.
answer
True
question
One modeling technique drawn from systems analysis and design that can provide an excellent way to illustrate how a business functions is a(n) ____.
answer
collaboration diagram
question
The elements required to begin the ____ process are a planning methodology; a policy environment to enable the planning process; an understanding of the causes and effects of core precursor activities; and access to financial and other resources.
answer
contingency planning
question
A(n) ____ is used to anticipate, react to, and recover from events that threaten the security of information and information assets in an organization; it is also used to restore the organization to normal modes of business operations.
answer
contingency plan
question
A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization.
answer
policy
question
The ____ job functions and organizational roles focus on protecting the organization's information systems and stored information from attacks.
answer
information security management and professionals
question
Effective contingency planning begins with effective policy.
answer
True
question
A(n) ____ is an investigation and assessment of the impact that various attacks can have on the organization.
answer
business impact analysis (BIA)
question
The ____ is the period of time within which systems, applications, or functions must be recovered after an outage.
answer
recovery time objective
question
The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe.
answer
C.I.A. triangle
question
Team leaders from the subordinate teams, including the IR, DR, and BC teams, should not be included in the CPMT.
answer
False
question
The ____ is used to collect information directly from the end users and business managers.
answer
facilitated data-gathering session
question
What is a common approach used in the discipline of systems analysis and design to understand the ways systems operate and to chart process flows and interdependency studies?
answer
systems diagramming
question
The last stage of a business impact analysis is prioritizing the resources associated with the ____, which brings a better understanding of what must be recovered first.
answer
mission/business processes
question
A CPMT should include _____ who can oversee the security planning of the project and provide information on threats, vulnerabilities, and recovery requirements needed in the planning process.
answer
information security managers
question
In a CPMT, a(n) ____ leads the project to make sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed.
answer
project manager
question
In a CPMT, a(n) ____ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort.
answer
champion
question
The purpose of the ____ is to define the scope of the CP operations and establish managerial intent with regard to timetables for response to incidents, recovery from disasters, and reestablishment of operations for continuity.
answer
contingency planning policy
question
____ is a risk control approach that attempts to shift the risk to other assets, other processes, or other organizations.
answer
Transference
question
The final component to the CPMT planning process is to deal with ____.
answer
budgeting for contingency operations
question
Which of the following collects and provides reports on failed login attempts, probes, scans, denial-of-service attacks, and detected malware?
answer
system logs
question
The IR plan is usually ____ when an incident causes minimal damage with little or no disruption to business operations.
answer
activated
question
A key step in the ____ approach to incident response is to discover the identity of the intruder while documenting his or her activity.
answer
apprehend and prosecute
question
The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.
answer
noise
question
The committees of the CPMT follow a set of general stages to develop their subordinate plans. In the case of incident planning, the first stage is to ____.
answer
form the IR planning committee
question
The U.S. National Institute of Standards and Technology defines the incident response life cycle as having four main processes: 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) ____.
answer
post-incident activity
question
Companies may want to consider budgeting for contributions to employee loss expenses (such as funerals) as well as for counseling services for employees and loved ones as part of ____.
answer
crisis management budgeting
question
In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.
answer
IR plan
question
A Disaster Recovery Plan (DR plan) deals with identifying, classifying, responding to, and recovering from an incident.
answer
False
question
For recovery from an incident (as opposed to a disaster), archives are used as the most common solution.
answer
False
question
A business impact analysis (BIA) identifies threats, vulnerabilities, and potential attacks to determine what controls can protect the information.
answer
False
question
According to the 2010/2011 Computer Crime and Security Survey, ____ is "the most commonly seen attack, with 67.1 percent of respondents reporting it."
answer
malware infection
question
Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT's operations.
answer
IR reaction strategies
question
Automated IR systems to facilitate IR documentation are available through a number of vendors.
answer
True
question
Many practitioners feel that a system, once compromised, can never be restored to a trusted state.
answer
True
question
When an alert warns of new malicious code that targets software used by an organization, the first response should be to research the new virus to determine whether it is ____.
answer
real
question
The number-one inappropriate usage (IU) preparation-and-prevention strategy is ____.
answer
organizational policy
question
Clifford Stoll's book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.
answer
The Cuckoo's Egg
question
The CSIRT may not wish to "tip off" attackers that they have been detected, especially if the organization is following a(n) ____ approach.
answer
apprehend and prosecute
question
Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.
answer
malware hoax
question
If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____.
answer
hoax
question
____ is a common indicator of a DoS attack.
answer
User reports of system unavailability
question
According to NIST, which of the following is an example of an unauthorized access (UA) attack?
answer
Modifying Web-based content without permission
question
A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.
answer
cookie
question
A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.
answer
distributed denial-of-service
question
Because it is possible for investigators to confuse the suspect and destination disks when performing imaging, and to preclude any grounds for challenging the image output, it is common practice to protect the suspect media using a ____.
answer
write blocker
question
The laws governing search and seizure in the public sector are much more straightforward than those in the private sector.
answer
False
question
A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics, which captures a point-in-time picture of a process.
answer
snapshot
question
Ignorance of policy is a legal excuse for an employee.
answer
True
question
A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____.
answer
field notes
question
The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages.
answer
Forensic Toolkit (FTK)
question
A search is constitutional if it does not violate a person's reasonable or legitimate ____.
answer
expectation of privacy
question
The legal decision that establishes the start point for "warrantless" workplace searches is the Supreme Court's complex ruling in ____.
answer
O'Connor v. Ortega
question
Many private sector organizations require a formal statement, called a(n) ____, which provides search authorization and furnishes much of the same information usually found in a public sector search warrant.
answer
affidavit
question
____ is the determination of the initial flaw or vulnerability that allowed an incident to occur.
answer
Root cause analysis
question
The ____ handles computer crimes that are categorized as felonies.
answer
FBI
question
Forensic investigators use ____ copying when making a forensic image of a device, which reads a sector (or block; 512 bytes on most devices) from the source drive and writes it to the target drive; this process continues until all sectors on the suspect drive have been copied.
answer
bitstream
question
Within the private sector, the Supreme Court stated, "Every warrantless workplace search must be evaluated carefully on its facts. In general, however, law enforcement officers can conduct a warrantless search of private (i.e., nongovernment) workplaces only if the officers obtain the consent of either the employer or another employee with common authority over the area searched."
answer
True
question
____ is defined as the search for, collection, and review of items stored in electronic (or, more precisely, digital) format that are of potential evidentiary value based on criteria specified by a legal team.
answer
eDiscovery
question
The stability of information over time is called its ____.
answer
volatility
question
In evidence handling, specifically designed ____ are helpful because they are very difficult to remove without breaking.
answer
evidence seals
question
When an incident includes a breach of physical security, all aspects of physical security should be escalated under a containment strategy known as ____.
answer
lockdown
question
A(n) ____ attack is a method of combining attacks with rootkits and back doors.
answer
hybrid
question
____ is used both for intrusion analysis and as part of evidence collection and analysis.
answer
Forensics
question
In general, a law enforcement organization can become the target of a retaliatory lawsuit for damages arising from an investigation that proves to be groundless.
answer
False
question
To analyze evidence, the original is obtained from storage, a copy of the evidence is made for analysis, and the original is returned to storage, because it is crucial that the analysis never takes place on the original evidence.
answer
True
question
One way to identify a particular digital item (collection of bits) is by means of a(n) ____.
answer
cryptographic hash
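The following Python script is an added example, not part of this flashcard set or its source textbook. It ties together several cards in this set: a bitstream (sector-by-sector) copy of suspect media, a write blocker standing between the investigator and that media, a cryptographic hash that identifies the resulting image, and analysis performed on a working copy rather than on the original. The "suspect drive" is a constructed byte string held in memory, and the write blocker is a software stand-in for the hardware device; nothing here touches a real disk.

```python
import hashlib
import io

SECTOR = 512  # sector size assumed for the example


class WriteBlockedMedia:
    """Software stand-in for a hardware write blocker: reads are served, any write raises."""

    def __init__(self, raw):
        self._raw = raw
        self._pos = 0

    def seek(self, pos):
        self._pos = pos

    def read(self, n):
        chunk = self._raw[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk

    def write(self, data):
        raise PermissionError("write blocked: suspect media is attached read-only")


def sha256_stream(fobj, sector=SECTOR):
    """Digest of everything readable from fobj, read one sector at a time."""
    h = hashlib.sha256()
    fobj.seek(0)
    for block in iter(lambda: fobj.read(sector), b""):
        h.update(block)
    return h.hexdigest()


def bitstream_image(source, target, sector=SECTOR):
    """Copy source to target sector by sector, hashing the bytes as they are copied.
    Returns (sectors copied, SHA-256 of the copied bytes). A short final read is
    the last, partial sector and is copied like any other."""
    source.seek(0)
    target.seek(0)
    h = hashlib.sha256()
    sectors = 0
    while True:
        block = source.read(sector)
        if not block:
            break
        target.write(block)
        h.update(block)
        sectors += 1
    target.flush()
    return sectors, h.hexdigest()


def demo():
    # Constructed suspect media: four full sectors plus a partial tail. Sector 1
    # holds a remnant of a deleted file that the file system would no longer show,
    # which is exactly what a file-level copy would miss and a bitstream copy keeps.
    raw = (
        b"BOOT" + b"\x00" * 508
        + b"deleted-but-still-on-disk" + b"\xff" * 487
        + b"\x00" * SECTOR * 2
        + b"tail"
    )
    suspect = WriteBlockedMedia(raw)
    image = io.BytesIO()

    sectors, image_hash = bitstream_image(suspect, image)
    # Verification: the hash of the original medium and of the image must agree.
    verified = sha256_stream(suspect) == image_hash == sha256_stream(image)

    # Analysis is done on a working copy of the image, never on the original.
    working = io.BytesIO(image.getvalue())
    remnant_sector = working.getvalue().find(b"deleted-but-still-on-disk") // SECTOR

    # Any attempt to write to the suspect media is refused by the blocker.
    try:
        suspect.write(b"oops")
        blocked = False
    except PermissionError:
        blocked = True

    return {
        "sectors": sectors,
        "hash": image_hash,
        "verified": verified,
        "remnant_sector": remnant_sector,
        "blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The hash recorded at imaging time is what later answers a contamination challenge: anyone can re-hash the original media and the image and show the two digests still match, which is also why the image, not the original, is what gets mounted for analysis.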
question
The ____ is a detailed examination of the events that occurred, from first detection to final recovery.
answer
after-action review
question
Most digital forensic teams have a prepacked field kit, also known as a(n) ____.
answer
jump bag
question
Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.
answer
blended
question
In a "block" containment strategy, in which the attacker's path into the environment is disrupted, you should use the most precise strategy possible, starting with ____.
answer
blocking a specific IP address
question
There are a number of professional IR agencies, such as ____, that can provide additional resources to help prevent and detect DoS incidents.
answer
US-CERT
question
Grounds for challenging the results of a digital investigation can come from possible ____—that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process.
answer
contamination
question
Once a compromised system is disconnected, it is safe from further damage.
answer
False
question
____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems.
answer
Inappropriate use
question
The functional part of forensics called ____ is about assessing the "scene," identifying the sources of relevant digital information, and preserving it for later analysis using sound processes.
answer
first response
question
Which of the following is the most suitable as a response strategy for malware outbreaks?
answer
Blocking known attackers
question
____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows.
answer
Rapid onset disasters
question
____ are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production.
answer
Rapid onset disasters
question
Deciding which technical contingency strategies are selected, developed, and implemented is most often based on the type of ____ being used.
answer
information system
question
____ are highly probable when infected machines are brought back online or when other infected computers that may have been offline at the time of the attack are brought back up.
answer
Follow-on incidents
question
In disaster recovery, the ____ is the point at which a management decision to react is made in reaction to a notice or other datum such as a weather report or an activity report from IT indicating the escalation of an incident.
answer
trigger
question
Once the incident has been contained, and all signs of the incident removed, the ____ phase begins.
answer
actions after
question
The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section.
answer
scope
question
A ____ is a collection of nodes in which the segments are geographically dispersed and the physical link is often a data communications channel provided by a public carrier.
answer
WAN
question
The purpose of the disaster recovery program is to provide for the direction and guidance of all disaster recovery operations.
answer
True
question
An ____ may escalate into a disaster when it grows in scope and intensity.
answer
incident
question
Over 90 percent of organizations that experienced disruption at a data center lasting 10 days or longer were forced into bankruptcy within one year.
answer
True
question
In disaster recovery, most triggers occur in response to one or another natural event.
answer
True
question
A DR plan addendum should include the trigger, the ____ method, and the response time associated with each disaster situation.
answer
notification
question
____ disasters include acts of terrorism and acts of war.
answer
Man-made
question
____ occur over time and slowly deteriorate the organization's capacity to withstand their effects.
answer
Slow onset disasters
question
The ____ team is responsible for recovering and reestablishing operations of critical business applications.
answer
applications recovery
question
The ____ involves providing copies of the DR plan to all teams and team members for review.
answer
DR plan desk check
question
The ____ team is responsible for providing any needed supplies, space, materials, food, services, or facilities needed at the primary site other than vendor-acquired technology and other material obtained by the vendor team.
answer
logistics
question
The ____ team is primarily responsible for data restoration and recovery.
answer
data management
question
A(n) ____ occurs when a situation results in service disruptions for weeks or months, requiring a government to declare a state of emergency.
answer
worst-case scenario
question
The ____ team is responsible for reestablishing connectivity between systems and to the Internet.
answer
network recovery
question
The ____ team is responsible for working with the remainder of the organization to assist in the recovery of nontechnology functions.
answer
business interface
question
The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it.
answer
damage assessment
question
____ is the deactivation of the disaster recovery teams, releasing individuals back to their normal duties.
answer
Standing down
question
The ____ team is responsible for recovering and reestablishing operating systems (OSs).
answer
systems recovery
question
A ____ is a description of the disasters that may befall an organization, along with information on their probability of occurrence, a brief description of the organization's actions to prepare for that disaster, and the best case, worst case, and most likely case outcomes of the disaster.
answer
disaster scenario
question
____ is the inclusion of action steps to minimize the damage associated with the disaster on the operations of the organization.
answer
Mitigation of impact
question
____ means making an organization ready for possible contingencies that can escalate to become disasters.
answer
Preparation
question
Which of the following is not usually an insurable loss?
answer
Electrostatic discharge
question
The ____ is the phase associated with implementing the initial reaction to a disaster; it is focused on controlling or stabilizing the situation, if that is possible.
answer
response phase
question
____ are likely in the event of a hacker attack, when the attacker retreats to a chat room and describes in specific detail to his or her associates the method and results of his or her latest conquest.
answer
Follow-on incidents
question
Network recovery teams may be used to replacing downed systems, but it is unlikely that they have experience in physically repairing damaged systems.
answer
True
question
____ requires effective backup strategies and flexible hardware configurations.
answer
Data recovery
question
The purpose of the ____ is to provide a way for management to obtain input and feedback from representatives of each team.
answer
after-action review
question
During the ____ phase, the organization begins the recovery of the most time-critical business functions - those necessary to reestablish business operations and prevent further economic and image loss to the organization.
answer
recovery
question
Most disaster-related loss occurs because of physical damage to property.
answer
False
question
The alert roster must be tested more frequently than other components of a disaster recovery plan because it is subject to continual change due to employee turnover.
answer
True
question
____ is a set of focused steps that deal primarily with the safety and state of the people from the organization who are involved in the disaster.
answer
Crisis management
question
Training focuses on the particular roles each individual is expected to execute during an actual disaster.
answer
True
question
The ____ assembles a disaster recovery team.
answer
CPMT
question
Useful resources in the DR planning process are the ____ provided by the Federal Agency Security Practices (FASP) section of NIST's Computer Security Resource Center (CSRC).
answer
contingency plan templates
question
In disaster recovery planning, there is a prevention phase similar to that in IR planning.
answer
False
question
The ____ system is an information system with a telephony interface that can be used to automate the alert process.
answer
auxiliary phone alert and reporting system
question
Contingency strategies for ____ should emphasize the need for absolutely reliable data backup and recovery procedures because they have less inherent redundancy than a distributed architecture.
answer
mainframes
question
The ____ team is responsible for the recovery of information and the reestablishment of operations in storage area networks or network attached storage.
answer
storage recovery
question
Mainframe systems leverage data communications to decentralize and/or distribute capacity.
answer
False
question
In the ____ section of the business continuity policy, the training requirements for the various employee groups are defined and highlighted.
answer
training requirements
question
Unless an organization has contracted for a ____ or equivalent, office equipment such as desktop computers is not provided at a BC alternate site.
answer
hot site
question
The ____ is the amount of time that a business can tolerate losing capabilities until alternate capabilities are available.
answer
recovery time objective
question
The Business Continuity Institute offers an uncertified category of membership called a(n) ____ that is accepted by application and does not require assessment or a review process.
answer
Affiliate
question
A BC subteam called the ____ is responsible for establishing the core business functions needed to sustain critical business operations.
answer
operations team
question
____ planning represents the final response of the organization when faced with any interruption of its critical operations.
answer
Business continuity
question
A business continuity plan should be a single unified plan.
answer
False
question
One activity that occurs during the clearing phase of a BC implementation is scheduling a move back to the primary site.
answer
False
question
Identifying measures, called ____, that reduce the effects of system disruptions can reduce continuity life-cycle costs.
answer
preventive controls
question
BC is specifically designed to get the organization's most critical services up and running as quickly as possible in order to enable the continued operation of the organization and thereby ensure its existence and minimize the financial losses from the disruption.
answer
True
question
In the ____ phase of the BC plan, the organization specifies what type of relocation services are desired and what type of data management strategies are deployed to support relocation.
answer
preparation for BC actions
question
The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity operation.
answer
roles and responsibilities
question
The ____ section of the business continuity policy provides an overview of the information storage and retrieval plans of the organization.
answer
special considerations
question
Once BC activities have come to a close and the organization has reoccupied its primary facility or new permanent facility, the team should meet for a(n) ____.
answer
after-action review
question
The plan maintenance schedule in a BC policy statement should address the ____ of reviews, along with who will be involved in each review.
answer
frequency
question
Testing the BC plan is an ongoing activity, with each scenario tested annually at walk-through level or higher.
answer
False
question
Using desk check, talk-throughs, walk-throughs, simulation, and other exercises on a regular basis helps prepare the organization for crises and, additionally, helps keep the CM plan up to date.
answer
True
question
____ are those steps taken to inform stakeholders regarding the timeline of events, the actions taken, and sometimes the reasons for those actions.
answer
Crisis communications
question
____ are individuals who are hired above and beyond the minimum number of personnel needed to perform a business function.
answer
Redundant personnel
question
The ____ is responsible for contacting and managing all interaction between the organization's management and staff and any needed emergency services, including utility services.
answer
emergency services coordinator
question
____ are those actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.
answer
Emergency response
question
A recent trend in corporate settings is to provide each employee with a disaster recovery identification card.
answer
False
question
A ____ is defined by the ICM as a disruption in the company's business that occurs without warning and is likely to generate news coverage and may adversely impact employees, investors, customers, suppliers, and other stakeholders.
answer
sudden crisis
question
A(n) ____ is created to enable management to gain and maintain control of ongoing emergency situations, to provide oversight and control to designated first responders, and to marshal IR, DR, and DC plans and resources as needed.
answer
crisis management team
question
____ is the set of actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life.
answer
Crisis management
question
A special police unit trained to deal with incendiary, explosive, or contaminating devices is known as the ____.
answer
bomb squad
question
In contrast to emergency response that focuses on the immediate safety of those affected, ____ addresses the services needed to get the organization and its stakeholders back to original levels of productivity or satisfaction.
answer
humanitarian assistance
question
____ is the movement of employees from one position to another so they can develop additional skills and abilities.
answer
Job rotation
question
A(n) ____ is an area where people should gather in the event of a specific type of emergency, to facilitate quick head count.
answer
assembly area
question
Cross-training provides a mechanism to get everyone out of the crime scene and thus prevent contamination of possible evidentiary material.
answer
False
question
Organizations typically respond to a crisis by focusing on technical issues and economic priorities, and overlook the steps needed to preserve the most critical assets of the organization: its people.
answer
True
question
A(n) ____ is the list of officials ranging from an individual's immediate supervisor through the top executive of the organization.
answer
chain of command