Professional Documents
Culture Documents
Technet24
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
external hacker. Which of the following list of names includes all the
stakeholders?
A. Brown, Vaughn, Jobu, Cerrano, Hays
B. Phelps, Brown, Jobu, Hays
C. Phelps, Brown, Vaughn, Hays
D. Phelps, Brown, Vaughn, Cerrano, Hays
D is correct. Given that the server for handling payment transactions had
unauthorized access, this likely means regulatory noncompliance, involving
legal and the public-facing marketing department. The other roles should be
obvious.
A, B, and C are incorrect. Again, because of the compromised payment server,
both legal and marketing roles would be involved, to handle the regulatory
considerations and to address public concerns of identity theft. Given that this
is an external attack, not from an internal employee, it’s unlikely HR would be
called on as a stakeholder.
14. A company recently finished responding to a serious incident of attempted
sabotage. The attack seemed suspiciously like it was caused by a current
employee. Although the investigation to identify the precise employee is still
ongoing, the internal cybersecurity analysts are certain the attack originated from
accounts payable in the finance department. The incident summary report has been
finished and was sent in encrypted format to the department heads and local
managers of admin, HR, finance, manufacturing, and shipping. Select from the
following list the one risk that could have been avoided.
A. Communication disclosure based on regulatory requirements
B. Extensive communication with management
C. Insecure method of communication
D. Inadvertent release of information to the public
B is correct. As the scenario explains, an employee within the finance
department is suspected of causing the incident. However, the incident
summary report went to multiple people in finance. This does not demonstrate
properly limiting communication to trusted parties.
A, C, and D are incorrect. A is incorrect because no regulatory requirements
were mentioned. C is incorrect because the report was sent in encrypted
format. D is incorrect because there was no mention of a public release of
information.
15. Allowing for budget, what option does a company have when its lack of technical
Technet24
||||||||||||||||||||
||||||||||||||||||||
expertise means the company doesn’t have its own internal CSIRT team?
A. Retain an incident response provider.
B. Cross-train all employees in incident response techniques.
C. None. The company has no ability to respond to incidents.
D. Empower the night security guard to watch over the data center.
A is correct. The choice the company has is to retain an external incident
response provider.
B, C, and D are incorrect. B is incorrect because cross-training all employees
to be an effective IR team is not reasonable. C is incorrect because having no
ability to respond is unacceptable. D is incorrect because the night security
guard is likely unable or unwilling to perform incident response.
16. What are the main challenges for the technical role of incident response? (Choose
two.)
A. Having the necessary technical expertise to address the incident
B. Licensing the proper software tools
C. Granting or delegating the authority for unforeseen decisions
D. Overcoming personality differences and in-house rivalries
A and C are correct. The two challenges are ensuring the technical expertise is
at hand, for any reasonably likely incident (depending on what platforms and
applications your environment is running) and delegating the authority to
members of that team or to immediately accessible managers. Time cannot be
wasted waiting for executives to allow a plug to be pulled.
B and D are incorrect. Software licenses and personality differences are
important obstacles but are hardly challenges in overcoming the urgency of
responding to an incident.
17. A company that has grown quickly in size has not yet developed a proper
communication escalation process in the event of a security incident. Instead,
managers of the cybersecurity team post their analysis and findings on the
company’s internal blog site. In an effort to maintain confidentiality, the blog
posts are kept hidden, with no link on the front page. What is the shortcoming of
this communication process?
A. Disclosure based on legislative requirements
B. Possible inadvertent release of information
C. No encryption
||||||||||||||||||||
||||||||||||||||||||
Technet24
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
CHAPTER 8
Technet24
||||||||||||||||||||
||||||||||||||||||||
Incident response is very rarely, if ever, a straightforward activity. Like any other job
where you are “putting out fires,” the job of incident response involves constantly
measuring severity and then acting accordingly. That is to say, you fight the fire you
determine needs your attention first—you act based on priority.
Q QUESTIONS
||||||||||||||||||||
||||||||||||||||||||
D. EICAR file
E. Known threats
3. A cybersecurity team is responding to an incident. To help prioritize their actions,
an analyst requests a list of essential business processes from the CIO. Select
from the following factors which one the analyst is most concerned with to help
prioritize the team’s response.
A. Downtime
B. System process criticality
C. Recovery time
D. Economic
4. Of the following metrics, which ones rely on a company being able to endure a
certain amount of downtime? (Choose all that apply.)
A. Designated acceptable downtime (DAD)
B. Key performance indicators (KPIs)
C. Maximum tolerable downtime (MTD)
D. Recovery time objective (RTO)
5. Multiple factors can affect the severity of an incident. Which of the following
factors does not necessarily impact an incident’s severity?
A. Downtime
B. Probability of corruption
C. MTD
D. System process criticality
E. None of the above
6. Of the many factors that affect incident severity, which of the following takes the
cybersecurity team the longest time to detect issues for or determine the scope of
its impact?
A. Data integrity
B. System process criticality
C. Recovery time
D. Type of data
7. What is the desired relationship when comparing RTO and MTD?
A. The RTO should be longer than the MTD.
Technet24
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
Technet24
||||||||||||||||||||
||||||||||||||||||||
B. PII
C. Payment card information
D. Accounting data
17. Which of the following are possible consequences for unauthorized disclosure of
PHI, depending on one’s involvement. (Choose all that apply.)
A. Documented record in employee file
B. Suspension from employment
C. Monetary fine
D. Jail time
E. Public execution
||||||||||||||||||||
||||||||||||||||||||
IN-DEPTH ANSWERS A
1. In terms of skill and determination, what type of adversary is regarded as the
most capable and resourceful?
A. Script kiddie
B. Advanced persistent threat
C. Haxor
D. Zero-day
B is correct. The advanced persistent threat (APT) is by far the most skilled,
most resourceful of threats.
A, C, and D are incorrect. A is incorrect because a script kiddie is the name
for someone who is inexperienced, like a child (kiddie), and only knows how
to run a script. C is incorrect because a “haxor,” or hacker, generally is
someone who possess some skill, but acts alone, without massive resources
behind them. D is incorrect because zero-day threats are neither skilled nor
resourceful; the zero-day threat is dangerous because it is a new threat with no
known mitigation.
2. A company has recently installed an IDS that’s capable of detecting a broad set of
malicious traffic and operates on signature-based identification. Which of the
following types of threats will this IDS identify? (Choose all that apply.)
A. Zero-day
B. Threats labeled by CVE
C. Unknown threats
D. EICAR file
E. Known threats
B, D, and E are correct. If an IDS is signature-based, you can assume it’s not
capable of detecting unknown malware or detecting based on anomalous
behavior. Threats with a CVE ID number very likely have a known signature
assigned to them. The EICAR file is a well-known test file for malware
detection. Known threats, as you can tell by the name, will have a signature.
A and C are incorrect. A is incorrect because a zero-day is likely unknown to
a signature-based device. C is incorrect because unknown threats, as obvious
by the name, are unknown to a signature-based device.
3. A cybersecurity team is responding to an incident. To help prioritize their actions,
Technet24
||||||||||||||||||||
||||||||||||||||||||
an analyst requests a list of essential business processes from the CIO. Select
from the following factors which one the analyst is most concerned with to help
prioritize the team’s response.
A. Downtime
B. System process criticality
C. Recovery time
D. Economic
B is correct. System process criticality is the factor that defines whether or not
business processes are essential.
A, C, and D are incorrect. A is incorrect because the downtime factor
involves how much downtime is allowable. C is incorrect because recovery
time, which is related to downtime, describes how quickly business processes
will be recovered. D is incorrect because economic factors include direct and
indirect financial impacts.
4. Of the following metrics, which ones rely on a company being able to endure a
certain amount of downtime? (Choose all that apply.)
A. Designated acceptable downtime (DAD)
B. Key performance indicators (KPIs)
C. Maximum tolerable downtime (MTD)
D. Recovery time objective (RTO)
C and D are correct. Both the MTD and RTO presume a company can survive
some downtime to some degree. The MTD is the maximum tolerable
downtime before an organization’s essential systems suffer critically, while
the recovery time objective (RTO) describes the period of time when a
company strives to recover from a disaster before suffering significant
damage.
A and B are incorrect. A is incorrect because DAD is a fictional term. B is
incorrect because KPIs have nothing to do with downtime.
5. Multiple factors can affect the severity of an incident. Which of the following
factors does not necessarily impact an incident’s severity?
A. Downtime
B. Probability of corruption
C. MTD
D. System process criticality
||||||||||||||||||||
||||||||||||||||||||
Technet24
||||||||||||||||||||
||||||||||||||||||||
8. The United States Privacy Act of 1974 created rules regarding the collection,
storage, and use of what kind of data?
A. Financial
B. Intellectual property
C. PII
D. Payment card information
C is correct. Personally identifiable information (PII) is protected by the U.S.
Privacy Act of 1974.
A, B, and D are incorrect. A is incorrect because financial information is not
protected by the U.S. Privacy Act of 1974 but instead by Sarbanes-Oxley and
the Graham-Leach Bliley Act. B is incorrect because intellectual property (IP)
is not protected by the U.S. Privacy Act of 1974 but instead by local or state
laws regarding IP. D is incorrect because payment card information is
governed by PCI DSS.
9. Which of the following is not a PCI DSS goal or requirement?
A. Regularly monitor and test networks.
B. Maintain an information security policy.
C. Build and maintain a secure network and systems.
D. Enforce employee security awareness training.
E. Protect cardholder data.
D is correct. Security awareness training is not a PCI DSS requirement.
A, B, C, and E are incorrect. All these answers are requirements of the
Payment Card Industry Data Security Standard.
10. Select from the following the data types that fall under the term “intellectual
property.” (Choose all that apply.)
A. The patent behind a company’s best-selling product
B. Your favorite shoe company’s trademark
C. The secret recipe of a chicken flavoring
D. The details about a company’s marketing campaign
A, B, and C are correct. A is correct because patents are intellectual property.
B is correct because a trademark is intellectual property. Finally, C is correct
because a secret recipe is a company’s trade secret, which is also intellectual
property.
||||||||||||||||||||
||||||||||||||||||||
Technet24
||||||||||||||||||||
||||||||||||||||||||
13. What is the particular criminal threat when data related to a company’s intent to
integrate with another company is mishandled?
A. Leaked information could lead to trading based on privileged knowledge.
B. Shareholders of both companies could vote to stop the merger.
C. Leaked trade secrets could lead to increased competition.
D. Violations of HIPAA requirements.
A is correct. Leaked information about a merger in progress or even a desired
merger could lead to a stockholder deciding to trade their shares. Trading
based on that privileged information is a crime called insider trading.
B, C, and D are incorrect. B is incorrect because, even if shareholders
somehow became privy to the knowledge, they wouldn’t get a chance to vote
until the decision was legally eligible to be put up for a vote. C is incorrect
because trade secrets wouldn’t be shared between the companies to be merged
until the deal was done. There should be no threat to either company’s trade
secrets. D is incorrect because there was no mention of personal health
information (PHI).
14. Which of the following factors determines some noted event will be considered a
security incident?
A. Downtime
B. Scope of impact
C. Economic
D. Types of data affected
B is correct. Scope of impact is the official determination that has an event
crossing the boundary into being a defined security incident.
A, C, and D are incorrect. A is incorrect because downtime is a serious
outcome of an incident, but it is not the trait that distinguishes an incident from
an event. C is incorrect because the economic effects of an incident are
typically not measurable in the short term compared to other factors. D is
incorrect because the types of data, especially those under regulatory
protection, often distinguish a severe incident from a moderate one. However,
this is not a factor that can push an event into being an incident.
15. In the context of long-term effects from a security incident, particularly to a
company’s reputation and ability to gain potential business, which factor is the
most impactful on an incident’s severity?
A. Recovery time
||||||||||||||||||||
||||||||||||||||||||
B. Data integrity
C. Economic
D. System process criticality
C is correct. The economic factors of an incident affect a company over the
long haul, often in terms of its reputation.
A, B, and D are incorrect. A is incorrect because recovery time is a short-term
factor. B is incorrect because even though it takes longer to determine the
effects of data integrity, it is still a relatively short-term factor. D is incorrect
because system process criticality is definitely a short-term, well-defined
factor in determining an incident’s severity.
16. For which of the following types of data is it suggested that a company take
additional steps, beyond policy and legal guidance, to protect the data’s
confidentiality from unauthorized eyes? Not protecting the selected data type
might jeopardize the company’s sustainability.
A. HR personnel information
B. PII
C. Payment card information
D. Accounting data
D is correct. The security of accounting data is more critical to a business’s
sustainability, relative to the other answers.
A, B, and C are incorrect. A is incorrect because HR personnel information
must be kept confidential, but its release wouldn’t necessarily threaten the
company’s well-being. B is incorrect because personally identifiable
information (PII) is not critical to a company’s health. C is incorrect because
payment card information should be protected as required by PCI DSS.
Although its release would certainly jeopardize a company’s reputation, it’s
hardly a significant threat to the business itself.
17. Which of the following are possible consequences for unauthorized disclosure of
PHI, depending on one’s involvement. (Choose all that apply.)
A. Documented record in employee file
B. Suspension from employment
C. Monetary fine
D. Jail time
E. Public execution
Technet24
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
||||||||||||||||||||
Technet24
||||||||||||||||||||