
212-89 Dump Free


212-89 Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.

Looking for a reliable way to prepare for your 212-89 certification? Our 212-89 Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.

Using a 212-89 dump free set of questions can give you an edge in your exam prep by helping you:

  • Understand the format and types of questions you’ll face
  • Pinpoint weak areas and focus your study efforts
  • Boost your confidence with realistic question practice

Below, you will find 50 free questions from our 212-89 Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.

Question 1

A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:

A. Trojans

B. Zombies

C. Spyware

D. Worms

 


Suggested Answer: B

Community Answer: B

 

Question 2

Digital evidence plays a major role in prosecuting cyber criminals. John, a cyber-crime investigator, is asked to investigate a child pornography case. The personal computer of the criminal in question was confiscated by the county police. Which of the following evidence will lead John in his investigation?

A. SAM file

B. Web server log

C. Routing table list

D. Web browser history

 


Suggested Answer: D

 

Question 3

Risk is defined as the probability of the occurrence of an incident. Risk formulation generally begins with the likeliness of an event's occurrence, the harm it may cause and is usually denoted as Risk = ∑(events) × (Probability of occurrence) × ?

A. Magnitude

B. Probability

C. Consequences

D. Significance

 


Suggested Answer: C

Community Answer: C

 

Question 4

An estimation of the expected losses after an incident helps an organization in prioritizing and formulating its incident response. The cost of an incident can be categorized as tangible or intangible. Identify the tangible cost associated with a virus outbreak:

A. Loss of goodwill

B. Damage to corporate reputation

C. Psychological damage

D. Lost productivity damage

 


Suggested Answer: D

 

Question 5

A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can become a point of reference in case a violation occurs that results in dismissal or other penalty. Which of the following is NOT true for a good security policy?

A. It must be enforceable with security tools where appropriate and with sanctions where actual prevention is not technically feasible

B. It must be approved by court of law after verifications of the stated terms and facts

C. It must be implemented through system administration procedures, publishing of acceptable use guidelines or other appropriate methods

D. It must clearly define the areas of responsibilities of the users, administrators and management

 


Suggested Answer: B

Community Answer: B

 

Question 6

One of the goals of CSIRT is to manage security problems by taking a certain approach towards the customers' security vulnerabilities and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident:

A. Interactive approach

B. Introductive approach

C. Proactive approach

D. Qualitative approach

 


Suggested Answer: C

 

Question 7

Which of the following terms may be defined as "a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization's operation and revenues"?

A. Risk

B. Vulnerability

C. Threat

D. Incident Response

 


Suggested Answer: A

 

Question 8

A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which incident category of the US Federal Agency does this incident belong to?

A. CAT 5

B. CAT 1

C. CAT 2

D. CAT 6

 


Suggested Answer: C

 

Question 9

Which of the following is NOT one of the techniques used to respond to insider threats:

A. Placing malicious users in quarantine network, so that attack cannot be spread

B. Preventing malicious users from accessing unclassified information

C. Disabling the computer systems from network connection

D. Blocking malicious user accounts

 


Suggested Answer: B

 

Question 10

The leftover risk after implementing a control is called:

A. Residual risk

B. Unaccepted risk

C. Low risk

D. Critical risk

 


Suggested Answer: A

 

Question 11

Which of the following is an incident tracking, reporting and handling tool:

A. CRAMM

B. RTIR

C. NETSTAT

D. EAR/ Pilar

 


Suggested Answer: B

 

Question 12

In which of the steps of NIST's risk assessment methodology are the boundary of the IT system, along with the resources and the information that constitute the system identified?

A. Likelihood Determination

B. Control recommendation

C. System characterization

D. Control analysis

 


Suggested Answer: C

Community Answer: C

 

Question 13

In a qualitative risk analysis, risk is calculated in terms of:

A. (Attack Success + Criticality) – (Countermeasures)

B. Asset criticality assessment – (Risks and Associated Risk Levels)

C. Probability of Loss X Loss

D. (Countermeasures + Magnitude of Impact) – (Reports from prior risk assessments)

 


Suggested Answer: C

 

Question 14

US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 Federal Agency category?

A. Weekly

B. Within four (4) hours of discovery/detection if the successful attack is still ongoing and agency is unable to successfully mitigate activity

C. Within two (2) hours of discovery/detection

D. Monthly

 


Suggested Answer: A

 

Question 15

One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT's incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?

A. Protection

B. Preparation

C. Detection

D. Triage

 


Suggested Answer: A

 

Question 16

What is correct about Quantitative Risk Analysis:

A. It is Subjective but faster than Qualitative Risk Analysis

B. Easily automated

C. Better than Qualitative Risk Analysis

D. Uses levels and descriptive expressions

 


Suggested Answer: A

Community Answer: A

 

Question 17

A malware code that infects computer files, corrupts or deletes the data in them and requires a host file to propagate is called:

A. Trojan

B. Worm

C. Virus

D. RootKit

 


Suggested Answer: C

Community Answer: C

 

Question 18

A threat source does not present a risk if there is NO vulnerability that can be exercised for a particular threat source. Identify the step in which different threat sources are defined:

A. Identification Vulnerabilities

B. Control analysis

C. Threat identification

D. System characterization

 


Suggested Answer: C

 

Question 19

To recover, analyze, and preserve computer and related materials in such a way that it can be presented as evidence in a court of law and identify the evidence in short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator is known as:

A. Computer Forensics

B. Digital Forensic Analysis

C. Forensic Readiness

D. Digital Forensic Examiner

 


Suggested Answer: A

Community Answer: A

 

Question 20

Absorbing minor risks while preparing to respond to major ones is called:

A. Risk Mitigation

B. Risk Transfer

C. Risk Assumption

D. Risk Avoidance

 


Suggested Answer: C

Community Answer: A

 

Question 21

A Malicious code attack using emails is considered as:

A. Malware based attack

B. Email attack

C. Inappropriate usage incident

D. Multiple component attack

 


Suggested Answer: D

Community Answer: A

 

Question 22

Ensuring the integrity, confidentiality and availability of electronic protected health information of a patient is known as:

A. Gramm-Leach-Bliley Act

B. Health Insurance Portability and Privacy Act

C. Social Security Act

D. Sarbanes-Oxley Act

 


Suggested Answer: B

 

Question 23

Which of the following is NOT one of the common techniques used to detect Insider threats:

A. Spotting an increase in their performance

B. Observing employee tardiness and unexplained absenteeism

C. Observing employee sick leaves

D. Spotting conflicts with supervisors and coworkers

 


Suggested Answer: A

 

Question 24

An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is based on necessity and if a particular job role requires the use of those resources. Which of the following is NOT a fundamental element of access control policy:

A. Action group: group of actions performed by the users on resources

B. Development group: group of persons who develop the policy

C. Resource group: resources controlled by the policy

D. Access group: group of users to which the policy applies

 


Suggested Answer: B

 

Question 25

A computer Risk Policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy?

A. Procedure to identify security funds to hedge risk

B. Procedure to monitor the efficiency of security controls

C. Procedure for the ongoing training of employees authorized to access the system

D. Provisions for continuing support if there is an interruption in the system or if the system crashes

 


Suggested Answer: A

Community Answer: A

 

Question 26

Which of the following service(s) is provided by the CSIRT:

A. Vulnerability handling

B. Technology watch

C. Development of security tools

D. All the above

 


Suggested Answer: D

 

Question 27

Incident handling and response steps help you to detect, identify, respond and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?

A. Eradication

B. Containment

C. Identification

D. Data collection

 


Suggested Answer: B

Community Answer: B

 

Question 28

The largest number of cyber-attacks are conducted by:

A. Insiders

B. Outsiders

C. Business partners

D. Suppliers

 


Suggested Answer: B

 

Question 29

Adam calculated the total cost of a control to protect 10,000 $ worth of data as 20,000 $. What do you advise Adam to do?

A. Apply the control

B. Not to apply the control

C. Use qualitative risk assessment

D. Use semi-qualitative risk assessment instead

 


Suggested Answer: B

 

Question 30

A computer forensic investigator must perform a proper investigation to protect digital evidence. During the investigation, an investigator needs to process large amounts of data using a combination of automated and manual methods. Identify the computer forensic process involved:

A. Analysis

B. Preparation

C. Examination

D. Collection

 


Suggested Answer: C

Community Answer: C

 

Question 31

The ability of an agency to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy is known as:

A. Business Continuity Plan

B. Business Continuity

C. Disaster Planning

D. Contingency Planning

 


Suggested Answer: B

Community Answer: B

 

Question 32

The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigations of the incident. Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out?

A. Containment

B. Eradication

C. Incident recording

D. Incident investigation

 


Suggested Answer: A

Community Answer: A

 

Question 33

The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:

A. If the insider’s technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant.

B. If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be insignificant.

C. If the insider’s technical literacy is high and process knowledge is low, the risk posed by the threat will be high.

D. If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be high.

 


Suggested Answer: D

Community Answer: D

 

Question 34

The correct sequence of Incident Response and Handling is:

A. Incident Identification, recording, initial response, communication and containment

B. Incident Identification, initial response, communication, recording and containment

C. Incident Identification, communication, recording, initial response and containment

D. Incident Identification, recording, initial response, containment and communication

 


Suggested Answer: A

 

Question 35

An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization's incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such information security incident?

A. High level incident

B. Middle level incident

C. Ultra-High level incident

D. Low level incident

 


Suggested Answer: B

Community Answer: B

 

Question 36

Which of the following incidents are reported under the CAT 5 federal agency category?

A. Exercise/ Network Defense Testing

B. Malicious code

C. Scans/ probes/ Attempted Access

D. Denial of Service (DoS)

 


Suggested Answer: C

 

Question 37

Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?

A. Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible

B. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management

C. Applies the appropriate technology and tries to eradicate and recover from the incident

D. Focuses on the incident and handles it from management and technical point of view

 


Suggested Answer: B

 

Question 38

An assault on system security that is derived from an intelligent threat is called:

A. Threat Agent

B. Vulnerability

C. Attack

D. Risk

 


Suggested Answer: C

 

Question 39

Incident management team provides support to all users in the organization that are affected by the threat or attack. The organization's internal auditor is part of the incident response team. Identify one of the responsibilities of the internal auditor as part of the incident response team:

A. Configure information security controls

B. Perform necessary action to block the network traffic from suspected intruder

C. Identify and report security loopholes to the management for necessary actions

D. Coordinate incident containment activities with the information security officer

 


Suggested Answer: C

 

Question 40

Bit stream image copy of the digital evidence must be performed in order to:

A. Prevent alteration to the original disk

B. Copy the FAT table

C. Copy all disk sectors including slack space

D. All the above

 


Suggested Answer: C

Community Answer: D

 

Question 41

The Linux command used to make binary copies of computer media and as a disk imaging tool if given a raw disk device as its input is:

A. “dd” command

B. “netstat” command

C. “nslookup” command

D. “find” command

 


Suggested Answer: A

 

Question 42

The service organization that provides 24x7 computer security incident response services to any user, company, government agency, or organization is known as:

A. Computer Security Incident Response Team (CSIRT)

B. Security Operations Center (SOC)

C. Digital Forensics Examiner

D. Vulnerability Assessor

 


Suggested Answer: A

 

Question 43

Preventing the incident from spreading and limiting the scope of the incident is known as:

A. Incident Eradication

B. Incident Protection

C. Incident Containment

D. Incident Classification

 


Suggested Answer: C

 

Question 44

Which of the following incident recovery testing methods works by creating a mock disaster, such as a fire, to identify the reaction of the procedures that are implemented to handle such situations?

A. Scenario testing

B. Facility testing

C. Live walk-through testing

D. Procedure testing

 


Suggested Answer: D

Community Answer: A

 

Question 45

Which one of the following is the correct sequence of flow of the stages in an incident response:

A. Containment – Identification – Preparation – Recovery – Follow-up – Eradication

B. Preparation – Identification – Containment – Eradication – Recovery – Follow-up

C. Eradication – Containment – Identification – Preparation – Recovery – Follow-up

D. Identification – Preparation – Containment – Recovery – Follow-up – Eradication

 


Suggested Answer: B

 

Question 46

Which of the following is an appropriate flow of the incident recovery steps?

A. System Operation-System Restoration-System Validation-System Monitoring

B. System Validation-System Operation-System Restoration-System Monitoring

C. System Restoration-System Monitoring-System Validation-System Operations

D. System Restoration-System Validation-System Operations-System Monitoring

 


Suggested Answer: D

 

Question 47

An audit trail policy collects all audit trails such as series of records of computer events, about an operating system, application or user activities. Which of the following statements is NOT true for an audit trail policy:

A. It helps in calculating intangible losses to the organization due to an incident

B. It helps in tracking individual actions and allows users to be personally accountable for their actions

C. It helps in compliance with various regulatory laws, rules, and guidelines

D. It helps in reconstructing the events after a problem has occurred

 


Suggested Answer: A

Community Answer: A

 

Question 48

ADAM, an employee from a multinational company, uses his company's accounts to send e-mails to a third party with their spoofed mail address. How can you categorize this type of account?

A. Inappropriate usage incident

B. Unauthorized access incident

C. Network intrusion incident

D. Denial of Service incident

 


Suggested Answer: A

 

Question 49

In NIST risk assessment methodology, the process of identifying the boundaries of an IT system along with the resources and information that constitute the system is known as:

A. Asset Identification

B. System characterization

C. Asset valuation

D. System classification

 


Suggested Answer: B

 

Question 50

A computer virus hoax is a message warning the recipient of a non-existent computer virus. The message is usually a chain e-mail that tells the recipient to forward it to everyone they know. Which of the following is NOT a symptom of a virus hoax message?

A. The message prompts the end user to forward it to his / her e-mail contact list and gain monetary benefits in doing so

B. The message from a known email id is caught by SPAM filters due to change of filter settings

C. The message warns to delete certain files if the user does not take appropriate action

D. The message prompts the user to install Anti-Virus

 


Suggested Answer: B

Community Answer: B

 
