212-89 Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the 212-89 exam? Start with our 212-89 Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a 212-89 practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free 212-89 practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user's information and system. These programs may unleash dangerous programs that may erase the unsuspecting user's disk and send the victim's credit card numbers and passwords to a stranger.
A. Cookie tracker
B. Worm
C. Trojan
D. Virus
A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:
A. Trojans
B. Zombies
C. Spyware
D. Worms
Identify the network security incident in which intended authorized users are prevented from using a system, network, or application by flooding the network with a high volume of traffic that consumes all available network resources.
A. URL Manipulation
B. XSS Attack
C. SQL Injection
D. Denial of Service Attack
A security policy will take the form of a document or a collection of documents, depending on the situation or usage. It can become a point of reference in case a violation occurs that results in dismissal or other penalty. Which of the following is NOT true for a good security policy?
A. It must be enforceable with security tools where appropriate and with sanctions where actual prevention is not technically feasible
B. It must be approved by a court of law after verification of the stated terms and facts
C. It must be implemented through system administration procedures, publishing of acceptable use guidelines or other appropriate methods
D. It must clearly define the areas of responsibilities of the users, administrators and management
The correct sequence of Incident Response and Handling is:
A. Incident Identification, recording, initial response, communication and containment
B. Incident Identification, initial response, communication, recording and containment
C. Incident Identification, communication, recording, initial response and containment
D. Incident Identification, recording, initial response, containment and communication
The free, open source, TCP/IP protocol analyzer, sniffer and packet capturing utility standard across many industries and educational institutions is known as:
A. Snort
B. Wireshark
C. Cain & Abel
D. nmap
A host is infected by a worm that propagates through a vulnerable service; the sign(s) of the presence of the worm include:
A. Decrease in network usage
B. Established connection attempts targeted at the vulnerable services
C. System becomes unstable or crashes
D. All the above
The type of relationship between a CSIRT and its constituency has an impact on the services provided by the CSIRT. Identify the level of authority that enables members of the CSIRT to undertake any necessary actions on behalf of their constituency.
A. Full-level authority
B. Mid-level authority
C. Half-level authority
D. Shared-level authority
The largest number of cyber-attacks are conducted by:
A. Insiders
B. Outsiders
C. Business partners
D. Suppliers
An access control policy authorizes a group of users to perform a set of actions on a set of resources. Access to resources is based on necessity and on whether a particular job role requires the use of those resources. Which of the following is NOT a fundamental element of an access control policy?
A. Action group: group of actions performed by the users on resources
B. Development group: group of persons who develop the policy
C. Resource group: resources controlled by the policy
D. Access group: group of users to which the policy applies
An information security incident is:
A. Any real or suspected adverse event in relation to the security of computer systems or networks
B. Any event that disrupts normal day-to-day business functions
C. Any event that breaches the availability of information assets
D. All of the above
In a qualitative risk analysis, risk is calculated in terms of:
A. (Attack Success + Criticality) - (Countermeasures)
B. Asset criticality assessment - (Risks and Associated Risk Levels)
C. Probability of Loss x Loss
D. (Countermeasures + Magnitude of Impact) - (Reports from prior risk assessments)
One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT's incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?
A. Protection
B. Preparation
C. Detection
D. Triage
In which step of NIST's risk assessment methodology are the boundary of the IT system, along with the resources and information that constitute the system, identified?
A. Likelihood Determination
B. Control recommendation
C. System characterization
D. Control analysis
The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out.
A. Containment
B. Eradication
C. Incident recording
D. Incident investigation
Based on some statistics, what is typically the number one incident?
A. Phishing
B. Policy violation
C. Unauthorized access
D. Malware
Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:
A. Correlating known patterns of suspicious and malicious behavior
B. Protecting computer systems by implementing proper controls
C. Making it compulsory for employees to sign a non-disclosure agreement
D. Categorizing information according to its sensitivity and access rights
The leftover risk after implementing a control is called:
A. Residual risk
B. Unaccepted risk
C. Low risk
D. Critical risk
Incident handling and response steps help you to detect, identify, respond to and manage an incident. Which of the following steps focuses on limiting the scope and extent of an incident?
A. Eradication
B. Containment
C. Identification
D. Data collection
Ensuring the integrity, confidentiality and availability of electronic protected health information of a patient is known as:
A. Gramm-Leach-Bliley Act
B. Health Insurance Portability and Privacy Act
C. Social Security Act
D. Sarbanes-Oxley Act
Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution, and plan appendices. What is the main purpose of the reconstitution plan?
A. To restore the original site, test systems to prevent the incident, and terminate operations
B. To define the notification procedures and damage assessment, and to provide for plan activation
C. To provide the introduction and detailed concept of the contingency plan
D. To provide a sequence of recovery activities with the help of recovery procedures
The role that applies appropriate technology and tries to eradicate and recover from the incident is known as:
A. Incident Manager
B. Incident Analyst
C. Incident Handler
D. Incident coordinator
Which of the following is NOT one of the techniques used to respond to insider threats?
A. Placing malicious users in a quarantine network, so that the attack cannot spread
B. Preventing malicious users from accessing unclassified information
C. Disabling the computer systems from network connection
D. Blocking malicious user accounts
Preventing the incident from spreading and limiting the scope of the incident is known as:
A. Incident Eradication
B. Incident Protection
C. Incident Containment
D. Incident Classification
Digital evidence plays a major role in prosecuting cyber criminals. John, a cyber-crime investigator, is asked to investigate a child pornography case. The personal computer of the suspect in question was confiscated by the county police. Which of the following pieces of evidence will guide John in his investigation?
A. SAM file
B. Web server log
C. Routing table list
D. Web browser history
Performing a vulnerability assessment is an example of:
A. Incident Response
B. Incident Handling
C. Pre-Incident Preparation
D. Post Incident Management
The person who offers his formal opinion as a testimony about a computer crime incident in the court of law is known as:
A. Expert Witness
B. Incident Analyzer
C. Incident Responder
D. Evidence Documenter
Incident handling and response steps help you to detect, identify, respond to and manage an incident. Which of the following helps in recognizing and separating the infected hosts from the information system?
A. Configuring the firewall to default settings
B. Inspecting the processes running on the system
C. Browsing particular government websites
D. Sending mail only to a group of friends
A payroll system has a vulnerability that cannot be exploited with current technology. Which of the following is correct about this scenario?
A. The risk must be urgently mitigated
B. The risk must be transferred immediately
C. The risk is not present at this time
D. The risk is accepted
A US federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the network. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Under the US federal agency incident categories, which category does this incident belong to?
A. CAT 5
B. CAT 1
C. CAT 2
D. CAT 6
Adam calculated the total cost of a control to protect $10,000 worth of data as $20,000. What do you advise Adam to do?
A. Apply the control
B. Do not apply the control
C. Use qualitative risk assessment
D. Use semi-qualitative risk assessment instead
Which of the following service(s) is provided by the CSIRT:
A. Vulnerability handling
B. Technology watch
C. Development of security tools
D. All the above
An adversary attacking information resources to gain an undue advantage is called:
A. Defensive Information Warfare
B. Offensive Information Warfare
C. Electronic Warfare
D. Conventional Warfare
A risk mitigation strategy determines the circumstances under which an action has to be taken to minimize and overcome risks. Identify the risk mitigation strategy that focuses on minimizing the probability of risk and losses by searching for vulnerabilities in the system and for appropriate controls:
A. Risk Assumption
B. Research and acknowledgment
C. Risk limitation
D. Risk absorption
Which of the following incidents are reported under the CAT 5 federal agency category?
A. Exercise/Network Defense Testing
B. Malicious code
C. Scans/Probes/Attempted Access
D. Denial of Service (DoS)
ADAM, an employee of a multinational company, uses his company's accounts to send e-mails to a third party with a spoofed mail address. How would you categorize this type of incident?
A. Inappropriate usage incident
B. Unauthorized access incident
C. Network intrusion incident
D. Denial of Service incident
Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?
A. Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible
B. Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management
C. Applies the appropriate technology and tries to eradicate and recover from the incident
D. Focuses on the incident and handles it from a management and technical point of view
Malicious code that is installed on a computer without the user's knowledge to acquire information from the user's machine and send it to an attacker who can access it remotely is called:
A. Spyware
B. Logic Bomb
C. Trojan
D. Worm
A malicious code attack using email is considered:
A. Malware based attack
B. Email attack
C. Inappropriate usage incident
D. Multiple component attack
Which of the following is an appropriate flow of the incident recovery steps?
A. System Operation-System Restoration-System Validation-System Monitoring
B. System Validation-System Operation-System Restoration-System Monitoring
C. System Restoration-System Monitoring-System Validation-System Operations
D. System Restoration-System Validation-System Operations-System Monitoring
In the NIST risk assessment methodology, the process of identifying the boundaries of an IT system along with the resources and information that constitute the system is known as:
A. Asset Identification
B. System characterization
C. Asset valuation
D. System classification
When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?
A. All access rights of the employee to physical locations, networks, systems, applications and data should be disabled
B. The organization should enforce separation of duties
C. The access requests granted to an employee should be documented and vetted by the supervisor
D. The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information
Which of the following incident recovery testing methods works by creating a mock disaster, such as a fire, to test the reaction of the procedures implemented to handle such situations?
A. Scenario testing
B. Facility testing
C. Live walk-through testing
D. Procedure testing
Which of the following is a correct statement about incident management, handling and response?
A. Incident response is one of the functions provided by incident handling
B. Incident handling is one of the functions provided by incident response
C. Triage is one of the services provided by incident response
D. Incident response is one of the services provided by triage
The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost. Which of the following does NOT constitute a goal of incident response?
A. Dealing with the human resources department and various employee conflict behaviors.
B. Using information gathered during incident handling to prepare for handling future incidents in a better way and to provide stronger protection for systems and data.
C. Helping personnel to recover quickly and efficiently from security incidents, minimizing loss or theft and disruption of services.
D. Dealing properly with legal issues that may arise during incidents.
An estimation of the expected losses after an incident helps organizations prioritize and formulate their incident response. The cost of an incident can be categorized as tangible or intangible. Identify the tangible cost associated with a virus outbreak.
A. Loss of goodwill
B. Damage to corporate reputation
C. Psychological damage
D. Lost productivity damage
An assault on system security that is derived from an intelligent threat is called:
A. Threat Agent
B. Vulnerability
C. Attack
D. Risk
The ability of an agency to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy is known as:
A. Business Continuity Plan
B. Business Continuity
C. Disaster Planning
D. Contingency Planning
A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy.
A. Procedure to identify security funds to hedge risk
B. Procedure to monitor the efficiency of security controls
C. Procedure for the ongoing training of employees authorized to access the system
D. Provisions for continuing support if there is an interruption in the system or if the system crashes
Insiders may be:
A. Ignorant employees
B. Careless administrators
C. Disgruntled staff members
D. All the above