1.
Below is a list of the types of training suitable for training a CSIRT, except for:
Correct Answer
D. None of the above
Explanation
The given options are all types of training suitable to train CSIRT. Establishing a mentoring system can provide guidance and support to team members, encouraging self-study allows individuals to enhance their knowledge and skills independently, and involving team members in incident simulation helps them gain hands-on experience in handling real-life scenarios. Therefore, all the options listed are appropriate types of training for CSIRT.
2.
The acceptance of the CSIRT team in an organization depends on:
Correct Answer
D. All of the above
Explanation
The acceptance of the CSIRT team in an organization depends on its ability to coordinate with other organizations, the expertise and professionalism it displays, and its perceived capabilities. This means that for the CSIRT team to be accepted and trusted within the organization, they need to effectively collaborate and communicate with other organizations, demonstrate their knowledge and skills in handling incidents, and create a perception of being capable and reliable in responding to and mitigating cyber threats.
3.
Which of these are not part of the steps taken under the preparation phase in Incident Response Methodology?
Correct Answer
C. Gathering incident logs and write report
Explanation
The given answer "Gathering incident logs and write report" is not part of the steps taken under the preparation phase in Incident Response Methodology. The preparation phase mainly involves developing the IR policy and organizing the CSIRT (Computer Security Incident Response Team). Gathering incident logs and writing a report are typically part of the detection and analysis phase, where the incident is investigated and documented.
4.
What are the barriers to success in organizing a team?
Correct Answer
B. Politics
Explanation
Politics can be a barrier to success in organizing a team because it involves the use of power, influence, and manipulation to gain control or advantage. When politics come into play, individuals may prioritize personal interests over the goals of the team, leading to conflicts, lack of cooperation, and a breakdown in communication. This can hinder the team's ability to work together effectively and achieve their objectives.
5.
The __________ department typically controls all physical access to the facility.
Correct Answer
A. Physical security
Explanation
The physical security department is responsible for controlling all physical access to the facility. This includes implementing measures such as security guards, surveillance systems, access control systems, and visitor management protocols to ensure the safety and security of the premises. They play a crucial role in preventing unauthorized entry, theft, vandalism, and other physical threats to the facility and its occupants.
6.
The most important issue in forming and managing an incident response team is ________.
Correct Answer
C. Policy
Explanation
The most important issue in forming and managing an incident response team is policy. A well-defined and comprehensive policy provides guidelines and procedures for the team to follow in the event of an incident. It ensures that the team members understand their roles and responsibilities, helps in effective decision-making, and promotes consistency in handling incidents. A strong policy also helps in coordinating with other teams, communicating with stakeholders, and maintaining compliance with legal and regulatory requirements. Without a clear policy in place, the incident response team may struggle to effectively respond to and mitigate incidents.
7.
Which of the below are skills needed to be included in a CSIRT team?
Correct Answer(s)
A. Cryptography
B. Intrusion detection systems
C. Documentation creation and maintenance
E. Managerial experience
Explanation
The skills needed to be included in a CSIRT team are cryptography, intrusion detection systems, documentation creation and maintenance, and managerial experience. Cryptography is important for ensuring secure communication and data protection. Intrusion detection systems help in identifying and responding to potential security breaches. Documentation creation and maintenance is crucial for keeping track of processes and procedures. Managerial experience is necessary for effective team coordination and decision-making. Re-assembling PCs is not mentioned as a required skill for a CSIRT team.
8.
CSIRT services that are triggered by an event or request, and are the core component of CSIRT work is called:
Correct Answer
D. Reactive services
Explanation
Reactive services are the correct answer because they are the CSIRT services that are triggered by an event or request. These services are responsive in nature and are designed to react to incidents or issues as they arise. They involve activities such as incident response, incident handling, and incident investigation. Unlike proactive services, which aim to prevent incidents from occurring, reactive services focus on addressing and resolving incidents that have already occurred.
9.
Users must be knowledgeable not only about basic security practices but also about what constitutes an anomaly or what might be an incident in the making; therefore the need for ______________.
Correct Answer
B. Training
Explanation
Users must be knowledgeable not only about basic security practices but also about what constitutes an anomaly or what might be an incident in the making. This knowledge can be gained through training, which provides users with the necessary skills and understanding to identify and respond to potential security threats. Training helps users develop a proactive mindset towards security, enabling them to detect and address anomalies or incidents before they escalate. By undergoing training, users become more equipped to protect themselves and their organization from potential security breaches.
10.
Which factor is the most important item when it comes to ensuring that security is successful in an organization?
Correct Answer
D. Senior management support
Explanation
Senior management support is the most important factor when it comes to ensuring that security is successful in an organization. This is because senior management plays a crucial role in setting the tone and priorities for security within the organization. Their support and commitment to security initiatives are essential for establishing a culture of security awareness and compliance throughout the organization. Without senior management support, it would be difficult to allocate resources, implement effective controls, and enforce security policies and procedures.
11.
An organization that would like to form an incident response team would have to focus on reasons. What are the reasons?
Correct Answer(s)
A. To build experts
B. Ability to Work Proactively
Explanation
An organization would form an incident response team to build experts and have the ability to work proactively. By building a team of experts, the organization can ensure that they have the necessary skills and knowledge to effectively respond to incidents. Additionally, having the ability to work proactively allows the team to identify and address potential issues before they become major incidents, helping to minimize the impact on the organization.
12.
A server has been compromised by a hacker who used it to send spam messages to thousands of people on the Internet. A member of the IT staff noticed the problem while monitoring network and service performance over the weekend, and has noticed that several windows are open on the server’s monitor. He also notices that a program he is unfamiliar with is running on the computer. He has called you for instructions as to what he should do next. As the CSIRT team leader, which of the following will you tell him to do immediately?
Correct Answer
C. Document what appears on the screen
Explanation
The IT staff member should document what appears on the screen immediately. This is important because it will provide valuable information about the compromise and help in the investigation process. The open windows and unfamiliar program running on the server may contain clues about the hacker's activities and potential vulnerabilities that were exploited. Documenting this information will assist the CSIRT team in analyzing the incident, identifying the extent of the compromise, and taking appropriate actions to mitigate the attack.
13.
What has caused the rise in computer crimes and new methods of committing old computer crimes?
Correct Answer
B. World Wide Web
Explanation
The rise in computer crimes and new methods of committing old computer crimes can be attributed to the increased use of computers and the expansion of the internet and its services. The World Wide Web has provided a platform for individuals to connect globally and access information, but it has also opened doors for cybercriminals to exploit vulnerabilities and commit computer crimes. As more people rely on computers and the internet for various activities, the opportunities for cybercriminals to target individuals and organizations have also increased.
14.
How do users prevent and protect themselves against viruses?
Correct Answer
D. Do not open e-mail attachments, use an OS that has virus security features, scan other users’ media storage devices before using them on your computer
Explanation
The correct answer is to not open e-mail attachments, use an OS that has virus security features, and scan other users' media storage devices before using them on your computer. This is because opening e-mail attachments can introduce viruses to your computer, using an OS with virus security features can help protect against viruses, and scanning other users' media storage devices can help identify and remove any potential viruses before they can infect your computer.
15.
Your machine was infected by a particularly destructive virus. Luckily, you have backups of your data. Which of the following should you do first?
Correct Answer
D. Use the installed anti-virus program to scan and disinfect your machine
16.
Which group causes the most risk of fraud and computer compromises?
Correct Answer
C. Employees
Explanation
Employees pose the most risk of fraud and computer compromises because they have direct access to sensitive information and systems within an organization. They are familiar with the internal processes and controls, making it easier for them to exploit vulnerabilities or manipulate data for personal gain. Additionally, employees may inadvertently compromise systems through negligence, such as falling victim to phishing attacks or using weak passwords. Therefore, organizations need to implement strong security measures and regularly educate employees about the importance of cybersecurity to mitigate these risks.
17.
Which element must computer evidence have to be admissible in court?
Correct Answer
D. It must be relevant
Explanation
Computer evidence must be relevant in order to be admissible in court. This means that the evidence must have a direct connection to the case and be able to provide information or support the claims being made. Irrelevant evidence would not be considered admissible as it would not have any bearing on the case at hand. Therefore, for computer evidence to be admissible, it must be relevant to the specific matter being litigated.
18.
First point to test in the notification process:
Correct Answer
C. Identifying a typical user
Explanation
The first point to test in the notification process is identifying a typical user. This is important because it allows the tester to select a representative user who will be able to provide valuable feedback on the notification system. By presenting this user with a form, the tester can gather specific information and evaluate the effectiveness of the notification process. Observing the process and conducting tests can come later in the testing process, but identifying a typical user is the initial step.
19.
Attack tracing can be implemented in the PDCERF methodology such as:
Correct Answer
C. Detection, containment, eradication
Explanation
In the PDCERF methodology, attack tracing can be implemented by following the steps of detection, containment, and eradication. First, the attack is detected, which involves identifying any signs or indicators of an attack. Once detected, the next step is containment, which involves isolating and minimizing the impact of the attack to prevent further damage. Finally, eradication is the process of completely removing the attack and its effects from the system. This sequence ensures that the attack is identified, controlled, and eliminated effectively.
20.
There are 5 common incident priorities. In priority 3, the CSIRT should:
Correct Answer
D. Protect important data in the organization
Explanation
In priority 3, the CSIRT should protect important data in the organization. This means that when an incident occurs, the CSIRT should prioritize the security and integrity of important data within the organization. This could involve implementing measures such as encryption, access controls, and backups to ensure that important data is not compromised or lost during the incident. Protecting important data is crucial for maintaining the confidentiality, availability, and integrity of the organization's information assets.
21.
What is the main task of a CSIRT?
Correct Answer
F. All of the above
Explanation
A CSIRT, or Computer Security Incident Response Team, is responsible for multiple tasks. Firstly, it provides assistance in preventing and handling computer security incidents, which involves proactive measures and reactive responses to incidents. Secondly, it shares information and lessons learned with other organizations or teams, contributing to the overall knowledge and improvement of computer security. Lastly, it serves as a place to report local computer security incident problems, acting as a central point for incident reporting and coordination. Therefore, the correct answer is "All of the above" as it encompasses all the main tasks of a CSIRT.
22.
A CSIRT with a _______________ relationship with its constituency would be able to advise and influence the constituency.
Correct Answer
B. Share authority
Explanation
A CSIRT with a "share authority" relationship with its constituency would be able to advise and influence the constituency. This means that the CSIRT has a level of authority and power that is shared with the constituency, allowing for collaboration and cooperation in decision-making processes. This type of relationship fosters trust and open communication, enabling the CSIRT to effectively provide guidance and influence the actions of the constituency in matters of cybersecurity.
23.
Why does organizational resistance become a barrier to the success of a CSIRT?
Correct Answer
A. Feeling threatened
Explanation
Organizational resistance becomes a barrier to the success of a CSIRT because when employees feel threatened by the establishment of a CSIRT, they may resist its implementation and hinder its effectiveness. This resistance can stem from a fear of change, a perception that the CSIRT threatens their job security or power dynamics within the organization. Such resistance can lead to a lack of cooperation, reluctance to share information, and a failure to fully engage with the CSIRT's activities, ultimately impeding its ability to effectively respond to and mitigate cybersecurity incidents.
24.
There are many ways to spread information about the incident response team. Which is the first and best way to do so?
Correct Answer
C. Train and educate the people within the team, especially the help desks
Explanation
Training and educating the people within the team, especially the help desks, is the first best way to spread information about the incident response team. By providing proper training and education, team members will have a clear understanding of their roles and responsibilities, as well as the protocols and procedures to follow during incidents. This will ensure that they are well-equipped to handle any incidents that may arise and can effectively communicate the necessary information to others. Additionally, by focusing on educating the help desks, who often interact directly with users, the team can ensure that accurate and consistent information is provided to all staff members.
25.
Which of the below are important to have in the documentation of the incident?
Correct Answer(s)
A. Employees questioned and involved
C. Expense and time logs
Explanation
The documentation of an incident should include information about the employees who were questioned and involved in the incident, as this helps in understanding the sequence of events and identifying any potential witnesses or individuals responsible. Additionally, including expense and time logs in the documentation is important as it provides a record of the resources utilized during the incident response and helps in assessing the impact and cost of the incident. However, the cost of repairing the damage and the date the case will be brought to court are not directly relevant to the documentation of the incident.