1) The CEO of Erich's company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. How should Erich classify the information impact of this security event?
   a) None
   b) Privacy breach
   c) Proprietary breach
   d) Integrity loss

2) Which of the following elements is not normally found in an incident response policy?
   a) Performance measures for the CSIRT
   b) Definition of cybersecurity incidents
   c) Definition of roles, responsibilities, and levels of authority
   d) Procedures for rebuilding systems

3) What phase of the incident response process would include measures designed to limit the damage caused by an ongoing breach?
   a) Preparation
   b) Detection and analysis
   c) Containment, eradication, and recovery
   d) Post-incident activity

4) Jared wants to validate the integrity of a drive that he has forensically imaged as part of an incident response process. Which of the options should he select?
   a) Compare a hash of the original drive to a hash of the drive image
   b) Compare the file size on disk of the original drive to the space taken up by the drive image
   c) Compare the vendor's drive size listing to the space taken up by the drive image
   d) Use PGP to encrypt the drive and the image and make sure that both encrypted versions match

5) Mary wants to determine if the traffic she is seeing is unusual for her network. Which of the following options would be most useful to determine if traffic levels are not typical for this time of day in a normal week?
   a) Heuristics
   b) Baselines
   c) Protocol analysis
   d) Network flow logs

6) Which of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
   a) Sandbox
   b) Playpen
   c) IDS
   d) DLP

7) Which of the following pieces of information is most critical to conducting a solid incident recovery effort?
   a) Identity of the attacker
   b) Time of the attack
   c) Root cause of the attack
   d) Attacks on other organizations

8) Which one of the following is not a common use of formal incident reports?
   a) Training new team members
   b) Sharing with other organizations
   c) Developing new security controls
   d) Assisting with legal action

9) David wants to identify stakeholders for vulnerability management communications. Which stakeholder group is most likely to want information to be available via an API instead of a written communication?
   a) Security operations and oversight stakeholders
   b) Audit and compliance stakeholders
   c) System administration stakeholders
   d) Management stakeholders

10) Which of the following potential incident response metrics is least useful in understanding the organization's ability to respond to incidents?
   a) MTTD
   b) Alert volume
   c) MTTR
   d) MTTRM

11) Rubin wants to ensure that patches are installed as part of a baseline for his organization. What type of tool should he invest in as part of his overall action plan for remediation?
   a) A vulnerability scanner
   b) A baseline configuration scanner
   c) An endpoint detection and response tool
   d) A configuration management tool or system

12) Roshandra is performing root cause analysis. Which of the following is not one of the four common steps in an RCA exercise?
   a) Documenting the root cause analysis using a chart or diagram
   b) Establishing a timeline of events
   c) Determining which individual or team was responsible for the problem
   d) Identifying the problems and events that occurred during the event and describing them as completely as possible

13) Shanard's organization has been informed that data must be preserved due to pending legal action. What is this type of requirement called?
   a) A retainer
   b) A legal hold
   c) A data freeze
   d) An extra-legal hold

14) Aquil needs to capture network traffic from a Linux server that does not use a GUI. What packet capture utility is found on many Linux systems and works from the command line?
   a) tcpdump
   b) netdd
   c) Wireshark
   d) Snifman

15) Which of the following is a key differentiator between a SIEM and a SOAR?
   a) A SIEM does not provide a dashboard
   b) A SOAR provides automated response capabilities
   c) A SOAR does not provide log aggregation
   d) A SIEM provides log analysis

Incident Response Team CYSA+
