Unit 2
Preparing for Incident Response
What is the first step in incident response?
A) Identification
B) Containment
C) Eradication
D) Recovery
Answer: A
Which of the following is not an objective of incident response?
A) Reducing the impact of the incident
B) Identifying the source of the incident
C) Restoring the affected systems and data
D) Punishing the perpetrator of the incident
Answer: D
What is the purpose of an incident response plan?
A) To prevent incidents from happening
B) To reduce the impact of incidents
C) To punish the perpetrators of incidents
D) To identify the source of incidents
Answer: B
Which of the following is a common trigger for an incident?
A) Malicious insider
B) Unpatched software vulnerability
C) Natural disaster
D) All of the above
Answer: D
Which of the following is not a phase of incident response?
A) Detection
B) Response
C) Prevention
D) Recovery
Answer: C
What is the role of a first responder in incident response?
A) Contain the incident
B) Investigate the incident
C) Restore the affected systems and data
D) All of the above
Answer: A
What is the goal of containment in incident response?
A) To prevent the incident from spreading
B) To eradicate the incident
C) To restore the affected systems and data
D) To identify the source of the incident
Answer: A
Which of the following is not a component of an incident response team?
A) Technical experts
B) Legal experts
C) Management representatives
D) Sales representatives
Answer: D
What is the purpose of a communication plan in incident response?
A) To communicate with the public about the incident
B) To communicate with internal stakeholders about the incident
C) To communicate with law enforcement about the incident
D) All of the above
Answer: B
Which of the following is not a best practice for incident response?
A) Having an incident response plan
B) Conducting regular incident response training
C) Ignoring incidents until they become major problems
D) Conducting regular security assessments
Answer: C
Which of the following is a key component of incident response?
A) Analysis
B) Reprimand
C) Publicity
D) Resignation
Answer: A
What is the purpose of an incident response exercise?
A) To test the incident response plan
B) To punish employees for security lapses
C) To identify the source of incidents
D) To prevent incidents from happening
Answer: A
What is the difference between a vulnerability and an exploit?
A) A vulnerability is a weakness in a system or application, while an exploit is a program or technique that takes advantage of a vulnerability.
B) A vulnerability is a program or technique that takes advantage of a weakness in a system or application, while an exploit is a weakness in a system or application.
C) A vulnerability and an exploit are the same thing.
D) A vulnerability is a weakness in hardware, while an exploit is a weakness in software.
Answer: A
What is the purpose of a forensic investigation in incident response?
A) To restore the affected systems and data
B) To identify the source of the incident
C) To punish the perpetrator of the incident
D) To prevent similar incidents from happening in the future
Answer: B
What is the purpose of a business impact analysis in incident response?
A) To determine the financial impact of an incident
B) To determine the operational impact of an incident
C) To determine the reputational impact of an incident
D) All of the above
Answer: D
What is the goal of eradication in incident response?
A) To restore the affected systems and data
B) To identify the source of the incident
C) To prevent the incident from happening again
D) To contain the incident
Answer: C
What is the purpose of a security incident management system?
A) To prevent incidents from happening
B) To detect incidents as they occur
C) To respond to incidents in a timely manner
D) All of the above
Answer: D
What is the difference between an incident and a breach?
A) An incident is a security event that violates a security policy, while a breach is an unauthorized access to data or systems.
B) An incident and a breach are the same thing.
C) An incident is an unauthorized access to data or systems, while a breach is a security event that violates a security policy.
D) An incident and a breach both involve unauthorized access to data or systems, but a breach is more serious than an incident.
Answer: A
What is the purpose of a chain of custody in incident response?
A) To maintain the integrity of evidence
B) To identify the source of an incident
C) To restore the affected systems and data
D) To prevent similar incidents from happening in the future
Answer: A
What is the purpose of a vulnerability assessment in incident response?
A) To identify vulnerabilities in systems and applications
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) To prevent incidents from happening
Answer: A
What is the purpose of a threat intelligence program in incident response?
A) To prevent incidents from happening
B) To detect incidents as they occur
C) To respond to incidents in a timely manner
D) To gather information about potential threats
Answer: D
What is the difference between a disaster recovery plan and an incident response plan?
A) A disaster recovery plan focuses on restoring IT systems after a disaster, while an incident response plan focuses on responding to security incidents.
B) A disaster recovery plan focuses on responding to security incidents, while an incident response plan focuses on restoring IT systems after a disaster.
C) A disaster recovery plan and an incident response plan are the same thing.
D) A disaster recovery plan and an incident response plan both focus on preventing security incidents.
Answer: A
What is the purpose of a tabletop exercise in incident response?
A) To test the incident response plan
B) To punish employees for security lapses
C) To identify the source of incidents
D) To prevent incidents from happening
Answer: A
What is the purpose of a security incident report?
A) To identify the source of an incident
B) To restore the affected systems and data
C) To maintain a record of the incident for future reference
D) To prevent similar incidents from happening in the future
Answer: C
Which of the following is a common mistake in incident response?
A) Failing to document the incident
B) Overreacting to the incident
C) Ignoring the incident
D) All of the above
Answer: A
What is the goal of recovery in incident response?
A) To identify the source of the incident
B) To prevent the incident from happening again
C) To restore the affected systems and data
D) To contain the incident
Answer: C
What is the purpose of a security incident response team?
A) To prevent incidents from happening
B) To detect incidents as they occur
What is the purpose of a forensic analysis in incident response?
A) To identify the source of an incident
B) To restore the affected systems and data
C) To prevent similar incidents from happening in the future
D) To gather evidence for legal or disciplinary action
Answer: D
What is the role of management in incident response?
A) To respond to the incident
B) To oversee the incident response process
C) To restore the affected systems and data
D) To prevent similar incidents from happening in the future
Answer: B
What is the goal of containment in incident response?
A) To restore the affected systems and data
B) To prevent the incident from happening again
C) To identify the source of the incident
D) To limit the scope of the incident
Answer: D
What is the purpose of a post-incident review in incident response?
A) To identify the source of the incident
B) To restore the affected systems and data
C) To prevent similar incidents from happening in the future
D) To punish employees for security lapses
Answer: C
What is the role of legal in incident response?
A) To respond to the incident
B) To provide guidance on legal and regulatory requirements
C) To restore the affected systems and data
D) To prevent similar incidents from happening in the future
Answer: B
What is the difference between an incident response team and a security operations center (SOC)?
A) An incident response team focuses on responding to security incidents, while a SOC focuses on monitoring and detecting security threats.
B) An incident response team and a SOC are the same thing.
C) An incident response team focuses on monitoring and detecting security threats, while a SOC focuses on responding to security incidents.
D) An incident response team and a SOC both focus on preventing security incidents.
Answer: A
What is the purpose of a communication plan in incident response?
A) To prevent incidents from happening
B) To communicate with stakeholders during an incident
C) To respond to incidents in a timely manner
D) To restore the affected systems and data
Answer: B
What is the purpose of a vulnerability management program in incident response?
A) To identify vulnerabilities in systems and applications
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) To prevent incidents from happening
Answer: A
What is the role of IT in incident response?
A) To respond to the incident
B) To provide technical expertise and support
C) To restore the affected systems and data
D) To prevent similar incidents from happening in the future
Answer: B
What is the goal of preparation in incident response?
A) To identify potential security incidents
B) To prevent security incidents from happening
C) To respond to security incidents in a timely manner
D) All of the above
Answer: D
What is the purpose of an incident response plan?
A) To prevent incidents from happening
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) All of the above
Answer: B
What is the purpose of a data backup and recovery plan in incident response?
A) To prevent incidents from happening
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) All of the above
Answer: C
What is the purpose of a business continuity plan in incident response?
A) To prevent business disruptions during an incident
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) All of the above
Answer: A
What is the goal of a tabletop exercise in incident response?
A) To test the incident response plan
B) To restore the affected systems and data
C) To prevent incidents from happening
D) To punish employees for security lapses
Answer: A
What is the role of HR in incident response?
A) To respond to the incident
B) To provide guidance on legal and regulatory requirements
C) To restore the affected systems and data
D) To manage personnel issues related to the incident
Answer: D
What is the purpose of a root cause analysis in incident response?
A) To identify the source of the incident
B) To restore the affected systems and data
C) To prevent similar incidents from happening in the future
D) To punish employees for security lapses
Answer: C
What is the goal of a threat intelligence program in incident response?
A) To prevent incidents from happening
B) To respond to incidents in a timely manner
C) To identify potential security threats
D) To restore the affected systems and data
Answer: C
What is the purpose of an incident response policy?
A) To prevent incidents from happening
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) All of the above
Answer: B
What is the purpose of an incident response team charter?
A) To prevent incidents from happening
B) To communicate with stakeholders during an incident
C) To identify roles and responsibilities within the incident response team
D) To restore the affected systems and data
Answer: C
What is the goal of recovery in incident response?
A) To prevent similar incidents from happening in the future
B) To identify the source of the incident
C) To restore the affected systems and data
D) To limit the scope of the incident
Answer: C
What is the role of external resources in incident response?
A) To provide technical expertise and support
B) To manage personnel issues related to the incident
C) To prevent incidents from happening
D) All of the above
Answer: A
What is the purpose of a chain of custody in incident response?
A) To prevent similar incidents from happening in the future
B) To identify the source of the incident
C) To document the handling of evidence in a legal and defensible manner
D) To restore the affected systems and data
Answer: C
What is the purpose of an incident response playbook?
A) To prevent incidents from happening
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) To document the incident response process
Answer: D
What is the role of public relations in incident response?
A) To prevent incidents from happening
B) To communicate with stakeholders during an incident
C) To restore the affected systems and data
D) To identify potential security incidents
Answer: B
What is the purpose of a disaster recovery plan in incident response?
A) To prevent incidents from happening
B) To respond to incidents in a timely manner
C) To restore the affected systems and data
D) To limit the scope of the incident
Answer: C
What is the role of a third-party provider in incident response?
A) To prevent incidents from happening
B) To provide technical expertise and support
C) To manage personnel issues related to the incident
D) To punish employees for security lapses
Answer: B
What is the goal of a debriefing session after an incident?
A) To identify the source of the incident
B) To document the incident response process
C) To prevent similar incidents from happening in the future
D) All of the above
Answer: D
What is the role of legal in incident response?
A) To respond to the incident
B) To provide guidance on legal and regulatory requirements
C) To restore the affected systems and data
D) To manage personnel issues related to the incident
Answer: B
What is the purpose of a communication plan in incident response?
A) To prevent incidents from happening
B) To communicate with stakeholders during an incident
C) To restore the affected systems and data
D) To identify potential security incidents
Answer: B
What is the goal of containment in incident response?
A) To limit the scope of the incident
B) To restore the affected systems and data
C) To prevent similar incidents from happening in the future
D) To identify the source of the incident
Answer: A
What is the role of IT in incident response?
A) To prevent incidents from happening
B) To respond to the incident
C) To restore the affected systems and data
D) To manage personnel issues related to the incident
Answer: C
What is the purpose of a vulnerability management program in incident response?
A) To prevent incidents from happening
B) To identify potential security threats
C) To respond to incidents in a timely manner
D) To restore the affected systems and data
Answer: B
What is the purpose of a post-incident review in incident response?
A) To prevent incidents from happening
B) To document the incident response process
C) To identify potential improvements to the incident response plan
D) All of the above
Answer: D
What is the purpose of pre-incident preparation?
A. To prevent incidents from occurring
B. To respond effectively when incidents occur
C. To identify and manage risks
D. All of the above
Answer: D
What is the first step in preparing for incident response?
A. Identifying risks
B. Creating a network topology map
C. Setting up remote logging
D. Creating acceptable use policies
Answer: A
What is the purpose of identifying risks?
A. To prevent incidents from occurring
B. To assess the potential impact of incidents
C. To allocate resources effectively
D. All of the above
Answer: D
What is the purpose of recording cryptographic checksums of critical files?
A. To prevent unauthorized access to files
B. To detect changes to critical files
C. To recover deleted files
D. None of the above
Answer: B
What algorithm is commonly used to create cryptographic checksums?
A. SHA-256
B. MD5
C. AES
D. RSA
Answer: B
What is the benefit of automating pre-incident checksums?
A. It saves time and reduces errors
B. It improves system performance
C. It eliminates the need for backups
D. None of the above
Answer: A
What is the benefit of increasing or enabling secure audit logging?
A. It reduces the risk of data breaches
B. It improves system performance
C. It reduces the need for backups
D. None of the above
Answer: A
What is the purpose of setting up remote logging?
A. To monitor network traffic
B. To reduce system downtime
C. To improve system performance
D. None of the above
Answer: A
What is the purpose of configuring Windows logging?
A. To monitor network traffic
B. To reduce system downtime
C. To improve system performance
D. None of the above
Answer: A
What is the purpose of enabling security auditing?
A. To monitor network traffic
B. To reduce system downtime
C. To improve system performance
D. None of the above
Answer: A
What is the benefit of auditing file and directory actions?
A. It improves system performance
B. It reduces the risk of data breaches
C. It reduces the need for backups
D. None of the above
Answer: B
What is the purpose of Linux backup tools?
A. To back up critical files
B. To improve system performance
C. To reduce the risk of data breaches
D. None of the above
Answer: A
What is the purpose of Windows backup tools?
A. To back up critical files
B. To improve system performance
C. To reduce the risk of data breaches
D. None of the above
Answer: A
What are the limitations of backup?
A. It can be time-consuming and resource-intensive
B. It may not capture all changes to critical files
C. It may not be secure
D. All of the above
Answer: D
What is the benefit of educating users about host-based security?
A. It reduces the risk of data breaches
B. It improves system performance
C. It reduces the need for backups
D. None of the above
Answer: A
What is the benefit of creating a network topology conducive to monitoring?
A. It improves system performance
B. It reduces the risk of data breaches
C. It makes it easier to detect and respond to incidents
D. None of the above
Answer: C
What is the purpose of creating a network topology map?
A. To identify potential security risks
B. To improve network performance
C. To allocate resources effectively
D. All of the above
Answer: A
What is the purpose of creating a network architecture map?
A. To identify potential security risks
B. To improve network performance
C. To allocate resources effectively
D. All of the above
Answer: D
What is the benefit of encrypting network traffic?
A. It improves system performance
B. It reduces the risk of data breaches
C. It reduces the need for backups
D. None of the above
Answer: B
What is the purpose of determining your response stance?
A. To prevent incidents from occurring
B. To respond effectively when incidents occur
C. To identify and manage risks
D. None of the above
Answer: B
What is the benefit of blending corporate and law enforcement objectives?
A. It reduces the risk of data breaches
B. It improves system performance
C. It increases the effectiveness of incident response
D. None of the above
Answer: C
How can understanding policies aid investigative steps?
A. It provides guidance on how to respond to incidents
B. It reduces the need for backups
C. It improves system performance
D. None of the above
Answer: A
What is the benefit of sound policies?
A. It reduces the risk of data breaches
B. It improves system performance
C. It provides guidance on how to respond to incidents
D. None of the above
Answer: C
What is the purpose of developing acceptable use policies?
A. To prevent incidents from occurring
B. To respond effectively when incidents occur
C. To reduce the risk of data breaches
D. All of the above
Answer: C
What is the benefit of designing AUPs from the top down?
A. It ensures that all stakeholders are involved in the process
B. It reduces the need for backups
C. It improves system performance
D. None of the above
Answer: A
What is the benefit of creating separate policies?
A. It reduces the need for backups
B. It improves system performance
C. It ensures that policies are tailored to specific needs
D. None of the above
Answer: C
What is the purpose of establishing an incident response team?
A. To prevent incidents from occurring
B. To respond effectively when incidents occur
C. To reduce the risk of data breaches
D. All of the above
Answer: B
What is the first step in incident response after detection of an incident?
A. Obtaining preliminary information
B. Documenting steps to take
C. Assembling the CSIRT
D. All of the above
Answer: A
What is the purpose of obtaining preliminary information?
A. To assess the severity of the incident
B. To identify the source of the incident
C. To determine the appropriate response
D. All of the above
Answer: D
What is the purpose of documenting steps to take?
A. To ensure that all necessary steps are taken
B. To provide a record of the incident for future reference
C. To aid in the investigation of the incident
D. All of the above
Answer: D
What is the purpose of establishing an incident notification procedure?
A. To prevent incidents from occurring
B. To respond effectively when incidents occur
C. To reduce the risk of data breaches
D. All of the above
Answer: B
What is the purpose of recording the details after initial detection?
A. To assess the severity of the incident
B. To identify the source of the incident
C. To determine the appropriate response
D. All of the above
Answer: D
What is the purpose of incident declaration?
A. To notify stakeholders of the incident
B. To assess the severity of the incident
C. To identify the source of the incident
D. All of the above
Answer: A
What is the purpose of assembling the CSIRT?
A. To assess the severity of the incident
B. To identify the source of the incident
C. To determine the appropriate response
D. All of the above
Answer: C
What is the benefit of determining escalation procedures?
A. It ensures that incidents are handled promptly and effectively
B. It reduces the risk of data breaches
C. It improves system performance
D. None of the above
Answer: A
What is the benefit of implementing notification procedures?
A. It ensures that stakeholders are notified promptly and effectively
B. It reduces the risk of data breaches
C. It improves system performance
D. None of the above
Answer: A
What is the benefit of scoping an incident and assembling the appropriate resources?
A. It ensures that incidents are handled promptly and effectively
B. It reduces the risk of data breaches
C. It improves system performance
D. None of the above
Answer: A
What is the purpose of assigning a team leader?
A. To ensure that all necessary steps are taken
B. To provide a point of contact for stakeholders
C. To aid in the investigation of the incident
D. All of the above
Answer: B
What is the purpose of assigning technical staff?
A. To ensure that all necessary steps are taken
B. To provide a point of contact for stakeholders
C. To aid in the investigation of the incident
D. All of the above
Answer: C
What are traditional investigative steps?
A. Collecting and preserving evidence
B. Conducting interviews
C. Analyzing the evidence
D. All of the above
Answer: D
What is the purpose of collecting and preserving evidence?
A. To identify the source of the incident
B. To aid in the investigation of the incident
C. To determine the appropriate response
D. All of the above
Answer: B
What is the purpose of conducting interviews?
A. To identify the source of the incident
B. To assess the severity of the incident
C. To determine the appropriate response
D. All of the above
Answer: A
What is the purpose of analyzing the evidence?
A. To identify the source of the incident
B. To assess the severity of the incident
C. To determine the appropriate response
D. All of the above
Answer: D
What is the purpose of developing a communication plan?
A. To ensure that stakeholders are informed of the incident
B. To reduce the risk of data breaches
C. To improve system performance
D. None of the above
Answer: A
What is the benefit of developing a communication plan?
A. It ensures that stakeholders are informed of the incident
B. It reduces the need for backups
C. It improves system performance
D. None of the above
Answer: A
What is the purpose of creating incident reports?
A. To document the incident for future reference
B. To assess the severity of the incident
C. To determine the appropriate response
D. All of the above
Answer: A
What is the benefit of creating incident reports?
A. It provides a record of the incident for future reference
B. It reduces the risk of data breaches
C. It improves system performance
D. None of the above
Answer: A
What is the purpose of conducting a post-incident review?
A. To assess the effectiveness of the incident response process
B. To identify areas for improvement
C. To document the incident for future reference
D. All of the above
Answer: D
What is the benefit of conducting a post-incident review?
A. It assesses the effectiveness of the incident response process
B. It reduces the need for backups
C. It improves system performance
D. None of the above
Answer: A
Which of the following is NOT a component of incident response?
A. Pre-incident preparation
B. Incident declaration
C. Post-incident review
D. Incident escalation
E. All of the above are components of incident response
Answer: E
What is the first step in pre-incident preparation?
A. Identifying risk
B. Preparing individual hosts
C. Creating a network topology map
D. Establishing appropriate policies and procedures
Answer: A
What is the purpose of identifying risk in pre-incident preparation?
A. To assess the likelihood of incidents occurring
B. To prioritize incident response efforts
C. To identify vulnerabilities in the system
D. All of the above
Answer: D
What is the purpose of preparing individual hosts in pre-incident preparation?
A. To prevent incidents from occurring
B. To facilitate incident response
C. To identify vulnerabilities in the system
D. All of the above
Answer: B
What is the purpose of recording cryptographic checksums of critical files?
A. To identify changes to critical files
B. To facilitate incident response
C. To prevent incidents from occurring
D. None of the above
Answer: A
What algorithm is typically used to create cryptographic checksums?
A. SHA-1
B. MD5
C. AES
D. RSA
Answer: B
What is the benefit of automating pre-incident checksums?
A. It reduces the risk of human error
B. It speeds up the pre-incident preparation process
C. It improves system performance
D. All of the above
Answer: A
What is the purpose of enabling secure audit logging?
A. To facilitate incident response
B. To improve system performance
C. To identify changes to critical files
D. All of the above
Answer: A
What is the benefit of setting up remote logging?
A. It allows logs to be collected from multiple sources
B. It reduces the need for backups
C. It improves system performance
D. None of the above
Answer: A
What is the purpose of configuring Windows logging?
A. To facilitate incident response
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of enabling security auditing in Windows?
A. To facilitate incident response
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of auditing file and directory actions?
A. To identify unauthorized access to files and directories
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the benefit of setting up remote logging in Linux?
A. It allows logs to be collected from multiple sources
B. It reduces the need for backups
C. It improves system performance
D. None of the above
Answer: A
What is the purpose of creating a network topology conducive to monitoring?
A. To facilitate incident response
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of creating a network topology map?
A. To identify network devices and their configurations
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of creating a network architecture map?
A. To identify network devices and their configurations
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the benefit of establishing appropriate policies and procedures?
A. It facilitates incident response
B. It improves system performance
C. It prevents incidents from occurring
D. All of the above
Answer: A
What is the benefit of blending corporate and law enforcement objectives in incident response policies?
A. It improves communication between the two groups
B. It facilitates incident response
C. It improves system performance
D. None of the above
Answer: B
How can understanding policies aid investigative steps in incident response?
A. It provides guidance on how to respond to incidents
B. It identifies the roles and responsibilities of team members
C. It helps identify potential conflicts between policies and procedures
D. All of the above
Answer: D
What are the benefits of sound policies in incident response?
A. It helps ensure a consistent and efficient response to incidents
B. It helps prevent incidents from occurring
C. It improves system performance
D. All of the above
Answer: A
What is the purpose of developing acceptable use policies?
A. To prevent incidents from occurring
B. To educate users on how to use system resources responsibly
C. To facilitate incident response
D. All of the above
Answer: B
What is the benefit of designing AUPs from the top down?
A. It ensures consistency with organizational policies
B. It makes the policies easier to understand for end-users
C. It improves system performance
D. None of the above
Answer: A
What is the purpose of creating separate policies for different types of users?
A. To ensure that policies are tailored to specific needs
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of establishing an incident response team?
A. To facilitate incident response
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the benefit of training the incident response team?
A. It ensures that team members are prepared to respond to incidents
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
What is the benefit of obtaining preliminary information after detecting an incident?
A. It helps the incident response team determine the severity of the incident
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
What is the purpose of documenting steps to take in incident response?
A. To ensure a consistent and efficient response to incidents
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of establishing an incident notification procedure?
A. To ensure that incidents are reported in a timely and consistent manner
B. To improve system performance
C. To prevent incidents from occurring
D. None of the above
Answer: A
What details should be recorded after initial detection of an incident?
A. The date and time of the incident
B. The location of the incident
C. The type of incident
D. All of the above
Answer: D
What is the purpose of incident declaration?
A. To ensure that the incident response team is notified of the incident
B. To improve system performance
C. To prevent incidents from occurring
D. None of the above
Answer: A
What is the purpose of assembling the CSIRT?
A. To ensure that the incident response team is prepared to respond to the incident
B. To ensure that the appropriate resources are assigned to the incident response team
C. To improve system performance
D. None of the above
Answer: B
What is the benefit of scoping an incident and assembling the appropriate resources?
A. It helps ensure a consistent and efficient response to incidents
B. It improves system performance
C. It prevents incidents from occurring
D. All of the above
Answer: A
What is the benefit of assigning a team leader in incident response?
A. It ensures that the incident response team is organized and efficient
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
What is the purpose of assigning technical staff in incident response?
A. To ensure that technical expertise is available to the incident response team
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What are traditional investigative steps in incident response?
A. Collecting and analyzing evidence
B. Interviewing witnesses
C. Documenting findings
D. All of the above
Answer: D
What is the benefit of collecting and analyzing evidence in incident response?
A. It helps determine the cause of the incident
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
What is the purpose of interviewing witnesses in incident response?
A. To gather information about the incident
B. To improve system performance
C. To prevent incidents from occurring
D. None of the above
Answer: A
What is the purpose of documenting findings in incident response?
A. To create a record of the incident and the response to it
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the benefit of using a network topology conducive to monitoring?
A. It makes it easier to monitor network traffic
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
What is the purpose of creating a network topology map?
A. To document the layout of the network
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the purpose of creating a network architecture map?
A. To document the systems and services that make up the network
B. To improve system performance
C. To prevent incidents from occurring
D. None of the above
Answer: A
What is the benefit of supporting network monitoring in incident response?
A. It makes it easier to detect and respond to incidents
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
What is the benefit of encrypting network traffic in incident response?
A. It helps prevent unauthorized access to sensitive data
B. It improves system performance
C. It prevents incidents from occurring
D. All of the above
Answer: A
What is the purpose of determining your response stance in incident response?
A. To determine how the incident response team should respond to the incident
B. To improve system performance
C. To prevent incidents from occurring
D. All of the above
Answer: A
What is the benefit of blending corporate and law enforcement objectives in incident response policies?
A. It facilitates communication between the two groups
B. It improves system performance
C. It prevents incidents from occurring
D. None of the above
Answer: A
Which of the following is not an appropriate response to an incident?
a) Denying that an incident has occurred
b) Mitigating the impact of an incident
c) Documenting the incident
d) Responding aggressively to the incident
Answer: a) Denying that an incident has occurred
Which of the following is not an objective of the incident response team?
a) Restoring operations to normal levels as quickly as possible
b) Investigating the incident to determine its cause
c) Identifying any weaknesses or vulnerabilities that may have contributed to the incident
d) Assigning blame for the incident
Answer: d) Assigning blame for the incident
Which of the following is not an appropriate action to take after an incident?
a) Conducting a debrief to identify what went well and what could be improved
b) Updating incident response procedures based on lessons learned
c) Documenting the incident response process for future reference
d) Continuing to operate as usual without making any changes
Answer: d) Continuing to operate as usual without making any changes
What is the first step in responding to an incident?
a) Identifying the scope of the incident
b) Assessing the impact of the incident
c) Containing the incident
d) Documenting the incident
Answer: a) Identifying the scope of the incident
What is the goal of the containment phase of incident response?
a) To prevent the incident from spreading
b) To identify the cause of the incident
c) To restore operations to normal levels
d) To document the incident for future reference
Answer: a) To prevent the incident from spreading
Which of the following is not an appropriate tool for containing an incident?
a) Disconnecting affected systems from the network
b) Shutting down affected systems
c) Running antivirus software to remove malware
d) Ignoring the incident and hoping it goes away
Answer: d) Ignoring the incident and hoping it goes away
What is the goal of the eradication phase of incident response?
a) To prevent the incident from spreading
b) To identify the cause of the incident
c) To restore operations to normal levels
d) To remove all traces of the incident from the affected systems
Answer: d) To remove all traces of the incident from the affected systems
Which of the following is not an appropriate tool for eradicating an incident?
a) Restoring affected systems from a known good backup
b) Running antivirus software to remove malware
c) Reformatting affected systems
d) Ignoring the incident and hoping it goes away
Answer: d) Ignoring the incident and hoping it goes away
What is the goal of the recovery phase of incident response?
a) To prevent the incident from spreading
b) To identify the cause of the incident
c) To restore operations to normal levels
d) To remove all traces of the incident from the affected systems
Answer: c) To restore operations to normal levels
Which of the following is not an appropriate tool for recovering from an incident?
a) Restoring affected systems from a known good backup
b) Reformatting affected systems
c) Running antivirus software to remove malware
d) Ignoring the incident and hoping it goes away
Answer: d) Ignoring the incident and hoping it goes away
What is the goal of the post-incident review phase of incident response?
a) To prevent the incident from spreading
b) To identify the cause of the incident
c) To restore operations to normal levels
d) To document the incident and learn from it
Answer: d) To document the incident and learn from it
What are the key components of an incident response plan?
a) Identifying the incident, preparing a response, containing the incident, analyzing the incident, eradicating the incident, recovering from the incident, and post-incident activities.
b) Identifying the incident, analyzing the incident, eradicating the incident, recovering from the incident, and post-incident activities.
c) Identifying the incident, preparing a response, containing the incident, analyzing the incident, and post-incident activities.
d) Identifying the incident, preparing a response, analyzing the incident, eradicating the incident, recovering from the incident, and post-incident activities.
Answer: d) Identifying the incident, preparing a response, analyzing the incident, eradicating the incident, recovering from the incident, and post-incident activities.
What is the purpose of a cyber insurance policy?
a) To protect against malicious insiders
b) To prevent data breaches
c) To provide coverage for losses or damages resulting from cyberattacks
d) To ensure compliance with cybersecurity regulations
Answer: c) To provide coverage for losses or damages resulting from cyberattacks
What is the difference between a vulnerability and an exploit?
a) A vulnerability is a flaw in a system that can be exploited, whereas an exploit is a type of malware.
b) A vulnerability is a type of malware, whereas an exploit is a flaw in a system that can be exploited.
c) A vulnerability is a weakness or flaw in a system, whereas an exploit is a technique or tool that takes advantage of that weakness or flaw.
d) A vulnerability is a technique or tool that takes advantage of a system's weakness, whereas an exploit is a type of malware.
Answer: c) A vulnerability is a weakness or flaw in a system, whereas an exploit is a technique or tool that takes advantage of that weakness or flaw.
What is the purpose of conducting a post-incident review?
a) To assign blame for the incident
b) To identify weaknesses in the incident response plan
c) To determine if the incident was a false positive
d) To identify new attack vectors
Answer: b) To identify weaknesses in the incident response plan
What is the difference between a virus and a worm?
a) A virus is a self-replicating program that requires a host file to infect, whereas a worm is a self-replicating program that can spread on its own.
b) A virus is a type of malware that spreads through email, whereas a worm spreads through the internet.
c) A virus is a type of malware that steals data, whereas a worm causes damage to the system.
d) A virus and a worm are the same thing.
Answer: a) A virus is a self-replicating program that requires a host file to infect, whereas a worm is a self-replicating program that can spread on its own.
What is the best way to secure a wireless network?
a) Use WEP encryption
b) Use a strong password
c) Use MAC filtering
d) Use WPA2 encryption and a strong password
Answer: d) Use WPA2 encryption and a strong password
What is the purpose of a honeypot?
a) To capture and analyze network traffic
b) To lure attackers away from valuable systems
c) To generate false alarms to test the incident response team
d) To provide an additional layer of security
Answer: b) To lure attackers away from valuable systems
Which of the following is an example of a physical security control?
a) Encryption
b) Firewalls
c) Biometric authentication
d) Security cameras
Answer: d) Security cameras
What is the goal of the incident response process?
a) To prevent future incidents from occurring
b) To detect and respond to security incidents in a timely manner
c) To minimize the impact of security incidents on the organization
d) All of the above
Answer: d) All of the above
Which of the following is a key component of pre-incident preparation?
a) Identifying risks
b) Establishing an incident response team
c) Educating users about host-based security
d) All of the above
Answer: d) All of the above
Which cryptographic algorithm is commonly used to create checksums of critical files?
a) SHA-1
b) SHA-256
c) MD5
d) AES
Answer: c) MD5
Which of the following is a benefit of using a network topology conducive to monitoring?
a) It allows for easier identification of security incidents
b) It reduces the likelihood of security incidents occurring
c) It increases network speed and efficiency
d) It improves network reliability
Answer: a) It allows for easier identification of security incidents
What is the purpose of determining your response stance?
a) To determine who will be on the incident response team
b) To determine which policies and procedures to follow
c) To determine how to respond to a security incident
d) All of the above
Answer: c) To determine how to respond to a security incident
Which of the following is a key component of establishing an incident response team?
a) Training the team
b) Developing acceptable use policies
c) Creating network topology maps
d) Encrypting network traffic
Answer: a) Training the team
What is the purpose of an incident notification procedure?
a) To detect and respond to security incidents
b) To notify the incident response team of a security incident
c) To determine the scope of a security incident
d) To document the steps taken during a security incident
Answer: b) To notify the incident response team of a security incident
Which of the following is a traditional investigative step in incident response?
a) Scoping the incident
b) Assembling the CSIRT
c) Analyzing network traffic
d) Setting up remote logging
Answer: c) Analyzing network traffic
What is the purpose of scoping an incident?
a) To determine the cause of the incident
b) To determine the impact of the incident
c) To determine the extent of the incident
d) To determine the response to the incident
Answer: c) To determine the extent of the incident
What is the purpose of assembling the CSIRT?
a) To determine the cause of the incident
b) To determine the impact of the incident
c) To determine the extent of the incident
d) To respond to the incident
Answer: d) To respond to the incident
Which of the following is a key component of responding to a security incident?
a) Scoping the incident
b) Analyzing network traffic
c) Documenting the steps taken
d) All of the above
Answer: d) All of the above
What is the purpose of analyzing network traffic during incident response?
a) To determine the cause of the incident
b) To determine the extent of the incident
c) To determine the impact of the incident
d) To respond to the incident
Answer: b) To determine the extent of the incident