
SEC 210 – Intrusion Detection – 2016FA FTCC

Full Book
https://www.dropbox.com/s/5toa4ljjcyjkvlj/Principles_Of_Incident_Response_Disaster_Recovery_2nd_Ed.pdf?dl=0
A recommended practice for the implementation of the physical IR plan is to select a ____ binder.
red
____ is the process of systematically examining information assets for evidentiary material that can provide insight into how an incident transpired.
Forensics analysis
One of the primary responsibilities of the IRP team is to ensure that the ____ is prepared to respond to each incident it may face.
CSIRT
Should an incident begin to escalate, the CSIRT team leader continues to add resources and skill sets as necessary to attempt to contain and terminate the incident. The resulting team is called the ____ for this particular incident.
reaction force
A ____ is commonly a single device or server that attaches to a network and uses TCP/IP-based protocols and communications methods to provide an online storage environment.
network-attached storage
Incident analysis resources include network diagrams and lists of ____, such as database servers.
critical assets
The ____ of an organization defines the roles and responsibilities for incident response for the CSIRT and others who will be mobilized in the activation of the plan.
IR policy
When using virtualization, it is commonplace to use the term ____ to refer to a virtualized environment operating in or on a host platform.
virtual machine
____ uses a number of hard drives to store information across multiple drive units.
RAID
The U.S. National Institute of Standards and Technology recommends a set of tools for the CSIRT including incident reporting mechanisms with which users can report suspected incidents. At least one of these mechanisms should permit people to report incidents ____.
anonymously
A ____ is an agency that provides physical facilities in the event of a disaster for a fee.
service bureau
A(n) ____ is an agreement in which the client agrees not to use the vendor’s services to compete directly with the vendor, and for the client not to use vendor information to gain a better deal with another vendor.
covenant not to compete
Considered to be the traditional “lock and copy” approach to database backup, _____ require the database to be inaccessible while a backup is created to a local drive.
legacy backup applications
The training delivery method with the lowest cost to the organization is ____.
self-study (noncomputerized)
RAID 0 creates one logical volume across several available hard disk drives and stores the data using ____, in which data segments are written in turn to each disk drive in the array.
disk striping
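Added example, not from the textbook or the course: a Python model of RAID 0 striping as the card above describes it, with data segments handed to each drive in turn. The 4-byte stripe unit and the three-drive array are arbitrary choices for illustration. It also shows why RAID 0 gives capacity and speed but no redundancy: losing one drive corrupts the whole volume.

```python
"""RAID 0 (disk striping) modelled in Python: segments go to drives in turn.
Added illustration; the stripe unit and drive count are arbitrary choices."""

def stripe(data, n_drives, unit=4):
    """RAID 0 write: cut data into `unit`-byte segments and hand them to
    drive 0, drive 1, ..., drive n-1, drive 0, ... in order."""
    drives = [bytearray() for _ in range(n_drives)]
    for seg_no, start in enumerate(range(0, len(data), unit)):
        drives[seg_no % n_drives] += data[start:start + unit]
    return drives

def unstripe(drives, unit=4):
    """RAID 0 read: walk the drives round-robin, pulling one segment from each,
    until the drive that should hold the next segment has nothing left."""
    n = len(drives)
    out = bytearray()
    seg_no = 0
    while True:
        drive = drives[seg_no % n]
        offset = (seg_no // n) * unit
        if offset >= len(drive):
            break
        out += drive[offset:offset + unit]
        seg_no += 1
    return bytes(out)

def fail_drive(drives, index):
    """Simulate losing one drive: its contents are replaced by zero bytes of the
    same length. The array still 'reads', but the reassembled data is garbage."""
    replaced = [bytearray(d) for d in drives]
    replaced[index] = bytearray(len(drives[index]))
    return replaced

if __name__ == "__main__":
    payload = b"The quick brown fox jumps over the lazy dog"  # constructed sample data
    array = stripe(payload, n_drives=3)
    print([bytes(d) for d in array])
    print(unstripe(array))
    print(unstripe(fail_drive(array, 1)))
```

With three drives and a 4-byte unit, segment k always lands on drive k mod 3, which is exactly the round-robin write order the card describes; a backup strategy that relies on RAID 0 alone is therefore not a backup at all.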
There are several national training programs that focus on incident response tools and techniques.
True
A recommended practice for implementation of a physical IR plan document is to attach copies of relevant documents such as service agreements for the ISP, telephone, water, gas, etc.
True
Both data backups and archives should be based on a(n) ____ schedule that guides the frequency of replacement and the duration of storage.
retention
The ____ Department of an organization needs to review the procedures of the CSIRT and understand the steps the CSIRT will perform to ensure it is within legal and ethical guidelines for the municipal, state, and federal jurisdictions.
Legal
A potential disadvantage of a ____ site-resumption strategy is that more than one organization might need the facility simultaneously.
time-share
A resumption location known as a ____ is a fully configured computer facility capable of establishing operations at a moment’s notice.
hot site
E-mail spoofing attacks require an immediate response, typically no more than 30 minutes to one hour.
False
A(n) ____ covers the confidentiality of information from everyone unless disclosure is mandated by the courts.
nondisclosure agreement
A(n) ____ is a detailed examination of the events that occurred, from first detection of an incident to final recovery.
after-action review
A(n) ____ is a CSIRT team member, other than the team leader, who is currently performing the responsibilities of the team leader in scanning the organization’s information infrastructure for signs of an incident.
IR duty officer
Database shadowing techniques are generally used in organizations that do not need immediate data recovery after an incident or disaster.
False
RAID is an acronym for Redundant Array of Incident-Recovery Drives.
False
A recommended practice for the implementation of the physical IR plan document is to organize the contents so that the first page contains the ____ actions.
“during attack”
General users require training on the technical details of how to do their jobs securely, including good security practices, ____ management, specialized access controls, and violation reporting.
password
A(n) ____ is an extension of an organization’s intranet into cloud computing.
private cloud
A ____ is a contractual document guaranteeing certain minimal levels of service provided by a vendor.
service agreement
The Southeast Collegiate Cyber Defense Competition is unique in that it focuses on the operational aspect of managing and protecting an existing network infrastructure. Unlike “capture-the-flag” exercises, this competition is exclusively a real-world ____ competition.
defensive
One real-time protection and data backup strategy is the use of mirroring.
True
Some data is required by law to be retained and stored for years.
True
A(n) ____ is often included in legal documents to ensure that a vendor is not liable for actions taken by a client.
statement of indemnification
A favorite pastime of information security professionals is ____, which is a simulation of attack and defense activities using realistic networks and information systems.
war gaming
In contingency planning, an adverse event that threatens the security of an organization’s information is called a(n) ____.
incident
Some recovery strategies seek to improve the ____ of a server or system in addition to, or instead of, performing backups of data.
robustness
Advances in cloud computing have opened a new field in application redundancy and backup. Because organizations that lease ____ are in effect using a preconfigured set of applications on someone else’s systems, it is reasonable to ask that the service agreement include contingencies for recovery.
SaaS
In computer-based training settings, trainees receive a seminar presentation at their computers.
False
____ are used for recovery from disasters that threaten on-site backups.
Data archives
Regardless of which IR model an organization chooses, multiple employees should be in charge of incident response.
False
As soon as the CSIRT is able to determine what exactly is happening, it is expected to report its preliminary finding to management.
True
The focus during a(n) ____ is on learning what worked, what didn’t, and where communications and response procedures may have failed.
after-action review
The ____ flow of information needed from the CSIRT to organizational and IT/InfoSec management is a critical communication requirement.
upward
One of the first signals that an organization is making progress in the development of its IR program, specifically in the development of its CSIRT, is a dramatic drop in the number of identified incidents.
False
The determination of what systems fall under the CSIRT’s responsibility is called its ____.
scope of operations
One way to build and maintain staff skills is to develop incident-handling ____ and have the team members discuss how they would handle them.
scenarios
The CSIRT is also known as the IR Reaction Team.
True
The CSIRT should be available for contact by anyone who discovers or suspects that an incident involving the organization has occurred. Some organizations prefer that employees contact a ____, which then makes the determination as to whether to contact the CSIRT or not.
help desk
The involvement of the CSIRT in incident response typically starts with prevention.
False
A CSIRT model that is effective for large organizations and for organizations with major computing resources at distant locations is the ____.
distributed CSIRT
The announcement of an operational CSIRT should minimally include ____.
contact methods and numbers
The organization must first understand what skills are needed to effectively respond to an incident. If necessary, management must determine if it is willing to acquire needed ____ to fill in the gaps.
personnel
The first step in building a CSIRT is to ____.
obtain management support and buy-in
A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.
precursor
When an organization completely outsources its IR work, typically to an on-site contractor, it is called a(n) ____ model.
fully outsourced
The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.
incident candidates
A(n) ____ is any system resource that is placed onto a functional system but has no normal use for that system. If it attracts attention, it is from unauthorized access and will trigger a notification or response.
honeytoken
Giving the IR team the responsibility for ____ is generally not recommended.
patch management
A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.
site policy
The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.
Snort
In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers’ answers to routine DNS queries from other systems on that network.
DNS cache poisoning
A(n) ____ , a type of IDPS that is similar to the NIDPS, reviews the log files generated by servers, network devices, and even other IDPSs.
log file monitor
If an intruder can ____ a device, then no electronic protection can deter the loss of information.
physically access
A CSIRT model in which a single CSIRT handles incidents throughout the organization is called a(n) ____.
central CSIRT
According to the NIST definition of an event as “any observable occurrence in a system or network,” all events are computer or network oriented.
False
The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.
monitoring port
New systems can respond to an incident threat autonomously, based on preconfigured options that go beyond simple defensive actions usually associated with IDPS and IPS systems. These systems, referred to as ____, use a combination of resources to detect an intrusion and then to trace the intrusion back to its source.
trap and trace
Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.
false positives
Those services undertaken to prepare the organization or the CSIRT constituents to protect and secure systems in anticipation of problems, attacks, or other events are called ____.
proactive services
Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.
True
The CSIRT must have a clear and concise ____ statement that, in a few sentences, unambiguously articulates what it will do.
mission
The ____ is a federal law that creates a general prohibition on the real-time monitoring of traffic data relating to communications.
Pen/Trap Statute
The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.
False
____ are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines on a network; they can provide early warning about new attack and exploitation trends; and they can allow in-depth examination of adversaries during and after exploitation.
Honeypots
Those services performed in response to a request or a defined event such as a help desk alert are called ____.
reactive services
The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.
anomaly-based IDPS
To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.
True
The first group to communicate the CSIRT’s vision and operational plan is the managerial team or individual serving as the ____.
champion
____ is a valuable resource for additional information on building and staffing CSIRTs.
NIST
The task of monitoring file systems for unauthorized change is best performed by using a(n) ____.
HIDPS
The champion for the CSIRT may be the same person as the champion for the entire IR function—typically, the ____.
chief information officer
Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.
signature matching
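The two detection approaches on this page, signature matching (this card) and the frequency-based anomaly approach (the “anomaly-based IDPS” card above), as one added Python example that is not from the textbook or the course. The log lines, the two signatures and the 10-requests-per-minute threshold are all constructed for illustration.

```python
"""Signature matching and frequency-based anomaly detection over constructed web-server
log lines. Added illustration; the lines, signatures and threshold are not from the course."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a Common Log Format-like layout; not from any real server.
NORMAL_LINES = [
    '10.0.0.5 - - [12/Oct/2016:10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - [12/Oct/2016:10:00:03] "GET /about.html HTTP/1.1" 200',
    '10.0.0.7 - - [12/Oct/2016:10:00:04] "GET /products HTTP/1.1" 200',
    '10.0.0.9 - - [12/Oct/2016:10:00:05] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 404',
    '10.0.0.7 - - [12/Oct/2016:10:00:06] "GET /contact HTTP/1.1" 200',
    '10.0.0.9 - - [12/Oct/2016:10:00:07] "GET /login.php?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200',
]
# One source firing 20 requests in 20 seconds: a constructed scan burst.
SCAN_LINES = [
    '10.0.0.23 - - [12/Oct/2016:10:00:%02d] "GET /p%d.php HTTP/1.1" 404' % (10 + i, i)
    for i in range(20)
]
SAMPLE_LOG = NORMAL_LINES + SCAN_LINES

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)
EPOCH = datetime(1970, 1, 1)

def parse(line):
    """Split one log line into its fields; return None for lines the parser cannot read."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S")
    return rec

# Signature knowledge base: name -> pattern over the request line. These two rules are
# illustrative; a production rule set such as Snort's contains thousands.
SIGNATURES = {
    "directory-traversal": re.compile(r"(\.\./){2,}|(%2e%2e%2f){2,}", re.I),
    "sql-injection-tautology": re.compile(
        r"(%27|')(%20|\s)*or(%20|\s)+(%27|')?1(%27|')?(%20|\s)*=", re.I),
}

def signature_scan(lines):
    """Signature matching: compare each request against every known pattern.
    Returns (source, signature name, request) for each hit."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["req"]):
                hits.append((rec["src"], name, rec["req"]))
    return hits

def anomaly_scan(lines, window_seconds=60, max_requests=10):
    """Frequency-based anomaly detection: count requests per source in fixed time
    windows and flag any source that exceeds max_requests in one window. The
    threshold stands in for a baseline learned from normal traffic."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        bucket = int((rec["ts"] - EPOCH).total_seconds()) // window_seconds
        counts[(rec["src"], bucket)] += 1
    return sorted({src for (src, _), n in counts.items() if n > max_requests})

if __name__ == "__main__":
    for src, name, req in signature_scan(SAMPLE_LOG):
        print("SIGNATURE", name, "from", src, ":", req)
    for src in anomaly_scan(SAMPLE_LOG):
        print("ANOMALY high request rate from", src)
```

`signature_scan` catches the two known-bad requests from 10.0.0.9 but says nothing about 10.0.0.23, whose individual requests look ordinary; `anomaly_scan` flags 10.0.0.23 purely on rate and would miss a single carefully crafted request. That gap is why the two approaches are deployed together, and why the anomaly threshold must be tuned against the site's own baseline or it becomes a source of the false positives the “noise” card warns about.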
Information assets have ____ when authorized users – persons or computer systems – are able to access them in the specified format without interference or obstruction.
availability
A ____ attack seeks to deny legitimate users access to services by either tying up a server’s available resources or causing it to shut down.
DoS
A ____ deals with the preparation for and recovery from a disaster, whether natural or man-made.
disaster recovery plan
A(n) ____ is an object, person, or other entity that is a potential risk of loss to an asset.
threat
____ is the risk control approach that attempts to reduce the impact caused by the exploitation of vulnerability through planning and preparation.
Mitigation
____ hack systems to conduct terrorist activities through network or Internet pathways.
Cyberterrorists
____ assigns a risk rating or score to each information asset. Although this number does not mean anything in absolute terms, it is useful in gauging the relative risk to each vulnerable information asset and facilitates the development of comparative ratings later in the risk control process.
Risk assessment
Information assets have ____ when they are not exposed (while being stored, processed, or transmitted) to corruption, damage, destruction, or other disruption of their authentic states.
integrity
____ of risk is the choice to do nothing to protect an information asset and to accept the outcome of its potential exploitation.
Acceptance
A ____ is a document that describes how, in the event of a disaster, critical business functions continue at an alternate location while the organization recovers its ability to function at the primary site.
business continuity plan
____ is the process of moving an organization toward its vision.
Strategic planning
A(n) ____ is any clearly identified attack on the organization’s information assets that would threaten the assets’ confidentiality, integrity, or availability.
incident
____ is the process of examining, documenting, and assessing the security posture of an organization’s information technology and the risks it faces.
Risk identification
The vision of an organization is a written statement of an organization’s purpose.
False
____ ensures that only those with the rights and privileges to access information are able to do so.
Confidentiality
The ____ is an investigation and assessment of the impact that various events or incidents can have on the organization.
business impact analysis
Intellectual property (IP) includes trade secrets, copyrights, trademarks, and patents.
True
A manual alternative to the normal way of accomplishing an IT task might be employed in the event that IT is unavailable. This is called a ____.
work-around procedure
The ____ is the point in time to which systems and data must be recovered after an outage as determined by the business unit.
recovery point objective
An enterprise information security policy (EISP) addresses specific areas of technology and contains a statement on the organization’s position on each specific area.
False
To a large extent, incident response capabilities are part of a normal IT budget. The only area in which additional budgeting is absolutely required for incident response is the maintenance of ____.
redundant equipment
The recovery time objective (RTO) downtime metric is defined as the point in time to which lost systems and data can be recovered after an outage as determined by the business unit.
False
The ____ job functions and organizational roles focus on costs of system creation and operation, ease of use for system users, timeliness of system creation, and transaction response time.
information technology management and professionals
____ (sometimes referred to as avoidance) is the risk control strategy that attempts to prevent the exploitation of a vulnerability.
Defense
An asset can be logical, such as a Web site, information, or data; or an asset can be physical, such as a person, computer system, or other tangible object.
True
A weighted analysis table can be useful in resolving the issue of which business function is the most critical to the organization.
True
One modeling technique drawn from systems analysis and design that can provide an excellent way to illustrate how a business functions is a(n) ____.
collaboration diagram
The elements required to begin the ____ process are a planning methodology; a policy environment to enable the planning process; an understanding of the causes and effects of core precursor activities, and access to financial and other resources.
contingency planning
A(n) ____ is used to anticipate, react to, and recover from events that threaten the security of information and information assets in an organization; it is also used to restore the organization to normal modes of business operations.
contingency plan
A(n) ____ is a plan or course of action used by an organization to convey instructions from its senior management to those who make decisions, take actions, and perform other duties on behalf of the organization.
policy
The ____ job functions and organizational roles focus on protecting the organization’s information systems and stored information from attacks.
information security management and professionals
Effective contingency planning begins with effective policy.
True
A(n) ____ is an investigation and assessment of the impact that various attacks can have on the organization.
business impact analysis (BIA)
The ____ is the period of time within which systems, applications, or functions must be recovered after an outage.
recovery time objective
The ____ illustrates the most critical characteristics of information and has been the industry standard for computer security since the development of the mainframe.
C.I.A. triangle
Team leaders from the subordinate teams, including the IR, DR, and BC teams, should not be included in the CPMT.
False
The ____ is used to collect information directly from the end users and business managers.
facilitated data-gathering session
What is a common approach used in the discipline of systems analysis and design to understand the ways systems operate and to chart process flows and interdependency studies?
systems diagramming
The last stage of a business impact analysis is prioritizing the resources associated with the ____, which brings a better understanding of what must be recovered first.
mission/business processes
A CPMT should include _____ who can oversee the security planning of the project and provide information on threats, vulnerabilities, and recovery requirements needed in the planning process.
information security managers
In a CPMT, a(n) ____ leads the project to make sure a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed.
project manager
In a CPMT, a(n) ____ should be a high-level manager with influence and resources that can be used to support the project team, promote the objectives of the CP project, and endorse the results that come from the combined effort.
champion
The purpose of the ____ is to define the scope of the CP operations and establish managerial intent with regard to timetables for response to incidents, recovery from disasters, and reestablishment of operations for continuity.
contingency planning policy
____ is a risk control approach that attempts to shift the risk to other assets, other processes, or other organizations.
Transference
The final component to the CPMT planning process is to deal with ____.
budgeting for contingency operations
Which of the following collects and provides reports on failed login attempts, probes, scans, denial-of-service attacks, and detected malware?
system logs
The IR plan is usually ____ when an incident causes minimal damage with little or no disruption to business operations.
activated
A key step in the ____ approach to incident response is to discover the identity of the intruder while documenting his or her activity.
apprehend and prosecute
The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.
noise
The committees of the CPMT follow a set of general stages to develop their subordinate plans. In the case of incident planning, the first stage is to ____.
form the IR planning committee
The U.S. National Institute of Standards and Technology defines the incident response life cycle as having four main processes: 1) preparation; 2) detection and analysis; 3) containment, eradication, and recovery; and 4) ____.
post-incident activity
Companies may want to consider budgeting for contributions to employee loss expenses (such as funerals) as well as for counseling services for employees and loved ones as part of ____.
crisis management budgeting
In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.
IR plan
A Disaster Recovery Plan (DR plan) deals with identifying, classifying, responding to, and recovering from an incident.
False
For recovery from an incident (as opposed to a disaster), archives are used as the most common solution.
False
A business impact analysis (BIA) identifies threats, vulnerabilities, and potential attacks to determine what controls can protect the information.
False
According to the 2010/2011 Computer Crime and Security Survey, ____ is “the most commonly seen attack, with 67.1 percent of respondents reporting it.”
malware infection
Known as ____, procedures for regaining control of systems and restoring operations to normalcy are the heart of the IR plan and the CSIRT’s operations.
IR reaction strategies
Automated IR systems to facilitate IR documentation are available through a number of vendors.
True
Many practitioners feel that a system, once compromised, can never be restored to a trusted state.
True
When an alert warns of new malicious code that targets software used by an organization, the first response should be to research the new virus to determine whether it is ____.
real
The number-one inappropriate use (IU) preparation-and-prevention strategy is ____.
organizational policy
Clifford Stoll’s book, ____, provides an excellent story about a real-world incident that turned into an international tale of espionage and intrigue.
The Cuckoo’s Egg
The CSIRT may not wish to “tip off” attackers that they have been detected, especially if the organization is following a(n) ____ approach.
apprehend and prosecute
Essentially a DoS attack, a ____ is a message aimed at causing organizational users to waste time reacting to a nonexistent malware threat.
malware hoax
If a user receives a message whose tone and terminology seems intended to invoke a panic or sense of urgency, it may be a(n) ____.
hoax
____ is a common indicator of a DoS attack.
User reports of system unavailability
According to NIST, which of the following is an example of a UA attack?
Modifying Web-based content without permission
A ____ is a small quantity of data kept by a Web site as a means of recording that a system has visited that Web site.
cookie
A ____ attack is much more substantial than a DoS attack because of the use of multiple systems to simultaneously attack a single target.
distributed denial-of-service
Because it is possible for investigators to confuse the suspect and destination disks when performing imaging, and to preclude any grounds for challenging the image output, it is common practice to protect the suspect media using a ____.
write blocker
The laws governing search and seizure in the public sector are much more straightforward than those in the private sector.
False
A continuously changing process presents challenges in acquisition, as there is not a fixed state that can be collected, hashed, and so forth. This has given rise to the concept of ____ forensics which captures a point-in-time picture of a process.
snapshot
Ignorance of policy is a legal excuse for an employee.
True
A forensics team typically uses two methods to document a scene as it exists at the time of arrival: photography and ____.
field notes
The forensic tool ____ does extensive pre-processing of evidence items that recovers deleted files and extracts e-mail messages.
Forensic Toolkit (FTK)
A search is constitutional if it does not violate a person’s reasonable or legitimate____.
expectation of privacy
The legal decision that establishes the start point for “warrantless” workplace searches is the Supreme Court’s complex ruling in ____.
O’Connor v. Ortega
Many private sector organizations require a formal statement, called a(n) ____, which provides search authorization and furnishes much of the same information usually found in a public sector search warrant.
affidavit
____ is the determination of the initial flaw or vulnerability that allowed an incident to occur.
Root cause analysis
The ____ handles computer crimes that are categorized as felonies.
FBI
Forensic investigators use ____ copying when making a forensic image of a device, which reads a sector (or block; 512 bytes on most devices) from the source drive and writes it to the target drive; this process continues until all sectors on the suspect drive have been copied.
bitstream
Within the private sector, the Supreme Court stated, “Every warrantless workplace search must be evaluated carefully on its facts. In general, however, law enforcement officers can conduct a warrantless search of private (i.e., nongovernment) workplaces only if the officers obtain the consent of either the employer or another employee with common authority over the area searched.”
True
____ is defined as the search for, collection, and review of items stored in electronic (or, more precisely, digital) format that are of potential evidentiary value based on criteria specified by a legal team.
eDiscovery
The stability of information over time is called its ____.
volatility
In evidence handling, specifically designed ____ are helpful because they are very difficult to remove without breaking.
evidence seals
When an incident includes a breach of physical security, all aspects of physical security should be escalated under a containment strategy known as ____.
lockdown
A(n) ____ attack is a method of combining attacks with rootkits and back doors.
hybrid
____ is used both for intrusion analysis and as part of evidence collection and analysis.
Forensics
In general, a law enforcement organization can become the target of a retaliatory lawsuit for damages arising from an investigation that proves to be groundless.
False
To analyze evidence, the original is obtained from storage, a copy of the evidence is made for analysis, and the original is returned to storage, because it is crucial that the analysis never takes place on the original evidence.
True
One way to identify a particular digital item (collection of bits) is by means of a(n) ____.
cryptographic hash
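Bitstream copying (the imaging card above) and the cryptographic-hash identification on this card, as one added Python example that is not from the textbook or the course. The “suspect drive” is a constructed in-memory byte buffer, and the 512-byte sector size and SHA-256 are the assumed choices.

```python
"""Sector-by-sector (bitstream) imaging of a suspect device plus hash verification.
Added illustration; the 'device' is a constructed in-memory buffer, not real media."""
import hashlib
import io

SECTOR = 512  # assumed sector size; most devices use 512 bytes, some use 4096

def make_suspect_device(n_sectors=8):
    """Constructed stand-in for a suspect drive: labelled sectors of filler plus a
    'deleted file' remnant in unallocated space that a file-level copy would miss."""
    buf = bytearray()
    for i in range(n_sectors):
        buf += (b"SECTOR%02d " % i).ljust(SECTOR, b"\x00")
    start = 5 * SECTOR + 100
    buf[start:start + 40] = b"remnant: secret notes (deleted)".ljust(40, b"\x00")
    return io.BytesIO(bytes(buf))

def bitstream_copy(src, dst, sector_size=SECTOR):
    """Read one sector from src and write it to dst, in order, until src is exhausted.
    Returns the number of sectors copied. Nothing is interpreted: file systems,
    slack space and unallocated sectors are all carried across verbatim."""
    src.seek(0)
    dst.seek(0)
    copied = 0
    while True:
        block = src.read(sector_size)
        if not block:
            break
        dst.write(block)
        copied += 1
    dst.flush()
    return copied

def sha256_of(stream, sector_size=SECTOR):
    """SHA-256 over the whole stream, read in sector-sized chunks."""
    stream.seek(0)
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(sector_size), b""):
        digest.update(block)
    return digest.hexdigest()

def image_device(src):
    """Image src into a new buffer and return (image, sectors, source hash, image hash).
    Matching hashes show the image is bit-for-bit identical to the source."""
    image = io.BytesIO()
    sectors = bitstream_copy(src, image)
    return image, sectors, sha256_of(src), sha256_of(image)

def verify_image(image, expected_hash):
    """Re-hash an image later (e.g. before each analysis session) and compare it
    with the hash recorded at acquisition; any changed bit changes the digest."""
    return sha256_of(image) == expected_hash

if __name__ == "__main__":
    device = make_suspect_device()
    image, sectors, src_hash, img_hash = image_device(device)
    print(sectors, "sectors copied")
    print("source", src_hash)
    print("image ", img_hash, "match" if src_hash == img_hash else "MISMATCH")
    print("remnant recovered:", b"remnant:" in image.getvalue())
```

In the field the source hash is recorded in the chain-of-custody notes at acquisition time and the suspect media sits behind a write blocker, so `make_suspect_device()` only stands in for a read-only source; analysis then runs on a further copy of the image, with `verify_image` re-run against the recorded hash whenever the copy is made or the image is retrieved from storage.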
The ____ is a detailed examination of the events that occurred, from first detection to final recovery.
after-action review
Most digital forensic teams have a prepacked field kit, also known as a(n) ____.
jump bag
Many malware attacks are ____ attacks, which involve more than one type of malware and/or more than one type of transmission method.
blended
In a “block” containment strategy, in which the attacker’s path into the environment is disrupted, you should use the most precise strategy possible, starting with ____.
blocking a specific IP address
There are a number of professional IR agencies, such as ____, that can provide additional resources to help prevent and detect DoS incidents.
US-CERT
Grounds for challenging the results of a digital investigation can come from possible ____—that is, alleging that the relevant evidence came from somewhere else or was somehow tainted in the collection process.
contamination
Once a compromised system is disconnected, it is safe from further damage.
False
____ incidents are predominantly characterized as a violation of policy rather than an effort to abuse existing systems.
Inappropriate use
The functional part of forensics called ____ is about assessing the “scene,” identifying the sources of relevant digital information, and preserving it for later analysis using sound processes.
first response
Which of the following is the most suitable as a response strategy for malware outbreaks?
Blocking known attackers
____ may be caused by earthquakes, floods, storm winds, tornadoes, or mud flows.
Rapid onset disasters
____ are those that occur suddenly, with little warning, taking the lives of people and destroying the means of production.
Rapid onset disasters
Deciding which technical contingency strategies are selected, developed, and implemented is most often based on the type of ____ being used.
information system
____ are highly probable when infected machines are brought back online or when other infected computers that may have been offline at the time of the attack are brought back up.
Follow-on incidents
In disaster recovery, the ____ is the point at which a management decision to react is made in reaction to a notice or other datum such as a weather report or an activity report from IT indicating the escalation of an incident.
trigger
Once the incident has been contained, and all signs of the incident removed, the ____ phase begins.
actions after
The part of a disaster recovery policy that identifies the organizational units and groups of employees to which the policy applies is called the ____ section.
scope
A ____ is a collection of nodes in which the segments are geographically dispersed and the physical link is often a data communications channel provided by a public carrier.
WAN
The purpose of the disaster recovery program is to provide for the direction and guidance of all disaster recovery operations.
True
A(n) ____ may escalate into a disaster when it grows in scope and intensity.
incident
Over 90 percent of organizations that experienced disruption at a data center lasting 10 days or longer were forced into bankruptcy within one year.
True
In disaster recovery, most triggers occur in response to one or another natural event.
True
A DR plan addendum should include the trigger, the ____ method, and the response time associated with each disaster situation.
notification
____ disasters include acts of terrorism and acts of war.
Man-made
____ occur over time and slowly deteriorate the organization’s capacity to withstand their effects.
Slow onset disasters
The ____ team is responsible for recovering and reestablishing operations of critical business applications.
applications recovery
The ____ involves providing copies of the DR plan to all teams and team members for review.
DR plan desk check
The ____ team is responsible for providing any needed supplies, space, materials, food, services, or facilities needed at the primary site other than vendor-acquired technology and other material obtained by the vendor team.
logistics
The ____ team is primarily responsible for data restoration and recovery.
data management
A(n) ____ occurs when a situation results in service disruptions for weeks or months, requiring a government to declare a state of emergency.
worst-case scenario
The ____ team is responsible for reestablishing connectivity between systems and to the Internet.
network recovery
The ____ team is responsible for working with the remainder of the organization to assist in the recovery of nontechnology functions.
business interface
The ____ team is responsible for providing the initial assessments of the extent of damage to equipment and systems on-site and/or for physically recovering the equipment to be transported to a location where the other teams can evaluate it.
damage assessment
____ is the deactivation of the disaster recovery teams, releasing individuals back to their normal duties.
Standing down
The ____ team is responsible for recovering and reestablishing operating systems (OSs).
systems recovery
A ____ is a description of the disasters that may befall an organization, along with information on their probability of occurrence, a brief description of the organization’s actions to prepare for that disaster, and the best case, worst case, and most likely case outcomes of the disaster.
disaster scenario
____ is the inclusion of action steps to minimize the damage associated with the disaster on the operations of the organization.
Mitigation of impact
____ means making an organization ready for possible contingencies that can escalate to become disasters.
Preparation
Which of the following is not usually an insurable loss?
Electrostatic discharge
The ____ is the phase associated with implementing the initial reaction to a disaster; it is focused on controlling or stabilizing the situation, if that is possible.
response phase
____ are likely in the event of a hacker attack, when the attacker retreats to a chat room and describes in specific detail to his or her associates the method and results of his or her latest conquest.
Follow-on incidents
Network recovery teams may be used to replace downed systems, but it is unlikely that they have experience in physically repairing damaged systems.
True
____ requires effective backup strategies and flexible hardware configurations.
Data recovery
The purpose of the ____ is to provide a way for management to obtain input and feedback from representatives of each team.
after-action review
During the ____ phase, the organization begins the recovery of the most time-critical business functions – those necessary to reestablish business operations and prevent further economic and image loss to the organization.
recovery
Most disaster-related loss occurs because of physical damage to property.
False
The alert roster must be tested more frequently than other components of a disaster recovery plan because it is subject to continual change due to employee turnover.
True
____ is a set of focused steps that deal primarily with the safety and state of the people from the organization who are involved in the disaster.
Crisis management
Training focuses on the particular roles each individual is expected to execute during an actual disaster.
True
The ____ assembles a disaster recovery team.
CPMT
Useful resources in the DR planning process are the ____ provided by the Federal Agency Security Practices (FASP) section of NIST’s Computer Security Resource Center (CSRC).
contingency plan templates
In disaster recovery planning, there is a prevention phase similar to that in IR planning.
False
The ____ system is an information system with a telephony interface that can be used to automate the alert process.
auxiliary phone alert and reporting system
Contingency strategies for ____ should emphasize the need for absolutely reliable data backup and recovery procedures because they have less inherent redundancy than a distributed architecture.
mainframes
The ____ team is responsible for the recovery of information and the reestablishment of operations in storage area networks or network attached storage.
storage recovery
Mainframe systems leverage data communications to decentralize and/or distribute capacity.
False
In the ____ section of the business continuity policy, the training requirements for the various employee groups are defined and highlighted.
training requirements
Unless an organization has contracted for a ____ or equivalent, office equipment such as desktop computers is not provided at a BC alternate site.
hot site
The ____ is the amount of time that a business can tolerate losing capabilities until alternate capabilities are available.
recovery time objective
The Business Continuity Institute offers an uncertified category of membership called a(n) ____ that is accepted by application and does not require assessment or a review process.
Affiliate
A BC subteam called the ____ is responsible for establishing the core business functions needed to sustain critical business operations.
operations team
____ planning represents the final response of the organization when faced with any interruption of its critical operations.
Business continuity
A business continuity plan should be a single unified plan.
False
One activity that occurs during the clearing phase of a BC implementation is scheduling a move back to the primary site.
False
Identifying measures, called ____, that reduce the effects of system disruptions can reduce continuity life-cycle costs.
preventive controls
BC is specifically designed to get the organization’s most critical services up and running as quickly as possible in order to enable the continued operation of the organization and thereby ensure its existence and minimize the financial losses from the disruption.
True
In the ____ phase of the BC plan, the organization specifies what type of relocation services are desired and what type of data management strategies are deployed to support relocation.
preparation for BC actions
The ____ section of the business continuity policy identifies the roles and responsibilities of the key players in the business continuity operation.
roles and responsibilities
The ____ section of the business continuity policy provides an overview of the information storage and retrieval plans of the organization.
special considerations
Once BC activities have come to a close and the organization has reoccupied its primary facility or new permanent facility, the team should meet for a(n) ____.
after-action review
The plan maintenance schedule in a BC policy statement should address the ____ of reviews, along with who will be involved in each review.
frequency
Testing the BC plan is an ongoing activity, with each scenario tested annually at walk-through level or higher.
False
Using desk check, talk-throughs, walk-throughs, simulation, and other exercises on a regular basis helps prepare the organization for crises and, additionally, helps keep the CM plan up to date.
True
____ are those steps taken to inform stakeholders regarding the timeline of events, the actions taken, and sometimes the reasons for those actions.
Crisis communications
____ are individuals who are hired above and beyond the minimum number of personnel needed to perform a business function.
Redundant personnel
The ____ is responsible for contacting and managing all interaction between the organization’s management and staff and any needed emergency services, including utility services.
emergency services coordinator
____ are those actions taken in order to manage the immediate physical, health, and environmental impacts resulting from an incident.
Emergency response
A recent trend in corporate settings is to provide each employee with a disaster recovery identification card.
False
A ____ is defined by the ICM as a disruption in the company’s business that occurs without warning and is likely to generate news coverage and may adversely impact employees, investors, customers, suppliers, and other stakeholders.
sudden crisis
A(n) ____ is created to enable management to gain and maintain control of ongoing emergency situations, to provide oversight and control to designated first responders, and to marshal IR, DR, and BC plans and resources as needed.
crisis management team
____ is the set of actions taken by an organization in response to an emergency situation in an effort to minimize injury or loss of life.
Crisis management
A special police unit trained to deal with incendiary, explosive, or contaminating devices is known as the ____.
bomb squad
In contrast to emergency response that focuses on the immediate safety of those affected, ____ addresses the services needed to get the organization and its stakeholders back to original levels of productivity or satisfaction.
humanitarian assistance
____ is the movement of employees from one position to another so they can develop additional skills and abilities.
Job rotation
A(n) ____ is an area where people should gather in the event of a specific type of emergency, to facilitate quick head count.
assembly area
Cross-training provides a mechanism to get everyone out of the crime scene and thus prevent contamination of possible evidentiary material.
False
Organizations typically respond to a crisis by focusing on technical issues and economic priorities, and overlook the steps needed to preserve the most critical assets of the organization: its people.
True
A(n) ____ is the list of officials ranging from an individual’s immediate supervisor through the top executive of the organization.
chain of command