Chapter 4
Reporting and Communication

  1. Kyong manages the vulnerability scans for his organization. The senior director that oversees Kyong's group provides a report to the CIO on a monthly basis on operational activity, and he includes the number of open critical vulnerabilities. He would like to provide this information to his director in as simple a manner as possible each month. What should Kyong do?
    1. Provide the director with access to the scanning system.
    2. Check the system each month for the correct number and email it to the director.
    3. Configure a report that provides the information to automatically send to the director's email at the proper time each month.
    4. Ask an administrative assistant to check the system and provide the director with the information.
  2. Carla is designing a vulnerability scanning workflow and has been tasked with selecting the person responsible for remediating vulnerabilities. Which one of the following people would normally be in the best position to remediate a server vulnerability?
    1. Cybersecurity analyst
    2. System administrator
    3. Network engineer
    4. IT manager
  3. During a vulnerability scan, Patrick discovered that the configuration management agent installed on all of his organization's Windows servers contains a serious vulnerability. The manufacturer is aware of this issue, and a patch is available. What process should Patrick follow to correct this issue?
    1. Immediately deploy the patch to all affected systems.
    2. Deploy the patch to a single production server for testing and then deploy to all servers if that test is successful.
    3. Deploy the patch in a test environment and then conduct a staged rollout in production.
    4. Disable all external access to systems until the patch is deployed.
  4. Ben is preparing to conduct a vulnerability scan for a new client of his security consulting organization. Which one of the following steps should Ben perform first?
    1. Conduct penetration testing.
    2. Run a vulnerability evaluation scan.
    3. Run a discovery scan.
    4. Obtain permission for the scans.
  5. Katherine coordinates the remediation of security vulnerabilities in her organization and is attempting to work with a system engineer on the patching of a server to correct a moderate impact vulnerability. The engineer is refusing to patch the server because of the potential interruption to a critical business process that runs on the server. What would be the most reasonable course of action for Katherine to take?
    1. Schedule the patching to occur during a regular maintenance cycle.
    2. Exempt the server from patching because of the critical business impact.
    3. Demand that the server be patched immediately to correct the vulnerability.
    4. Inform the engineer that if he does not apply the patch within a week that Katherine will file a complaint with his manager.
  6. Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace's best course of action?
    1. Initiate a high-priority change through her organization's change management process and wait for the change to be approved.
    2. Implement a fix immediately and document the change after the fact.
    3. Schedule a change for the next quarterly patch cycle.
    4. Initiate a standard change through her organization's change management process.
  7. Joe discovered a critical vulnerability in his organization's database server and received permission from his supervisor to implement an emergency change after the close of business. He has eight hours before the planned change window. In addition to planning the technical aspects of the change, what else should Joe do to prepare for the change?
    1. Ensure that all stakeholders are informed of the planned outage.
    2. Document the change in his organization's change management system.
    3. Identify any potential risks associated with the change.
    4. All of the above.
  8. Sally discovered during a vulnerability scan that a system she manages has a high-priority vulnerability that requires a patch. The system is behind a firewall and there is no imminent threat, but Sally wants to get the situation resolved as quickly as possible. What would be her best course of action?
    1. Initiate a high-priority change through her organization's change management process.
    2. Implement a fix immediately and then document the change after the fact.
    3. Implement a fix immediately and then inform her supervisor of her action and the rationale.
    4. Schedule a change for the next quarterly patch cycle.
  9. Gene runs a vulnerability scan of his organization's datacenter and produces a summary report to share with his management team. The report includes the chart shown here. When Gene's manager reads the report, she points out that the report is burying important details because it is highlighting too many unimportant issues. What should Gene do to resolve this issue?
    A window page depicts a bar chart of vulnerabilities versus severity level.
    1. Tell his manager that all vulnerabilities are important and should appear on the report.
    2. Create a revised version of the chart using Excel.
    3. Modify the sensitivity level of the scan.
    4. Stop sharing reports with the management team.
  10. Glenda routinely runs vulnerability scans of servers in her organization. She is having difficulty with one system administrator who refuses to correct vulnerabilities on a server used as a jump box by other IT staff. The server has had dozens of vulnerabilities for weeks and would require downtime to repair. One morning, her scan reports that all of the vulnerabilities suddenly disappeared overnight, while other systems in the same scan are reporting issues. She checks the service status dashboard, and the service appears to be running properly with no outages reported in the past week. What is the most likely cause of this result?
    1. The system administrator corrected the vulnerabilities.
    2. The server is down.
    3. The system administrator blocked the scanner.
    4. The scan did not run.
  11. Tom is planning a series of vulnerability scans and wants to ensure that the organization is meeting its customer commitments with respect to the scans' performance impact. What two documents should Tom consult to find these obligations?
    1. SLAs and MOUs
    2. SLAs and DRPs
    3. DRPs and BIAs
    4. BIAs and MOUs
  12. Zhang Wei is evaluating the success of his vulnerability management program and would like to include some metrics. Which one of the following would be the least useful metric?
    1. Time to resolve critical vulnerabilities
    2. Number of open critical vulnerabilities over time
    3. Total number of vulnerabilities reported
    4. Number of systems containing critical vulnerabilities
  13. Donna is working with a system engineer who wants to remediate vulnerabilities in a server that he manages. Of the report templates shown here, which would be most useful to the engineer?
    A window page depicts the title, type, and vulnerability data.
    1. Qualys Top 20 Report
    2. PCI Technical Report
    3. Executive Report
    4. Technical Report
  14. Abdul received the vulnerability report shown here for a server in his organization. The server runs a legacy application that cannot easily be updated. What risks does this vulnerability present?
    A window page presents the first detected, last detected, time detected, and last fixed data.
    1. Unauthorized access to files stored on the server
    2. Theft of credentials
    3. Eavesdropping on communications
    4. All of the above
  15. William is preparing a legal agreement for his organization to purchase services from a vendor. He would like to document the requirements for system availability, including the vendor's allowable downtime for patching. What type of agreement should William use to incorporate this requirement?
    1. MOU
    2. SLA
    3. BPA
    4. BIA
  16. Raul is replacing his organization's existing vulnerability scanner with a new product that will fulfill that functionality moving forward. As Raul begins to build the policy, he notices some conflicts in the scanning settings between different documents. Which one of the following document sources should Raul give the highest priority when resolving these conflicts?
    1. NIST guidance documents
    2. Vendor best practices
    3. Corporate policy
    4. Configuration settings from the prior system
  17. Pietro is responsible for distributing vulnerability scan reports to system engineers who will remediate the vulnerabilities. What would be the most effective and secure way for Pietro to distribute the reports?
    1. Pietro should configure the reports to generate automatically and provide immediate, automated notification to administrators of the results.
    2. Pietro should run the reports manually and send automated notifications after he reviews them for security purposes.
    3. Pietro should run the reports on an automated basis and then manually notify administrators of the results after he reviews them.
    4. Pietro should run the reports manually and then manually notify administrators of the results after he reviews them.
  18. Nitesh would like to identify any systems on his network that are not registered with his asset management system because he is concerned that they might not be remediated to his organization's current security configuration baseline. He looks at the reporting console of his vulnerability scanner and sees the options shown here. Which of the following report types would be his best likely starting point?
    A window page depicts the title, type, and vulnerability data.
    1. Technical Report
    2. High Severity Report
    3. Qualys Patch Report
    4. Unknown Device Report
  19. Nabil is the vulnerability manager for his organization and is responsible for tracking vulnerability remediation. There is a critical vulnerability in a network device that Nabil has handed off to the device's administrator, but it has not been resolved after repeated reminders to the engineer. What should Nabil do next?
    1. Threaten the engineer with disciplinary action.
    2. Correct the vulnerability himself.
    3. Mark the vulnerability as an exception.
    4. Escalate the issue to the network administrator's manager.
  20. Maria discovered an operating system vulnerability on a system on her network. After tracing the IP address, she discovered that the vulnerability is on a proprietary search appliance installed on her network. She consulted with the responsible engineer who informed her that he has no access to the underlying operating system. What is the best course of action for Maria?
    1. Contact the vendor to obtain a patch.
    2. Try to gain access to the underlying operating system and install the patch.
    3. Mark the vulnerability as a false positive.
    4. Wait 30 days and rerun the scan to see whether the vendor corrected the vulnerability.
  21. Trevor is working with an application team on the remediation of a critical SQL injection vulnerability in a public-facing service. The team is concerned that deploying the fix will require several hours of downtime and will block customer transactions from completing. What is the most reasonable course of action for Trevor to suggest?
    1. Wait until the next scheduled maintenance window.
    2. Demand that the vulnerability be remediated immediately.
    3. Schedule an emergency maintenance for an off-peak time later in the day.
    4. Convene a working group to assess the situation.
  22. Thomas discovers a vulnerability in a web application that is part of a proprietary system developed by a third-party vendor, and he does not have access to the source code. Which one of the following actions can he take to mitigate the vulnerability without involving the vendor?
    1. Apply a patch.
    2. Update the source code.
    3. Deploy a web application firewall.
    4. Conduct dynamic testing.
  23. Walt is designing his organization's vulnerability management program and is working to identify potential inhibitors to vulnerability remediation. He has heard concern from functional leaders that remediating vulnerabilities will impact the ability of a new system to fulfill user requests. Which one of the following inhibitors does not apply to this situation?
    1. Degrading functionality
    2. Organizational governance
    3. Legacy systems
    4. Business process interruption
  24. The company that Brian works for processes credit cards and is required to be compliant with PCI DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide?
    1. Notification to local law enforcement
    2. Notification to their acquiring bank
    3. Notification to federal law enforcement
    4. Notification to Visa and MasterCard
  25. As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?
    1. Attrition
    2. Impersonation
    3. Improper usage
    4. Web
  26. Laura wants to ensure that her team can communicate during an incident. Which of the following should the team prepare to be ready for an incident?
    1. A second, enterprise authenticated messaging system
    2. An enterprise VoIP system using encryption
    3. Enterprise email with TLS enabled
    4. A messaging capability that can function if enterprise authentication is unavailable
  27. Which of the following is not an important part of the incident response communication process?
    1. Limiting communication to trusted parties
    2. Disclosure based on public feedback
    3. Using a secure method of communication
    4. Preventing accidental release of incident-related information
  28. After law enforcement was called because of potential criminal activity discovered as part of a forensic investigation, the officers on the scene seized three servers. When can Joe expect his servers to be returned?
    1. After 30 days, which provides enough time for a reasonable imaging process
    2. After 6 months, as required by law
    3. After 1 year, as most cases resolve in that amount of time
    4. Joe should not plan on a timeframe for return
  29. NIST SP 800-61 identifies six outside parties that an incident response team will typically communicate with. Which of the following is not one of those parties?
    1. Customers, constituents, and media
    2. Internet service providers
    3. Law enforcement agencies
    4. Legal counsel
  30. Ben works at a U.S. federal agency that has experienced a data breach. Under FISMA, which organization does he have to report this incident to?
    1. US-CERT
    2. The National Cyber Security Authority
    3. The National Cyber Security Centre
    4. CERT/CC
  31. Which of the following organizations is not typically involved in post-incident communications?
    1. Developers
    2. Marketing
    3. Public relations
    4. Legal
  32. Tom is building his incident response team and is concerned about how the organization will address insider threats. Which business function would be most capable of assisting with the development of disciplinary policies?
    1. Information security
    2. Human resources
    3. Legal counsel
    4. Senior management
  33. Craig is revising his organization's incident response plan and wants to ensure that the plan includes coordination with all relevant internal and external entities. Which one of the following stakeholders should he be most cautious about coordinating with?
    1. Regulatory bodies
    2. Senior leadership
    3. Legal
    4. Human resources
  34. The vulnerability management action plan that was sent to Jacinda notes that a critical application that her organization uses relies on an insecure version of a software package because of a long-standing workflow requirement. Jacinda's organization's best practices state that the organization will select the most secure option that also permits business to be conducted. What should Jacinda do?
    1. Mark the vulnerability as “ignored.”
    2. Change the business requirements to enable the vulnerability to be handled.
    3. Disable the service.
    4. Install a third-party patch for the service.
  35. What section of an incident response report provides a brief, clear summary of the incident, response activities, and current state of the incident?
    1. The timeline
    2. The scope statement
    3. The executive summary
    4. The documentation of evidence
  36. Ian wants to prepare his organization for communications with the media as part of incident related public relations. What should he recommend that his organization do to prepare?
    1. Build a list of phrases and topics to avoid.
    2. Hire a reputation defense firm.
    3. Engage legal counsel.
    4. Conduct media training.
  37. Jason is required to notify the company that provides credit card processing services to his organization if an incident impacting credit card data occurs. What type of communications does he need to perform?
    1. Regulatory reporting
    2. Customer communications
    3. Law enforcement communications
    4. None of the above
  38. The incident response report that Kathleen has prepared includes the following statement:

    “Unnecessary services including HTTP and FTP should be disabled on all devices of this type that are deployed.”

    What incident response reporting component will most commonly include this type of statement?

    1. Scope
    2. Executive summary
    3. Recommendations
    4. Timeline
  39. What common score is used to help with prioritization of vulnerability remediation in many organizations?
    1. CVE
    2. ATT&CK
    3. CVSS
    4. PASTA
  40. Olivia has been notified that a vulnerability has recurred on a server after being marked as remediated through a compensating control by an administrator. Which of the following is the most likely reason that a vulnerability may recur in this circumstance?
    1. An attacker has removed the patch to expose the vulnerability.
    2. The system has been reinstalled by the administrator.
    3. A patch has caused the compensating control to fail.
    4. The service has been re-enabled by a user.
  41. The incident response report that Brian is reading includes a statement that says “Impacted systems were limited to those in the organization's AWS VPC.” What part of an incident response report will typically contain this type of information?
    1. The timeline
    2. The evidence statement
    3. The impact statement
    4. The scope statement
  42. Nila's incident response team has discovered evidence of an employee who may have been engaged in criminal activity while they were conducting an incident investigation. The team has suggested that law enforcement should be contacted. What significant concern should Nila raise about this potential communication?
    1. Law enforcement can't enforce organizational policy.
    2. Law enforcement engagement may hinder the organization's ability to respond or operate.
    3. Law enforcement involvement may create communications issues.
    4. Law enforcement may arrest a critical employee.
  43. Sameer wants to establish and track a metric for his organization that will help him know if his IoC monitoring processes are working well. Which of the following metrics is best suited to determining if IoCs are being effectively captured and analyzed?
    1. Mean time to detect
    2. Mean time to respond
    3. Mean time to remediate
    4. Mean time to compromise
  44. Sameer is continuing to improve his metrics to report to his organization's board of directors. The board has requested that he include alert volumes in his reporting. What issue should Sameer discuss with the board after receiving this request?
    1. High-alert volumes indicate poor incident response processes.
    2. Low-alert volumes indicate effective incident response processes.
    3. Alert volume is not an effective security metric.
    4. Alert volume requires other measures like number of patches installed to be an effective security metric.
  45. What important incident response report section relies heavily on NTP to be successful?
    1. The executive summary
    2. The recommendations
    3. The timeline
    4. The scope statement
  46. What type of agreement between two organizations is a common inhibitor to remediation because of uptime requirements?
    1. An NDA
    2. An SLA
    3. A TLA
    4. A KPI
  47. Valerie needs to explain CVSS score metrics to her team. Which of the following is not part of the basic metric group for CVSS scores?
    1. The attack vector
    2. The maturity of the exploit code
    3. The attack complexity
    4. The privileges required
  48. The scientific instrument that Chas is responsible for has multiple critical severity vulnerabilities in its operating system and services. The device cannot be patched according to instructions from the vendor who provides it. Which of the following is not an appropriate compensating control in this scenario?
    1. Place a network security device configured to prevent access to the system between the instrument and the network.
    2. Install vendor patches against recommendations.
    3. Disable network connectivity to the device.
    4. Place the device on a protected network segment.
  49. Hui's incident response report includes log entries showing that a user logged in from another country, despite living and working in the country that the company Hui works for is located in. What incident response report section is most likely to contain this type of information?
    1. The impact section
    2. The scope section
    3. The evidence section
    4. The timeline section
  50. Melissa is conducting a root-cause analysis. Which of the following is not a common step in RCA processes?
    1. Identify problems and events.
    2. Establish a timeline.
    3. Differentiate causal factors and the root cause.
    4. Implement compensating controls.
  51. What information is typically included in a list of affected hosts in a vulnerability management report?
    1. Hostname and IP address
    2. IP address and MAC address
    3. Hostname and MAC address
    4. Hostname and subnet mask
  52. Hannah wants to establish a metric that will help her organization determine if their response process completes in a timely manner. Which common metric should she select to help assess this?
    1. Mean time to detect
    2. Mean time to report
    3. Mean time to respond
    4. Mean time to remediate
  53. Mikayla's team has determined that a previously remediated vulnerability has re-appeared after installation of a vendor supplied patch. What type of vulnerability management issue is this?
    1. Risk scoring
    2. Prioritization
    3. Mitigation
    4. Recurrence
  54. Gurvinder wants to consider impact metrics like the integrity impact, availability impact, and compatibility impact of a vulnerability that is scored using CVSS. What metric group includes this information?
    1. Basic
    2. Environmental
    3. Temporal
    4. Residual
  55. Which of the following is not a type of stakeholder that will frequently need to understand an organization's overall vulnerability stance or status?
    1. Security practitioners
    2. Legal counsel
    3. Auditors
    4. Compliance stakeholders
  56. Which of the following CVSS scores indicates the highest impact to an organization?
    1. 9.6
    2. 7.5
    3. 3.2
    4. 1.3
  57. Expectations of time to remediate and time to patch by a vendor are both examples of what in a vulnerability management program?
    1. Service level objectives
    2. Risks
    3. Vulnerabilities
    4. Internal policies
  58. What issue is organizational governance likely to cause in a vulnerability management program?
    1. It may prevent vulnerabilities from being patched or compensating controls being used.
    2. It may increase the number of vulnerabilities that need to be patched.
    3. It may slow down patching.
    4. It may limit the vulnerabilities that will be patched.
  59. Jacob has initiated the incident response process in his organization. IoCs have been identified, and Jacob is ready to take the next step in the process. What typically happens next?
    1. Legal counsel is notified.
    2. Incident responders collect forensic data.
    3. Law enforcement is notified.
    4. Incident responders determine if it is a real incident.
  60. Asha wants to reduce the alert volumes her team are dealing with due to the numbers of emails and SMS alerts they are receiving. Which of the following is most likely to help reduce the volume of alerts?
    1. Tune alerting thresholds.
    2. Subscribe to more IoC feeds.
    3. Create additional IoCs.
    4. Set work hours to avoid after hours alerts.
  61. What NIST standard provides information on incident handling practices?
    1. NIST SP 800-61
    2. ISO 27001
    3. NIST SP 800-53
    4. SOC 2
  62. Jaime wants to consider critical components of public relations as part of her incident communications plan. What two topics are best aligned to this?
    1. Customer and law enforcement communications
    2. Customer and executive communications
    3. Customer and media communications
    4. Customer and legal counsel communications
  63. Annie's organization makes divisional administrators responsible for patching vulnerabilities after they are notified of them using a ticketing system. Annie has noticed that the administrators are not promptly patching systems. What should she do to most effectively address this issue?
    1. Switch notification to automated emails.
    2. Invest in an awareness and training campaign.
    3. Use the vulnerabilities to compromise the systems to prove a point.
    4. Involve HR due to a lack of job performance.
  64. Henry's organization handles credit card data as part of their operations. What type of vulnerability management report is Henry most likely to need to run due to this?
    1. PCI compliance reporting
    2. GLBA compliance reporting
    3. A list of compromised systems
    4. A list of unpatched systems
  65. Jen has discovered that many systems in her organization are being deployed with a vulnerable service active. What solution is best suited to addressing this type of issue in a large organization?
    1. An awareness program
    2. Compensating controls
    3. Changing business requirements
    4. Configuration management
  66. An incident report should indicate the individuals involved, as well as which of the following items?
    1. The hardware addresses of the systems involved
    2. The time frame the event or incident occurred
    3. A written statement from each individual interviewed
    4. A police report
  67. Jason has defined the problem as part of a root-cause analysis effort. What step typically comes next in RCA?
    1. Collecting data about the problem
    2. Determining the root cause of the problem
    3. Determining potential causal factors
    4. Analyzing the causes
  68. Mean time to respond is an example of what?
    1. An incident response report target
    2. An industry standard SOW
    3. An industry standard SLA
    4. An incident response KPI
  69. What information is gathered as part of a lessons learned exercise conducted at the end of an incident response process?
    1. Issues that will positively impact future incident response processes
    2. Both positive and negative lessons learned during the process
    3. Issues that will negatively impact future incident response processes
    4. Root causes of the incident
  70. Jason wants to quickly understand the content of an incident report. What should he read?
    1. The scope statement
    2. The timeline
    3. The executive summary
    4. The evidence
  71. What important role does criticality and impact information play in organizational use of CVSS scores?
    1. It helps with prioritization.
    2. It determines if a patch should be installed.
    3. It determines if a compensating control should be used.
    4. It helps prevent recurrence.
  72. Natalie has signed a service level agreement with a customer that specifies performance requirements for a service that her company provides. How is this most likely to impact her ability to remediate vulnerabilities on the underlying containerized services that provide the service?
    1. It will require Natalie to seek customer approval for each patch that is deployed via their governance process.
    2. It will require Natalie to ensure that the service is not disrupted when new, patched containers are deployed and vulnerable containers are disabled.
    3. It will allow as much downtime as needed as patches are deployed to the containerized services.
    4. It will prevent Natalie from upgrading the legacy systems the customer relies on.
  73. Angela's organization has discovered that their Windows workstations have a vulnerability that was discovered more than a year ago. What solution is best suited to handling this known vulnerability?
    1. Patching
    2. Awareness, education, and training
    3. Changing business requirements
    4. Compensating controls
  74. Jacob wants to update mitigation notes for a vulnerability on a server. Which of the following is not a common mitigation option?
    1. Installing a patch
    2. Deploying a compensating control
    3. Disabling a service or software
    4. Turning the system off
  75. Which of the following is the most critical to have involved in incident escalation processes?
    1. End users
    2. Legal
    3. Management
    4. Law enforcement
  76. Gurvinder's organization is required to report breaches within 24 hours of the breach being detected, regardless of how far into the investigation the organization is. What type of requirement is most likely to drive this type of communication?
    1. Contractual requirements
    2. Social media requirements
    3. Regulatory requirements
    4. Reputational requirements
  77. Xuan's organization uses an old, no longer updated or sold software package that has an embedded web server that it exposes on every workstation that runs the software allowing file transfer between workstations. During a vulnerability scan the web browser was highlighted as a critical vulnerability. Which of the following solutions should Xuan recommend to best resolve the issue?
    1. An awareness program
    2. Compensating controls
    3. Changing business requirements
    4. Configuration management
  78. Jackie is reviewing the risk scores found in a vulnerability report and notes that the risk she is reviewing scores a 1.0. What recommendation should Jackie make about the vulnerability?
    1. It should be patched immediately because the risk score is high.
    2. The risk is very low and can likely be ignored.
    3. The risk is low and should be patched in the next patch cycle.
    4. It should be patched immediately because it is in the top 10 percent of risks.
  79. Log entries are commonly found in what part of an incident response report?
    1. Recommendations
    2. Executive summary
    3. Evidence
    4. Timeline
  80. Kathleen wants to build a prioritized list of vulnerabilities for her organization. What part of the CVSS metric will help her adjust the score to best match her organization's availability requirements?
    1. The base metric group
    2. The advanced metric group
    3. The temporal metric group
    4. The environmental metric group
  81. Derek is the lead of his organization's finance and accounting team and has expressed concerns about installing patches because his team relies on the service that is being patched. Derek noted that the team is at a critical time because of annual financial reports. What type of inhibitor to remediation is this?
    1. A potential MOU violation
    2. A legacy system issue
    3. A business process interruption issue
    4. A potential SLA violation
  82. What part of an incident response report describes detailed ways to avoid similar issues in the future?
    1. The executive summary
    2. Lessons learned
    3. The scope
    4. Evidence
  83. Potential compensating controls can be found in what section of a vulnerability management report?
    1. The mitigations section
    2. The risk scores
    3. The recurrence section
    4. The affected hosts list
  84. The company that Amari works for uses an embedded system as part of a manufacturing process. The system relies on an operating system created by the machine's vendor and Amari's team has identified vulnerabilities during a network scan. What type of system should Amari identify this device as?
    1. A proprietary system
    2. A legacy system
    3. A primary system
    4. A secondary system
  85. Amari wants to ensure that her team can meet her organization's service level agreement for the embedded system that has been identified as vulnerable. Which of the following compensating controls would be the most appropriate solution to allow the system to stay online while remaining secure?
    1. Install a hardware-based IDS between the system and the network.
    2. Place a hardware firewall between the system and the network.
    3. Disable the device's network connection.
    4. Install a nonproprietary operating system on the embedded system.
  86. Amari has deployed a compensating control to protect the vulnerable embedded system that she is responsible for. What step should she take next?
    1. Create an incident report and distribute it to appropriate recipients.
    2. Remove the device from the vulnerability scanning process to avoid continued false positives.
    3. Note the compensating control and flag the device for follow-up to see if patches become available.
    4. Flag the vulnerabilities previously discovered as false positives.
  87. NIST provides recommendations for communication with the media as part of incident response. Which of the following is a NIST recommended preparation for working with the media?
    1. Pre-writing all incident communications before incidents occur
    2. Holding media practice sessions for incident responders as part of IR exercises
    3. Creating procedures on media avoidance as part of incident response planning
    4. Contacting law enforcement to prepare for media concerns
  88. Michele's root-cause analysis has determined a number of events that contributed to the problem but were not the root cause. What has she identified?
    1. Compensating controls
    2. Causal factors
    3. Branch causes
    4. Nonroot causes
  89. What three groups of metrics make up a CVSS score?
    1. The Core Metric Group, the Impact Metric Group, and the Organizational Metric Group
    2. The Core Metric Group, the Temporal Metric Group, and the Organizational Metric Group
    3. The Basic Metric Group, the Impact Metric Group, and the Environmental Metric Group
    4. The Basic Metric Group, the Temporal Metric Group, and the Environmental Metric Group
  90. Which of the following questions is not typically answered as part of an incident response report?
    1. Who?
    2. When?
    3. What?
    4. With whom?