CHAPTER 13 ASSESSMENT
1. To ensure a secure computing environment, investigate each reported event.
True
False
2. Many incidents go unreported because they are never recognized.
True
False
3. Which of the following is the best description of the CSIRT’s initial responsibility for incidents?
Recognize incidents.
Validate that an incident has occurred.
Initiate the incident investigation.
Contain the incident damage.
4. The ________ step of handling incidents should always occur before an incident happens.
5. Which incident-handling step might include disconnecting a computer from the network?
Identification
Eradication
Containment
Recovery
6. The ________ step to handling incidents is the most important step to continuously improving your incident response plan.
7. IT investigators (SMEs) are all CSIRT team members.
True
False
8. Which incident classification would apply to a situation where you find that your user account is locked due to too many logon tries using an incorrect password?
Unauthorized access of a limited account
AUP violation
Failed attempt to access any account
Unauthorized scan of one or more systems
9. Which incident security level would be appropriate after discovering that several of your workstations are infected with worms that will launch a coordinated DoS attack against your web servers in 12 hours?
Severe
High
Moderate
Low
10. Which incident-handling step might include scanning a computer for malware?
Identification
Containment
Eradication
Recovery
11. Which incident-handling step might include removing a virus from a computer?
Identification
Containment
Eradication
Recovery
12. The contents of log files are which type of evidence?
Real evidence
Documentary evidence
Testimonial evidence
Demonstrative evidence
13. The documentation that provides details of every move and access of evidence is called the ________.
14. You should treat every incident as if it might end up in court.
True
False
15. Any small change to evidence data may render that evidence unusable to your case.
True
False