FEDVTE Foundations of Incident Management 51 Questions with Verified Answers
Political motivations and financial interests are the two most common motivations behind current cyber threats.
A. True
B. False - CORRECT ANSWER A. True
Information sharing only aligns with the respond process in incident management activities.
A. True
B. False - CORRECT ANSWER B. False
Sensors are defined only as technical or information systems.
A. True
B. False - CORRECT ANSWER B. False
Eradication consists of short-term, tactical actions.
A. True
B. False - CORRECT ANSWER B. False
Containment strategies may include:
A. Rebuilding systems from original media
B. Remediating vulnerabilities
C. Leaving systems online
D. Shutting down a service - CORRECT ANSWER D. Shutting down a service
Which of the following is a decision that might need to be made ahead of time as part of the Prepare process?
A. When and if forensics evidence will be collected
B. When, if, and how law enforcement will be involved
C. What systems can be isolated or shut down
D. Who to notify when handling certain incidents
E. All of the above
F. None of the above - CORRECT ANSWER E. All of the above
What are the three impact attributes described in the course material?
A. Function, Availability, Impact
B. Availability, Information, Confidentiality
C. Function, Information, Recoverability
D. Recoverability, Externality, Impact - CORRECT ANSWER C. Function, Information, Recoverability
Which of the following is NOT a method of conducting operational exercises?
A. Tabletop scenarios
B. Virtual simulations
C. Vulnerability scanning
D. Capture the flag competition - CORRECT ANSWER C. Vulnerability scanning
Information sharing protocols include:
A. STIX / CAB
B. IDGEMF
C. OpenSOC
D. CRITS - CORRECT ANSWER D. CRITS
Which of the following is NOT an approach for institutionalizing an incident management capability?
A. National CSIRT
B. Network and security operations center (NSOC)
C. Red team
D. Crisis management team
E. Security incident response team - CORRECT ANSWER C. Red team
Elements of situational awareness are only technical in nature.
A. True
B. False - CORRECT ANSWER B. False
Which of the following are NOT considered indicators of compromise (IOCs)?
A. Domain names
B. Virus signatures
C. Timestamps
D. Registry keys - CORRECT ANSWER C. Timestamps
Postmortems can be done after an incident to identify:
A. What went right
B. What went wrong
C. Training needs
D. Tools needed
E. A and B only
F. C and D only
G. B and C only
H. None of the above
I. All of the above - CORRECT ANSWER I. All of the above
Incident response only starts once you receive an incident report.
A. True
B. False - CORRECT ANSWER B. False
Recovery strategies may include:
A. Isolating the system from the network
B. Improving network and host security
C. Modifying access controls
D. Deleting malware - CORRECT ANSWER B. Improving network and host security
Fusion is the correlation and analysis of information collected from an incident report.
A. True
B. False - CORRECT ANSWER B. False
Which of the following resources will facilitate incident management activities?
A. A communication plan
B. Data classification schema
C. Network topologies and baselines
D. Points of Contact (POC) lists
E. All of the above
F. None of the above - CORRECT ANSWER E. All of the above
Which of the following is NOT considered a type of analysis?
A. Triage
B. Situational analysis
C. Media analysis
D. Mitigation analysis - CORRECT ANSWER B. Situational analysis
Which of the following is NOT a response sub-process?
A. Planning the response strategy
B. Performing malware analysis
C. Coordinating response
D. Communicating with stakeholders - CORRECT ANSWER B. Performing malware analysis
Which of the following staff would NOT be involved in performing incident management functions?
A. Human resources (HR) staff
B. Public relations (PR) staff
C. Internet service providers
D. Law enforcement
E. Managed service providers
F. None of the above
G. All of the above - CORRECT ANSWER G. All of the above
Three key activities that should be performed throughout all the phases of the incident handling lifecycle are:
A. Analysis, detection, and eradication
B. Collaboration, containment, and analysis
C. Documentation, coordination, and notification
D. Communication, collaboration, and containment - CORRECT ANSWER C. Documentation, coordination, and notification
Which of the following is true regarding impact analysis and its role in incident management?
A. Impact is the sole attribute for assessing risk to an organization
B. Impact should always be assessed as a monetary value
C. Determining impact and likelihood of an incident assesses the risk a particular situation presents to an organization
D. Impact analysis is not important in the context of incident management - CORRECT ANSWER C. Determining impact and likelihood of an incident assesses the risk a particular situation presents to an organization
What is a botnet?
A. A server controlled by a malicious actor
B. A network of computers vulnerable due to poor access controls
C. Malicious code infecting an industrial control system
D. A collection of compromised computers controlled remotely - CORRECT ANSWER D. A collection of compromised computers controlled remotely
Situational awareness should be viewed as a real-time, short-term function.
A. True
B. False - CORRECT ANSWER A. True
If an organization follows key practices for computer network defense, it can guarantee that intrusions and other malicious acts will not happen.
A. True
B. False - CORRECT ANSWER B. False
Which of the following is a well-known type of malware?
A. Heartbleed
B. Shellshock
C. Conficker
D. Ubuntu - CORRECT ANSWER C. Conficker
All of the following are steps organizations should take to respond to incidents with impacts to external actors EXCEPT?
A. Organizations should have supply chain plans-of-action ready for when and if an incident impacts their supply chain
B. Organizations should create contact information databases in order to contact external actors identified with a potential impact scenario
C. Organizations should provide supply chain partners with detailed data on their past and current incident impacts
D. Organizations should put in place agreements detailing requirements for supply chain partner notification and responsivity - CORRECT ANSWER C. Organizations should provide supply chain partners with detailed data on their past and current incident impacts
Which of the following is NOT considered a sensor?
A. A blog
B. A motion detector
C. An employee resume
D. An employee reporting a problem - CORRECT ANSWER C. An employee resume
Situational awareness applies to which disciplines?
A. Aviation
B. Information security
C. Self defense
D. Emergency response
E. All of the above
F. None of the above - CORRECT ANSWER E. All of the above
Information sharing in the incident management context refers to sharing:
A. Threat and mitigation information
B. Threat and risk information
C. Risk and disaster recovery information
D. Business continuity information - CORRECT ANSWER A. Threat and mitigation information
Methods for disseminating information may include:
A. Mailing lists
B. Blogs
C. Paper signs
D. Facebook
E. A and C only
F. B and D only
G. A and B only
H. None of the above
I. All of the above - CORRECT ANSWER I. All of the above
Which statement is true?
A. Tactical triage involves determining the business impact
B. Strategic triage involves doing a higher level assessment
C. Tactical triage requires a good understanding of business drivers
D. Strategic triage involves categorizing and assigning reports - CORRECT ANSWER B. Strategic triage involves doing a higher level assessment
Response steps do NOT include:
A. Containment
B. Eradication
C. Correlation
D. Recovery - CORRECT ANSWER C. Correlation
Having a better response process in place enables a higher level of operational resilience.
A. True
B. False - CORRECT ANSWER A. True
Which organization attributes do you NOT need to document in order to properly prepare for an impact assessment?
A. Services
B. Service criticality
C. Legal obligations attributed to services
D. Current service availability statistics - CORRECT ANSWER D. Current service availability statistics
A data model is an agreed-upon form that must be filled out to report an incident:
A. True
B. False - CORRECT ANSWER B. False
Establishing trust is the first step towards creating serious sharing partnerships:
A. True
B. False - CORRECT ANSWER A. True
Which statement is true?
A. Incident analysis and media (or forensic) analysis often use the same tools
B. Incident analysis and media (or forensic) analysis are equivalent activities
C. Incident analysis and media (or forensic) analysis have the same goals
D. All incident analysis includes performing media (or forensic) analysis - CORRECT ANSWER A. Incident analysis and media (or forensic) analysis often use the same tools
How does amplification modify a denial of service attack?
A. Increases the number of network appliances (like firewalls) associated with an attack
B. Decreases the frequency of denial of service traffic while increasing the variance
C. Modifies target machines in order to more effectively attack the target
D. Takes advantage of existing internet infrastructure to greatly increase denial of service traffic - CORRECT ANSWER D. Takes advantage of existing internet infrastructure to greatly increase denial of service traffic
The activities within the Triage process include:
A. Categorize, coordinate, prioritize, assign
B. Identify, categorize, prioritize, assign
C. Categorize, correlate, prioritize, assign
D. Identify, correlate, categorize, prioritize - CORRECT ANSWER C. Categorize, correlate, prioritize, assign
Information to be documented during incident analysis includes:
A. Type and results of analysis performed
B. Mitigations researched
C. Analyst notes related to confidence of information reported
D. Who was interviewed concerning the incident
E. None of the above
F. All of the above - CORRECT ANSWER F. All of the above
Threat feeds can come from:
A. Vendors
B. National CSIRTs
C. Sharing communities
D. Security organizations
E. None of the above
F. All of the above - CORRECT ANSWER F. All of the above
Incident analysis activities include:
A. Diagramming a timeline of activity
B. Verifying the integrity of restored data
C. Receiving IDS alerts
D. Reverse engineering - CORRECT ANSWER A. Diagramming a timeline of activity
Which of the following are NOT host-based solutions for detecting or preventing malicious code operations?
A. Anti-virus software
B. Network boundary firewalls
C. Memory management utilities
D. Host-based monitoring tools - CORRECT ANSWER B. Network boundary firewalls
Fusion analysis is most effective when information is unstructured.
A. True
B. False - CORRECT ANSWER B. False
Others who may be involved in recovery may include:
A. Information technology staff
B. Database administrators
C. Business continuity staff
D. System owners
E. None of the above
F. All of the above - CORRECT ANSWER F. All of the above
Swimlanes can be used for the following:
A. Defining interfaces between organizational components performing incident management
B. Defining roles and responsibilities for performing incident management
C. Identifying handoffs of information during incident management
D. Outlining a workflow for incident management activities
E. A and B only
F. A and C only
G. B and D only
H. None of the above
I. All of the above - CORRECT ANSWER I. All of the above
Which of the following statements are true?
A. Incident management and information security are the same activity
B. Incident management is part of the information assurance ecosystem
C. Incident management is not included in the NICE framework
D. Incident management and computer network defense are the same activity - CORRECT ANSWER B. Incident management is part of the information assurance ecosystem
Data sources to be collected and reviewed during incident analysis might include:
A. DNS and whois records
B. Threat feeds
C. Application and system logs
D. Symptoms reported by users
E. A and C only
F. B and D only
G. None of the above
H. All of the above - CORRECT ANSWER H. All of the above
Which of these statements is NOT true in relation to the STIX data model?
A. Observables describe what has been or might be seen
B. Indicators describe instances of specific adversary actions
C. Reports describe response actions to be taken
D. Courses of actions describe sets of incidents and/or TTPs - CORRECT ANSWER A. Observables describe what has been or might be seen
Which of the following is NOT an element of situational awareness?
A. Knowledge of potential storms or severe weather
B. Knowledge of your competitor's new products
C. Knowledge of the training curriculum for staff
D. Knowledge of current security threats and vulnerabilities - CORRECT ANSWER C. Knowledge of the training curriculum for staff