190. Which of the following is not a recovery action after a computer security incident was contained?
a. Rebuilding systems from scratch
b. Changing passwords
c. Preserving the evidence
d. Installing patches
190. c. Preserving the evidence is a legal matter and part of the containment strategy, not a recovery action. All the other choices are recovery actions: during recovery, administrators restore systems to normal operation and harden them to prevent similar incidents, which includes rebuilding systems from scratch, changing passwords, and installing patches.
191. Contrary to best practices, which of the following parties is usually not notified at all or is notified last when a computer security incident occurs?
a. System administrator
b. Legal counsel
c. Disaster recovery coordinator
d. Hardware and software vendors
191. b. The first part of a response mechanism is notification, whether automatic or manual. Besides technical staff, several other parties must be notified, depending on the nature and scope of the incident. Unfortunately, legal counsel is often not notified at all, or is notified last, because those responding assume its involvement is not required.
192. Which of the following is not a viable option in the event of an audit processing failure or audit storage capacity being reached?
a. Shut down the information system.
b. Overwrite the oldest audit records.
c. Stop generating the audit records.
d. Continue processing after notification.
192. d. In the event of an audit processing failure or audit storage capacity being reached, the information system alerts appropriate management officials and takes additional actions such as shutting down the system, overwriting the oldest audit records, or stopping the generation of audit records. It should not continue processing, with or without notification, because the audit-related data would be lost.
193. Which of the following surveillance techniques is passive in nature?
a. Audit logs
b. Keyboard monitoring
c. Network sniffing
d. Online monitoring
193. a. Audit logs collect data passively on computer journals or files for later review and analysis followed by action. The other three choices are examples of active surveillance techniques where electronic (online) monitoring is done for immediate review and analysis followed by action.
194. A good computer security incident handling capability is closely linked to which of the following?
a. Systems software
b. Applications software
c. Training and awareness program
d. Help desk
194. c. A good incident handling capability is closely linked to an organization’s training and awareness program. It will have educated users about such incidents so users know what to do when they occur. This can increase the likelihood that incidents will be reported early, thus helping to minimize damage. The help desk is a tool to handle incidents. Intruders can use both systems software and applications software to create security incidents.
195. System users seldom consider which of the following?
a. Internet security
b. Residual data security
c. Network security
d. Application system security
195. b. System users seldom consider residual data security as part of their job duties because they think it is the job of computer operations or information security staff. Residual data security concerns data remanence: corporate spies can scavenge discarded magnetic or paper media to gain access to valuable data. Both system users and system managers usually consider the measures mentioned in the other three choices.
196. Which of the following is not a special privileged user?
a. System administrator
b. Business end-user
c. Security administrator
d. Computer operator
196. b. A special privileged user is defined as an individual who has access to system control, monitoring, or administration functions. A business end-user is a normal system user performing the day-to-day and routine tasks required by his job duties, and should not have special privileges as do the system administrator, security administrator, computer operator, system programmer, system maintainer, network administrator, or desktop administrator. Privileged users have access to a set of access rights on a given system. Privileged access to privileged functions should be limited to only a few individuals in the IT department and should not be given to or shared with business end-users, who are many.
197. Which of the following is the major consideration when an organization gives its incident response work to an outsourcer?
a. Division of responsibilities
b. Handling incidents at multiple locations
c. Current and future quality of work
d. Lack of organization-specific knowledge
197. c. The quality of the outsourcer’s work remains an important consideration. Organizations should consider not only the current quality of work, but also the outsourcer’s efforts to ensure the quality of future work, which are the major considerations. Organizations should think about how they could audit or otherwise objectively assess the quality of the outsourcer’s work. Lack of organization-specific knowledge will reflect in the current and future quality of work. The other three choices are minor considerations and are a part of the major considerations.
198. The incident response team should work with which of the following when attempting to contain, eradicate, and recover from large-scale incidents?
a. Advisory distribution team
b. Vulnerability assessment team
c. Technology watch team
d. Patch management team
198. d. Patch management staff work is separate from that of the incident response staff. Effective communication channels between the patch management team and the incident response team are likely to improve the success of a patch management program when containing, eradicating, and recovering from large-scale incidents. The activities listed in the other choices are the responsibility of the incident response team.
199. Which of the following is the foundation of the incident response program?
a. Incident response policies