security exam

1.

1 point

Which of these CSIRT services is a proactive service?

Vulnerability handling

Alerts and warnings

Technology watch

Artifact analysis

2.

1 point

In what phase in the intrusion kill chain model is antivirus a useful course of action?

Installation

Reconnaissance

Exploitation

Command and control

3.

2 points

What type of IDPS makes use of a clipping level?

Log file monitors

Anomaly-based IDPS

Signature-based IDPS

Automated response

4.

2 points

Which backup technique yield the shortest elapsed time needed to restore files?

Differential backup

Copy backup

Incremental backup

Full backup

5.

2 points

Which of these actions is NOT a containment, eradication or recovery action?

Removing malware

After action review

Confirm that the affected systems are functioning normally

Identify vulnerabilities that were exploited

6.

2 points

Which of these protocols are commonly misused in reflective DDoS attacks?

DNS, NTP and CHARGEN

CHARGEN, BGP and HTTPS

DNS, FTP and SSL

NTP, BGP and TLS

7.

1 point

What is an example of an atomic indicator?

Hash value

IP address

IDS rule

Regular expression

8.

2 points

In what phase in the intrusion kill chain model is data execution prevention (DEP) a useful course of action?

Installation

Command and control

Exploitation

Reconnaissance

9.

2 points

Which of these tools is NOT a NIDPS?

Suricata

Bro

Nmap

Snort

10.

1 point

What type of IDPS makes use of a clipping level?

Log file monitors

Signature‐based IDPS

Anomaly-based IDPS

Automated response

11.

2 points

Which of these is an example of a smoldering crisis?

Disruptions in utilities or vital services necessary for operations

A natural disaster that endagers stakeholders or disrupts operations

Revelations by disgruntled employees that receive media attention

Job actions or labor disruptions that lose control or containment

12.

2 points

Which of these statements is NOT correct?

Data communications contingency strategies rely on coordination with service providers.

Mainframe contingency strategies relies on decentralized key capabilities.

Client/server systems primary recovery control is frequent backups of data.

Mainframes are considered as being less robust than n-tier server architectures.

13.

2 points

What is the main difference between Risk Management and Business Continuity Management (BCM)?

BCM focuses more on how to prevent incidents

BCM is more concerned about availabilty of core processes

BCM key method is risk analysis

BCM key parameters are impact and probability

14.

2 points

Which of these tools is used for sharing of indicators between CSIRTs?

Virus Total

MISP

IP2Location

DNSDB

15.

2 points

Which of these is NOT a normal Windows process, and could indicate a malicious process running on a computer?

Explorer.exe

Scvhost.exe

Svchost.exe

Services.exe

16.

2 points

Which team should be in charge of resuming operations at an alternate site?

Business continuity team

Crisis management team

Disaster recovery team

Business restoration team

17.

2 points

Which of these is a typical infection vector for APT-malware?

Banking trojans

Spam

Spear phishing

Malvertizing

18.

2 points

Which of these is NOT an APT campaign name?

Sykipot

APT1

Nitro

Heartbleed

19.

2 points

Which of these incident indicators is an example of a definite indicator of an actual incident?

Notification from IDPS

Attack reported by a user

Unusual system crashes

Notifications by partner or peer

20.

2 points

Which of these vulnerabilities was most recently discovered?

Poodle

Venom

Ghost

Heartbleed

21.

2 points

in what disaster recovery phase do you evaluate the need to invoke the business continuity plan?

Recovery phase

Response phase

Resumption phase

Restoration phase

22.

2 points

What type of IDPS is most suitable for processing encrypted data?

NIDPS

AppIDPS

Wireless NIDPS

Log file monitors

23.

2 points

Which of these incident indicators is an example of a definite indicator of an actual incident?

Notification from IDPS

Use of dormant accounts

Unusual system crashes

Attack reported by a user

24.

2 points

Which of these statements is NOT correct?

Most crises fall into the category of bad management decisions.

Crises are most commonly the result of employee mistakes or acts of nature.

There are significantly more smoldering crises than sudden ones.

Over 40 percent of companies that experience a disaster never reopen.

25.

2 points

Which of these is NOT a good example of methods for collecting BIA data?

BCP/DRP audit documentation

Brainstorming sessions controlled by managers

IT application or system logs

Online questionnaires

26.

2 points

What can ISPs do to prevent IP source address spoofing commonly used in DDoS attacks?

Monitor BGP traffic to detect IP hijacking

Implement bogon filtering

Implement network ingress and egress filtering

Monitor DDoS backscatter traffic in darknets

27.

2 points

What can the tool Suricata be used for?

Network-based intrusion detection

Network packet manipulation

Forensics analysis

Network scanning

28.

1 point

What tool would be most useful when dealing with APTs?

Client honeypots

Spamtraps

Darknets

Passive Passive DNS

29.

2 points

What do we call the remaining risk after application of risk control strategies?

Residual risk

Transferred risk

Controlled risk

Mitigated risk

30.

2 points

Which CSIRT organizational model usually has the most diverse constituency?

Internal centralized CSIRT

Coordinating CSIRT

Internal distributed CSIRT

Internal combined distributed and centralized CSIRT

31.

2 points

What key downtime metric describes the period of time within which systems, applications, or functions must be recovered after an outage?

RTO

ROI

RPO

MTD

32.

2 points

Which of these indicators of malicious code indicates a possible Trojan horse infection?

New files or directories with unusual names

New and unfamiliar icons appearing on the desktop

Unexpected dialog boxes requesting permission to do something

Sudden increase in the number of e-mails being sent

33.

1 point

What kind of backup technique would you choose for a mission‐critical system?

Disk to disk to tape

Electronic vaulting

Remote journaling

Disk to disk to cloud

34.

2 points

What is an example of an atomic indicator?

Regular expression

IDS rule

Email address

Hash value

35.

2 points

Which of these decoys require the least amount of data monitoring?

Honeynet

Honeytoken

Honeypot farm

Honeypot

36.

2 points

Which of these is NOT an example of a shared-site resumption strategy?

Service agreements

Service bureaus

Time-share

Mutual agreements

37.

1 point

Name three key downtime metrics

BCP, DRP and IRP

RTO, RPO and ROI

MTD, RTO and RPO

BIA, MTD and RTO

38.

2 points

What can the tool scapy be used for?

Network packet manipulation

Network scanning

Network-based intrusion detection

Forensics analysis

39.

2 points

What should be the first step when building a CSIRT?

Obtain management support and buy-in

Gather relevant informasjon

Determine the CSIRT strategic plan

Design the CSIRT vision

40.

2 points

Which of these indicators of malicious code indicates a possible Trojan horse infection?

New and unfamiliar icons appearing on the desktop

Unknown processes running

Sudden increase in the number of e-mails being sent

Unexpected dialog boxes requesting permission to do something

41.

2 points

Which of these actions is NOT a containment, eradication or recovery action?

Identify vulnerabilities that were exploited

Confirm that the affected systems are functioning normally

Removing malware

Determine whether an incident has occured

42.

2 points

Which of these tools would be most useful for analyzing a pcap file?

Nmap

Zenmap

Wireshark

LaBrea