Deck 5: Incident Response: Reaction, Recovery, and Maintenance

Question
When an incident violates civil or criminal law and the crime is not directed at or does not affect the national infrastructure, the FBI may be able to assist the organization as effectively as state or local agencies can.
False
Question
Everyone should know how to handle an incident, not just the CISO and systems administrators.
True
Question
A(n) ____ has the first person call certain other people on the roster, who in turn call other people, and so on.

A)sequential roster
B)hierarchical roster
C)alert roster
D)alert message
B
Question
____ is the coherent application of methodical investigatory techniques to solve crime cases.

A)Forensics
B)Alarm Compaction
C)Signature matching
D)Scanning
Question
The ____ is a scripted description of the incident and consists of just enough information so that each responder knows what portion of the IR plan to implement without impeding the notification process.

A)sequential roster
B)hierarchical roster
C)alert roster
D)alert message
Question
The first and most important part of ____ is the identification and collection of evidentiary material without damage or modification of its content.

A)site policy
B)disaster recovery
C)Alarm Compaction
D)computer forensics
Question
The training plan should not include references to the provisioning of actual or contingent credentials needed to execute the containment and recovery steps in the plan.
Question
All changes proposed to the IR plan must be coordinated with the CPMT so that changes to the IR plan stay aligned with the use of other contingency planning documents used in the company.
Question
If properly structured and conducted, the ____ can have a positive effect on the organization's IR capacity and employee confidence in responding to incidents.

A)black bag operation
B)system backup
C)system maintenance
D)AAR
Question
____ is information, graphics, images, or any other physical or electronic item that could have value as evidence of guilt (or innocence) in a legal proceeding, whether criminal or civil.

A)Chain of custody
B)Evidentiary material
C)Computer forensics
D)False positive material
Question
If poorly handled, the ____ can actually reduce the organization's ability to react because individuals, especially users, may prefer to sweep potential incidents under the rug rather than risk improperly responding and having to face "the firing squad."

A)AAR
B)sequential roster
C)after-action review
D)system log
Question
A(n)____ requires that a contact person call each and every person on the roster.

A)sequential roster
B)hierarchical roster
C)alert roster
D)root roster
Question
____ is the determination of the initial flaw or vulnerability that allowed the incident to occur by examining the systems, networks, and procedures that were involved.

A)Hash analysis
B)Root cause analysis
C)black bag analysis
D)containment analysis
Question
An effective ____ plan guides an organization's response when an incident occurs, enables the prompt recovery of normal operations, and assists in the smooth transition to disaster recovery or business continuity plans when needed.

A)sequential roster
B)hierarchical
C)Incident Response
D)war game
Question
The first step in acquiring computer evidence is the establishment of ____ procedures.

A)search and seizure
B)after-action
C)incident response
D)disaster recovery
Question
____ involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis.

A)Alarm Compaction
B)Alarm filtering
C)Computer forensics
D)Enticement
Question
Rehearsals that closely match reality are called ____.

A)virtual reality
B)computer games
C)forensics
D)war games
Question
AARs are conducted with all participants in attendance.
Question
At the end of the incident review, the ____ serves as a review tool, allowing the team to examine how the team responded to the incident.

A)sequential roster
B)AAR
C)hierarchical roster
D)chain of custody
Question
A(n)____ is a document containing contact information for the individuals that need to be notified in the event of an actual incident.

A)sequential roster
B)hierarchical roster
C)alert roster
D)root roster
Question
The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called ______________________________.
Question
Match each statement with an item below.


-Provides information on the type, scope, and extent of damage caused by the incident.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
Incident ____________________ strategies focus on two tasks: stopping the incident and recovering control of the affected systems.
Question
A search in which the suspect never knows a search occurred, because the scene is restored to its original state, is called a ____.

A)white bag operation
B)blue bag operation
C)green bag operation
D)black bag operation
Question
Match each statement with an item below.


-Process by which a mathematical algorithm turns a variable-length input into a fixed-length output.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
The ____ has a bank fraud investigation unit, and the Securities and Exchange Commission has investigation and fraud control units as well.

A)FBI
B)U.S. Secret Service
C)CIA
D)U.S. Treasury Department
Question
Match each statement with an item below.


-Can provide training for future generations of SIRT professionals.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
The ____ handles computer crimes that are categorized as felonies.

A)FBI
B)U.S.Secret Service
C)U.S. Treasury Department
D)CIA
Question
Once an incident has been contained, and system control has been regained, incident ____________________ can begin.
Question
The ____ investigates crimes involving U.S. currency, counterfeiting, and certain cases involving credit card fraud and identity theft.

A)FBI
B)U.S. Secret Service
C)U.S. Treasury Department
D)CIA
Question
Match each statement with an item below.


-Combines skills from a number of disciplines, yet has its roots in two: computer science and criminal justice.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
Match each statement with an item below.


-Can be used to best assess how the incident occurred and what vulnerabilities were exploited to cause the damage assessed.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
The ____ is a log of everyone who has had access to or possession of evidentiary material from its collection to its presentation during legal proceedings.

A)system log
B)signature log
C)chain of custody
D)attack stimulus
Question
Match each statement with an item below.


-Involves three groups of stakeholders: end users, help desk personnel, and systems administrators.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
____ is a process by which a mathematical algorithm turns a variable-length input into a fixed-length output.

A)Compaction
B)Hashing
C)Clustering
D)Filtering
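The hashing definition on the card above, together with the earlier cards on the chain of custody and on collecting evidentiary material without damage or modification, is easiest to understand in working code. The script below is an added example written for this page; it is not code from the deck or from the textbook the cards come from. SHA-256 is my choice of algorithm, and the file name, the handler names and the evidence bytes are all constructed for the demonstration.

```python
"""Added example (not from the flashcard deck): hash evidence at collection,
keep a chain-of-custody log, and detect later modification.

Assumptions made for the example: evidence is a file on disk, SHA-256 is the
hash, and the custody log is an in-memory list of entries.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def _now() -> str:
    """UTC timestamp for log entries."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Variable-length input in, fixed-length hex digest out (the card's definition)."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-gigabyte disk image need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Chain of custody: who held the item, when, and what it hashed to at that moment.

    The first entry holds the acquisition hash; every later entry is compared to it.
    """

    def __init__(self, item: str):
        self.item = item
        self.entries = []

    def acquire(self, path: str, collector: str) -> str:
        """Record the reference hash at collection time."""
        digest = hash_file(path)
        self.entries.append({"event": "collected", "handler": collector,
                             "time": _now(), "sha256": digest})
        return digest

    def reference_hash(self) -> str:
        return self.entries[0]["sha256"]

    def transfer(self, path: str, giver: str, receiver: str) -> bool:
        """Record a hand-off; re-hash so the log shows integrity at each transfer."""
        digest = hash_file(path)
        intact = digest == self.reference_hash()
        self.entries.append({"event": "transferred", "from": giver, "to": receiver,
                             "time": _now(), "sha256": digest, "intact": intact})
        return intact

    def verify(self, path: str) -> bool:
        """Re-hash now (for example before presentation in court) and compare."""
        return hash_file(path) == self.reference_hash()


def demo() -> dict:
    """Collect -> transfer -> tamper -> verify on a constructed file.

    The evidence content and names below are made up for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        evidence = os.path.join(tmp, "mailbox.pst")
        with open(evidence, "wb") as f:
            f.write(b"constructed evidence bytes: user@example.test mailbox export\n")

        log = CustodyLog("mailbox.pst")
        log.acquire(evidence, collector="first responder")
        after_transfer = log.transfer(evidence, "first responder", "forensic examiner")

        # Simulate an examiner working on the original instead of a copy:
        # one appended byte changes the digest and breaks the chain.
        with open(evidence, "ab") as f:
            f.write(b"\n")
        after_tamper = log.verify(evidence)

        return {
            "intact_after_transfer": after_transfer,
            "intact_after_tamper": after_tamper,
            "entries": len(log.entries),
            "reference": log.reference_hash(),
        }


if __name__ == "__main__":
    print(demo())
```

The point of hashing at acquisition and again at every hand-off is that the log, not the examiner's word, shows the item was unmodified between collection and presentation; real workflows hash a forensic image and work only on copies, which the tamper step above deliberately violates.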
Question
Match each statement with an item below.


-Designed to stop the incident, mitigate its effects, and provide information that facilitates recovering from the incident.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
Match each statement with an item below.


-May increase in scope or severity to the point that the IR plan cannot adequately handle it.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
The ____________________ entails a detailed examination of the events that occurred from first detection to final recovery.
Question
Match each statement with an item below.


-Uses a subset of plans that are in place to create a realistic test environment.

A)IR plan
B)After-action review
C)Interview
D)Incident
E)System log
F)Forensics
G)War game
H)Computer forensics
I)Hashing
Question
Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the ____________________ phase.
Question
List seven best practices, provided by CERT, for responding to an intrusion.
Question
What are some of the questions that should be asked when reviewing the incident response plan?
Question
What are the steps involved in analyzing evidentiary material?
Question
What are the key steps in the Protect and Forget reaction strategy?
Question
Discuss five key steps in the Apprehend and Prosecute reaction strategy.
Question
List five incident containment strategies.
Question
In formulating an incident response strategy, what are some of the factors that influence the organization's decision process?
Question
What factors should be considered when determining the costs associated with an incident?
Question
What is the three-step methodology followed by computer forensics?
Question
What conditions must be met before a private organization can search an employee's computer?