testbankzip

Principles of Incident Response And Disaster Recovery 2nd Edition By Michael - Test Bank

Principles of Incident Response And Disaster Recovery 2nd Edition By Michael – Test Bank

$20.00

Edition:
2nd Edition
Format:
Zip File
Resource Type:
Test Bank
Duration:
Unlimited Downlaod
Delivery:
Instant Download

Description

Principles of Incident Response And Disaster Recovery 2nd Edition By Michael – Test Bank

Chapter 5: Incidence Response: Detection and Decision Making

TRUE/FALSE

1.According the to NIST definition of  an event as “any observable occurrence in a system or network,” all events are computer or network oriented.

ANS: F PTS: 1 REF: 167

2.To help make the detection of actual incidents more reliable, there are three broad categories of incident indicators that have been identified: possible, probable, and definite.

ANS: T PTS: 1 REF: 168

3.Most modern antivirus/anti-malware utilities cannot detect rootkits.

ANS: F PTS: 1 REF: 171

4.The Windows Task Manager can be used to seek out Trojan programs on Microsoft Windows computers.

ANS: F PTS: 1 REF: 176

5.Many attacks come through ports and then attack legitimate processes to allow themselves access or to conduct subsequent attacks.

ANS: T PTS: 1 REF: 197

MULTIPLE CHOICE

1.The process of evaluating the circumstances around organizational events includes determining which adverse events are possible incidents, or ____.

a.

critical violations

c.

hacker intrusions

b.

incident candidates

d.

service alarms

ANS: B PTS: 1 REF: 167

2.A(n) ____ is a sign that an adverse event is underway and has a probability of becoming an incident.

a.

precursor

c.

indication

b.

inactive system

d.

signal

ANS: C PTS: 1 REF: 168

3.A(n) ____ is a sign that an activity now occurring may signal an incident that could occur in the future.

a.

precursor

c.

indication

b.

inactive system

d.

signal

ANS: A PTS: 1 REF: 168

4.A ____ rootkit is one that becomes a part of the system bootstrap process and is loaded every time the system boots.

a.

user-mode

c.

kernel-mode

b.

memory-based

d.

persistent

ANS: D PTS: 1 REF: 170

5.In the event that a definite indicator is recognized, the corresponding ____ must be activated immediately.

a.

alarm

c.

rootkit

b.

IR plan

d.

IDPS

ANS: B PTS: 1 REF: 172

6.Most organizations will find themselves awash in incident candidates at one time or another, and the vast majority will be ____.

a.

definite indicators

c.

unusual system crashes

b.

reported attacks

d.

false positives

ANS: D PTS: 1 REF: 173

7.The ongoing activity from alarm events that are accurate and noteworthy but not necessarily significant as potentially successful attacks is called ____.

a.

confidence

c.

tuning

b.

false positive

d.

noise

ANS: D PTS: 1 REF: 184

8.A(n) ____ is the set of rules and configuration guidelines governing the implementation and operation of IDPSs within the organization.

a.

attack stimulus

c.

site policy

b.

confidence

d.

IR policy

ANS: C PTS: 1 REF: 185

9.The ____ of a hub, switch or other networking device is a specially configured connection that is capable of viewing all the traffic that moves through the entire device.

a.

monitoring port

c.

TCP/IP sensor

b.

external router

d.

IDPS console

ANS: A PTS: 1 REF: 189

10.The use of IDPS sensors and analysis systems can be quite complex. One very common approach is to use an open source software program called ____ running on an open source UNIX or Linux system that can be managed and queried from a desktop computer using a client interface.

a.

Sniff

c.

Match

b.

Snort

d.

Detector

ANS: B PTS: 1 REF: 190

11.Using a process known as ____, network-based IDPSs look for attack patterns by comparing measured activity to known signatures in their knowledge base to determine whether or not an attack has occurred or may be under way.

a.

packet sniffing

c.

traffic measurement

b.

port monitoring

d.

signature matching

ANS: D PTS: 1 REF: 191

12.In an attack known as ____, valid protocol packets exploit poorly configured DNS servers to inject false information to corrupt the servers’ answers to routine DNS queries from other systems on that network.

a.

denial-of-service (DoS)

c.

port mirroring

b.

DNS cache poisoning

d.

evasion

ANS: B PTS: 1 REF: 192

13.The ____ approach for detecting intrusions is based on the frequency with which certain network activities take place.

a.

signature-based IDPS

c.

anomaly-based IDPS

b.

knowledge-based IDPS

d.

host-based IDPS

ANS: C PTS: 1 REF: 205

Related Test Bank

Reviews

There are no reviews yet.

Be the first to review “Principles of Incident Response And Disaster Recovery 2nd Edition By Michael – Test Bank”

Your email address will not be published. Required fields are marked *