Last Updated on July 16, 2021 by InfraExam
212-89 : EC-Council Certified Incident Handler : Part 02
US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 Federal Agency category?
- Within four (4) hours of discovery/detection if the successful attack is still ongoing and agency is unable to successfully mitigate activity
- Within two (2) hours of discovery/detection
Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.
Policies are designed to protect the organizational resources on the network by establishing the set rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?
- Access control policy
- Audit trail policy
- Logging policy
- Documentation policy
When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?
- All access rights of the employee to physical locations, networks, systems, applications and data should be disabled
- The organization should enforce separation of duties
- The access requests granted to an employee should be documented and vetted by the supervisor
- The organization should monitor the activities of the system administrators and privileged users who have permissions to access the sensitive information
A threat source does not present a risk if NO vulnerability that can be exercised for a particular threat source. Identify the step in which different threat sources are defined:
- Identification Vulnerabilities
- Control analysis
- Threat identification
- System characterization
In the Control Analysis stage of the NIST’s risk assessment methodology, technical and none technical control methods are classified into two categories. What are these two control categories?
- Preventive and Detective controls
- Detective and Disguised controls
- Predictive and Detective controls
- Preventive and predictive controls
Which of the following incident recovery testing methods works by creating a mock disaster, like fire to identify the reaction of the procedures that are implemented to handle such situations?
- Scenario testing
- Facility testing
- Live walk-through testing
- Procedure testing
An incident is analyzed for its nature, intensity and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?
- Incident recording
Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?
- Funet CERT
One of the main objectives of incident management is to prevent incidents and attacks by tightening the physical security of the system or infrastructure. According to CERT’s incident management process, which stage focuses on implementing infrastructure improvements resulting from postmortem reviews or other process improvement mechanisms?
Risk management consists of three processes, risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system through its SDLC. How many primary steps does NIST’s risk assessment methodology involve?
Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:
- Correlating known patterns of suspicious and malicious behavior
- Protecting computer systems by implementing proper controls
- Making is compulsory for employees to sign a none disclosure agreement
- Categorizing information according to its sensitivity and access rights
Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification activation, recovery and reconstitution and plan appendices. What is the main purpose of the reconstitution plan?
- To restore the original site, tests systems to prevent the incident and terminates operations
- To define the notification procedures, damage assessments and offers the plan activation
- To provide the introduction and detailed concept of the contingency plan
- To provide a sequence of recovery activities with the help of recovery procedures
The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:
- If the insider’s technical literacy is low and process knowledge is high, the risk posed by the threat will be insignificant.
- If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be insignificant.
- If the insider’s technical literacy is high and process knowledge is low, the risk posed by the threat will be high.
- If the insider’s technical literacy and process knowledge are high, the risk posed by the threat will be high.
Which policy recommends controls for securing and tracking organizational resources:
- Access control policy
- Administrative security policy
- Acceptable use policy
- Asset control policy
Which one of the following is the correct sequence of flow of the stages in an incident response:
- Containment – Identification – Preparation – Recovery – Follow-up – Eradication
- Preparation – Identification – Containment – Eradication – Recovery – Follow-up
- Eradication – Containment – Identification – Preparation – Recovery – Follow-up
- Identification – Preparation – Containment – Recovery – Follow-up – Eradication
Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. EVIDENCE PROTECTION is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage:
- Network and host log records
- Forensic analysis report
Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?
- Links the appropriate technology to the incident to ensure that the foundation’s offices are returned to normal operations as quickly as possible
- Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management
- Applies the appropriate technology and tries to eradicate and recover from the incident
- Focuses on the incident and handles it from management and technical point of view
The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigations of the incident. Identify the stage of the incident response and handling process in which complete backup of the infected system is carried out?
- Incident recording
- Incident investigation
In a qualitative risk analysis, risk is calculated in terms of:
- (Attack Success + Criticality ) –(Countermeasures)
- Asset criticality assessment – (Risks and Associated Risk Levels)
- Probability of Loss X Loss
- (Countermeasures + Magnitude of Impact) – (Reports from prior risk assessments)