CISM : Certified Information Security Manager : Part 68

  1. Which of the following is MOST important in determining whether a disaster recovery test is successful?

    • Only business data files from offsite storage are used
    • IT staff fully recovers the processing infrastructure
    • Critical business processes are duplicated
    • All systems are restored within recovery time objectives (RTOs)

    To ensure that a disaster recovery test is successful, it is most important to determine whether all critical business functions were successfully recovered and duplicated. Although ensuring that only materials taken from offsite storage are used in the test is important, this is not as critical in determining a test’s success. While full recovery of the processing infrastructure is a key recovery milestone, it does not ensure the success of a test. Achieving the RTOs is another important milestone, but does not necessarily prove that the critical business functions can be conducted, due to interdependencies with other applications and key elements such as data, staff, manual processes, materials and accessories, etc.

  2. Which of the following is MOST important when deciding whether to build an alternate facility or subscribe to a third-party hot site?

    • Cost to build a redundant processing facility and invocation
    • Daily cost of losing critical systems and recovery time objectives (RTOs)
    • Infrastructure complexity and system sensitivity
    • Criticality results from the business impact analysis (BIA)
    The complexity and business sensitivity of the processing infrastructure and operations largely determines the viability of such an option; the concern is whether the recovery site meets the operational and security needs of the organization. The cost to build a redundant facility is not relevant since only a fraction of the total processing capacity is considered critical at the time of the disaster and recurring contract costs would accrue over time. Invocation costs are not a factor because they will be the same regardless. The incremental daily cost of losing different systems and the recovery time objectives (RTOs) do not distinguish whether a commercial facility is chosen. Resulting criticality from the business impact analysis (BIA) will determine the scope and timeline of the recovery efforts, regardless of the recovery location.
  3. A new e-mail virus that uses an attachment disguised as a picture file is spreading rapidly over the Internet. Which of the following should be performed FIRST in response to this threat?

    • Quarantine all picture files stored on file servers
    • Block all e-mails containing picture file attachments
    • Quarantine all mail servers connected to the Internet
    • Block incoming Internet mail, but permit outgoing mail
    Until signature files can be updated, incoming e-mail containing picture file attachments should be blocked. Quarantining picture files already stored on file servers is not effective since these files must be intercepted before they are opened. Quarantine of all mail servers or blocking all incoming mail is unnecessary overkill since only those e-mails containing attached picture files are in question.
  4. When a large organization discovers that it is the subject of a network probe, which of the following actions should be taken?

    • Reboot the router connecting the DMZ to the firewall
    • Power down all servers located on the DMZ segment
    • Monitor the probe and isolate the affected segment
    • Enable server trace logging on the affected segment
    In the case of a probe, the situation should be monitored and the affected network segment isolated. Rebooting the router, powering down the demilitarized zone (DMZ) servers and enabling server trace routing are not warranted.
  5. Which of the following terms and conditions represent a significant deficiency if included in a commercial hot site contract?

    • A hot site facility will be shared in multiple disaster declarations
    • All equipment is provided “at time of disaster, not on floor”
    • The facility is subject to a “first-come, first-served” policy
    • Equipment may be substituted with equivalent model
    Equipment provided “at time of disaster (ATOD), not on floor” means that the equipment is not available but will be acquired by the commercial hot site provider ON a best effort basis. This leaves the customer at the mercy of the marketplace. If equipment is not immediately available, the recovery will be delayed. Many commercial providers do require sharing facilities in cases where there are multiple simultaneous declarations, and that priority may be established on a first-come, first-served basis. It is also common for the provider to substitute equivalent or better equipment, as they are frequently upgrading and changing equipment.
  6. Which of the following should be performed FIRST in the aftermath of a denial-of-service attack?

    • Restore servers from backup media stored offsite
    • Conduct an assessment to determine system status
    • Perform an impact analysis of the outage
    • Isolate the screened subnet

    An assessment should be conducted to determine whether any permanent damage occurred and the overall system status. It is not necessary at this point to rebuild any servers. An impact analysis of the outage or isolating the demilitarized zone (DMZ) or screen subnet will not provide any immediate benefit.

  7. Which of the following is the MOST important element to ensure the successful recovery of a business during a disaster?

    • Detailed technical recovery plans are maintained offsite
    • Network redundancy is maintained through separate providers
    • Hot site equipment needs are recertified on a regular basis
    • Appropriate declaration criteria have been established
    In a major disaster, staff can be injured or can be prevented from traveling to the hot site, so technical skills and business knowledge can be lost. It is therefore critical to maintain an updated copy of the detailed recovery plan at an offsite location. Continuity of the business requires adequate network redundancy, hot site infrastructure that is certified as compatible and clear criteria for declaring a disaster. Ideally, the business continuity program addresses all of these satisfactorily. However, in a disaster situation, where all these elements are present, but without the detailed technical plan, business recovery will be seriously impaired.
  8. The business continuity policy should contain which of the following?

    • Emergency call trees
    • Recovery criteria
    • Business impact assessment (BIA)
    • Critical backups inventory
    Recovery criteria, indicating the circumstances under which specific actions are undertaken, should be contained within a business continuity policy. Telephone trees, business impact assessments (BIAs) and listings of critical backup files are too detailed to include in a policy document.
  9. The PRIMARY purpose of installing an intrusion detection system (IDS) is to identify:

    • weaknesses in network security.
    • patterns of suspicious access.
    • how an attack was launched on the network.
    • potential attacks on the internal network.
    The most important function of an intrusion detection system (IDS) is to identify potential attacks on the network. Identifying how the attack was launched is secondary. It is not designed specifically to identify weaknesses in network security or to identify patterns of suspicious logon attempts.
  10. When an organization is using an automated tool to manage and house its business continuity plans, which of the following is the PRIMARY concern?

    • Ensuring accessibility should a disaster occur
    • Versioning control as plans are modified
    • Broken hyperlinks to resources stored elsewhere
    • Tracking changes in personnel and plan assets
    If all of the plans exist only in electronic form, this presents a serious weakness if the electronic version is dependent on restoration of the intranet or other systems that are no longer available. Versioning control and tracking changes in personnel and plan assets is actually easier with an automated system. Broken hyperlinks are a concern, but less serious than plan accessibility.
  11. Which of the following is the BEST way to verify that all critical production servers are utilizing up-to- date virus signature files?

    • Verify the date that signature files were last pushed out
    • Use a recently identified benign virus to test if it is quarantined
    • Research the most recent signature file and compare to the console
    • Check a sample of servers that the signature files are current
    The only accurate way to check the signature files is to look at a sample of servers. The fact that an update was pushed out to a server does not guarantee that it was properly loaded onto that server. Checking the vendor information to the management console would still not be indicative as to whether the file was properly loaded on the server. Personnel should never release a virus, no matter how benign.
  12. Which of the following actions should be taken when an information security manager discovers that a hacker is foot printing the network perimeter?

    • Reboot the border router connected to the firewall
    • Check IDS logs and monitor for any active attacks
    • Update IDS software to the latest available version
    • Enable server trace logging on the DMZ segment
    Information security should check the intrusion detection system (IDS) logs and continue to monitor the situation. It would be inappropriate to take any action beyond that. In fact, updating the IDS could create a temporary exposure until the new version can be properly tuned. Rebooting the router and enabling server trace routing would not be warranted.
  13. Which of the following are the MOST important criteria when selecting virus protection software?

    • Product market share and annualized cost
    • Ability to interface with intrusion detection system (IDS) software and firewalls
    • Alert notifications and impact assessments for new viruses
    • Ease of maintenance and frequency of updates
    For the software to be effective, it must be easy to maintain and keep current. Market share and annualized cost, links to the intrusion detection system (IDS) and automatic notifications are all secondary in nature.
  14. Which of the following is the MOST serious exposure of automatically updating virus signature files on every desktop each Friday at 11:00 p.m. (23.00 hrs.)?

    • Most new viruses* signatures are identified over weekends
    • Technical personnel are not available to support the operation
    • Systems are vulnerable to new viruses during the intervening week
    • The update’s success or failure is not known until Monday
    Updating virus signature files on a weekly basis carries the risk that the systems will be vulnerable to viruses released during the week; far more frequent updating is essential. All other issues are secondary to this very serious exposure.
  15. When performing a business impact analysis (BIA), which of the following should calculate the recovery time and cost estimates?

    • Business continuity coordinator
    • Information security manager
    • Business process owners
    • Industry averages benchmarks
    Business process owners are in the best position to understand the true impact on the business that a system outage would create. The business continuity coordinator, industry averages and even information security will not be able to provide that level of detailed knowledge.
  16. Which of the following is MOST closely associated with a business continuity program?

    • Confirming that detailed technical recovery plans exist
    • Periodically testing network redundancy
    • Updating the hot site equipment configuration every quarter
    • Developing recovery time objectives (RTOs) for critical functions
    Technical recovery plans, network redundancy and equipment needs are all associated with infrastructure disaster recovery. Only recovery time objectives (RTOs) directly relate to business continuity.
  17. Which of the following application systems should have the shortest recovery time objective (RTO)?

    • Contractor payroll
    • Change management
    • E-commerce web site
    • Fixed asset system
    In most businesses where an e-commerce site is in place, it would need to be restored in a matter of hours, if not minutes. Contractor payroll, change management and fixed assets would not require as rapid a recovery time.
  18. A computer incident response team (CIRT) manual should PRIMARILY contain which of the following documents?

    • Risk assessment results
    • Severity criteria
    • Emergency call tree directory
    • Table of critical backup files
    Quickly ranking the severity criteria of an incident is a key element of incident response. The other choices refer to documents that would not likely be included in a computer incident response team (CIRT) manual.
  19. The PRIMARY purpose of performing an internal attack and penetration test as part of an incident response program is to identify:

    • weaknesses in network and server security.
    • ways to improve the incident response process.
    • potential attack vectors on the network perimeter.
    • the optimum response to internal hacker attacks.
    An internal attack and penetration test are designed to identify weaknesses in network and server security. They do not focus as much on incident response or the network perimeter.
  20. Which of the following would represent a violation of the chain of custody when a backup tape has been identified as evidence in a fraud investigation? The tape was:

    • removed into the custody of law enforcement investigators.
    • kept in the tape library’ pending further analysis.
    • sealed in a signed envelope and locked in a safe under dual control.
    • handed over to authorized independent investigators.
    Since a number of individuals would have access to the tape library, and could have accessed and tampered with the tape, the chain of custody could not be verified. All other choices provide clear indication of who was in custody of the tape at all times.