CISM : Certified Information Security Manager : Part 69
-
When properly tested, which of the following would MOST effectively support an information security manager in handling a security breach?
- Business continuity plan
- Disaster recovery plan
- Incident response plan
- Vulnerability management plan
Explanation:
An incident response plan documents the step-by-step process to follow, as well as the roles and responsibilities of all parties involved in responding to an information security breach. A business continuity plan or disaster recovery plan would be triggered during execution of the incident response plan only when the breach impacts business continuity. A vulnerability management plan is a procedure for addressing technical vulnerabilities and mitigating the resulting risk through configuration changes (patch management). -
Isolation and containment measures for a compromised computer have been taken and information security management is now investigating. What is the MOST appropriate next step?
- Run a forensics tool on the machine to gather evidence
- Reboot the machine to break remote connections
- Make a copy of the whole system’s memory
- Document current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports
Explanation:
When investigating a security breach, it is important to preserve all traces of evidence left by the intruder. For this reason, it is imperative to preserve the memory contents of the machine so that they can be analyzed later. Making a copy of the whole system's memory is the correct choice: the memory image is obtained with the appropriate tools and kept for future analysis. This is also important from a legal perspective, since an attorney may argue that the system was changed during the conduct of the investigation. Running a computer forensics tool on the compromised machine will create at least one process that may overwrite evidence. Rebooting the machine will delete the contents of memory, erasing potential evidence. Collecting information about current connections and open Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports is useful, but doing so with tools on the live system may likewise overwrite memory contents. -
Why is "slack space" of value to an information security manager as part of an incident investigation?
- Hidden data may be stored there
- The slack space contains login information
- Slack space is encrypted
- It provides flexible space for the investigation
Explanation:
"Slack space" is the unused space between where the file data end and the end of the cluster the data occupy. Because the file system only overwrites the bytes the current file actually uses, fragments of earlier or deliberately hidden data can remain there. Login information is not typically stored in the slack space. Encryption of the slack space is no different from that of the rest of the file system. The slack space is not a viable means of storage during an investigation. -
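The explanation above describes slack space in words. The following is an added example, not part of the original question bank, that models a cluster run in memory so the effect can be seen: it assumes a 4096-byte cluster (the real allocation unit depends on the file system) and uses constructed data for both the "old" disk contents and the newly written file. The `write_file`, `carve_slack` and `demo` names are illustrative, not from any forensic tool.

```python
CLUSTER = 4096  # assumed cluster (allocation unit) size; real values depend on the file system


def slack_bytes(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Bytes between the end of the file data and the end of its last cluster."""
    if file_size <= 0:
        return 0
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def write_file(previous: bytes, file_data: bytes, cluster_size: int = CLUSTER) -> bytes:
    """Simulate allocating clusters over previously used disk space and writing a file.

    Only the bytes the file actually occupies are overwritten; whatever was stored in
    the rest of the last cluster survives as slack.
    """
    nclusters = -(-len(file_data) // cluster_size)  # ceiling division
    run = bytearray(previous[: nclusters * cluster_size].ljust(nclusters * cluster_size, b"\x00"))
    run[: len(file_data)] = file_data
    return bytes(run)


def carve_slack(run: bytes, file_size: int, cluster_size: int = CLUSTER) -> bytes:
    """Return the slack region of the final allocated cluster (what an investigator extracts)."""
    return run[file_size : file_size + slack_bytes(file_size, cluster_size)]


# Constructed data: an old export that once occupied these clusters, then a small
# file written over the same space.
PREVIOUS = b"CONFIDENTIAL payroll export; " * 400
FILE_DATA = b"hello world\n" * 100  # 1200 bytes, leaving 2896 bytes of slack in a 4096-byte cluster


def demo() -> bytes:
    """Write the small file over the old data and carve what is left in its last cluster."""
    run = write_file(PREVIOUS, FILE_DATA)
    return carve_slack(run, len(FILE_DATA))


if __name__ == "__main__":
    slack = demo()
    print(len(slack), "slack bytes; old fragment present:", b"CONFIDENTIAL" in slack)
```

One caveat for real investigations: modern file systems such as NTFS zero-fill the remainder of the last sector they write, so the recoverable region is usually the sectors between the last written sector and the end of the cluster, not the whole remainder as in this toy model. The carving logic is the same; only the starting offset changes.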
What is the PRIMARY objective of a post-event review in incident response?
- Adjust budget provisioning
- Preserve forensic data
- Improve the response process
- Ensure the incident is fully documented
Explanation:
The primary objective is to find any weakness in the current process and improve it. The other choices are all secondary. -
Detailed business continuity plans should be based PRIMARILY on:
- consideration of different alternatives.
- the solution that is least expensive.
- strategies that cover all applications.
- strategies validated by senior management.
Explanation:
A recovery strategy identifies the best way to recover a system in case of disaster and provides the basis on which detailed recovery procedures can be developed. Different strategies should be developed and all alternatives presented to senior management. Senior management should select the most appropriate strategy from the alternatives provided. The selected strategy should then be used for further development of the detailed business continuity plan. The selection of strategy depends on the criticality of the business process and the applications supporting it; it need not cover all applications. All recovery strategies have associated costs, which include the cost of preparing for disruptions and the cost of invoking the strategy in the event of a disruption. The latter can be insured against, but not the former. The best recovery option need not be the least expensive. -
A web server in a financial institution that has been compromised using a super-user account has been isolated, and proper forensic processes have been followed. The next step should be to:
- rebuild the server from the last verified backup.
- place the web server in quarantine.
- shut down the server in an organized manner.
- rebuild the server with original media and relevant patches.
Explanation:
The original media should be used since one can never be sure of all the changes a super-user may have made, nor the timeline in which these changes were made. Rebuilding from the last known verified backup is incorrect since the backup may itself have been compromised by the super-user at an earlier time. Placing the web server in quarantine should already have occurred as part of the forensic process. Shutting the server down in an organized manner is out of sequence and no longer a concern: the forensic process is already finished and evidence has already been acquired. -
Evidence from a compromised server has to be acquired for a forensic investigation. What would be the BEST source?
- A bit-level copy of all hard drive data
- The last verified backup stored offsite
- Data from volatile memory
- Backup servers
Explanation:
A bit-level copy of the hard drive produces a forensic-quality image that is admissible in a court of law. The last verified offsite backup and backup servers may not provide forensic-quality data for investigative work, since a backup typically captures only allocated files, not deleted data, slack or unallocated space. Data from volatile memory is valuable but on its own may not provide enough evidence. -
In the course of responding to an information security incident, the BEST way to treat evidence for possible legal action is defined by:
- international standards.
- local regulations.
- generally accepted best practices.
- organizational security policies.
Explanation:
Legal follow-up will most likely be performed locally where the incident took place; therefore, it is critical that the procedure of treating evidence is in compliance with local regulations. In certain countries, there are strict regulations on what information can be collected. When evidence collected is not in compliance with local regulations, it may not be admissible in court. There are no common regulations to treat computer evidence that are accepted internationally. Generally accepted best practices such as a common chain-of-custody concept may have different implementation in different countries, and thus may not be a good assurance that evidence will be admissible. Local regulations always take precedence over organizational security policies. -
Emergency actions are taken at the early stage of a disaster with the purpose of preventing injuries or loss of life and:
- determining the extent of property damage.
- preserving environmental conditions.
- ensuring orderly plan activation.
- reducing the extent of operational damage.
Explanation:
During an incident, emergency actions should minimize or eliminate casualties and damage to the business operation, thus reducing business interruptions. Determining the extent of property damage is not the consideration; emergency actions should minimize, not determine, the extent of the damage. Protecting/preserving environmental conditions may not be relevant. Ensuring orderly plan activation is important but not as critical as reducing damage to the operation. -
What is the FIRST action an information security manager should take when a company laptop is reported stolen?
- Evaluate the impact of the information loss
- Update the corporate laptop inventory
- Ensure compliance with reporting procedures
- Disable the user account immediately
Explanation:
The key step in such an incident is to report it to mitigate any loss. After this, the other actions should follow. -
Which of the following actions should take place immediately after a security breach is reported to an information security manager?
- Confirm the incident
- Determine impact
- Notify affected stakeholders
- Isolate the incident
Explanation:
Before performing analysis of impact, resolution, notification or isolation of an incident, it must be validated as a real security incident. -
When designing the technical solution for a disaster recovery site, the PRIMARY factor that should be taken into consideration is the:
- service delivery objective.
- recovery time objective (RTO).
- recovery window.
- maximum tolerable outage (MTO).
Explanation:
The length of the recovery window is defined by business management and determines the acceptable time frame between a disaster and the restoration of critical services/applications. The technical implementation of the disaster recovery (DR) site will be based on this constraint, especially the choice between a hot, warm or cold site. The service delivery objective is the level of service to be supported during the alternate process mode until the normal situation is restored; it is directly related to business needs. The recovery time objective (RTO) is commonly agreed to be the time frame between a disaster and the return to normal operations. It is therefore longer than the interruption window and is very difficult to estimate in advance. The time frame between the reduced operation mode at the end of the interruption window and the return to normal operations depends on the magnitude of the disaster, and technical disaster recovery solutions alone will not bring operations back to normal. Maximum tolerable outage (MTO) is the maximum time a company can operate in reduced mode before experiencing losses. Theoretically, the RTO equals the interruption window plus the maximum tolerable outage. This will not be the primary factor in the choice of the technical disaster recovery solution. -
In designing a backup strategy that will be consistent with a disaster recovery strategy, the PRIMARY factor to be taken into account will be the:
- volume of sensitive data.
- recovery point objective (RPO).
- recovery time objective (RTO).
- interruption window.
Explanation:
The recovery point objective (RPO) defines the maximum loss of data (in terms of time) acceptable to the business (i.e., the age of the data to be restored). It directly determines the basic elements of the backup strategy: the frequency of backups and the kind of backup that is most appropriate (disk-to-disk, tape, mirroring). The volume of data will be used to determine the capacity of the backup solution. The recovery time objective (RTO), the time between the disaster and the return to normal operation, will not have any impact on the backup strategy. The ability to restore backups in a time frame consistent with the interruption window will have to be checked and will influence the strategy (e.g., full backup vs. incremental), but this will not be the primary factor. -
An intrusion detection system (IDS) should:
- run continuously
- ignore anomalies
- require a stable, rarely changed environment
- be located on the network
Explanation:
If an intrusion detection system (IDS) does not run continuously, the business remains vulnerable. An IDS should detect, not ignore, anomalies. An IDS should be flexible enough to cope with a changing environment. Both host-based and network-based IDS are recommended for adequate detection, so an IDS need not be located only on the network.
-
The PRIORITY action to be taken when a server is infected with a virus is to:
- isolate the infected server(s) from the network.
- identify all potential damage caused by the infection.
- ensure that the virus database files are current.
- establish security weaknesses in the firewall.
Explanation:
The priority in this event is to minimize the effect of the virus infection and to prevent it from spreading by removing the infected server(s) from the network. After the network is secured from further infection, the damage assessment can be performed, the virus database updated and any weaknesses sought.
-
Which of the following provides the BEST confirmation that the business continuity/disaster recovery plan objectives have been achieved?
- The recovery time objective (RTO) was not exceeded during testing
- Objective testing of the business continuity/disaster recovery plan has been carried out consistently
- The recovery point objective (RPO) was proved inadequate by disaster recovery plan testing
- Information assets have been valued and assigned to owners per the business continuity plan, disaster recovery plan
Explanation:
Consistent achievement of the recovery time objective (RTO) during testing provides the most objective evidence that the business continuity/disaster recovery plan objectives have been achieved. Successful testing of the business continuity/disaster recovery plan within the stated RTO is the most indicative evidence that business needs are being met. Consistent testing by itself only shows that the plan is exercised, not that its objectives are met; an RPO proved inadequate by testing shows the opposite; and the mere valuation and assignment of information assets to owners (per the business continuity/disaster recovery plan) is a prerequisite for planning rather than confirmation that the plan's objectives have been achieved.
-
Which of the following situations would be the MOST concern to a security manager?
- Audit logs are not enabled on a production server
- The logon ID for a terminated systems analyst still exists on the system
- The help desk has received numerous reports of users receiving phishing e-mails
- A Trojan was found to be installed on a system administrator’s laptop
Explanation:
The discovery of a Trojan installed on a system administrator's laptop is highly significant, since it may mean that privileged user accounts and passwords have been compromised. The other choices, although important, do not pose as immediate or as critical a threat.
-
A customer credit card database has been breached by hackers. The FIRST step in dealing with this attack should be to:
- confirm the incident.
- notify senior management.
- start containment.
- notify law enforcement.
Explanation:
Asserting that the condition is a true security incident is the necessary first step in determining the correct response. The containment stage would follow. Notifying senior management and law enforcement could be part of the incident response process that takes place after confirming an incident.
-
A root kit was used to capture detailed accounts receivable information. To ensure admissibility of evidence from a legal standpoint, once the incident was identified and the server isolated, the next step should be to:
- document how the attack occurred.
- notify law enforcement.
- take an image copy of the media.
- close the accounts receivable system.
Explanation:
Taking an image copy of the media is a recommended practice to ensure legal admissibility. All of the other choices are subsequent and may be supplementary.
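Both this question and the earlier one on the best evidence source (bit-level copy versus a backup) turn on the same two properties of a forensic image: it copies every sector, allocated or not, and it is hashed at acquisition so that any later change is detectable. The following is an added example, not from the original question bank or any forensic product, that models both on a constructed three-sector "device" held in memory; the sector size, the `acquire`/`verify`/`logical_backup` names and the sample contents are all assumptions for illustration.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size of the constructed device


def sha256_stream(stream, chunk=1 << 16) -> str:
    """Hash a seekable stream from the beginning; used for both the source and the image."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def acquire(device, image, sector=SECTOR) -> dict:
    """Bit-level copy of every sector (allocated or not), with acquisition and verification hashes."""
    device.seek(0)
    image.seek(0)
    copied = 0
    for block in iter(lambda: device.read(sector), b""):
        image.write(block)
        copied += len(block)
    record = {
        "bytes_copied": copied,
        "acquisition_sha256": sha256_stream(device),
        "image_sha256": sha256_stream(image),
    }
    # The hash recorded here is what the chain-of-custody paperwork carries forward.
    record["verified"] = record["acquisition_sha256"] == record["image_sha256"]
    return record


def verify(image, expected_sha256: str) -> bool:
    """Re-hash the image later (before analysis, or when it is produced in court)."""
    return sha256_stream(image) == expected_sha256


# Constructed device: sector 0 is a boot area, sector 1 an allocated file, sector 2 a file
# that was deleted (bytes still on disk, no longer referenced by the file system).
ALLOCATED = {"ledger.txt": b"accounts receivable Q3".ljust(SECTOR, b"\x00")}
UNALLOCATED = b"DELETED: dump of ar_export.csv".ljust(SECTOR, b"\x00")


def constructed_device() -> io.BytesIO:
    return io.BytesIO(b"BOOT".ljust(SECTOR, b"\x00") + ALLOCATED["ledger.txt"] + UNALLOCATED)


def logical_backup(files: dict) -> bytes:
    """A file-level backup copies only what the file system reports; unallocated sectors are never read."""
    return b"".join(files.values())


def demo() -> dict:
    """Acquire the device, compare with a backup, then show that a one-byte change breaks verification."""
    device = constructed_device()
    image = io.BytesIO()
    record = acquire(device, image)
    marker = UNALLOCATED.rstrip(b"\x00")
    record["image_has_deleted_data"] = marker in image.getvalue()
    record["backup_has_deleted_data"] = marker in logical_backup(ALLOCATED)
    tampered = io.BytesIO(image.getvalue())
    tampered.seek(SECTOR + 5)
    tampered.write(b"X")  # a single byte altered after acquisition
    record["tampered_verifies"] = verify(tampered, record["image_sha256"])
    return record


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real acquisition the source is a block device opened read-only (ideally behind a hardware write blocker) and the image is written to separate media; the hashing and verification logic is what this example shows. The deleted-file marker is found in the image but not in the logical backup, which is why a backup is not equivalent evidence, and the tampered copy fails verification against the recorded hash, which is what makes the image defensible.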
-
When collecting evidence for forensic analysis, it is important to:
- ensure the assignment of qualified personnel.
- request the IT department do an image copy.
- disconnect from the network and isolate the affected devices.
- ensure law enforcement personnel are present before the forensic analysis commences.
Explanation:
Without the initial assignment of forensic expertise, the required levels of evidence may not be preserved. The IT department is unlikely to have that level of expertise and should, therefore, be prevented from taking action on its own. Disconnecting and isolating the affected devices may be a subsequent necessity that follows the assignment of qualified personnel. Involving law enforcement will likely occur after the forensic analysis has been completed.