Last Updated on October 26, 2022 by InfraExam

CISM : Certified Information Security Manager : Part 70

  1. What is the BEST method for mitigating against network denial of service (DoS) attacks?

    • Ensure all servers are up-to-date on OS patches
    • Employ packet filtering to drop suspect packets
    • Implement network address translation to make internal addresses nonroutable
    • Implement load balancing for Internet facing devices


    Packet filtering techniques are the only ones which reduce network congestion caused by a network denial of service (DoS) attack. Patching servers, in general, will not affect network traffic. Implementing network address translation and load balancing would not be as effective in mitigating most network DoS attacks.

  2. To justify the establishment of an incident management team, an information security manager would find which of the following to be the MOST effective?

    • Assessment of business impact of past incidents
    • Need of an independent review of incident causes
    • Need for constant improvement on the security level
    • Possible business benefits from incident impact reduction

    Business benefits from incident impact reduction would be the most important goal for establishing an incident management team. The assessment of business impact of past incidents would need to be completed to articulate the benefits. Having an independent review benefits the incident management process. The need for constant improvement on the security level is a benefit to the organization.

  3. A database was compromised by guessing the password for a shared administrative account and confidential customer information was stolen. The information security manager was able to detect this breach by analyzing which of the following?

    • Invalid logon attempts
    • Write access violations
    • Concurrent logons
    • Firewall logs

    Since the password for the shared administrative account was obtained through guessing, it is probable that there were multiple unsuccessful logon attempts before the correct password was deduced. Searching the logs for invalid logon attempts could, therefore, lead to the discovery of this unauthorized activity. Because the account is shared, reviewing the logs for concurrent logons would not reveal unauthorized activity since concurrent usage is common in this situation. Write access violations would not necessarily be observed since the information was merely copied and not altered. Firewall logs would not necessarily contain information regarding logon attempts.

  4. Which of the following is an example of a corrective control?

    • Diverting incoming traffic upon responding to the denial of service (DoS) attack
    • Filtering network traffic before entering an internal network from outside
    • Examining inbound network traffic for viruses
    • Logging inbound network traffic

    Diverting incoming traffic corrects the situation and, therefore, is a corrective control. Choice B is a preventive control. Choices C and D are detective controls.

  5. To determine how a security breach occurred on the corporate network, a security manager looks at the logs of various devices. Which of the following BEST facilitates the correlation and review of these logs?

    • Database server
    • Domain name server (DNS)
    • Time server
    • Proxy server

    To accurately reconstruct the course of events, a time reference is needed and that is provided by the time server. The other choices would not assist in the correlation and review of these logs.

  6. An organization has been experiencing a number of network-based security attacks that all appear to originate internally. The BEST course of action is to:

    • require the use of strong passwords.
    • assign static IP addresses.
    • implement centralized logging software.
    • install an intrusion detection system (IDS).

    Installing an intrusion detection system (IDS) will allow the information security manager to better pinpoint the source of the attack so that countermeasures may then be taken. An IDS is not limited to detection of attacks originating externally. Proper placement of agents on the internal network can be effectively used to detect an internally based attack. Requiring the use of strong passwords will not be sufficiently effective against a network-based attack. Assigning IP addresses would not be effective since these can be spoofed. Implementing centralized logging software will not necessarily provide information on the source of the attack.

  7. A serious vulnerability is reported in the firewall software used by an organization. Which of the following should be the immediate action of the information security manager?

    • Ensure that all OS patches are up-to-date
    • Block inbound traffic until a suitable solution is found
    • Obtain guidance from the firewall manufacturer
    • Commission a penetration test

    The best source of information is the firewall manufacturer since the manufacturer may have a patch to fix the vulnerability or a workaround solution. Ensuring that all OS patches are up-to-date is a best practice, in general, but will not necessarily address the reported vulnerability. Blocking inbound traffic may not be practical or effective from a business perspective. Commissioning a penetration test will take too much time and will not necessarily provide a solution for corrective actions.

  8. An organization keeps backup tapes of its servers at a warm site. To ensure that the tapes are properly maintained and usable during a system crash, the MOST appropriate measure the organization should perform is to:

    • use the test equipment in the warm site facility to read the tapes.
    • retrieve the tapes from the warm site and test them.
    • have duplicate equipment available at the warm site.
    • inspect the facility and inventory the tapes on a quarterly basis.

    A warm site is not fully equipped with the company’s main systems; therefore, the tapes should be tested using the company’s production systems. Inspecting the facility and checking the tape inventory does not guarantee that the tapes are usable.

  9. Which of the following processes is critical for deciding prioritization of actions in a business continuity plan?

    • Business impact analysis (BIA)
    • Risk assessment
    • Vulnerability assessment
    • Business process mapping

    A business impact analysis (BIA) provides results, such as impact from a security incident and required response times. The BIA is the most critical process for deciding which part of the information system/business process should be given prioritization in case of a security incident. Risk assessment is a very important process for the creation of a business continuity plan. Risk assessment provides information on the likelihood of occurrence of security incidents and assists in the selection of countermeasures, but not in the prioritization. As in choice B, a vulnerability assessment provides information regarding the security weaknesses of the system, supporting the risk analysis process. Business process mapping facilitates the creation of the plan by providing mapping guidance on actions after the decision on critical business processes has been made, translating business prioritization to IT prioritization. Business process mapping does not help in making a decision, but in implementing a decision.

  10. In addition to backup data, which of the following is the MOST important to store offsite in the event of a disaster?

    • Copies of critical contracts and service level agreements (SLAs)
    • Copies of the business continuity plan
    • Key software escrow agreements for the purchased systems
    • List of emergency numbers of service providers

    Without a copy of the business continuity plan, recovery efforts would be severely hampered or may not be effective. All other choices would not be as immediately critical as the business continuity plan itself. The business continuity plan would contain a list of the emergency numbers of service providers.

  11. An organization has learned of a security breach at another company that utilizes similar technology. The FIRST thing the information security manager should do is:

    • assess the likelihood of incidents from the reported cause.
    • discontinue the use of the vulnerable technology.
    • report to senior management that the organization is not affected.
    • remind staff that no similar security breaches have taken place.

    The security manager should first assess the likelihood of a similar incident occurring, based on available information. Discontinuing the use of the vulnerable technology would not necessarily be practical since it would likely be needed to support the business. Reporting to senior management that the organization is not affected due to controls already in place would be premature until the information security manager can first assess the impact of the incident. Until this has been researched, it is not certain that no similar security breaches have taken place.

  12. Which of the following is the MOST important consideration for an organization interacting with the media during a disaster?

    • Communicating specially drafted messages by an authorized person
    • Refusing to comment until recovery
    • Referring the media to the authorities
    • Reporting the losses and recovery strategy to the media

    Proper messages need to be sent quickly through a specific identified person so that there are no rumors or statements made that may damage reputation. Choices B, C and D are not recommended until the message to be communicated is made clear and the spokesperson has already spoken to the media.

  13. During the security review of organizational servers, it was found that a file server containing confidential human resources (HR) data was accessible to all user IDs. As a FIRST step, the security manager should:

    • copy sample files as evidence.
    • remove access privileges to the folder containing the data.
    • report this situation to the data owner.
    • train the HR team on properly controlling file permissions.

    The data owner should be notified prior to any action being taken. Copying sample files as evidence is not advisable since it breaches confidentiality requirements on the file. Removing access privileges to the folder containing the data should be done by the data owner or by the security manager in consultation with the data owner; however, this would be done only after formally reporting the incident. Training the human resources (HR) team on properly controlling file permissions is the method to prevent such incidents in the future, but should take place once the incident reporting and investigation activities are completed.

  14. If an organization considers taking legal action on a security incident, the information security manager should focus PRIMARILY on:

    • obtaining evidence as soon as possible.
    • preserving the integrity of the evidence.
    • disconnecting all IT equipment involved.
    • reconstructing the sequence of events.

    The integrity of evidence should be kept, following the appropriate forensic techniques to obtain the evidence and a chain of custody procedure to maintain the evidence (in order to be accepted in a court of law). All other options are part of the investigative procedure, but they are not as important as preserving the integrity of the evidence.

  15. Which of the following has the highest priority when defining an emergency response plan?

    • Critical data
    • Critical infrastructure
    • Safety of personnel
    • Vital records

    The safety of an organization’s employees should be the most important consideration given human safety laws. Human safety is considered first in any process or management practice. All of the other choices are secondary.

  16. The PRIMARY purpose of involving third-party teams for carrying out post event reviews of information security incidents is to:

    • enable independent and objective review of the root cause of the incidents.
    • obtain support for enhancing the expertise of the third-party teams.
    • identify lessons learned for further improving the information security management process.
    • obtain better buy-in for the information security program.

    It is always desirable to avoid the conflict of interest involved in having the information security team carry out the post event review. Obtaining support for enhancing the expertise of the third-party teams is one of the advantages, but is not the primary driver. Identifying lessons learned for further improving the information security management process is the general purpose of carrying out the post event review. Obtaining better buy-in for the information security program is not a valid reason for involving third-party teams.

  17. The MOST important objective of a post incident review is to:

    • capture lessons learned to improve the process.
    • develop a process for continuous improvement.
    • develop a business case for the security program budget.
    • identify new incident management tools.

    The main purpose of a post incident review is to identify areas of improvement in the process. Developing a process for continuous improvement is not true in every case. Developing a business case for the security program budget and identifying new incident management tools may come from the analysis of the incident, but are not the key objectives.

  18. Which of the following is the BEST mechanism to determine the effectiveness of the incident response process?

    • Incident response metrics
    • Periodic auditing of the incident response process
    • Action recording and review
    • Post incident review

    Post event reviews are designed to identify gaps and shortcomings in the actual incident response process so that these gaps may be improved over time. The other choices will not provide the same level of feedback in improving the process.

  19. The FIRST step in an incident response plan is to:

    • notify the appropriate individuals.
    • contain the effects of the incident to limit damage.
    • develop response strategies for systematic attacks.
    • validate the incident.

    Appropriate people need to be notified; however, one must first validate the incident. Containing the effects of the incident would be completed after validating the incident. Response strategies for systematic attacks should have already been developed prior to the occurrence of an incident.

  20. An organization has verified that its customer information was recently exposed. Which of the following is the FIRST step a security manager should take in this situation?

    • Inform senior management.
    • Determine the extent of the compromise.
    • Report the incident to the authorities.
    • Communicate with the affected customers.

    Before reporting to senior management, affected customers or the authorities, the extent of the exposure needs to be assessed.