Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 71
A possible breach of an organization’s IT system is reported by the project manager. What is the FIRST thing the incident response manager should do?
- Run a port scan on the system
- Disable the logon ID
- Investigate the system logs
- Validate the incident
When investigating a possible incident, it should first be validated. Running a port scan on the system, disabling the logon IDs and investigating the system logs may be required based on preliminary forensic investigation, but doing so as a first step may destroy the evidence.
The PRIMARY consideration when defining recovery time objectives (RTOs) for information assets is:
- regulatory requirements.
- business requirements.
- financial value.
- IT resource availability.
The criticality to the business should always drive the decision. Regulatory requirements could be more flexible than business needs. The financial value of an asset may not correspond to its business value. While a consideration, IT resource availability is not a primary factor.
What task should be performed once a security incident has been verified?
- Identify the incident.
- Contain the incident.
- Determine the root cause of the incident.
- Perform a vulnerability assessment.
Identifying the incident means verifying whether an incident has occurred and finding out more details about the incident. Once an incident has been confirmed (identified), the incident management team should limit further exposure. Determining the root cause takes place after the incident has been contained. Performing a vulnerability assessment takes place after the root cause of an incident has been determined, in order to find new vulnerabilities.
An information security manager believes that a network file server was compromised by a hacker. Which of the following should be the FIRST action taken?
- Ensure that critical data on the server are backed up.
- Shut down the compromised server.
- Initiate the incident response process.
- Shut down the network.
The incident response process will determine the appropriate course of action. If the data have been corrupted by a hacker, the backup may also be corrupted. Shutting down the server is likely to destroy any forensic evidence that may exist and may be required by the investigation. Shutting down the network is a drastic action, especially if the hacker is no longer active on the network.
An unauthorized user gained access to a merchant’s database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect evidence of the unauthorized intrusion activities?
- Shut down and power off the server.
- Duplicate the hard disk of the server immediately.
- Isolate the server from the network.
- Copy the database log file to a protected server.
Isolating the server will prevent further intrusions and protect evidence of intrusion activities left in memory and on the hard drive. Some intrusion activities left in virtual memory may be lost if the system is shut down. Duplicating the hard disk will only preserve the evidence on the hard disk, not the evidence in virtual memory, and will not prevent further unauthorized access attempts. Copying the database log file to a protected server will not provide sufficient evidence should the organization choose to pursue legal recourse.
Which of the following would be a MAJOR consideration for an organization defining its business continuity plan (BCP) or disaster recovery program (DRP)?
- Setting up a backup site
- Maintaining redundant systems
- Aligning with recovery time objectives (RTOs)
- Data backup frequency
BCP and DRP should align with business RTOs. The RTO represents the amount of time allowed for the recovery of a business function or resource after a disaster occurs. The RTO must be taken into consideration when prioritizing systems for recovery efforts to ensure that the systems the business requires first are the ones that are recovered first.
Which of the following would be MOST appropriate for collecting and preserving evidence?
- Encrypted hard drives
- Generic audit software
- Proven forensic processes
- Log correlation software
When collecting evidence about a security incident, it is very important to follow appropriate forensic procedures to handle electronic evidence by a method approved by local jurisdictions. All other options will help when collecting or preserving data about the incident; however, these data might not be accepted as evidence in a court of law if they are not collected by a method approved by local jurisdictions.
Of the following, which is the MOST important aspect of forensic investigations?
- The independence of the investigator
- Timely intervention
- Identifying the perpetrator
- Chain of custody
Establishing the chain of custody is one of the most important steps in conducting forensic investigations since it preserves the evidence in a manner that is admissible in court. The independence of the investigator may be important, but is not the most important aspect. Timely intervention is important for containing incidents, but not as important for forensic investigation. Identifying the perpetrator is important, but maintaining the chain of custody is more important in order to have the perpetrator convicted in court.
In the course of examining a computer system for forensic evidence, data on the suspect media were inadvertently altered. Which of the following should have been the FIRST course of action in the investigative process?
- Perform a backup of the suspect media to new media.
- Perform a bit-by-bit image of the original media source onto new media.
- Make a copy of all files that are relevant to the investigation.
- Run an error-checking program on all logical drives to ensure that there are no disk errors.
The original hard drive or suspect media should never be used as the source for analysis. The source or original media should be physically secured and used only as the master from which a bit-by-bit image is created. The original should be stored using the appropriate procedures, depending on location, and the image created for forensic analysis should be the copy that is examined. A backup does not preserve 100 percent of the data, such as erased or deleted files and data in slack space, which may be critical to the investigative process. Once data on the source are altered, they may no longer be admissible in court. Continuing the investigation while merely documenting the date, time and data altered does not cure this; such evidence may not be admissible in legal proceedings. The organization needs to know the requirements for collecting and preserving forensic evidence in its own jurisdiction.
Which of the following recovery strategies has the GREATEST chance of failure?
- Hot site
- Redundant site
- Reciprocal arrangement
- Cold site
A reciprocal arrangement is an agreement that allows two organizations to back up each other during a disaster. This approach sounds desirable, but has the greatest chance of failure due to problems in keeping agreements and plans up to date. A hot site is incorrect because it is a site kept fully equipped with processing capabilities and other services by the vendor. A redundant site is incorrect because it is a site equipped and configured exactly like the primary site. A cold site is incorrect because it is a building having a basic environment such as electrical wiring, air conditioning, flooring, etc. and is ready to receive equipment in order to operate.
Recovery point objectives (RPOs) can be used to determine which of the following?
- Maximum tolerable period of data loss
- Maximum tolerable downtime
- Baseline for operational resiliency
- Time to restore backups
The RPO is determined based on the acceptable data loss in the case of disruption of operations. It indicates the farthest point in time prior to the incident to which it is acceptable to recover the data. RPO effectively quantifies the permissible amount of data loss in the case of interruption. It also dictates the frequency of backups required for a given data set since the smaller the allowable gap in data, the more frequent that backups must occur.
Which of the following disaster recovery testing techniques is the MOST cost-effective way to determine the effectiveness of the plan?
- Preparedness tests
- Paper tests
- Full operational tests
- Actual service disruption
Preparedness tests involve simulating the plan, or parts of it, in phases, and help the team better understand and prepare for the actual test scenario. The other options are not cost-effective ways to establish plan effectiveness. Paper tests in a walk-through do not include simulation, so there is less learning and it is difficult to obtain evidence that the team has understood the plan. Actual service disruption is not recommended in most cases. Full operational tests require approval from management, are not easy or practical to carry out in most scenarios and may themselves trigger a disaster.
When electronically stored information is requested during a fraud investigation, which of the following should be the FIRST priority?
- Assigning responsibility for acquiring the data
- Locating the data and preserving the integrity of the data
- Creating a forensically sound image
- Issuing a litigation hold to all affected parties
Locating the data and preserving data integrity is the only correct answer because it represents the primary responsibility of an investigator and is a complete and accurate statement of the first priority. While assigning responsibility for acquiring the data is a step that should be taken, it is not the first step or the highest priority. Creating a forensically sound image may or may not be a necessary step, depending on the type of investigation, but it would never be the first priority. Issuing a litigation hold to all affected parties might be a necessary step early on in an investigation of certain types, but not the first priority.
When creating a forensic image of a hard drive, which of the following should be the FIRST step?
- Identify a recognized forensics software tool to create the image.
- Establish a chain of custody log.
- Connect the hard drive to a write blocker.
- Generate a cryptographic hash of the hard drive contents.
The first step in any investigation requiring the creation of a forensic image should always be to maintain the chain of custody. Identifying a recognized forensics software tool to create the image is one of the important steps, but it should come after several of the other options. Connecting the hard drive to a write blocker is an important step, but it must be done after the chain of custody has been established. Generating a cryptographic hash of the hard drive contents is another important step, but one that comes after several of the other options.
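The two explanations above describe a fixed sequence: open a chain-of-custody record, protect the original from writes, take a bit-by-bit image, and hash both so the image can be proven identical to the source and later re-verified before analysis. The Python script below is an added example, not code from the original page or from ISACA, that walks through that sequence against a constructed sample "drive" file so it runs offline. It assumes a hardware write blocker is already in place (software can only open the source read-only, which is not a substitute), and the custodian and evidence identifiers are placeholders.

```python
"""Added example: bit-for-bit acquisition with hash verification and a
chain-of-custody log (JSON lines). Not from the original page; the custodian
name and evidence id below are hypothetical placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB pieces so large media are not loaded into RAM


def sha256_file(path):
    """Streamed SHA-256 of a file; used to verify an image before every analysis session."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def custody_entry(log_path, custodian, evidence_id, action, details):
    """Append one timestamped, attributed entry to the chain-of-custody log."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "evidence_id": evidence_id,
        "action": action,
        "details": details,
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def acquire_image(source, image, log_path, custodian, evidence_id):
    """Image `source` to `image` bit for bit, hashing the source stream and the
    finished image, and record the whole act in the custody log."""
    # Step 1 (per the page): the custody record exists before anything touches the media.
    custody_entry(log_path, custodian, evidence_id, "acquisition-start", {"source": source})
    # Step 2: the source is only ever opened read-only; the assumed hardware write
    # blocker is what actually guarantees nothing is written to the original.
    src_digest = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_digest.update(chunk)   # Step 4: hash computed from the same bytes that were copied
            dst.write(chunk)           # Step 3: bit-by-bit copy, including slack/unallocated bytes
    image_hash = sha256_file(image)
    verified = src_digest.hexdigest() == image_hash
    custody_entry(log_path, custodian, evidence_id, "acquisition-complete", {
        "image": image,
        "sha256_source": src_digest.hexdigest(),
        "sha256_image": image_hash,
        "verified": verified,
    })
    return {"sha256": image_hash, "verified": verified}


def verify_image(image, expected_sha256, log_path, custodian, evidence_id):
    """Re-hash the image before analysis and log the result; analysis works on the
    image, never on the original media."""
    ok = sha256_file(image) == expected_sha256
    custody_entry(log_path, custodian, evidence_id, "integrity-check", {"image": image, "ok": ok})
    return ok


def read_log(log_path):
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def demo():
    """Run the sequence against a constructed 3 MiB + 123 byte pseudo-random file."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_media.bin")
    image = os.path.join(workdir, "EV-001.dd")
    log_path = os.path.join(workdir, "chain_of_custody.jsonl")
    with open(source, "wb") as fh:           # constructed sample media, not real evidence
        fh.write(os.urandom(3 * CHUNK + 123))
    custodian, evidence_id = "analyst-01 (placeholder)", "EV-001 (placeholder)"
    result = acquire_image(source, image, log_path, custodian, evidence_id)
    still_ok = verify_image(image, result["sha256"], log_path, custodian, evidence_id)
    # The source hash taken afterwards must equal the recorded one: the original was not altered.
    source_untouched = sha256_file(source) == result["sha256"]
    return result, still_ok, source_untouched, read_log(log_path), os.path.getsize(source), os.path.getsize(image)


if __name__ == "__main__":
    res, ok, untouched, log, ssize, isize = demo()
    print(f"image sha256={res['sha256']} verified={res['verified']} recheck={ok} untouched={untouched}")
    for entry in log:
        print(entry["time_utc"], entry["action"], entry["details"])
```

The log is append-only JSON lines so each entry carries who, when and what, which is the information a court will ask for; the hash is computed from the bytes as they are copied rather than from a second read of the original, so the source is read exactly once.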
Which of the following is the initial step in creating a firewall policy?
- A cost-benefit analysis of methods for securing the applications
- Identification of network applications to be externally accessed
- Identification of vulnerabilities associated with network applications to be externally accessed
- Creation of an applications traffic matrix showing protection methods
The applications required across the network should be identified first. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications. Having identified the applications, the next step is to identify the vulnerabilities (weaknesses) associated with them. Identifying methods to protect against the identified vulnerabilities, together with a comparative cost-benefit analysis, is the third step. The final step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
- User management coordination does not exist.
- Specific user accountability cannot be established.
- Unauthorized users may have access to originate, modify or delete data.
- Audit recommendations may not be implemented.
Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that one could gain (be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.
In an organization, the responsibilities for IT security are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
Boards of directors and executive management can use the information security governance maturity model to establish rankings for security in their organizations. The ranks are nonexistent, initial, repeatable, defined, managed and optimized. When the responsibilities for IT security in an organization are clearly assigned and enforced and an IT security risk and impact analysis is consistently performed, it is said to be ‘managed and measurable.’
When developing a security architecture, which of the following steps should be executed FIRST?
- Developing security procedures
- Defining a security policy
- Specifying an access control methodology
- Defining roles and responsibilities
Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies will often set the stage in terms of what tools and procedures are needed for an organization. The other choices should be executed only after defining a security policy.
An organization provides information to its supply chain partners and customers through an extranet infrastructure. Which of the following should be the GREATEST concern to an IS auditor reviewing the firewall security architecture?
- A Secure Sockets Layer (SSL) has been implemented for user authentication and remote administration of the firewall.
- Firewall policies are updated on the basis of changing requirements.
- Inbound traffic is blocked unless the traffic type and connections have been specifically permitted.
- The firewall is placed on top of the commercial operating system with all installation options.
The greatest concern when implementing firewalls on top of commercial operating systems is the potential presence of vulnerabilities that could undermine the security posture of the firewall platform itself. In most circumstances, when commercial firewalls are breached, the breach is facilitated by vulnerabilities in the underlying operating system. Keeping all installation options available on the system further increases the risk of vulnerabilities and exploits. Using SSL for firewall administration is important. Because the roles and profiles of users and supply chain partners will change dynamically, it is appropriate to maintain the firewall policies daily, and prudent to block all inbound traffic unless it has been specifically permitted.
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
- Assimilation of the framework and intent of a written security policy by all appropriate parties
- Management support and approval for the implementation and maintenance of a security policy
- Enforcement of security rules by providing punitive actions for any violation of security rules
- Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value. Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user’s education on the importance of security.