181. b. If a computer site is vulnerable, management may favor the protect-and-recover reaction strategy because it increases the defenses available to the victim organization. This strategy also brings normalcy to the network's users as quickly as possible. Management can interfere with the intruder's activities, prevent further access, and begin damage assessment. This interference process may include shutting down the computer center, closing access to the network, and initiating recovery efforts.

Protect-and-preserve strategy is a part of a protect-and-recover strategy. Law enforcement authorities and prosecutors favor the trap-and-prosecute strategy. It lets intruders continue their activities until the security administrator can identify the intruder. In the meantime, there could be system damage or data loss. Pursue-and-proceed strategy is not relevant here.

182. A computer security incident handling capability should meet which of the following?

a. Users’ requirements

b. Auditors’ requirements

c. Security requirements

d. Safety requirements

182. a. There are a number of start-up costs and funding issues to consider when planning an incident handling capability. Because the success of an incident handling capability relies so heavily on the users’ perceptions of its worth and whether they use it, it is important that the capability meets users’ requirements. Two important funding issues are personnel and education and training.

183. Which of the following is not a primary benefit of an incident handling capability?

a. Containing the damage

b. Repairing the damage

c. Preventing the damage

d. Preparing for the damage

183. d. The primary benefits of an incident handling capability are containing and repairing damage from incidents and preventing future damage. Preparing for the damage is a secondary and side benefit.

184. All the following can co-exist with computer security incident handling except:

a. Help-desk function

b. System backup schedules

c. System development activity

d. Risk management process

184. c. System development activity is engaged in designing and constructing a new computer application system, whereas incident handling is needed during operation of the same application system. For example, for purposes of efficiency and cost savings, an incident-handling capability is often operated jointly with a user help desk. Also, backups of system resources need to be used when recovering from an incident. Similarly, the risk analysis process benefits from statistics and logs showing the numbers and types of incidents that have occurred and the types of controls that are effective in preventing such incidents. This information can be used to help select appropriate security controls and practices.

185. Which of the following decreases the response time for computer security incidents?

a. Electronic mail

b. Physical bulletin board

c. Terminal and modem

d. Electronic bulletin board

185. a. With computer security incidents, rapid communication is important. The incident team may need to send out security advisories or collect information quickly; thus some convenient form of communication, such as electronic mail (e-mail), is generally highly desirable. With e-mail, the team can easily direct information to various subgroups within the constituency, such as system managers or network managers, and broadcast general alerts to the entire constituency as needed. When connectivity already exists, e-mail has low overhead and is easy to use.

Although there are substitutes for e-mail, they tend to increase response time. An electronic bulletin board system (BBS) can work well for distributing information, especially if it provides a convenient user interface that encourages its use. A BBS connected to a network is more convenient to access than one requiring a terminal and modem; however, the latter may be the only alternative for organizations without sufficient network connectivity. In addition, telephones, physical bulletin boards, and flyers can be used, but they increase response time.

186. Which of the following incident response life-cycle phases is most challenging for many organizations?

a. Preparation

b. Detection

c. Recovery

d. Reporting

186. b. Detection, for many organizations, is the most challenging aspect of the incident response process. Actually detecting and assessing possible incidents is difficult. Determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem is not an easy task.
