The other three phases (preparation, recovery, and reporting) are less challenging. The preparation and prevention phase covers establishing plans, policies, and procedures. The recovery phase includes containment, restore, and eradication. The reporting phase involves understanding the internal and external reporting requirements in terms of report content and timeliness.

187. Regarding incident response data, nonperformance of which one of the following items makes the other items less important?

a. Quality of data

b. Review of data

c. Standard format for data

d. Actionable data

187. b. If incident response data is not reviewed regularly, the effectiveness of incident detection and analysis is questionable, regardless of whether the data is of high quality, in a standard format, or actionable. Proper and efficient review of incident-related data requires people with extensive specialized technical knowledge and experience.

188. Which of the following statements about incident management and response is not true?

a. Most incidents require containment.

b. Containment strategies vary based on the type of incident.

c. All incidents need eradication.

d. Eradication is performed during recovery for some incidents.

188. c. For some incidents, eradication is either unnecessary or is performed during recovery. Most incidents require containment, so it is important to consider it early in the course of handling each incident. Also, it is true that containment strategies vary based on the type of incident.

189. Which of the following is the correct sequence of events taking place in the incident response life cycle process?

a. Prevention, detection, preparation, eradication, and recovery

b. Detection, response, reporting, recovery, and remediation

c. Preparation, containment, analysis, prevention, and detection

d. Containment, eradication, recovery, detection, and reporting

189. b. The correct sequence of events in the incident response life cycle is detection, response, reporting, recovery, and remediation. Although the sequence starts with detection, certain underlying activities must be in place before detection can occur. These prior activities are preparation and prevention, which address plans, policies, procedures, resources, support, metrics, patch management processes, host hardening measures, and proper configuration of the network perimeter.

Detection involves the use of automated detection capabilities (for example, log analyzers) and manual detection capabilities (for example, user reports) to identify incidents. Response involves security staff offering advice and assistance to system users for the handling and reporting of security incidents (for example, help desk or forensic services). Reporting involves understanding the internal and external reporting requirements in terms of report content and timeliness. Recovery involves containment, restore, and eradication. Containment addresses how to control an incident before it spreads, to avoid consuming excessive resources and increasing the damage caused by the incident. Restore addresses bringing systems back to normal operations and hardening them to prevent similar incidents. Eradication addresses eliminating the affected components of the incident from the overall system to minimize further damage. Remediation involves tracking and documenting security incidents on an ongoing basis.

190. Which of the following is not a recovery action after a computer security incident was contained?

a. Rebuilding systems from scratch

b. Changing passwords

c. Preserving the evidence

d. Installing patches

190. c. Preserving the evidence is part of the containment strategy and is a legal matter, not a recovery action. In recovery, administrators restore systems to normal operation and harden them to prevent similar incidents; this includes rebuilding systems from scratch, changing passwords, and installing patches, as in the other three choices.

191. Contrary to best practices, which of the following parties is usually not notified at all or is notified last when a computer security incident occurs?

a. System administrator

b. Legal counsel

c. Disaster recovery coordinator
