64 Cards in this Set
- Front
- Back
The three staffing models for the SIRT are _____, Partially Outsourced, and Fully Outsourced.
|
Employees
|
|
The three staffing models for the SIRT are Employees, _____ Outsourced, and Fully Outsourced.
|
Partially
|
|
The three staffing models for the SIRT are Employees, Partially Outsourced, and _____ Outsourced.
|
Fully
|
|
The five typical stakeholders included on the IR planning committee are _____ of _____ (such as general management, IT management, and InfoSec management), Organizational departments (such as Legal and HR), Public Relations department, General End Users, and Other groups (such as physical security, auditing and risk management, insurance, key business partners, contractors, temporary employee agencies, and consultants).
|
Communities of interest
|
|
The five typical stakeholders included on the IR planning committee are Communities of interest (such as general management, IT management, and InfoSec management), _____ departments (such as Legal and HR), Public Relations department, General End Users, and Other groups (such as physical security, auditing and risk management, insurance, key business partners, contractors, temporary employee agencies, and consultants).
|
Organizational
|
|
The five typical stakeholders included on the IR planning committee are Communities of interest (such as general management, IT management, and InfoSec management), Organizational departments (such as Legal and HR), _____ _____ department, General End Users, and Other groups (such as physical security, auditing and risk management, insurance, key business partners, contractors, temporary employee agencies, and consultants).
|
Public Relations
|
|
The five typical stakeholders included on the IR planning committee are Communities of interest (such as general management, IT management, and InfoSec management), Organizational departments (such as Legal and HR), Public Relations department, General _____ _____, and Other groups (such as physical security, auditing and risk management, insurance, key business partners, contractors, temporary employee agencies, and consultants).
|
End Users
|
|
The five typical stakeholders included on the IR planning committee are Communities of interest (such as general management, IT management, and InfoSec management), Organizational departments (such as Legal and HR), Public Relations department, General End Users, and _____ groups (such as physical security, auditing and risk management, insurance, key business partners, contractors, temporary employee agencies, and consultants).
|
Other
|
|
General Management is an example of _____.
|
Communities of interest
|
|
IT management is an example of _____.
|
Communities of interest
|
|
Infosec management is an example of _____.
|
Communities of interest
|
|
The Legal department is an example of _____.
|
Organizational departments
|
|
The HR department is an example of _____.
|
Organizational departments
|
|
Physical security is an example of _____.
|
Other groups
|
|
Auditing and risk management are examples of _____.
|
Other groups
|
|
Insurance is an example of _____.
|
Other groups
|
|
Key business partners are examples of _____.
|
Other groups
|
|
Contractors are examples of _____.
|
Other groups
|
|
Temporary employee agencies are examples of _____.
|
Other groups
|
|
Consultants are examples of _____.
|
Other groups
|
|
Verify an actual incident is occurring is an action taken when?
|
During the Incident
|
|
Determine the extent of exposure is an action taken when?
|
During the Incident
|
|
Attempt to contain or quarantine the damage is an action taken when?
|
During the Incident
|
|
Continue to look for small “flare-ups” is an action taken when?
|
During the Incident
|
|
Stages necessary to recover from the most likely events of the incident is an action taken when?
|
After the Incident
|
|
Protection from follow-on incidents is an action taken when?
|
After the Incident
|
|
Forensics analysis is an action taken when?
|
After the Incident
|
|
After-action review (AAR) is an action taken when?
|
After the Incident
|
|
Implement good information technology and information security practices is an action taken when?
|
Before an Incident
|
|
Implement preventative measures to manage risks is an action taken when?
|
Before an Incident
|
|
Ensure preparedness of the IR team is an action taken when?
|
Before an Incident
|
|
Presence of unfamiliar files is what type of incident indicator?
|
Possible
|
|
Presence or execution of unknown programs or processes is what type of incident indicator?
|
Possible
|
|
Unusual consumption of computing resources is what type of incident indicator?
|
Possible
|
|
Unusual system crashes is what type of incident indicator?
|
Possible
|
|
Activities at unexpected times is what type of incident indicator?
|
Probable
|
|
Presence of new accounts is what type of incident indicator?
|
Probable
|
|
Reported attacks is what type of incident indicator?
|
Probable
|
|
Notification from an intrusion detection system (IDS) is what type of incident indicator?
|
Probable
|
|
Use of dormant accounts is what type of incident indicator?
|
Definite
|
|
Changes to logs is what type of incident indicator?
|
Definite
|
|
Presence of hacker tools is what type of incident indicator?
|
Definite
|
|
Notifications by partner or peer is what type of incident indicator?
|
Definite
|
|
Notification by hacker is what type of incident indicator?
|
Definite
|
|
Loss of availability of information or systems is an indicator of what?
|
Actual Incident Underway
|
|
Loss of integrity of data is an indicator of what?
|
Actual Incident Underway
|
|
Loss of confidentiality (leaks or disclosures) is an indicator of what?
|
Actual Incident Underway
|
|
Violation of policy is an indicator of what?
|
Actual Incident Underway
|
|
Violation of law is an indicator of what?
|
Actual Incident Underway
|
|
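A worked example of turning the indicator cards above into detection logic, added here and not part of the flashcard set: it scans constructed audit-log lines for new accounts, use of dormant accounts, off-hours activity, unknown programs and cleared logs, and tags each finding with the Possible / Probable / Definite class the cards assign. The log format, the account names, the 60-day dormancy threshold, the 08:00-17:59 business-hours window and the allowlist of known programs are all assumptions made for the example.

```python
"""Indicator triage over audit-log lines, using the Possible / Probable /
Definite classes from the flashcards.

Added example, not part of the flashcard set. The log format, account
names, thresholds and the allowlist of known programs are constructed
assumptions for illustration only.
"""
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <EVENT> key=value ..." (constructed lines)
SAMPLE_LOG = """\
2024-03-01T09:02:11 LOGIN user=alice src=10.0.0.5
2024-03-01T09:15:40 LOGIN user=bob src=10.0.0.7
2024-03-04T10:03:02 LOGIN user=alice src=10.0.0.5
2024-05-20T03:14:09 LOGIN user=bob src=203.0.113.9
2024-05-20T03:15:30 ACCOUNT_CREATED user=svc_backup2 by=bob
2024-05-20T03:16:02 PROCESS_START user=bob exe=/tmp/.x
2024-05-20T03:18:45 LOG_CLEARED user=bob log=/var/log/auth.log
"""

BUSINESS_HOURS = range(8, 18)        # assumed: 08:00-17:59 is "expected" activity
DORMANT_AFTER = timedelta(days=60)   # assumed: no login for 60 days = dormant account
KNOWN_PROGRAMS = {"/usr/sbin/sshd", "/usr/sbin/cron", "/usr/bin/bash"}  # assumed allowlist

# Indicator class for each kind of finding, as given on the cards.
INDICATOR_CLASS = {
    "unknown program or process": "Possible",
    "activity at unexpected time": "Probable",
    "new account": "Probable",
    "use of dormant account": "Definite",
    "change to logs": "Definite",
}
SEVERITY = {"Possible": 0, "Probable": 1, "Definite": 2}


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts, event, *fields = line.split()
    return datetime.fromisoformat(ts), event, dict(f.split("=", 1) for f in fields)


def triage(log_text):
    """Return (indicator, class, user, timestamp) for every finding in the log."""
    findings = []
    last_login = {}  # user -> datetime of the previous LOGIN seen for that user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        user = kv.get("user", "?")
        if event == "LOGIN":
            prev = last_login.get(user)
            if prev is not None and ts - prev > DORMANT_AFTER:
                findings.append(("use of dormant account", user, ts))
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("activity at unexpected time", user, ts))
            last_login[user] = ts
        elif event == "ACCOUNT_CREATED":
            findings.append(("new account", user, ts))
        elif event == "PROCESS_START" and kv.get("exe") not in KNOWN_PROGRAMS:
            findings.append(("unknown program or process", user, ts))
        elif event == "LOG_CLEARED":
            findings.append(("change to logs", user, ts))
    return [(ind, INDICATOR_CLASS[ind], user, ts.isoformat()) for ind, user, ts in findings]


def highest_class(findings):
    """Strongest indicator class present, or None when nothing was flagged."""
    classes = [f[1] for f in findings]
    return max(classes, key=SEVERITY.get) if classes else None


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for indicator, cls, user, when in found:
        print(f"{cls:8} {indicator:28} user={user} at {when}")
    print("highest indicator class:", highest_class(found))
```

On the constructed log, bob's login after 80 idle days is a Definite indicator on its own, and the cleared auth log is a second one; the off-hours login and the new service account are Probable, and the process launched from /tmp is only Possible. The highest class present is what tells the responder whether "verify an actual incident is occurring" can be answered yet.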
The failure of an intrusion detection system to react to an actual attack event. Of all failures, this is the most grievous. (Attack is happening but no alarm has been triggered)
|
False Negative
|
|
An alarm or alert that indicates an attack is in progress or that an attack has successfully occurred, when in fact there was no attack. (No attack, yet an alarm has been triggered)
|
False Positive
|
|
Attack is happening and the IDS alarm has been triggered
|
True Positive
|
|
No Attack and No Alarm
|
True Negative
|
|
What is another term for a False Positive?
|
Noise
|
|
Legitimate activities wrongly reported as incident candidates
|
Noise
|
|
How may false positives be reduced?
|
Moving the sensor to reduce noise
|
|
An intrusion detection system that resides on a particular computer or server, known as the host, and monitors activity only on that system.
|
Host-based IDS (HIDS)
|
|
Monitors traffic on a segment of an organization's network. A NIDS looks for indications of ongoing or successful attacks and resides on a computer or appliance connected to that network segment.
|
Network-based IDS (NIDS)
|
|
An intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the computing system.
|
Application protocol-based IDS (APIDS)
|
|
Monitors an application
|
Application-based IDS (AppIDS)
|
|
Monitors a computer or server
|
Host-based IDS (HIDS)
|
|
Monitors network traffic
|
Network-based IDS (NIDS)
|
|
The two approaches to detecting IDS events are by _____ (examines data traffic in search of known patterns) and Statistical anomaly-based IDS (compares stored baselines of normal activity against current activity).
|
Signature-based IDS (knowledge-based IDS)
|
|
The two approaches to detecting IDS events are by Signature-based IDS (knowledge-based IDS) (examines data traffic in search of known patterns) and _____ (compares stored baselines of normal activity against current activity).
|
Statistical anomaly-based IDS
|
|
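A worked example, added here and not part of the flashcard set, that implements both detection approaches from the last two cards and scores each one against the true/false positive/negative definitions given earlier in the set. A signature-based check matches constructed request lines against two constructed attack patterns; a statistical anomaly-based check compares per-minute request counts against a constructed baseline; each output is then tallied as TP / FP / FN / TN. The signatures, the request lines, the baseline counts, the ground-truth labels and the 3-sigma threshold are all assumptions made for the example.

```python
"""Signature-based vs. statistical anomaly-based detection, with each
result tallied as true/false positive/negative per the flashcards.

Added example, not part of the flashcard set. Signatures, requests,
baseline counts, truth labels and the 3-sigma threshold are constructed.
"""
import re
import statistics

# Signature-based (knowledge-based) IDS: known patterns. Constructed for the example.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
}

# Constructed request lines and whether each one really is an attack.
REQUESTS = [
    "GET /index.html",                    # benign
    "GET /../../etc/passwd",              # known pattern: traversal
    "GET /search?q=' OR 1=1 --",          # known pattern: SQL injection
    "GET /login?user=%27%20OR%201%3D1",   # same injection, URL-encoded: no signature
    "GET /about.html",                    # benign
]
REQUEST_TRUTH = [False, True, True, True, False]

# Constructed requests-per-minute: a known-good baseline and a current window.
BASELINE_RPM = [50, 52, 48, 51, 49, 50, 53, 47]
CURRENT_RPM = [51, 49, 400, 58, 50]
CURRENT_TRUTH = [False, False, True, False, False]  # 400 = scanner; 58 = legitimate burst


def signature_alerts(requests):
    """One boolean per request: does any known pattern match it?"""
    return [any(sig.search(r) for sig in SIGNATURES.values()) for r in requests]


def anomaly_alerts(baseline, current, sigma=3.0):
    """One boolean per interval: is the count more than `sigma` standard
    deviations above the mean of the stored baseline?"""
    threshold = statistics.mean(baseline) + sigma * statistics.pstdev(baseline)
    return [count > threshold for count in current]


def score(alerts, truth):
    """Tally alerts against ground truth using the card definitions."""
    tally = {"true_positive": 0, "false_positive": 0,
             "false_negative": 0, "true_negative": 0}
    for alarm, attack in zip(alerts, truth):
        if alarm and attack:
            tally["true_positive"] += 1    # attack, alarm raised
        elif alarm:
            tally["false_positive"] += 1   # no attack, alarm raised ("noise")
        elif attack:
            tally["false_negative"] += 1   # attack, no alarm: the most grievous
        else:
            tally["true_negative"] += 1    # no attack, no alarm
    return tally


if __name__ == "__main__":
    print("signature:", score(signature_alerts(REQUESTS), REQUEST_TRUTH))
    print("anomaly:  ", score(anomaly_alerts(BASELINE_RPM, CURRENT_RPM), CURRENT_TRUTH))
```

The two tallies show the characteristic failure of each approach: the signature check misses the URL-encoded injection because the pattern store has no entry for it (a false negative, the failure the cards call most grievous), while the anomaly check flags the legitimate traffic burst because it only knows that 58 requests per minute is far from baseline (a false positive, the noise that tuning or moving the sensor is meant to reduce).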