Certified Incident Handler (CIH) Practice Questions
Which of the following terms may be defined as "a measure of possible inability to
achieve a goal, objective, or target within a defined security, cost plan and technical
limitations that adversely affects the organization's operation and revenues"? - answer
Risk
A Distributed Denial of Service (DDoS) attack is a more common type of DoS attack,
in which a single system is targeted by a large number of infected machines over the
Internet. In a DDoS attack, attackers first infect multiple systems, which are known as: -
answer Zombies
The goal of incident response is to handle the incident in a way that minimizes damage
and reduces recovery time and cost.
Which of the following does NOT constitute a goal of incident response? - answer
Dealing with the human resources department and various employee conflict behaviors.
An organization faced an information security incident where a disgruntled employee
passed sensitive access control information to a competitor. The organization's incident
response manager, upon investigation, found that the incident must be handled within a
few hours on the same day to maintain business continuity and market competitiveness.
How would you categorize such an information security incident? - answer High-level
incident
Business continuity is defined as the ability of an organization to continue to function
even after a disastrous event, accomplished through the deployment of redundant
hardware and software, the use of fault-tolerant systems, and a solid backup and
recovery strategy. Identify the plan that is a mandatory part of a business continuity
plan. - answer Business Recovery Plan
Which of the following is an appropriate flow of the incident recovery steps? -
answer System Restoration - System Validation - System Operations - System Monitoring
A computer risk policy is a set of ideas to be implemented to overcome the risk
associated with computer security incidents. Identify the procedure that is NOT part of
the computer risk policy. - answer Procedure for the ongoing training of employees
authorized to access the system
Identify the network security incident where intended authorized users are prevented
from using a system, network, or application by flooding the network with a high volume
of traffic that consumes all existing network resources. - answer Denial of Service Attack
Incident handling and response steps help you to detect, identify, respond to and manage
an incident. Which of the following steps focuses on limiting the scope and extent of an
incident? - answer Containment
Identify the malicious program that is masked as a genuine, harmless program and gives
the attacker unrestricted access to the user's information and system. These programs
may unleash dangerous programs that may erase the unsuspecting user's disk and
send the victim's credit card numbers and passwords to a stranger. - answer Trojan
Quantitative risk is the numerical determination of the probability of an adverse event
and the extent of the losses due to the event. Quantitative risk is calculated as: -
answer (Probability of Loss) X (Loss)
An incident recovery plan is a statement of actions that should be taken before, during
or after an incident. Identify which of the following is NOT an objective of the incident
recovery plan. - answer Creating new business processes to maintain profitability after
an incident
An audit trail policy collects all audit trails, such as a series of records of computer events
about an operating system, application or user activities. Which of the following
statements is NOT true for an audit trail policy? - answer It helps in calculating intangible
losses to the organization due to an incident
Computer forensics is a methodical series of techniques and procedures for gathering
evidence from computing equipment, various storage devices and/or digital media that
can be presented in a court of law in a coherent and meaningful format. Which one of
the following is an appropriate flow of steps in the computer forensics process? -
answer Preparation > Collection > Examination > Analysis > Reporting
Multiple component incidents consist of a combination of two or more attacks in a
system. Which of the following is not a multiple component incident? - answer An insider
intentionally deleting files from a workstation
Computer forensics is the branch of forensic science in which legal evidence is found in
any computer or any digital media device. Of the following, who is responsible for
examining the evidence acquired and separating the useful evidence? -
answer Evidence Examiner/Investigator
The network perimeter should be configured in such a way that it denies all incoming
and outgoing traffic/services that are not required. Which service listed below, if
blocked, can help in preventing a Denial of Service attack? - answer Echo service
A US Federal agency network was the target of a DoS attack that prevented and
impaired the normal authorized functionality of the networks. According to the agency's
reporting timeframe guidelines, this incident should be reported within two (2) HOURS
of discovery/detection if the successful attack is still ongoing and the agency is unable
to successfully mitigate the activity. Which incident category of the US Federal Agency
does this incident belong to? - answer CAT 2
US-CERT and Federal civilian agencies use the reporting timeframe criteria in the
federal agency reporting categorization. What is the timeframe required to report an
incident under the CAT 4 Federal Agency category? - answer Weekly
Identify a standard national process that establishes a set of activities, general tasks
and a management structure to certify and accredit systems that will maintain the
information assurance (IA) and security posture of a system or site. - answer NIACAP
Policies are designed to protect the organizational resources on the network by
establishing a set of rules and procedures. Which of the following policies authorizes a
group of users to perform a set of actions on a set of resources? - answer Access
control policy
When an employee is terminated from his or her job, what should be the next immediate
step taken by an organization? - answer All access rights of the employee to physical
locations, networks, systems, applications and data should be disabled
A threat source does not present a risk if there is NO vulnerability that can be exercised
for a particular threat source. Identify the step in which different threat sources are
defined: - answer Threat identification
In the Control Analysis stage of NIST's risk assessment methodology, technical and
non-technical control methods are classified into two categories. What are these two
control categories? - answer Preventive and Detective controls
Which of the following incident recovery testing methods works by creating a mock
disaster, such as a fire, to identify the reaction of the procedures that are implemented to
handle such situations? - answer Procedure testing
An incident is analyzed for its nature, intensity and its effects on the network and
systems. Which stage of the incident response and handling process involves auditing
the system and network log files? - answer Identification
Which among the following CERTs is an Internet provider to higher education
institutions and various other research institutions in the Netherlands and deals with all
cases related to computer security incidents in which a customer is involved either as a
victim or as a suspect? - answer SURFnet-CERT
One of the main objectives of incident management is to prevent incidents and attacks
by tightening the physical security of the system or infrastructure. According to CERT's
incident management process, which stage focuses on implementing infrastructure
improvements resulting from postmortem reviews or other process improvement
mechanisms? - answer Protection
Risk management consists of three processes: risk assessment, mitigation and
evaluation. Risk assessment determines the extent of the potential threat and the risk
associated with an IT system through its SDLC. How many primary steps does NIST's
risk assessment methodology involve? - answer Nine
Insider threats can be detected by observing concerning behaviors exhibited by
insiders, such as conflicts with supervisors and coworkers, decline in performance,
tardiness or unexplained absenteeism. Select the technique that helps in detecting
insider threats: - answer Correlating known patterns of suspicious and malicious
behavior
Contingency planning enables organizations to develop and maintain effective methods
to handle emergencies. Every organization will have its own specific requirements that
the planning should address. There are five major components of the IT contingency
plan, namely supporting information, notification/activation, recovery, reconstitution
and plan appendices. What is the main purpose of the reconstitution plan? - answer To
restore the original site, test systems to prevent the incident and terminate operations
The insider risk matrix consists of technical literacy and business process knowledge
vectors. Considering the matrix, one can conclude that: - answer If the insider's technical
literacy and process knowledge are high, the risk posed by the threat will be high.
Which policy recommends controls for securing and tracking organizational resources? -
answer Asset control policy
Which one of the following is the correct sequence of flow of the stages in an incident
response? - answer Preparation - Identification - Containment - Eradication - Recovery -
Follow-up
Organizations or incident response teams need to protect the evidence for any future
legal actions that may be taken against perpetrators who intentionally attacked the
computer system. EVIDENCE PROTECTION is also required to meet legal compliance
requirements. Which of the following documents helps in protecting evidence from physical or
logical damage? - answer Chain-of-Custody
Except for some common roles, the roles in an IRT are distinct for every organization.
Which among the following is the role played by the Incident Coordinator of an IRT? -
answer Links the groups that are affected by the incidents, such as legal, human
resources, different business areas and management