CDS348 Final Exam
One of the more commonly seen and most easily avoided incidents is the "blank" attack, where
employees are bombarded with numerous attempts to convince them to activate a link embedded in
an e-mail or respond to a request for communications with an unknown outside party, often
masquerading as a known entity - ANSWER-Phishing
a staffed control room where key security technologies, networks, and critical systems are monitored
for incidents is known as a(n) - ANSWER-security operations center
if an intruder can blank a device, then no electronic protection can deter the loss of information -
ANSWER-physical access
A(n) blank may signal an adverse event is under way and provide a notification of an incident
candidate - ANSWER-indicator
blank is the organized research and investigation of Internet addresses owned or controlled by a
target organization - ANSWER-footprinting
a series of steps that follow the stages of a cyberattack from early reconnaissance to the exfiltration
of data is known as the blank - ANSWER-cyber kill chain
A(n) blank may signal an incident that could occur in the future - ANSWER-precursor
the theft of organizational data, either physically or by extraction through the owners' networks is
called data blank - ANSWER-exfiltration
NIST SP 800-61, Rev. 1 provides a five-category classification scheme for network-based incidents
that includes each of these except - ANSWER-all of these are NIST incident classifications
a set of software functionalities with capabilities that different clients can reuse for different purposes
is called a(n) blank - ANSWER-service
which of the following is not a "probable indicator" of an incident - ANSWER-presence or execution of
unknown programs or processes
the failure of a technical control to react to the intended stimulus so that it goes unreported is called
a blank - ANSWER-false negative
gathering information on and identifying network assets is known as fingerprinting - ANSWER-true
the most common detection of ransomware is via a message to a user that they have been locked out
of their computer system, and that their files and data have been encrypted - ANSWER-true
the most common detection of a denial-of-service attack is a message to a user that they have been
locked out of their computer system, and that their files and data have been encrypted - ANSWER-false
software designed to penetrate security controls, identify valuable content, and then encrypt files and
data in order to extort payment for the key needed to unlock the encryption is known as blackmail -
ANSWER-false
an example of a possible indicator is if a business partner or another connected organization reports
an attack from your computing system - ANSWER-false
an indicator is an activity in progress that may signal an incident could occur in the future - ANSWER-false
only those with advanced technical skills within a certain set of hardware and software can manually
detect signs of a(n) blank through reviews of logs, systems performance, user feedback, and system
processes and tasks - ANSWER-intrusion
the use of IDPS sensors and analysis systems can be quite complex. One very common approach is to
use an open source software program called blank running on a UNIX or Linux system that can be
managed and queried from a desktop computer using a client interface - ANSWER-snort
which is the most important factor when selecting a SIEM solution - ANSWER-the extent to which the
SIEM system provides the required features the organization needs
like the Wiretap Act's prohibition on intercepting the contents of communications, the blank creates a
general prohibition on the real-time monitoring of traffic data relating to communications - ANSWER-Pen/Trap statute
the SIEM capability of blank enables review of system activity that can identify breaches and reveal
insider misuse - ANSWER-user monitoring
blank are closely monitored network decoys that can distract adversaries from more valuable
machines on a network, provide early warning about new attack and exploitation trends, and can
allow in-depth examination of adversaries during and after exploitation - ANSWER-honeypots
blank systems use a combination of resources to detect an intrusion and then track it back to its source;
they must be used with caution to avoid illegal actions - ANSWER-trap and trace
the SIEM capability of blank enables flexible and timely reaction to attacks - ANSWER-real-time monitoring
a blank rootkit is one that becomes a part of the system bootstrap process and is loaded every time
the system boots - ANSWER-persistent
the process of classifying the attack alerts that an IDPS detects in order to distinguish or sort false
positives from actual attacks more efficiently is known as alarm blank - ANSWER-filtering
by guarding against some types of vulnerabilities, an IDPS can become an important part of an
organization's blank strategy - ANSWER-defense in depth
a unique value or pattern of an attack that enables detection is called a(n) - ANSWER-signature
the ongoing activity from alarm events that are accurate and noteworthy but not necessarily as
significant as potentially successful attacks is called blank - ANSWER-noise
the problem with a signature based IDPS is that as new attack strategies are identified, the IDPS's
database of signatures must be continually updated - ANSWER-true
alarm condensation is a process based on frequency, similarity in attack signature, similarity in attack
target, or other similarities - ANSWER-false
tweaking is the process of adjusting an IDPS to maximize its efficiency in detecting true positives while
minimizing false positives and false negatives - ANSWER-false