CCNA Cyber Ops FAQ: Introduction to Incident Response and the Incident Handling Process
Q1. What NIST special publication covers the incident response process?
A. Special Publication 800-61
B. Judiciary, private, and individual investigations
C. Public, private, and corporate investigations
D. Government, corporate, and private investigations
Q2. Which of the following is not part of the policy elements described in NIST’s Special Publication 800-61?
A. Statement of management commitment
B. Purpose and objectives of the incident response policy
C. The scope of the incident response policy
D. Definition of QoS policies in network infrastructure devices
Q3. Which of the following is NIST’s definition of standard operating procedures (SOPs)?
A. A delineation of the specific IPS signatures to be deployed in the network
B. A delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team
C. A delineation of the specific firewall rules to be deployed in the network
D. A suspect-led approach that’s mostly used in private investigations
Q4. Which of the following is not a phase of the incident response process?
A. Preparation
B. Containment, eradication, and recovery
C. Post-incident activity
D. Network monitoring phase
Q5. Incident prioritization is part of which phase of the incident response process?
A. Preparation
B. Containment, eradication, and recovery
C. Post-incident activity
D. Detection and analysis
Q6. Which of the following is not part of the post-incident activity phase?
A. Lessons learned
B. Identifying the attacking hosts
C. Using collected incident data
D. Evidence retention
Q7. Which of the following is a good example of an information-sharing community?
A. The National Institute of Security and Technology (NIST)
B. The National Institute of Standards and Technology (NIST)
C. The Cyber Services Information Sharing and Analysis Center (CSISAC)
D. The Financial Services Information Sharing and Analysis Center (FS-ISAC)
Q8. During the investigation and resolution of a security incident, you may also need to communicate with outside parties regarding the incident. Which of the following are examples of those external entities?
A. Law enforcement
B. Internet service providers (ISPs)
C. The vendor of your hardware and software products
D. Coordination centers
Q9. Which of the following is not an example of a type of incident response team?
A. Product Security Incident Response Team (PSIRT)
B. National CSIRT and Computer Emergency Response Team (CERT)
C. Incident response team of a security vendor and managed security service provider (MSSP)
D. Penetration testing team
Q10. Which of the following is not an example of the most common incident response team structures?
A. Product Security Incident Response Team (PSIRT)
B. Centralized incident response team
C. Distributed incident response team
D. Coordinating team
Q11. What is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices?
A. Exploit
B. Vulnerability
C. Threat
D. Computer security incident
Q12. What is a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team?
A. CSIRT team plan
B. Standard operating procedure (SOP)
C. Standard incident plan (SIP)
D. Operation and incident plan (OIP)
Q13. What is any observable occurrence in a system or network?
A. Security event
B. Security incident
C. Security vulnerability
D. An exploit
Q14. Which of the following is not an example of the most common incident response team staffing models?
A. Employees
B. Partially outsourced
C. Fully outsourced
D. PSIRT
Q15. The containment, eradication, and recovery phase includes which of the following? (Choose two.)
A. Choosing a firewall to be able to block traffic proactively or during an attack
B. Choosing an intrusion prevention system to be able to block traffic proactively or during an attack
C. Choosing a containment strategy to effectively contain and eradicate the attack, as well as to be able to successfully recover from it
D. Evidence gathering and handling
Q16. Which phase in the incident response process includes lessons learned, how to use collected incident data, and evidence retention?
A. Post-incident activity (postmortem)
B. Containment, eradication, and recovery
C. The detection and analysis phase
D. The preparation phase
Q17. Which phase in the incident response process includes creating processes for incident handler communications and the facilities that will host the security operation center (SOC) and incident response team?
A. The preparation phase
B. The detection and analysis phase
C. Containment, eradication, and recovery
D. Post-incident activity (postmortem)
Q18. Which of the following are examples of the most common incident response team structures? (Choose two.)
A. Centralized incident response team
B. Partially outsourced
C. Fully outsourced
D. Distributed incident response team
Q19. Which of the following is not an example of the VERIS main schema categories?
A. Incident Tracking
B. Victim Demographics
C. Incident Description
D. Incident Forensics ID
Answer: D. The main five sections of the VERIS schema are:
- Incident Tracking
- Victim Demographics
- Incident Description
- Discovery & Response
- Impact Assessment
Q20. Which of the following is not an example of an element in the Incident Description section of the VERIS schema?
A. Actors
B. Actions
C. Victims and Losses
D. Attributes
Answer: C. The Incident Description section of the VERIS schema includes the following elements:
- Actors
- Actions
- Assets
- Attributes