In addition to the Legal Department, with what company function must the collection of physical evidence be coordinated if an employee is suspected?
Correct Answer: A
Section: Risk, Response and Recovery Explanation/Reference: If an employee is suspected of causing an incident, the human resources department may be involved-for example, in assisting with disciplinary proceedings. Legal Department. The legal experts should review incident response plans, policies, and procedures to ensure their compliance with law and Federal guidance, including the right to privacy. In addition, the guidance of the general counsel or legal department should be sought if there is reason to believe that an incident may have legal ramifications, including evidence collection, prosecution of a suspect, or a lawsuit, or if there may be a need for a memorandum of understanding (MOU) or other binding agreements involving liability limitations for information sharing. Public Affairs, Public Relations, and Media Relations. Depending on the nature and impact of an incident, a need may exist to inform the media and, by extension, the public. The Incident response team members could include: Management Information Security Legal / Human Resources Public Relations Communications Physical Security Network Security Network and System Administrators Network and System Security Administrators Internal Audit Events versus Incidents An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. This guide addresses only adverse events that are computer security- related, not those caused by natural disasters, power failures, etc. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are: An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash. Users are tricked into opening a "quarterly report" sent via email that is actually malware; running the tool has infected their computers and established connections with an external host. An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money. A user provides or exposes sensitive information to others through peer-to-peer file sharing services. The following answers are incorrect: Industrial Security. Is incorrect because it is not the best answer, the human resource department must be involved with the collection of physical evidence if an employee is suspected. public relations. Is incorrect because it is not the best answer. It would be an important element to minimize public image damage but not the best choice for this question. External Audit Group. Is incorrect because it is not the best answer, the human resource department must be involved with the collection of physical evidence if an employee is suspected. Reference(s) used for this question: NIST Special Publication 800-61
Question 843
A common way to create fault tolerance with leased lines is to group several T1s together with an inverse multiplexer placed:
Correct Answer: B
Section: Network and Telecommunications Explanation/Reference: A common way to create fault tolerance with leased lines is to group several T1s together with an inverse multiplexer placed at both ends of the connection. In fact it would be a Multiplexer at one end and DeMultiplexer at other end or vice versa. Inverse Multiplexer at both end. In electronics, a multiplexer (or mux) is a device that selects one of several analog or digital input signals and forwards the selected input into a single line. A multiplexer of 2n inputs has n select lines, which are used to select which input line to send to the output. Multiplexers are mainly used to increase the amount of data that can be sent over the network within a certain amount of time and bandwidth. A multiplexer is also called a data selector. An electronic multiplexer makes it possible for several signals to share one device or resource, for example one A/D converter or one communication line, instead of having one device per input signal. On the other hand, a demultiplexer (or demux) is a device taking a single input signal and selecting one of many data-output-lines, which is connected to the single input. A multiplexer is often used with a complementary demultiplexer on the receiving end. An electronic multiplexer can be considered as a multiple-input, single-output switch, and a demultiplexer as a single-input, multiple-output switch References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 72. and https://secure.wikimedia.org/wikipedia/en/wiki/Multiplexer
Question 844
The "vulnerability of a facility" to damage or attack may be assessed by all of the following except:
Correct Answer: D
Source: The CISSP Examination Textbook- Volume 2: Practice by S. Rao Vallabhaneni.
Question 845
Which one of these formulas is used in Quantitative risk analysis?
Correct Answer: C
Question 846
When a possible intrusion into your organization's information system has been detected, which of the following actions should be performed first?
Correct Answer: C
Explanation/Reference: Once an intrusion into your organization's information system has been detected, the first action that needs to be performed is determining to what extent systems and data are compromised (if they really are), and then take action. This is the good old saying: "Do not cry wolf until you know there is a wolf for sure" Sometimes it smells like a wolf, it looks like a wolf, but it may not be a wolf. Technical problems or bad hardware might cause problems that looks like an intrusion even thou it might not be. You must make sure that a crime has in fact been committed before implementing your reaction plan. Information, as collected and interpreted through analysis, is key to your decisions and actions while executing response procedures. This first analysis will provide information such as what attacks were used, what systems and data were accessed by the intruder, what the intruder did after obtaining access and what the intruder is currently doing (if the intrusion has not been contained). The next step is to communicate with relevant parties who need to be made aware of the intrusion in a timely manner so they can fulfil their responsibilities. Step three is concerned with collecting and protecting all information about the compromised systems and causes of the intrusion. It must be carefully collected, labelled, catalogued, and securely stored. Containing the intrusion, where tactical actions are performed to stop the intruder's access, limit the extent of the intrusion, and prevent the intruder from causing further damage, comes next. Since it is more a long-term goal, eliminating all means of intruder access can only be achieved last, by implementing an ongoing security improvement process. Reference used for this question: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 271-289).