Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Security Incidents

1. Jake is responsible for six Windows 2000 servers in his organization. Jake has noticed that lately there are multiple login attempts on the main file server at about 8:00 p.m., which is after hours. How should Jake classify this issue when he brings this problem up with Sara, his CIO?

  A. Call the CEO immediately because the company might be expected to lose money very shortly.
  B. Bring it up as a hacker breaking into the system. It's after hours, so it must be a hacker doing it.
  C. Bring it up as a possible security incident, but more analysis needs to be done quickly to make sure.
  D. Ignore it; there are always login attempts on the server at this time.

2. Stan is the network administrator responsible for 10 Windows 2000 servers and 400 Windows XP Professional workstations, all separated geographically across four sites. Stan would like to implement two new firewalls, auditing, and enforcement of desktop lockdown procedures. What is the first step Stan should accomplish from the following?

  A. Create policies that are written down and backed by management.
  B. Implement the firewalls only; he needs management's approval to do auditing and lockdown of desktops.
  C. Lock down the desktops and have the network engineer work on the firewalls.
  D. Lock down the servers, and don't worry about the desktops; they will be okay if the servers are addressed.

3. Stacy is the systems engineer for the London central hub location. The hub location contains over 50 Windows 2000 servers, but only three of them are accessible through the Internet. These three servers are responsible for Web-based services such as FTP and HTTP. All the rest of the servers (all 47 of them) are located within the private LAN protected by a firewall. These 47 servers are used for applications, file, print, and database purposes. Stacy is responsible for making sure that the nightly backups are completed. What is the most important thing Stacy should think about so she can avoid a massive problem when or if a security incident arises?

  A. Having an operational hot site so that data is never lost
  B. Implementing a 99.999 percent uptime policy so that she only loses a few hours downtime each year
  C. Verifying her backup and restore solution
  D. Making sure that she uses DXT2 tapes instead of DLT or DAT tapes for extra redundancy

4. Peter is the administrator for a large Windows 2000 network infrastructure. He is responsible for 10 IIS servers, two Exchange servers, and 20 file and print servers. All 32 servers are internal to the LAN and serve as application, e-mail, file, and print servers for over 700 clients in five separate locations. Every week, Peter has a few changes he needs to make on the systems he administers. To minimize the possibility of an incident, what should Peter do from the following list of answers?

  A. Implement the changes and then log them.
  B. Implement the changes and then have his staff look them over.
  C. Implement only one change at a time until he knows it's okay.
  D. Implement a change management solution.

5. Tom is the systems administrator for his company. Tom manages 10 Windows 2000 servers and all the applications installed on them, including antivirus and backup software. Tom is plagued with system crashes and has made his management team aware of the fact that they need to spend more time repairing some of the systems and scaling their hardware requirements up to current performance needs. Management does not allow for the upgrade at this time. Tom is still forced to deal with the repetitive system crashes on a weekly basis. What form of system management does this scenario describe?

  A. Proactive management
  B. Reactive management
  C. Disaster management
  D. Business management

Answers

1. ✓ The correct answer is C. Jake should, of course, flag this event as a possible security incident, but because of the possibility of false positives, he will need to quickly assess the situation in detail to figure out if it is in fact a security incident. If it is, Jake should mention it to his superiors.

   ✗ Answer A is incorrect because it assumes the activity is a hack and takes the wrong steps before we know pertinent facts. Answer B is incorrect because it might not be a hacker but rather a worker staying late at the office. Answer D is incorrect because security analysts should never ignore what they think could be a problem.

2. ✓ Answer A is correct. A policy is needed before you implement any security infrastructure. A policy can be a security policy, a disaster recovery policy, or a business continuity plan. Any policy you create needs to be written down, read by employees, backed by management, and updated constantly. Without a policy, you are missing the backbone of all security enforcement for your organization.

   ✗ Answers B, C, and D are all incorrect. All three answers are misleading because if you don't have a security policy, you are weakening your own security infrastructure.

3. ✓ Answer C is correct. You should be aware of where backups are maintained, who can access them, and your procedures for data restoration and system recovery. Make sure that you regularly verify backups and media by selectively restoring data. If you don't have verifiable backups, why are you doing them in the first place? Make sure that you take care to know that your backups are safe and that they work.

   ✗ Answers A, B, and D are all incorrect. These answers are all very misleading. Answers A and B are similar; they are just trying to steer you away from C. Both are things you could possibly implement, but they are not the appropriate answers. Answer D is completely incorrect; there is no such thing as a DXT2 tape.

4. ✓ Answer D is correct. Total control is needed over networks and systems. Security analysts must make sure that every change on the network is documented and backed up with a plan. Very often, incidents happen based on your own people making mistakes or covering things up. Change management will keep Peter from getting in trouble by having his own staff create incidents for him.

   ✗ Answers A, B, and C are all incorrect, and although C is a proper way to implement changes, Peter still needs to have a full solution with a backout plan.

5. ✓ Answer B is correct. This situation is an example of reactive management. When a problem occurs, Tom simply reacts to it. The problem was never truly rooted out before it occurred and might even have been prevented had Tom or his staff identified the possibility that it could occur. This technique is commonly nicknamed firefighting.

   ✗ Answers A, C, and D are all incorrect. Answer A is the reverse of reactive management. Proactive management is when you try to fix problems before they occur, not during or after, which is the definition of reactive management. Answers C and D are incorrect because they are not in the same category as proactive or reactive management.

Malware Issues

6. Jake is responsible for six Windows 2000 servers in his organization. Yesterday, he noticed that a problem is spreading across the enterprise. It is very hard to contain, and Jake is concerned that it could spread all over his network via a malware program with self-replication features. What type of problem are you dealing with?

  A. Worm
  B. Virus
  C. Trojan
  D. Bug

7. Peter is the administrator for a large Windows 2000 network infrastructure. He is responsible for 10 IIS servers, two Exchange servers, and 20 file and print servers. All 32 servers are internal to the LAN and serve as application, e-mail, file, and print servers for over 700 clients in five separate locations. Peter has received a call from a panicky executive who is asking him what the problem is with his machine: it won't boot anymore. When Peter asks the executive what he did just before the machine wouldn't boot, he said he had downloaded a new screen saver from the Internet and when he tried to install it, it didn't seem to install. After that, the PC never seemed the same. Now it won't boot anymore. What could be the issue here, and what is the most logical problem based on this scenario?

  A. Faulty screen saver
  B. Buggy code
  C. Trojan horse
  D. Denial of service attack

8. Jack is the systems engineer for ABC Corporation. One part of Jack's responsibilities is to make sure that any additions to the network are managed and that a system of quality assurance is implemented so that if the new addition to the network is a failure, the network itself is not negatively impacted. From the answers that follow, what step should Jack implement to make sure that the new addition to the network doesn't do harm and, if it does, that it is quickly and easily reversed to put the network back into its original state?

  A. Change the plan to reflect a secondary disaster recovery plan.
  B. Implement change management solutions.
  C. Test his last tape backup.
  D. Implement a new business continuity plan.

9. Patty needs to implement systems security in the form of virus protection on 40 Windows 2000 servers and 3,000 Windows 2000 Professional clients. While installing the antivirus software on the first 10 servers, Patty found a virus. On researching it, she quickly determined that this virus has qualities that allow it to leave the contents of the host file it infected unchanged but append itself to the host in such a way that the virus code is executed first. What type of virus has Patty found?

  A. Data file
  B. Companion
  C. Bootstrap sector
  D. Parasitic

10. Mike needs to implement systems security in the form of virus protection on 40 Windows 2000 servers and 3,000 Windows 2000 Professional clients. While installing the antivirus software on the first 10 servers, Mike finds a virus. On researching it, Mike quickly determines that this virus has qualities that allow it to combine the functionalities of the parasitic virus and the bootstrap sector virus by infecting either files or boot sectors. What type of virus has Mike found?

  A. Multipartite
  B. Bootstrap sector
  C. Companion
  D. Link

Answers

6. ✓ The correct answer is A. A worm is a self-replicating program that does not alter files but resides in active memory and duplicates itself by means of computer networks.

   ✗ Answer B is incorrect because a virus doesn't self-replicate. Answer C is incorrect because a Trojan is not a worm, although a Trojan can contain a worm. Answer D is incorrect because it is just a system bug and not a worm.

7. ✓ The correct answer is C. A Trojan horse closely resembles a virus but is actually in a category of its own. The Trojan horse is often referred to as the most elementary form of malicious code and could be transferred via a downloaded file from the Internet.

   ✗ All other answers are possible, but based on the scenario, the executive most likely downloaded a Trojan that was made to crash his machine.

8. ✓ Answer B is correct. Jack should implement change management solutions. Total control is needed over networks and systems. Make sure that every change on the network is documented, and back it up with a plan.

   ✗ Answers A, C, and D are all incorrect. Answer A has nothing to do with any step feasible for implementing change management; it is simply a distraction. Answer C is a good thing to do, but it has nothing to do with implementing change management and a solid backout plan to your change. Answer D, much like answer A, has nothing to do with change management.

9. ✓ Answer D is correct. Parasitic viruses infect executable files or programs in the computer. This type of virus typically leaves the contents of the host file unchanged but appends to the host in such a way that the virus code is executed first, before the host's code.

   ✗ Answers A, B, and C are incorrect. Answer A refers to a data file, not a parasitic malware attack. Answer B refers to a companion virus, not a parasitic malware attack. Answer C refers to a bootstrap sector virus, not a parasitic malware attack.

10. ✓ Answer A is correct. Multipartite viruses combine the functionalities of the parasitic virus and the bootstrap sector virus by infecting either files or boot sectors.

    ✗ Answers B, C, and D are all incorrect. Answer B refers to a bootstrap sector virus instead of a multipartite virus. Answer C refers to a companion malware attack, not multipartite. Answer D refers to a link virus, not multipartite.

Incident Response

11. Stan is the network administrator responsible for 10 Windows 2000 servers running IIS 5.0 and 400 Windows XP Professional workstations, all separated geographically across four sites. Stan is responsible for implementing security on his 10 Windows Web-based servers. Stan notices what he thinks are attacks on his IIS servers. Due to the nature of this problem, Stan assumes that this could be the beginning of a security incident. What should be Stan's first step in this case?

  A. Make an initial assessment of the problem.
  B. Act on the problem immediately and close all ports on the firewall.
  C. Contact the CEO so that she knows what is going on.
  D. Strike back against the attacker with a ping of death.

12. Kristy is responsible for 30 Windows 2000 servers in her organization. She is part of the incident response team for the Windows 2000 environment. In one incident that recently occurred, evidence was mishandled, and that cost them the whole case for the incident in court. When dealing with evidence, what is the most important thing to do so that this does not become a problem?

  A. Make sure that the CIO is always watching what the rest of the team is doing.
  B. The team leader needs to micromanage the rest of the team when taking evidence.
  C. When the evidence is computer related, it is inadmissible in court, so it doesn't really matter.
  D. A chain of custody must be established to show how evidence made it from the crime scene to the courtroom.

13. You are the network administrator responsible for 10 Windows 2000 servers and 400 Windows XP Professional workstations, all separated geographically across four sites. In one of the remote sites, a system was exploited and data was lost. The system is thought to have been attacked from an internal resource. At the scene of the incident, a PDA is lying next to the system that was breached. It doesn't seem to belong to anyone. What is the first thing that should be done with evidence on site?

  A. When collecting evidence, you start by identifying the evidence that is present and where it is located.
  B. Pick up the evidence and take it with you.
  C. Remove the evidence from the scene quickly, before the attacker realizes you know it's there.
  D. Move the evidence to another part of the room, away from the system. Document it.

14. Erika is the systems engineer for the Toronto central hub location. The hub location contains over 50 Windows 2000 servers, but only three of them are accessible through the Internet. These three servers are responsible for Web-based services such as FTP and HTTP. All the rest of the servers (all 47 of them) are located within the private LAN protected by a firewall. These 47 servers are used for applications, file, print, and database purposes. The manager at a remote site has phoned Erika claiming that all systems seem to have a virus. The remote site manager is worried because all but two of their systems have become inoperable. They are connected directly to the core network from a Frame Relay link. Erika needs to deal with this problem immediately. What should be her first step from the following list?

  A. Call the CIO and arrange a meeting.
  B. Contain the problem immediately by having the remote site manager power down infected machines.
  C. Have the remote site manager call local law enforcement and tell them that there is a security breach they need to deal with.
  D. Fly down to handle the problem; make travel arrangements as soon as possible.

15. Paul is the network administrator for his company. He manages systems and network security on 10 Windows 2000 servers and the Cisco switches that connect them to the network. If Paul plans to keep his policies up to date and well prepared, which of the following answers provides the step to accomplish this task?

  A. Ask the CIO what needs to be updated.
  B. After an incident, just update the logs so the incident is recorded.
  C. Review the response and updating policies.
  D. Move all systems to another location after an attack.

Answers

11. ✓ A is the correct answer. Making an initial assessment is critical to the plan. You need to know how to see an event and assess whether it is an incident or not. Take initial steps to determine if you are dealing with an actual incident or a false positive. Your initial assessment should be very brief. Stan's first move should be to assess the situation. After that, he can do whatever is necessary based on his incident response plan.

    ✗ Answer B is not appropriate because Stan is essentially denying his own company service if he does this. Answer C is incorrect because Stan hasn't even assessed the problem yet, so he shouldn't call the CEO. Answer D is incorrect because Stan shouldn't strike back against an attacker.

12. ✓ Answer D is correct. Due to the importance of evidence, it is essential that its continuity be maintained and documented. A chain of custody must be established to show how evidence made it from the crime scene to the courtroom. It proves where a piece of evidence was at any given time and who was responsible for it. By documenting this trail, you can establish that the integrity of evidence wasn't compromised.

    ✗ Answers A and B are incorrect because Kristy shouldn't have to be micromanaged to do her job. As long as the team knows what to do (follow a chain of custody), that's what would be done. Answer C is totally wrong because all evidence in one shape or form should be admissible in court.

13. ✓ Answer A is correct. Collection is a practice consisting of the identification, processing, and documentation of evidence. When collecting evidence, you start by identifying the evidence that is present and where it is located.

    ✗ Answers B, C, and D are incorrect because they imply that you should touch or move the evidence. The first thing you need to do is identify the item as evidence and then document it.

14. ✓ Answer B is correct. Containing the damage and minimizing the risk are critical to handling an incident. For instance, if the incident in your initial assessment is a worm that is self-replicating across your network, you can contain the damage by unplugging the affected workstation from the switch or hub. This action contains the damage and minimizes the risk.

    ✗ Answer A is incorrect because Erika needs to act on this situation and contain the problem immediately. Answer C is incorrect because it's ridiculous to call local law enforcement because of a possible worm. Answer D is incorrect because Erika will never be able to contain the problem by flying to the remote site, and it could spread in the meantime.

15. ✓ Answer C is correct. Reviewing the response and updating policies on a constant or regular basis are things you need to implement as part of your strategy. A plan is no good unless it's up to date and well prepared. Updating a plan after an actual response is also a good idea so that you can assess the plan and how you might have been able to do things better.

    ✗ Answers A, B, and D are incorrect. Answer A is incorrect because Paul should not have to ask his CIO what needs to be updated if he is responsible for the updates. Answer B is incorrect because Paul needs to do a lot more than updating logs after an incident; he should make note that it's important to review the incident response and update his policies as needed. Answer D is incorrect because it is ridiculous to plan system moves because of an incident.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
