Certified Incident Handler (CIH )Practice Questions With Verified Answers.
Typology: Exams
Which of the following terms may be defined as "a measure of possible inability to achieve a goal, objective, or target within a defined security, cost plan and technical limitations that adversely affects the organization's operation and revenues"?
Risk
A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:
Zombies
The goal of incident response is to handle the incident in a way that minimizes damage and reduces recovery time and cost.
Which of the following does NOT constitute a goal of incident response?
Dealing with human resources department and various employee conflict behaviors.
An organization faced an information security incident where a disgruntled employee passed sensitive access control information to a competitor. The organization's incident response manager, upon investigation, found that the incident must be handled within a few hours on the same day to maintain business continuity and market competitiveness. How would you categorize such an information security incident?
High level incident
Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault-tolerant systems, and a solid backup and recovery strategy. Identify the plan which is a mandatory part of a business continuity plan.
Business Recovery Plan
Which of the following is an appropriate flow of the incident recovery steps?
System Restoration-System Validation-System Operations-System Monitoring
A computer risk policy is a set of ideas to be implemented to overcome the risk associated with computer security incidents. Identify the procedure that is NOT part of the computer risk policy.
Procedure for the ongoing training of employees authorized to access the system
Identify the network security incident in which intended authorized users are prevented from using a system, network, or application by flooding the network with a high volume of traffic that consumes all available network resources.
Denial of Service Attack
gathering evidence from computing equipment, various storage devices and/or digital media that can be presented in a court of law in a coherent and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics process?
Preparation > Collection > Examination > Analysis > Reporting
Multiple component incidents consist of a combination of two or more attacks in a system. Which of the following is not a multiple component incident?
An insider intentionally deleting files from a workstation
Computer Forensics is the branch of forensic science in which legal evidence is found in any computer or any digital media device. Of the following, who is responsible for examining the evidence acquired and separating the useful evidence?
Evidence Examiner/ Investigator
The network perimeter should be configured in such a way that it denies all incoming and outgoing traffic/services that are not required. Which service listed below, if blocked, can help in preventing a Denial of Service attack?
Echo service
A US Federal agency network was the target of a DoS attack that prevented and impaired the normal authorized functionality of the networks. According to the agency's reporting timeframe guidelines, this incident should be reported within two (2) HOURS of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate the activity. Which US Federal Agency incident category does this incident belong to?
CAT 2
US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 Federal Agency category?
Weekly
Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.
NIACAP
Policies are designed to protect the organizational resources on the network by establishing a set of rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?
Access control policy
When an employee is terminated from his or her job, what should be the next immediate step taken by an organization?
All access rights of the employee to physical locations, networks, systems, applications and data should be disabled
A threat source does not present a risk if there is NO vulnerability that can be exercised by that threat source. Identify the step in which the different threat sources are defined:
Threat identification
Protection
Risk management consists of three processes: risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system throughout its SDLC. How many primary steps does NIST's risk assessment methodology involve?
Nine
Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, a decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:
Correlating known patterns of suspicious and malicious behavior
Contingency planning enables organizations to develop and maintain effective methods to handle emergencies. Every organization will have its own specific requirements that the planning should address. There are five major components of the IT contingency plan, namely supporting information, notification/activation, recovery, reconstitution, and plan appendices. What is the main purpose of the reconstitution plan?
To restore the original site, test systems to prevent the incident and terminate operations
The insider risk matrix consists of technical literacy and business process knowledge vectors. Considering the matrix, one can conclude that:
If the insider's technical literacy and process knowledge are high, the risk posed by the threat will be high.
Which policy recommends controls for securing and tracking organizational resources:
Asset control policy
Which one of the following is the correct sequence of flow of the stages in an incident response:
Preparation - Identification - Containment - Eradication - Recovery - Follow-up
Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators who intentionally attacked the computer system. EVIDENCE PROTECTION is also required to meet legal compliance requirements. Which of the following documents helps in protecting evidence from physical or logical damage:
Chain-of-Custody
Except for some common roles, the roles in an IRT are distinct for every organization. Which among the following is the role played by the Incident Coordinator of an IRT?
Links the groups that are affected by the incidents, such as legal, human resources, different business areas and management
The data on the affected system must be backed up so that it can be retrieved if it is damaged during incident response. The system backup can also be used for further investigation of the incident. Identify the stage of the incident response and handling process in which a complete backup of the infected system is carried out.
Containment
genuineness or uncorruptness of any communication, document, or data.
Authenticity
Which of the following elements of information security guarantees that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received it?
Non-repudiation
Which of the following information security elements is not covered in the CIA triad model for developing security policies?
Non-repudiation
Which of the following threats are implemented by unskilled professionals, such as script kiddies, using freely available online tools to access the target network out of curiosity rather than criminal intention?
Unstructured External Threat
Henry, a malicious hacker, discovered vulnerabilities in a company's private networks using sophisticated tools. He exploited these vulnerabilities to intrude on the company's network and steal confidential data belonging to the organization.
Identify the type of threat actor discussed in the above scenario.
Black hats
Chris, a malicious insider, was waiting for an opportunity to damage the reputation of his organization. One day, Chris plugged a malware-loaded USB device into the database server machine, which manipulated the company's product details.
Which of the following attack vectors is discussed in the above scenario?
Removable Media
Identify the attack vector through which an attacker attempts to trick a victim into clicking on malicious links or attachments to compromise the target.
Which of the following attack vectors can be used by an attacker to compromise a target by exploiting vulnerabilities in the resources provided by a third-party vendor?
Supply Chain
Which of the following attacks involves an attacker altering hardware or software resources before installing them?
Distribution attacks
Alice, a software professional browsing the official website of an advertising company, saw a message revealing important information about the database associated with the website. Using this information, Alice can
Identify the application flaw that Steve found in the above scenario.
Improper Input Handling
George, a computer hacker, discovered a security flaw in a newly released software application. He exploited this flaw before it was identified and patched by the developers. George also injected malware into that software to maintain persistence.
Which of the following flaws has been exploited by George in the above scenario?
Zero-day attack
Identify the vulnerability that occurs in an organization due to an increased number of system or server connections without proper documentation or maintenance.
System Sprawl
Which of the following vulnerabilities can arise when a system that handles events in a sequential format is coerced to perform multiple operations simultaneously?
Race Conditions
Identify the issue that can arise when a company buys and uses poorly configured hardware or software resources from a third party.
Supply-chain risks
Jack, a professional hacker, set out to intrude into an organization's network. For this purpose, he used an online resource to gather as much information as possible about the target prior to launching an active attack.
In which of the following phases of hacking is Jack currently?
Footprinting
Given below are the various phases involved in system hacking.
4 -> 1 -> 2 -> 3
Jude, a professional hacker, managed to gain access to the account of a new employee in the organization. He persisted with this account for a long time and gradually increased its access to the administrator level.
Identify the system-hacking phase in which Jude increased the level of access from employee to administrator.
Escalating Privileges
Williams, a professional hacker, targeted an organization's server to manage its resources. For this purpose, Williams employed a sophisticated brute force tool against the server to crack its credentials and obtain control over the server system.
Identify the phase of system hacking discussed in this scenario.
Gaining Access
Jacob, a computer hacker, injected malware into a software application that he had already compromised. Whenever the application starts, the malware
Initial Access
Vincent, a malicious insider, gained access to the database administrator's system. He installed a specially crafted malware on the system that automatically transfers details regarding the changes made by the administrator to the database.
Which of the following phases of the MITRE ATT&CK framework is discussed in the above scenario?
Execution
Which of the following MITRE D3FEND tactics involves the identification of unauthorized access and unusual activities in a computer system or network?
Detect
Identify the MITRE D3FEND tactic in which a security analyst creates physical barriers in a computer system to prevent attackers from accessing the network.
Isolate
Which of the following MITRE D3FEND tactics is employed by the cybersecurity team to lure attackers into an observed or controlled environment?
Deceive
Which of the following MITRE D3FEND tactics is employed by a security analyst to completely eradicate an attacker's persistence in a system or network?
Evict
In which of the following phases of the RE&CT framework does an incident responder rehearse for incident handling through mock drills, training, and communication mapping?
Preparation
Identify the RE&CT framework phase in which incident responders provide awareness to the employees of the organization about security policies and goals of organizational assets to prevent future incidents.
Preparation
Identify the RE&CT framework phase in which incident responders restore the infected systems or devices to their pre-incident state.
Recovery
In which of the following phases of the RE&CT framework does an incident responder patch vulnerabilities and quarantine infected systems to stop the attack from spreading to other devices?
Containment
Identify the RE&CT framework phase in which incident responders attempt
Identification
Alex, an IH&R team member, was attempting to prevent a malware infection from spreading through a malicious file. Therefore, he completely deleted the malicious file and changed the server authentication credentials to sanitize the system before restoring it.
Which of the following RE&CT framework phases was Alex performing in the above scenario?
Eradication
Roselyn, an IH&R team member, was assigned to prepare documentation regarding a security incident they had recently handled. She discussed the incident investigation processes with her team members and prepared documentation outlining the conclusions.
Which of the following phases of the RE&CT framework is performed by Roselyn in the above scenario?
Lessons Learned
In which of the following risk management steps does a security professional analyze the impacts of identified risks and prioritize them according to their severity levels?
Risk assessment
Peter, a security auditor, was analyzing an incident that occurred in the company's private network. He observed that the incident would have caused serious damage to the company's network had it not been contained at the earliest possible time.
Identify the risk management stage Peter was executing in the above scenario.
Risk assessment
Identify the NIST risk management framework phase in which security analysts choose appropriate security controls to mitigate the risks on information systems.
Select Security Controls
Given below are the various phases involved in the NIST risk management framework.
4 -> 2 -> 6 -> 5 -> 1 -> 3
Identify the NIST risk management framework phase in which security analysts determine whether the countermeasures employed to handle the risks are effective.
Assess security controls
Identify the type of cyber threat intelligence consumed by high-level executives and the management of an organization, such as IT management