Question 1: What is the MOST IMPORTANT reason to have detailed documentation of what happens during an incident?
a. To improve the security posture of the organization
b. To know which member of the response team is the most valuable contributor
c. To provide proof that can be taken to court
d. To identify where the attack is coming from
Solution: To improve the security posture of the organization
Question 2: The most likely reason humans are considered the weakest link is:
a. Humans are stubborn
b. Humans have emotion
c. Humans talk too much
d. Humans can't be trusted
Solution: Humans have emotion
Question 3: All of the following are success factors for an attacker, EXCEPT:
a. They use the victim's red team
b. They patiently study their target
c. They breach and observe
d. They are persistent
Solution: They use the victim's red team
Question 4: All of the following could cause a failure to detect threats and incidents, EXCEPT:
a. Unpatched hosts
b. Untrained users
c. Zero-day attack
d. Hiring external consultants as incident responders
Solution: Hiring external consultants as incident responders
Question 5: If an incident has occurred and you need to bring the criminal to justice, which of the following is most important for your response team?
a. The user credential of the witness or victim
b. The availability of the jury
c. The confidentiality of the court's hearing date
d. The integrity of the incident's data
Solution: The integrity of the incident's data
Question 6: The following are good locations to place intrusion sensors or detectors, EXCEPT:
a. The users
b. The internal network
c. The external network
d. The hosts
Solution: The users
Question 7: Why is it important to perform a self-assessment before defining the incident response process?
a. Threats could be stopped before they happen
b. Critical assets and resources could be defined
c. Zero-day attacks could be prevented
d. The time of an attack could be estimated
Solution: Critical assets and resources could be defined
Question 8: After knowing which assets to protect, a requirement that helps us identify a breach or incident is:
a. Knowing how much those assets cost
b. Identifying the baseline and normal occurrences of those assets
c. Installing security controls that could protect the assets from risks
d. Hiring consultants to assess the assets to get a second opinion
Solution: Identifying the baseline and normal occurrences of those assets
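The answer to Question 8 rests on a practical idea: you cannot recognise abnormal activity on an asset until you have recorded what normal looks like. The following is an added illustration, not part of the quiz, of a baseline-then-detect routine over constructed authentication events. The hostnames, usernames, addresses, day labels and the k=3 threshold are all assumptions chosen for the example; a real deployment would learn the baseline from the asset's own logs over a quiet period.

```python
"""Baseline-then-detect over constructed authentication events.

Added illustration, not part of the quiz: a baseline of "normal" successful
logins per host is learned from a quiet week, then a new day's events are
compared against it. Hosts, users, addresses and day labels are constructed
sample data, not real telemetry.
"""
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# (day, host, user, source_ip, outcome) -- constructed sample data
BASELINE_DAYS = ["d1", "d2", "d3", "d4", "d5"]
BASELINE_WEEK = (
    [(d, "web01", "deploy", "10.0.1.5", "success") for d in BASELINE_DAYS for _ in range(2)]
    + [(d, "db01", "dba", "10.0.2.7", "success") for d in BASELINE_DAYS]
    + [(d, "db01", "dba", "10.0.2.7", "failure") for d in ("d2", "d4")]
)
NEW_DAY = (
    [("d6", "web01", "deploy", "10.0.1.5", "success")] * 10   # burst: 5x the usual volume
    + [("d6", "db01", "dba", "10.0.2.7", "success")]
    + [("d6", "db01", "svc_backup", "203.0.113.9", "success")]  # unknown account, unknown network
    + [("d6", "jump02", "root", "10.0.3.1", "success")]          # host never seen in the baseline
)


def net24(ip):
    """Reduce a source address to its /24 so the baseline tolerates DHCP churn."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def build_baseline(events, days):
    """Learn, per host, the daily success-count distribution and the set of
    users and source networks that normally succeed."""
    per_host_day = defaultdict(Counter)
    users = defaultdict(set)
    nets = defaultdict(set)
    for day, host, user, src, outcome in events:
        if outcome != "success":
            continue
        per_host_day[host][day] += 1
        users[host].add(user)
        nets[host].add(net24(src))
    baseline = {}
    for host in per_host_day:
        counts = [per_host_day[host][d] for d in days]   # zero for quiet days
        baseline[host] = {
            "mean": mean(counts),
            "stdev": pstdev(counts),
            "users": users[host],
            "nets": nets[host],
        }
    return baseline


def detect(events, baseline, k=3.0):
    """Compare one day's events with the baseline and return sorted alert
    tuples (host, kind, detail). A host is flagged when its success count
    exceeds mean + k * spread (spread floored at one login so a perfectly
    regular baseline still leaves some slack), or when a never-seen host,
    user or source network shows up."""
    alerts = set()
    successes = Counter()
    for _day, host, user, src, outcome in events:
        if host not in baseline:
            alerts.add((host, "unknown_host", host))
            continue
        if outcome != "success":
            continue
        successes[host] += 1
        if user not in baseline[host]["users"]:
            alerts.add((host, "new_user", user))
        if net24(src) not in baseline[host]["nets"]:
            alerts.add((host, "new_source_net", net24(src)))
    for host, n in successes.items():
        b = baseline[host]
        threshold = b["mean"] + k * max(b["stdev"], 1.0)
        if n > threshold:
            alerts.add((host, "volume", f"{n} successes vs baseline mean {b['mean']:.1f}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(NEW_DAY, build_baseline(BASELINE_WEEK, BASELINE_DAYS)):
        print(alert)
```

Run as-is, the script reports four deviations: a new account and a new source network on db01, a host (jump02) with no baseline at all, and a login burst on web01. The regular user on db01 logging in from its usual network produces nothing, which is the point: the baseline is what turns raw log volume into a short list worth a responder's time.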
Question 9: Adopting the ASSUME BREACH approach to handling security incidents means:
a. Form a purple team to manage the red and blue teams
b. We are ready for, learn from, and adapt to security incidents
c. We use cloud computing services to distribute the security team
d. We constantly attack and defend our organization's security controls
Solution: We are ready for, learn from, and adapt to security incidents
Question 10: Which of the following is an example of defense in depth implementation?
a. Defense is embedded deep within the OSI layers and technology
b. Considering security implementation from the users, hosts and systems perspective
c. Protection and defense are so strong that the asset is impenetrable to risks and threats
d. A situation where the attacker can't penetrate and harm the asset because of the layers of security defense
Solution: Considering security implementation from the users, hosts and systems perspective