EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following is an incident tracking, reporting and handling tool:

Question2: The service organization that provides 24x7 computer security incident response services to any user, company, government agency, or organization is known as:

Question3: Which of the following incident recovery testing methods works by creating a mock disaster, like fire to identify
the reaction of the procedures that are implemented to handle such situations?

Question4: Which test is conducted to determine the incident recovery procedures effectiveness?

Question5: Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism. Select the technique that helps in detecting insider threats:

Question6: According to the Fourth Amendment of USA PATRIOT Act of 2001; if a search does NOT violate a person's "reasonable" or "legitimate" expectation of privacy then it is considered:

Question7: Identify a standard national process which establishes a set of activities, general tasks and a management
structure to certify and accredit systems that will maintain the information assurance (IA) and security posture
of a system or site.

Question8: In NIST risk assessment/ methodology; the process of identifying the boundaries of an IT system along with
the resources and information that constitute the system is known as:

Question9: Insider threats can be detected by observing concerning behaviors exhibited by insiders, such as conflicts with
supervisors and coworkers, decline in performance, tardiness or unexplained absenteeism. Select the
technique that helps in detecting insider threats:

Question10: Digital evidence must:

Question11: Bit stream image copy of the digital evidence must be performed in order to:

Question12: The person who offers his formal opinion as a testimony about a computer crime incident in the court of law is known as:

Question13: In which of the steps of NIST's risk assessment methodology are the boundary of the IT system, along with the resources and the information that constitute the system identified?

Question14: A self-replicating malicious code that does not alter files but resides in active memory and duplicates itself, spreads through the infected network automatically and takes advantage of file or information transport features on the system to travel independently is called:

Question15: The left over risk after implementing a control is called:

Question16: One of the goals of CSIRT is to manage security problems by taking a certain approach towards the
customers' security vulnerabilities and by responding effectively to potential information security incidents.
Identify the incident response approach that focuses on developing the infrastructure and security processes
before the occurrence or detection of an event or any incident:

Question17: Identify the malicious program that is masked as a genuine harmless program and gives the attacker unrestricted access to the user's information and system. These programs may unleash dangerous programs that may erase the unsuspecting user's disk and send the victim's credit card numbers and passwords to a stranger.

Question18: Contingency planning enables organizations to develop and maintain effective methods to handle
emergencies. Every organization will have its own specific requirements that the planning should address.
There are five major components of the IT contingency plan, namely supporting information, notification
activation, recovery and reconstitution and plan appendices. What is the main purpose of the reconstitution
plan?

Question19: An incident is analyzed for its nature, intensity and its effects on the network and systems. Which stage of the
incident response and handling process involves auditing the system and network log files?

Question20: To respond to DDoS attacks; one of the following strategies can be used:

Question21: Which policy recommends controls for securing and tracking organizational resources:

Question22: The type of relationship between CSIRT and its constituency have an impact on the services provided by the CSIRT. Identify the level of the authority that enables members of CSIRT to undertake any necessary actions on behalf of their constituency?

Question23: In a DDoS attack, attackers first infect multiple systems, which are then used to attack a particular target directly. Those systems are called:

Question24: Incident response team must adhere to the following:

Question25: An incident recovery plan is a statement of actions that should be taken before, during or after an incident. Identify which of the following is NOT an objective of the incident recovery plan?

Question26: An estimation of the expected losses after an incident helps organization in prioritizing and formulating their incident response. The cost of an incident can be categorized as a tangible and intangible cost. Identify the tangible cost associated with virus outbreak?

Question27: Common name(s) for CSIRT is(are)

Question28: According to the Evidence Preservation policy, a forensic investigator should make at least ..................... image
copies of the digital evidence.

Question29: An information security policy must be:

Question30: A distributed Denial of Service (DDoS) attack is a more common type of DoS Attack, where a single system is targeted by a large number of infected machines over the Internet. In a DDoS attack, attackers first infect multiple systems which are known as:

Question31: Organizations or incident response teams need to protect the evidence for any future legal actions that may be taken against perpetrators that intentionally attacked the computer system. EVIDENCE PROTECTION is also required to meet legal compliance issues. Which of the following documents helps in protecting evidence from physical or logical damage:

Question32: Risk management consists of three processes, risk assessment, mitigation and evaluation. Risk assessment determines the extent of the potential threat and the risk associated with an IT system through its SDLC. How many primary steps does NIST's risk assessment methodology involve?

Question33: The correct order or sequence of the Computer Forensic processes is:

Question34: Which among the following CERTs is an Internet provider to higher education institutions and various other research institutions in the Netherlands and deals with all cases related to computer security incidents in which a customer is involved either as a victim or as a suspect?

Question35: A software application in which advertising banners are displayed while the program is running that delivers ads to display pop-up windows or bars that appears on a computer screen or browser is called:

Question36: Identify a standard national process which establishes a set of activities, general tasks and a management structure to certify and accredit systems that will maintain the information assurance (IA) and security posture of a system or site.

Question37: The free, open source, TCP/IP protocol analyzer, sniffer and packet capturing utility standard across many
industries and educational institutions is known as:

Question38: In a qualitative risk analysis, risk is calculated in terms of:

Question39: The policy that defines which set of events needs to be logged in order to capture and review the important
data in a timely manner is known as:

Question40: Computer forensics is methodical series of techniques and procedures for gathering evidence from computing
equipment, various storage devices and or digital media that can be presented in a course of law in a coherent
and meaningful format. Which one of the following is an appropriate flow of steps in the computer forensics
process:

Question41: An information security incident is

Question42: Business continuity is defined as the ability of an organization to continue to function even after a disastrous event, accomplished through the deployment of redundant hardware and software, the use of fault tolerant systems, as well as a solid backup and recovery strategy. Identify the plan which is mandatory part of a business continuity plan?

Question43: The Linux command used to make binary copies of computer media and as a disk imaging tool if given a raw disk device as its input is:

Question44: What command does a Digital Forensic Examiner use to display the list of all open ports and the associated IP
addresses on a victim computer to identify the established connections on it:

Question45: Except for some common roles, the roles in an IRT are distinct for every organization. Which among the
following is the role played by the Incident Coordinator of an IRT?

Question46: To recover, analyze, and preserve computer and related materials in such a way that it can be presented as evidence in a court of law and identify the evidence in short time, estimate the potential impact of the malicious activity on the victim, and assess the intent and identity of the perpetrator is known as:

Question47: A security policy will take the form of a document or a collection of documents, depending on the situation or
usage. It can become a point of reference in case a violation occurs that results in dismissal or other penalty.
Which of the following is NOT true for a good security policy?

Question48: A methodical series of techniques and procedures for gathering evidence, from computing equipment and various storage devices and digital media, that can be presented in a court of law in a coherent and meaningful format is called:

Question49: A malware code that infects computer files, corrupts or deletes the data in them and requires a host file to propagate is called:

Question50: If the loss anticipated is greater than the agreed upon threshold; the organization will:

Question51: A malware code that infects computer files, corrupts or deletes the data in them and requires a host file to
propagate is called:

Question52: A living high level document that states in writing a requirement and directions on how an agency plans to protect its information technology assets is called:

Question53: The flow chart gives a view of different roles played by the different personnel of CSIRT. Identify the incident
response personnel denoted by A, B, C, D, E, F and G.

Question54: An incident is analyzed for its nature, intensity and its effects on the network and systems. Which stage of the incident response and handling process involves auditing the system and network log files?

Question55: A malicious security-breaking code that is disguised as any useful program that installs an executable
programs when a file is opened and allows others to control the victim's system is called:

Question56: They type of attack that prevents the authorized users to access networks, systems, or applications by exhausting the network resources and sending illegal requests to an application is known as:

Question57: One of the goals of CSIRT is to manage security problems by taking a certain approach towards the customers' security vulnerabilities and by responding effectively to potential information security incidents. Identify the incident response approach that focuses on developing the infrastructure and security processes before the occurrence or detection of an event or any incident:

Question58: What is the best staffing model for an incident response team if current employees' expertise is very low?

Question59: A self-replicating malicious code that does not alter files but resides in active memory and duplicates itself,
spreads through the infected network automatically and takes advantage of file or information transport
features on the system to travel independently is called:

Question60: US-CERT and Federal civilian agencies use the reporting timeframe criteria in the federal agency reporting categorization. What is the timeframe required to report an incident under the CAT 4 Federal Agency category?

Question61: Multiple component incidents consist of a combination of two or more attacks in a system. Which of the
following is not a multiple component incident?

Question62: CSIRT can be implemented at:

Question63: What is the best staffing model for an incident response team if current employees' expertise is very low?

Question64: An audit trail policy collects all audit trails such as series of records of computer events, about an operating system, application or user activities. Which of the following statements is NOT true for an audit trail policy:

Question65: Authorized users with privileged access who misuse the corporate informational assets and directly affects the
confidentiality, integrity, and availability of the assets are known as:

Question66: The free, open source, TCP/IP protocol analyzer, sniffer and packet capturing utility standard across many industries and educational institutions is known as:

Question67: CERT members can provide critical support services to first responders such as:

Question68: They type of attack that prevents the authorized users to access networks, systems, or applications by
exhausting the network resources and sending illegal requests to an application is known as:

Question69: An organization faced an information security incident where a disgruntled employee passed sensitive access
control information to a competitor. The organization's incident response manager, upon investigation, found
that the incident must be handled within a few hours on the same day to maintain business continuity and
market competitiveness. How would you categorize such information security incident?

Question70: In the Control Analysis stage of the NIST's risk assessment methodology, technical and none technical control methods are classified into two categories. What are these two control categories?

Question71: Policies are designed to protect the organizational resources on the network by establishing the set rules and procedures. Which of the following policies authorizes a group of users to perform a set of actions on a set of resources?