Page 1556 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Chapter 17: Preventing and Responding to Incidents
1. A. Containment is the first step after detecting and verifying an incident. This limits the effect or scope of an incident. Organizations report the incident based on policies and governing laws, but this is not the first step. Remediation attempts to identify the cause of the incident and steps that can be taken to prevent a recurrence, but this is not the first step. It is important to protect evidence while trying to contain an incident, but gathering the evidence will occur after containment.
2. D. Security personnel perform a root cause analysis during the remediation stage. A root cause analysis attempts to discover the source of the problem. After discovering the cause, the review will often identify a solution to help prevent a similar occurrence in the future. Containing the incident and collecting evidence are done early in the incident response process. Rebuilding a system may be needed during the recovery stage.
3. A, B, C. Teardrop, smurf, and ping of death are all types of denial-of-service (DoS) attacks. Attackers use spoofing to hide their identity in a variety of attacks, but spoofing is not an attack by itself. Note that this question is an example that can easily be changed to a negative type of question such as “Which of the following is not a DoS attack?”
4. C. A SYN flood attack disrupts the TCP three-way handshake process by never sending the third packet. It is not unique to any specific operating system such as Windows. Smurf attacks use amplification networks to flood a victim with packets. A ping-of-death attack uses oversized ping packets.
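The explanations for questions 3 and 4 describe what each DoS technique looks like on the wire: a backlog of half-open TCP connections (SYN flood), echo requests aimed at a broadcast address (smurf), an echo request whose reassembled size exceeds what IPv4 allows (ping of death), and IP fragments whose offsets overlap (teardrop). The following Python is an added example, not code from the study guide, showing how a defender would turn those descriptions into detection checks over constructed data. The connection-state tuples, packet summaries, fragment lists and the `HALF_OPEN_THRESHOLD` value are all assumptions made for the example.

```python
"""Detection checks for the DoS techniques named in questions 3 and 4.

Added example; the records below are constructed, not real captures,
and the threshold is an illustrative assumption.
"""
from collections import Counter, defaultdict

# Largest datagram an IPv4 total-length field can describe; a reassembled
# echo request larger than this is the classic ping-of-death indicator.
MAX_IPV4_DATAGRAM = 65535
HALF_OPEN_THRESHOLD = 100  # assumption: per-destination half-open limit


def half_open_counts(conn_states):
    """Count SYN_RECV (half-open) entries per destination.

    conn_states: iterable of (src, dst, state) tuples, as a host's TCP
    connection table might report them. A flood that never sends the
    third handshake packet leaves many entries stuck in SYN_RECV.
    """
    counts = Counter()
    for _src, dst, state in conn_states:
        if state == "SYN_RECV":
            counts[dst] += 1
    return counts


def syn_flood_targets(conn_states, threshold=HALF_OPEN_THRESHOLD):
    """Destinations whose half-open backlog exceeds the threshold."""
    return sorted(d for d, n in half_open_counts(conn_states).items() if n > threshold)


def classify_packet(pkt, local_broadcasts):
    """Return DoS indicator names for one ICMP packet summary.

    pkt: dict with keys proto, type, dst, total_len (constructed format).
    local_broadcasts: set of directed-broadcast addresses for our networks.
    """
    indicators = []
    if pkt.get("proto") == "ICMP" and pkt.get("type") == "echo-request":
        if pkt.get("total_len", 0) > MAX_IPV4_DATAGRAM:
            indicators.append("ping-of-death")
        if pkt.get("dst") in local_broadcasts:
            indicators.append("smurf")  # echo to broadcast = amplification
    return indicators


def teardrop_fragments(fragments):
    """Return the datagram ids whose IP fragments overlap (teardrop).

    fragments: list of (frag_id, offset_bytes, length_bytes) tuples.
    Legitimate fragments tile the payload without overlapping ranges.
    """
    by_id = defaultdict(list)
    for fid, off, ln in fragments:
        by_id[fid].append((off, off + ln))
    overlapping = set()
    for fid, ranges in by_id.items():
        ranges.sort()
        for (_s1, e1), (s2, _e2) in zip(ranges, ranges[1:]):
            if s2 < e1:  # next fragment starts before the previous one ends
                overlapping.add(fid)
                break
    return overlapping


# Constructed sample data: 150 half-open connections from spoofed sources.
SAMPLE_CONN_STATES = [(f"198.51.100.{i % 250}", "10.0.0.5", "SYN_RECV") for i in range(150)]
SAMPLE_CONN_STATES += [("10.0.0.9", "10.0.0.5", "ESTABLISHED")]
SAMPLE_BROADCASTS = {"192.0.2.255"}
SAMPLE_PACKETS = [
    {"proto": "ICMP", "type": "echo-request", "dst": "10.0.0.5", "total_len": 70000},
    {"proto": "ICMP", "type": "echo-request", "dst": "192.0.2.255", "total_len": 84},
    {"proto": "ICMP", "type": "echo-request", "dst": "10.0.0.5", "total_len": 84},
]
SAMPLE_FRAGMENTS = [(1, 0, 1480), (1, 1400, 600), (2, 0, 1480), (2, 1480, 500)]

if __name__ == "__main__":
    print("SYN flood targets:", syn_flood_targets(SAMPLE_CONN_STATES))
    for p in SAMPLE_PACKETS:
        print(p["dst"], p["total_len"], classify_packet(p, SAMPLE_BROADCASTS))
    print("teardrop datagram ids:", teardrop_fragments(SAMPLE_FRAGMENTS))
```

Each check keys on the property the explanation names rather than on a signature, so the same logic flags the technique regardless of which tool generated the traffic; the half-open threshold should be tuned to the host's normal backlog before it is used for alerting.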
5. B. A zero-day exploit takes advantage of a previously unknown vulnerability. A botnet is a group of computers controlled by a bot herder that can launch attacks, but they can exploit both known

