388 Appendix ■ Answers
64. C. The Mitigation phase of incident response focuses on actions that contain the
damage caused by an incident, including limiting the incident's scope and/or its
effectiveness.
65. C. At this point in the process, Ann has no reason to believe that an actual security
compromise or policy violation has taken place, so the situation does not meet the criteria
for a security incident or an intrusion. The alert generated by the intrusion detection
system is simply a security event requiring further investigation. "Security occurrence" is
not a term commonly used in incident handling.
66. A. DNS uses port 53 for both UDP and TCP (UDP for most queries, TCP for zone transfers
and for responses too large to fit in a UDP datagram). SSH and SCP use TCP port 22. SSL and
TLS have no ports of their own but are commonly used to protect HTTPS traffic on TCP port
443. Unencrypted web traffic over HTTP typically uses TCP port 80.
67. D. The attack described in this scenario has all the hallmarks of a denial-of-service
attack. More specifically, Ann's organization is likely experiencing a DNS amplification
attack, in which the attacker sends queries to third-party DNS resolvers with the source IP
address forged to be that of the targeted system. Because DNS queries travel over UDP, there
is no three-way handshake to validate the source address, so the forged requests are
answered as if they were genuine. The queries are crafted so that a short request elicits a
lengthy response, and the resolvers send those responses to the target. The purpose is to
generate responses headed to the target that are large and numerous enough to overwhelm
the targeted network or system.
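The defender's view of the attack just described, as an added example that is not part of the book's answer key: the spoofed queries leave from the attacker, so the victim's own sensors never see them. What the victim does see is a flood of large UDP responses from port 53 that answer no query it sent. The script below scans constructed flow-log lines for exactly that pattern. The log format, the addresses, the local prefix, and the thresholds are all assumptions chosen for the illustration.

```python
"""Spot DNS amplification traffic in flow records.

Added example for this answer key, not code from the original book. The
log format, addresses, local prefix and thresholds below are constructed
assumptions for the illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample flow log, one flow per line:
#   proto src_ip:src_port > dst_ip:dst_port bytes
SAMPLE_LOG = """\
udp 203.0.113.10:51234 > 198.51.100.53:53 70
udp 198.51.100.53:53 > 203.0.113.10:51234 180
udp 203.0.113.20:50001 > 198.51.100.53:53 72
udp 198.51.100.53:53 > 203.0.113.20:50001 3000
udp 192.0.2.11:53 > 203.0.113.10:40001 3200
udp 192.0.2.12:53 > 203.0.113.10:40002 3100
udp 192.0.2.13:53 > 203.0.113.10:40003 3300
udp 192.0.2.14:53 > 203.0.113.10:40004 2900
tcp 203.0.113.10:44444 > 192.0.2.80:443 5000
"""


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    nbytes: int


def parse_flows(log: str) -> List[Flow]:
    """Parse the constructed 'proto src:port > dst:port bytes' format."""
    flows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != ">":
            continue  # skip blank or malformed lines
        proto, src, _, dst, nbytes = parts
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(proto.lower(), src_ip, int(src_port),
                          dst_ip, int(dst_port), int(nbytes)))
    return flows


def find_amplification_victims(flows: Iterable[Flow],
                               local_prefix: str = "203.0.113.",
                               min_sources: int = 3,
                               min_avg_bytes: int = 1000) -> Dict[str, dict]:
    """Return local hosts receiving many large, unsolicited UDP/53 responses.

    A response is 'solicited' if the same local host:port sent a UDP query to
    that resolver on port 53. In a reflection attack the spoofed queries leave
    from the attacker, not the victim, so the victim sees answers to questions
    it never asked. A single large but solicited answer is left alone.
    """
    flows = list(flows)
    queries = set()
    for f in flows:
        if f.proto == "udp" and f.dst_port == 53 and f.src_ip.startswith(local_prefix):
            queries.add((f.src_ip, f.src_port, f.dst_ip))

    stats = defaultdict(lambda: {"sources": set(), "bytes": 0, "flows": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != 53 or not f.dst_ip.startswith(local_prefix):
            continue
        if (f.dst_ip, f.dst_port, f.src_ip) in queries:
            continue  # normal answer to a query this host actually sent
        s = stats[f.dst_ip]
        s["sources"].add(f.src_ip)
        s["bytes"] += f.nbytes
        s["flows"] += 1

    victims = {}
    for host, s in stats.items():
        avg = s["bytes"] / s["flows"]
        if len(s["sources"]) >= min_sources and avg >= min_avg_bytes:
            victims[host] = {"resolvers": sorted(s["sources"]),
                             "bytes": s["bytes"], "avg_bytes": avg}
    return victims


if __name__ == "__main__":
    for host, info in find_amplification_victims(parse_flows(SAMPLE_LOG)).items():
        print(f"{host}: {info['bytes']} unsolicited bytes "
              f"from {len(info['resolvers'])} resolvers")
```

On the sample data only 203.0.113.10 is flagged: its one real lookup is matched to a query and ignored, the 3000-byte answer to 203.0.113.20 is large but solicited, and the four unmatched responses from distinct resolvers are what trip the detector. Real flow exports would need the same query/response pairing done within a time window, since a stale query table would eventually make every response look solicited.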
68. B. Now that Ann suspects an attack against her organization, she has sufficient evidence
to declare a security incident. The attack under way appears to have undermined the
availability of her network, which meets one of the criteria for a security incident. This
is an escalation beyond a security event, but it does not rise to the level of an intrusion,
because there is no evidence that the attacker has even attempted to gain access to systems
on Ann's network. "Security occurrence" is not a term commonly used in incident handling.
69. D. To be admissible, evidence must be relevant, material, and competent. The laptop in
this case is material because it contains logs related to the crime in question. It is also
relevant because it provides evidence tying the hacker to the crime. It is not competent,
however, because the evidence was not obtained legally.
70. C. Gordon may conduct his investigation as he wishes and use any information that is
legally available to him, including information and systems belonging to his employer. He
has no obligation to contact law enforcement. However, Gordon may not perform "hack back"
activities, because those may violate the law and/or the (ISC)² Code of Ethics.
71. B. Software escrow agreements place a copy of the source code for a software package in
the hands of an independent third party, who turns the code over to the customer if the
vendor ceases business operations. Service level agreements, mutual assistance agreements,
and compliance agreements all lose some or all of their effectiveness if the vendor goes out
of business.
72. C. Most security professionals recommend at least one, and preferably two, weeks of
mandatory vacation to deter fraud. The idea is that fraudulent schemes will be uncovered
while the employee is away and does not have the access required to keep up a cover-up.