1. Which of the following is NOT a member of the extended team to respond to a computer security incident?

A. Law Enforcement

B. Public Relations

C. Legal Counsel

D. Human Resources

2. Which of the following is NOT commonly used for context-based authentication?

A. Time of day

B. Device being used

C. IP address and/or IP reputation

D. Password strength

E. User roles or group membership

3. Which of the following is NOT an event that could detect identity attacks

A. Failed password attempts

B. Privilege changes

C. Account creation and modification

D. Privileged account usage

4. In what phase of the incident response process would you put the impacted systems back into production?

A. Containment

B. Recovery

C. Preparation

D. Eradication

5. Which of the following is considered two-factor authentication

A. A fingerprint and facial recognition

B. A password and a pin

C. A password and a fingerprint

D. A hardware token and a software token

6. Which of the following are three common methods to acquire credentials

A. Malware

B. Phishing

C. Compromise of other service providers

D. Brute force attacks

E. Insider threat

7. Which of the following describes a playbook for incident response?

A. Procedures that will be followed in the event of a specific type of cybersecurity incident?

B. A guide on how to have fun while working

C. A procedure that describes how an incidental played out

D. A guide on how to provide misinformation to threats.

8. Which of the following best describe a rootkit?

A. Software that is designed to provide root privileges

B. A software kit that is only available to the root user

C. Multiple malicious software tools to provide continued access to a computer while hiding their own existence.

D. Tools used to protect the root account

9. Which of the following is NOT a phase of the incident response process?

A. Preparation

B. Eradication

C. Identification

D. Counterattack

10. In which phase of the incident response process would you gather events and analyze them for anything suspicious?

A. Identification

B. Preparation

C. Lessons Learned

D. Containment

11. Which of the following are used during a tabletop exercise to describe an additional event or circumstance that requires a response or action by the incident response team?

A. Action Item

B. Scenario

C. Inject

D. Incident

12. In what phase of the incident response process would you capture forensic information to provide to law enforcement?

A. Eradication

B. Preparation

C. Identification

D. Containment

13. Which of the following describes the AAA abbreviation?

A. Access, Alter, and Audit

B. Access, Authorize, and Abort

C. Authentication, authorization, and Accounting

D. Authorize, Audit, and Access

14. Which of the following is NOT a biometric factor?

A. Last four digits of the social security number

B. Fingerprint

C. Voiceprint

D. Retina Scan

15. Which of the following best describes a tabletop exercise?

A. Discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during an emergency and their responses to a particular emergency situation.

B. Training sessions for incident responders where the participants will learn how to use the tools involved in incident response.

C. In-person exercises that in performed in a classroom setting where incident responders respond to a live incident.

D. Mock scenarios that are created in a temporary environment with the purpose of performing hands on exercises to prepare for an incident.

16. Which of the following are common types of authentication factors or methods

A. Possession factors

B. Knowledge factors

C. Relational factors

D. Biometric factors

17. In what phase would an incident response process would you restore from backups

A. Containment

B. Eradication

C. Recovery

D. Lessons Learned