Explanation: If the incident response team determines that a crime has been carried out, senior management should be informed immediately. If the suspect is an employee, a human resources representative must be called right away.

Explanation: The evidence lifecycle does not include destruction. The evidence needs to be preserved.

Explanation: This was a "potential" intrusion, so we begin by identifying the extent of compromise. If the event is determined to be a real incident, it is identified and classified. Once we understand the severity of the incident taking place, we move on to the next stage, which is investigation. Investigation involves the proper collection of relevant data, which will be used in the analysis and following stages. The goals of these stages are to reduce the impact of the incident, identify the cause of the incident, resume operations as soon as possible, and apply what was learned to prevent the incident from recurring.

Explanation: A Polymorphic virus produces varied but operational copies of itself in an attempt to evade anti-virus software.

Explanation: Availability is one of the main themes behind business continuity planning, in that it ensures that the resources required to keep the business going will continue to be available to the people and systems that rely upon them. With the CIA Triad, primary goals and objectives of security, are the three essential security principles of confidentiality, integrity, and availability. Vulnerabilities and risks are also evaluated based on the threat they pose against one or more of the CIA Triad principles.

Explanation: In database design, the cardinality or fundamental principle of one data table with respect to another is a critical aspect. The relationship of one to the other must be precise between each other in order to explain how each table links together. In the relational model, tables can be related as any of "one-to-many" or "many-to-many." This is referred to as the cardinality of a given table in relation to another.

Explanation: Whenever possible, analyze a replica of the compromised resource, not the original, thereby avoiding inadvertently tamping with evidence

Explanation: Certification and accreditation processes are performed before a system can be formally installed in the production environment. Certification is the technical testing and evaluation of a system while accreditation is the formal authorization given by management to allow a system to operate in a specific environment. The accreditation decision is based upon the results of the certification process. This occurs during the acceptance phase.

Explanation: For evidence to be admissible in court, it needs to be relevant, sufficient, and reliable.

Explanation: In the Orange Book, covert channels in operating systems are not addressed until security level B2 and above because these are the systems that would beholding data sensitive enough for others to go through all the necessary trouble to access data in this fashion.B2: Structured Protection: The security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures. This class requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices require labels, and the system must not allow covert channels. A trusted path for logon and authentication processes must be in place, which means the subject communicates directly with the application or operating system, and no trapdoors exist. There is no way to circumvent or compromise this communication channel.

Explanation: The earlier in the process that security is planned for and implement the cheaper it is. It is also much more efficient if security is addressed in each phase of the development cycle rather than an add-on because it gets more complicated to add at the end. If security plan is developed at the beginning it ensures that security won't be overlooked.

Explanation: Port Address Translation (PAT) maps one internal IP address to an external IP address and port number combination. PAT can theoretically support 65,536 simultaneous communications from internal clients over a single external leased IP address. A company can save a substantial amount of money by using PAT, because the company needs to buy only a few public IP addresses, which are used by all systems in the network.

Explanation: Both SET and S-HTTP provide application layer security.

Explanation: Eavesdropping is not a countermeasure, it is a type of attack where you are collecting traffic and attempting to see what is being sent between entities communicating with each other. Counter measures to traffic analysis are similar to the countermeasures to crypto attacks, like padding messages, sending noise, or transmitting non-informational data elements mixed in with real information to disguise the real message

Explanation: A demilitarized zone (DMZ) is a network segment located between the protected private network and unprotected public network, such as the Internet.

Explanation: Proxy servers act as an intermediary between the clients that want access to certain services and the servers that provide those services. The proxy server sends an independent request to the destination on behalf of the user, masking the origin of the data.

Explanation: Encrypted authentication is a firewall feature that allows users on an external network to authenticate themselves to prove that they are authorized to access resources on the internal network. Encrypted authentication is convenient because it happens at the transport layer between a client software and a firewall, allowing all normal application software to run without hindrance.

Explanation: The RARP protocol translates MAC (Ethernet) address to IP addresses.

Explanation: Packet filtering was the first generation of firewalls and it is the most rudimentary type of all of the firewall technologies.

Explanation: When information is encrypted using a public key, it can only be decrypted by using the associated private key. As the recipient is the only person with the private key, the recipient is the only person who can decrypt the message. This provides a form of authentication in that the recipient's identity can be positively verified by the sender. If the receiver replies to the message, the sender knows that the intended recipient received the message.

Explanation: A vulnerability is the absence of a countermeasure or a weakness in an in-place countermeasure, and can therefore be exploited.

Explanation: Lucifer was adopted and modified by the U.S. National Security Agency (NSA) to establish the U.S. Data Encryption Standard (DES) in 1976.

Explanation: Interference interrupts the flow of an electrical current, and fluctuations can actually deliver a different level of voltage than what was expected. Other types of voltage fluctuations include power excess: spike, surge or power loss: fault, blackout or power degradation: sag/dip, brownout, inrush.

Explanation: Denial-of-service (DoS) attacks are attacks that prevent a system from processing or responding to legitimate traffic or requests for resources and objects, which makes the system unavailable.

Explanation: Information security is made up of the following primary attributes: Availability - Prevention of loss of, or loss of access to, data and resources Integrity - Prevention of unauthorized modification of data and resources Confidentiality - Prevention of unauthorized disclosure of data and resources.

Explanation: Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object.

Explanation: With Electronic Code Book (ECB) Mode, a 64-bit data block is entered into the algorithm with a key, and a block of ciphertext is produced. The same block of ciphertext will always result from a given block of plaintext and a given key.

Explanation: In cryptography, key clustering is said to occur when two different keys generate the same ciphertext from the same plaintext, using the same cipher algorithm. A good cipher algorithm, using different keys on the same plaintext, should generate a different ciphertext, regardless of the key length.

Explanation: Firewalls filter traffic based on a defined set of rules. The rules must be configured correctly for the firewall to provide the intended security.

Explanation: When properly configured, database mirroring provides transaction-level protection on a hot standby server, ensuring minimal recovery latency. Electronic vaulting involves shipping data to an offsite location, resulting in some delay in recovery. Transaction log backups and read-only database replica provide potential transaction-level recovery, but with manual effort involved.

Explanation: A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system through a single IP address.

Explanation: All the employees should be monitored, not only a few.

Explanation: A parallel test is one in which some systems are actually run at the alternate site. A Full Interruption Test is the most intrusive to regular operations and business productivity. The original site is actually shut down, and processing takes place at the alternate site.

Explanation: Senior management is ultimately responsible for all phases of the plan, and who should be most concerned about the protection of its assets. They must sign off on all policy issues. They will also be held liable for overall success or failure of a security solution.

Explanation: A database can be defined as a persistent collection of interrelated data items. Persistency is obtained through the preservation of integrity and the use of nonvolatile storage media. A database is a schema and a Data Description Language (DDL) defines the schema.

Explanation: If you can't restore lost files from your backup system then your backup plan is useless. You could have the best backup system and plan available but if you are unable to restore files then the system cannot assure data availability. Develop an effective disaster recovery plan and include in that plan a good backup strategy that meets the needs of your organization. Be sure to include periodic recovery practice operations to prove the effectiveness of the system.

Explanation: The primary key is the attribute that is used to make each row or tuple in a table unique.

Explanation: The "human error" is due to poor programming by the software developer. A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. When a programmer writes a piece of software that will accept data, this data and its associated instructions will be stored in the buffers that make up a stack, and code must validate data submitted can fit into the buffer.

Explanation: There are two risk assessment methodologies: quantitative and qualitative. Quantitative risk analysis assigns real dollar figures to the loss of an asset. Once you develop a list of threats, you must individually evaluate each threat and its related risk.

Explanation: The database management system (DBMS) is a software suite that is used to manage access to the database and provides data integrity and redundancy. Databases are generally managed by a database administrator (DBA).

Explanation: A cold site is less expensive compared to a warm site or a hot site. A cold site is a leased or rented facility that supplies the basic environment, electrical wiring, air conditioning, plumbing, and flooring, but none of the equipment or additional services. A cold site is essentially an empty data center.

Explanation: The computer system should not be changed, while the incident handling is ongoing. System development should not occur during incident handling.

Explanation: The first normal form (1NF) requires that we create separate tables for each group of related data and identify each row with a unique column identified as the primary key. The second normal form (2NF) requires that we move data that is only partially dependent on the primary key to another table. The third normal form(3NF) requires that we remove data that do not depend only on the primary key. The process of conforming with the normal form us called normalization.

Explanation: An incremental backup is fast because it copies only the files that have been modified since the previous backup.

Explanation: The Data Definition Language (DDL) is similar to a computer programming language and is used for defining data structures, such as database schemas, database tables, and other database objects.

Explanation: The domain of a relation is the set of allowable values that an attribute can take, composed of values that can be entered in a column (attribute) of a table (relation).

Explanation: The Differential backup method backs up the files that have been modified since the last full backup, but does not change the archive bit value.

Explanation: In a full backup all data are backed up and saved to some type of storage media. From this baseline differential and incremental backups can later be made.

Explanation: A foreign key is an attribute in one table that matches the primary key of another table and is used to cross-reference tables.

Explanation: Aggregation is the act of combining information from separate sources. The combination of the data forms new information, which the subject does not have the necessary rights to access. The combined information has a sensitivity that is greater than that of the individual parts.