What is the first phase of the incident response lifecycle?
Preparation — defining roles, training, policies, and tools.
What phase involves detecting incidents using monitoring tools like IDS and SIEM?
Detection and Analysis.
During which phase is the impact of an incident limited by isolating systems or blocking traffic?
Containment.
What phase involves removing the root cause of an incident?
Eradication.
What phase restores affected systems to normal operation after an incident?
Recovery.
What phase includes lessons learned and updating policies after an incident?
Post-Incident Activities.
What is the primary purpose of the preparation phase?
To ensure readiness through defined roles, training, and tools.
What type of monitoring tool detects suspicious activity but does not block it?
Intrusion Detection System (IDS).
What type of monitoring tool detects and actively blocks threats?
Intrusion Prevention System (IPS).
What legal system deals with disputes between private parties in cybersecurity?
Civil Law.
What is the burden of proof in civil law?
Preponderance of evidence (more likely than not).
What legal system addresses offenses against the state like hacking and fraud?
Criminal Law.
What is the burden of proof in criminal law?
Beyond a reasonable doubt.
Which law governs regulatory compliance enforced by government agencies (e.g., HIPAA, GDPR)?
Administrative Law.
What ethical principle requires protecting forensic data and findings?
Confidentiality.
What ethical principle requires investigators to remain unbiased?
Impartiality.
What ethical principle requires evidence collection and reporting to be accurate and untampered?
Integrity.
Who is responsible for securing the scene and avoiding contamination in forensic investigations?
First Responder.
What is the term for prioritizing evidence collection and preservation in investigations?
Triage.
What documentation ensures evidence handling is tracked and admissible in court?
Chain of Custody.
What is the legal requirement for evidence to be accepted in court?
Admissibility.
What challenge arises when cyber incidents cross multiple countries?
Cross-Jurisdictional Challenges.
What does BCP stand for?
Business Continuity Plan.
What does DRP stand for?
Disaster Recovery Plan.
What type of backup copies all data?
Full Backup.
What backup copies data changed since the last backup, full or incremental?
Incremental Backup.
What backup copies data changed since the last full backup?
Differential Backup.
What is an RTO in disaster recovery?
Recovery Time Objective — maximum allowable downtime.
What is an RPO in disaster recovery?
Recovery Point Objective — maximum acceptable data loss.
What is MTD in disaster recovery?
Maximum Tolerable Downtime — total outage limit.
What type of disaster recovery site is fully equipped and operational for immediate failover?
Hot Site.
What type of disaster recovery site is partially equipped and ready with data backups?
Warm Site.
What type of disaster recovery site has no equipment and requires setup time?
Cold Site.
What is a tabletop disaster recovery test?
A scenario-based discussion and role-play of recovery plans.
What is a walkthrough disaster recovery test?
Step-by-step review of plans by team members.
What is a simulation disaster recovery test?
A realistic test of recovery without disrupting operations.
What is a parallel disaster recovery test?
Running recovery systems alongside production without impact.
What is a full interruption disaster recovery test?
Shutting down production systems to test recovery.
What is the purpose of containment during incident response?
To limit the damage caused by an incident.
What does eradication focus on during incident response?
Removing the cause of the incident.
What is the importance of recovery in incident response?
Restoring affected systems and services to normal operation.
What is a critical activity after recovery in incident response?
Monitoring for signs of incident recurrence.
Why is post-incident documentation important?
To record the incident details and improve future response.
What role does training play in incident response preparation?
Ensures team readiness and awareness of roles.
What is the difference between IDS and IPS?
IDS detects and alerts; IPS detects and blocks threats.
What is the significance of chain of custody in forensic investigations?
It preserves the integrity and admissibility of evidence.
What is the goal of business continuity planning?
To ensure essential business functions continue during and after a disruption.
What is the main focus of disaster recovery planning?
To restore IT systems and data after an incident.
What is the difference between incremental and differential backups?
Incremental backs up changes since the last backup; differential backs up changes since the last full backup.
Why are disaster recovery tests important?
They verify the effectiveness of recovery plans and preparedness.