CCST - Cisco Certified Support Technician Security Incident Handling Process Questions and Answers

Question 1

Which of the following activities is a critical component of the 'Preparation' phase of the security incident handling process, according to the NIST framework?

Accepted Answer

Establishing and training a Computer Security Incident Response Team (CSIRT).

Answer

The 'Preparation' phase involves all the proactive steps taken before an incident occurs to ensure the organization is ready to respond. Establishing and training a CSIRT is a fundamental preparatory step, along with creating policies, acquiring necessary tools, and performing risk assessments.

Question 2

A support technician observes alerts from a SIEM tool indicating multiple failed login attempts on a critical server, followed by a successful login from an unrecognized IP address. Which phase of the incident handling process has just begun?

Accepted Answer

Detection and Analysis

Answer

The 'Detection and Analysis' phase begins when potential signs of an incident are discovered. This involves detecting anomalies (the alerts) and then analyzing them to determine if a security incident has actually occurred, which is the immediate next step for the technician.

Question 3

During a malware outbreak, a security analyst instructs a technician to immediately disconnect the infected computers from the corporate network. This action is a primary example of which incident response phase?

Accepted Answer

Containment

Answer

Containment strategies are actions taken to stop the incident from causing further damage and to prevent it from spreading to other systems. Disconnecting affected machines is a classic short-term containment step to isolate the threat.

Question 4

After a security incident has been contained and the immediate threat is neutralized, a technician is tasked with re-imaging an affected workstation from a known good gold image and ensuring all security patches are applied. This activity belongs to which two connected phases of the incident response lifecycle?

Accepted Answer

Eradication and Recovery

Answer

This action serves two purposes. 'Eradication' involves removing the root cause of the incident (the malware is wiped out by re-imaging). 'Recovery' involves restoring the affected systems back to normal operation so business can resume, which includes applying patches to prevent reinfection.

Question 5

A company has just recovered from a major data breach. The management team holds a meeting with the IT and security staff to review the incident timeline, discuss what went well, identify weaknesses in the response, and update the incident response plan. In which phase of the incident handling process does this activity occur?

Accepted Answer

Post-Incident Activity (Lessons Learned)

Answer

The Post-Incident Activity, or Lessons Learned, phase is a critical final step where the team analyzes the incident and the response to it. The goal is to improve security controls and the incident handling process itself to prevent or better handle future incidents.

(CCST) Cisco Certified Support Technician Practice Test

(CCST) Cisco Certified Support Technician Practice Test

CCST - Cisco Certified Support Technician Security Incident Handling Process Questions and Answers