CSIRM Assignment - 2

Q.1 Multiple Choice Questions (Only For Exam)

1. What is the first step in recovering from a cybersecurity incident?

a) Eradication
b) Containment
c) Post-incident review
d) Notification

2. Which of the following is not typically affected during a cybersecurity incident?

a) Business operations
b) IT systems
c) Legal contracts
d) Sports data

3. What is the purpose of containment in incident response?

a) Eliminate the attacker
b) Prevent further damage
c) Notify users
d) Create backups

4. What should be done before removing malware or infected systems?

a) Reboot the system
b) Gather and preserve evidence
c) Delete logs
d) Inform the attacker

5. Which process involves identifying the source of a cyberattack?

a) Recovery
b) Assessment
c) Attack host identification

6. Why is post-incident analysis important?

a) To punish attackers
b) To learn and improve future responses
c) To report to HR
d) To recover costs

7. Which of the following is essential during evidence handling?

a) Maintaining chain of custody
b) Destroying infected systems
c) Isolating non-critical systems
d) Notifying the public immediately
8. What does "eradication" refer to in incident response?
a) Containing the threat
b) Completely removing the threat
c) Notifying the media
d) Rebooting systems

9. What helps determine how quickly and in what order systems should be restored?
a) Prioritization
b) Risk assessment
c) Evidence gathering
d) Log analysis

10. Which of the following should be retained for legal or future use?
a) System updates
b) Incident evidence
c) Temporary backups
d) Antivirus reports

11. What is the goal of using incident analytics in cybersecurity?

a) To store old data
b) To predict and prevent future incidents
c) To reduce hardware usage
d) To avoid backups

12. What does a risk assessment primarily help with?

a) Identifying and evaluating security threats
b) Creating user accounts
c) Running antivirus software
d) Configuring hardware

13. Which of the following improves host security?

a) Regular system updates and patches
b) Increasing hard drive size
c) Installing games
d) Disabling firewalls

14. What is a key aspect of network security?

a) Formatting the drive
b) Using firewalls and intrusion detection systems
c) Hiding the router
d) Rebooting servers

15. Which of these helps in malware prevention?

a) Sharing unknown files
b) Using weak passwords
 c) Installing antivirus and anti-malware software
d) Disabling security alerts

16. What is the best method to raise user awareness in cybersecurity?

a) Conducting regular security training sessions
b) Blocking users
c) Hiding logs
d) Updating software silently

17. What is phishing primarily aimed at?

a) Stealing user credentials
b) Destroying hardware
c) Sending spam
d) Improving performance

18. Why is comparing cost of control vs cost of incident impact important?

a) To reduce employee wages
b) To make informed security investment decisions
c) To decrease backups
d) To delete logs

19. What is a proactive security measure?

a) Ignoring alerts
b) Applying preventive controls before incidents happen
c) Formatting hard drives
d) Delaying updates

20. Which of the following is a best practice in cybersecurity?

a) Using strong, unique passwords for each system
b) Disabling antivirus
c) Sharing credentials
d) Ignoring software updates

21. What type of attack floods a DNS server with excessive requests?
a) Phishing
b) DoS (Denial of Service)
c) Ransomware
d) SQL Injection

22. Which of the following is most likely used as part of a DDoS attack?
a) Firewall
b) Antivirus
c) Botnet or Worm
d) VPN
23. In a scenario where classified military documents are stolen by an insider, what kind of
threat is this?
a) Insider threat
b) External threat
c) Malware infection
d) DoS attack

24. Unauthorized access to payroll records is a violation of which principle of information

security?
a) Availability
b) Confidentiality
c) Integrity
d) None

25. What is the best protection against Wi-Fi hacking at home?

a) Use of strong WPA2/WPA3 encryption and password
b) Hiding SSID only
c) Using open networks
d) Installing games on router

26. Which attack involves multiple computers attacking a single target?

a) Virus
b) Keylogger
c) DDoS (Distributed Denial of Service)
d) Trojan

27. What should be prioritized when biometric data is stolen by cyberwar groups?
a) Rebooting systems
b) National data security and legal response
c) Clearing browser cache
d) Creating strong passwords

28. Which type of attack involves malware spreading from one computer to others
automatically?
a) Worm
b) Trojan
c) Phishing
d) Backdoor

29. If someone gains access to your cloud files without permission, it is a breach of:
a) Availability
b) Confidentiality and possibly Integrity
c) Encryption
Page 4 of 5d) Authentication
 30. What type of cybercrime involves remote control over smart home devices?
a) IoT hacking
b) DDoS
c) SQL Injection
d) Adware
Q.2 Very Short Answer Type Questions

1. What is meant by containment in incident response?

Answer:

Containment is the phase in incident response where actions are taken to limit the scope,
spread, and impact of a cybersecurity incident. It helps isolate affected systems while
maintaining essential business functions.

• Short-Term Containment – Immediate actions like isolating infected devices or

disabling compromised accounts to prevent further damage
• Long-Term Containment – More stable solutions such as applying patches, firewall
rules, or rerouting traffic while systems are cleaned and monitored.

Effective containment is critical for preventing escalation and protecting unaffected systems
during the response phase.

2. Name any two types of resources that can be affected by a cybersecurity

incident.
Answer:
Cybersecurity incidents can compromise various organizational assets, affecting both
technical and business functions.
• Information Assets – Includes sensitive data such as personal information, customer
databases, financial records, and intellectual property that may be stolen, altered, or
deleted.
• Network and System Resources – Servers, switches, firewalls, and applications
may become inoperative, misconfigured, or used as a platform for further attacks
Damage to these resources can lead to operational downtime, financial loss, and reputational
damage if not mitigated quickly.

3. What is the purpose of post-incident analysis?

Answer:
Post-incident analysis is the final phase in the incident response lifecycle, aimed at
evaluating the response and identifying lessons learned.
• Root Cause Identification – Determines how the incident originated and what
vulnerabilities were exploited.
• Process Review – Evaluates the effectiveness of detection, containment, and recovery
procedures.
• Recommendations – Suggests improvements to prevent similar future incidents.

This analysis helps organizations improve security posture, update response plans, and
educate stakeholders for better preparedness.
 4. Define risk assessment in the context of cybersecurity.
Answer:
Risk assessment in cybersecurity is the process of identifying, evaluating, and prioritizing
risks associated with digital assets and operations.
• Threat and Vulnerability Analysis – Recognizes internal and external threats and
evaluates system weaknesses that could be exploited.
• Impact Evaluation – Estimates potential consequences such as data loss, financial
damage, or reputational harm.
• Risk Mitigation Planning – Recommends safeguards like firewalls, access controls,
or encryption.
A well-structured risk assessment informs decision-makers about necessary security controls
and helps reduce the likelihood of incidents.

5. Mention two common malware prevention techniques.

Answer:
Malware prevention is essential for securing systems from unauthorized access, data theft, or
system damage caused by malicious code.
• Up-to-date Antivirus and Anti-malware Tools – These tools detect, quarantine,
and remove known malware using signature and behavior-based methods.
• Patch Management and Updates – Keeping software and operating systems
updated helps fix known vulnerabilities that malware exploits.
Additional practices include email filtering, restricted downloads, and endpoint protection
platforms. A layered defense significantly reduces malware risks in enterprise environments.

6. What is a DDoS attack and how does it differ from a DoS attack?
Answer:
A DDoS (Distributed Denial of Service) attack involves overwhelming a target system with
traffic from multiple sources, causing service disruption.
• DDoS Attacks – Use a network of infected machines (botnet) to flood servers with
traffic, making services unavailable.
• DoS Attacks – Originates from a single device and is easier to detect and block.
DDoS attacks are harder to mitigate due to their distributed nature and can severely impact
availability and business operations.

7. Define insider threat in cybersecurity.

Answer:
An insider threat refers to a security risk that originates from within an organization,
typically involving current or former employees, contractors, or business partners.
• Malicious Insider – Intentionally steals data or sabotages systems for personal or
financial gain.
• Unintentional Insider – Causes damage through careless actions like clicking
phishing links or misconfiguring access controls.
Insider threats are dangerous because they involve individuals with legitimate access and
knowledge of internal systems, making them harder to detect and prevent.
 8. What is the role of strong passwords in protecting cloud storage?
Answer:
Strong passwords are a vital part of access control for cloud storage systems, preventing
unauthorized data access and breaches.
• Prevents Unauthorized Access – Complex passwords using letters, numbers, and
symbols reduce the chances of brute-force or dictionary attacks.
• Supports Multi-Factor Authentication (MFA) – Strong passwords combined with
MFA create a powerful barrier against intrusion.
• Protects Sensitive Data – Safeguards stored documents, backups, and critical
business files in cloud environments.
Consistent use of strong, unique passwords across accounts helps prevent large-scale
compromise of cloud infrastructure.
Q.3 Short Answer Type Questions

1. Explain the steps involved in containment, eradication, and recovery during a

cyber incident.
Answer:

Containment, eradication, and recovery are critical phases in the cybersecurity incident
response process aimed at controlling and resolving security breaches effectively.
• Containment – Focuses on isolating affected systems and limiting incident spread to
prevent further damage, using methods like network segmentation and disabling
compromised accounts.
• Eradication – Involves identifying and removing the root cause of the incident, such
as deleting malware, closing vulnerabilities, and applying patches.
• Recovery – Restores systems and services to normal operation, verifying integrity
through testing and monitoring for any signs of residual threats.
• Validation and Monitoring – Continuous observation ensures the threat has been
fully eliminated and systems remain secure post-recovery.
These steps collectively minimize damage, restore business functions, and strengthen
security to prevent recurrence.

2. How do you assess the impact of a cybersecurity incident on business and IT

operations?
Answer:
Assessing the impact of a cybersecurity incident is essential to understand the extent of
damage and prioritize response and recovery efforts.
• Operational Impact – Evaluates downtime, service disruption, and degradation
affecting business processes and customer experience.
• Data Loss and Integrity – Measures the loss, theft, or corruption of sensitive data
and its consequences on compliance and trust.
• Financial Consequences – Estimates direct costs like remediation and indirect costs
such as reputational damage and regulatory fines.
• Legal and Compliance Risks – Assesses potential violations of data protection laws
and contractual obligations.
Comprehensive impact assessment guides effective incident management and resource
allocation for recovery
3. Explain how incident analytics can be used to improve proactive security.
Answer:

Incident analytics involves collecting and analyzing data from past security events to
enhance an organization’s proactive defense capabilities.
• Pattern Recognition – Identifies recurring attack vectors and trends to anticipate
future threats.
• Threat Intelligence Integration – Enriches analytics with external data to improve
detection accuracy and context.
• Improved Detection Rules – Refines security monitoring tools and alerts based on
insights from incident data.
 • Resource Optimization – Prioritizes security efforts by focusing on high-risk areas
identified through analytics.
Incident analytics empowers organizations to shift from reactive to proactive security,
reducing incident frequency and impact.

4. Describe the importance of network security in preventing cyber attacks.

Answer:
Network security is fundamental to protecting an organization’s data and systems from
unauthorized access, attacks, and breaches.
• Perimeter Defense – Uses firewalls, intrusion detection/prevention systems to block
unauthorized traffic and malicious activities.
• Access Controls – Enforces policies to restrict network access to authorized users
and devices only.
• Traffic Monitoring – Continuously inspects network traffic to detect anomalies and
potential threats in real-time.
• Segmentation and Isolation – Divides the network to contain breaches and limit
attacker movement.
Robust network security reduces attack surfaces, detects threats early, and preserves
confidentiality, integrity, and availability of information assets.

5. What are the key elements of a cybersecurity awareness and training program?
Answer:

A cybersecurity awareness and training program educates employees about security best
practices and promotes a security-conscious culture to reduce risks.
• Awareness Campaigns – Regular communication through emails, posters, and
seminars to keep security top-of-mind.
• Role-Based Training – Customized training tailored to job functions and risk
exposure, such as phishing awareness for all staff and secure coding for developers.
• Simulation Exercises – Phishing simulations and incident response drills to test
employee readiness and reinforce learning.
• Policy Education – Clear explanation of organizational security policies, acceptable
use, and incident reporting procedures.
• Continuous Improvement – Regular updates based on emerging threats and
feedback to keep training relevant.
Effective programs empower employees to act as the first line of defense against cyber
threats, significantly reducing organizational risk.

6. Explain the impact of a DoS attack on a DNS server with an example scenario.
Answer:
A Denial of Service (DoS) attack on a DNS server disrupts the resolution of domain names
to IP addresses, crippling internet services.
• Service Disruption – Overloads the DNS server with excessive queries, preventing
legitimate user requests from being processed.
• Website Inaccessibility – Users cannot access websites as domain names fail to
resolve, impacting e-commerce, email, and other services.
 • Example Scenario – An attacker floods the DNS server of a popular online retailer
with bogus queries, causing site outages during peak shopping hours, leading to
revenue loss and reputational damage.
DoS attacks on DNS infrastructure can cause widespread service outages, highlighting the
need for robust mitigation strategies.

7. How can a worm infection lead to a large-scale DDoS attack?

Answer:
Worm infections can rapidly spread across networks, turning infected machines into bots for
large-scale Distributed Denial of Service (DDoS) attacks.
• Self-Propagation – Worms autonomously replicate and infect numerous systems
without user interaction.
• Botnet Creation – Infected devices become part of a botnet controlled by an attacker.
• Coordinated Attack – The botnet floods a target with traffic from multiple infected
hosts, overwhelming resources and causing service denial.
• Amplification Effect – The sheer volume and distribution make mitigation difficult
and increase attack severity.
Worm-induced botnets amplify the scale and impact of DDoS attacks, making early
detection and containment critical.

8. Describe how personal files in the cloud can be compromised and how to prevent
it.
Answer:
Personal files stored in the cloud are vulnerable to compromise due to unauthorized access,
data breaches, or misconfigurations.
• Unauthorized Access – Weak passwords, stolen credentials, or phishing attacks
allow attackers to access cloud accounts.
• Misconfigured Permissions – Incorrect sharing settings can expose files publicly or
to unauthorized users.
• Data Breaches – Cloud service provider vulnerabilities can result in mass data
exposure.
• Prevention Measures – Use strong, unique passwords with multi-factor
authentication, regularly review sharing permissions, encrypt sensitive files, and keep
cloud applications updated.
Implementing robust security controls and user vigilance are essential to safeguarding
personal cloud data from compromise.
Q. 4. Long Answer Type Questions

1. Discuss in detail the process of recovering from a cybersecurity incident.

Answer:
Recovery from a cybersecurity incident focuses on restoring systems, data, and operations
to normal. It is a critical step in the incident response lifecycle that ensures the organization
returns to a secure and functional state while reducing the risk of reinfection or further
damage.
• Damage Assessment – The first step involves identifying affected systems,
understanding the type of attack, and determining data or service loss.
• Restoration from Backup – Clean and verified backups are used to restore systems
and data, ensuring no malicious code is reintroduced.
• System Rebuilding – In severe cases, systems may need to be reinstalled,
reconfigured, and patched to eliminate vulnerabilities used in the attack.
• Security Enhancements – Additional controls such as MFA, updated antivirus, and
firewalls are applied to strengthen defenses post-recovery.
• Validation and Testing – Systems are tested for integrity and security, and normal
operations are validated before going live.
• User Communication – Stakeholders are informed about recovery progress, changes
in protocols, or required actions, such as password resets.
• Monitoring Post-Recovery – Continuous monitoring is implemented to detect any
lingering threats or signs of re-compromise.
Recovery is not just about restoring systems but also reinforcing them to prevent recurrence.
A well-executed recovery ensures business continuity and builds long-term resilience.

2. Describe the role of incident notification structure and how communication is

managed during an incident.
Answer:
Incident notification structures define how communication flows during a cyber incident.
Effective communication is essential to ensure timely response, clarity, and coordination
between teams and stakeholders.
• Defined Communication Paths – Clear escalation and reporting channels allow quick
notification of incidents to the right teams.
• Notification Tiers – Roles and responsibilities determine who gets informed—from
technical teams to executives, legal teams, and regulatory bodies.
• Secure Messaging Tools – Tools like encrypted email, dedicated hotlines, and
incident tracking systems ensure secure and traceable communication.
• Internal Coordination – Technical and business teams coordinate closely to manage
containment, response, and recovery without causing confusion.
• External Communication – Customers, partners, and media are handled by public
relations or legal teams to ensure consistent messaging and maintain trust.
• Compliance Management – Timely notification to regulators, especially under laws
like GDPR or HIPAA, helps avoid penalties and ensures transparency.
A structured incident notification framework ensures that the right people act at the right
time. It reduces confusion, ensures compliance, and improves incident response efficiency.
 3. What is post-incident analysis? Explain its components and significance with
an example.
Answer:
Post-incident analysis is a retrospective review done after handling a cybersecurity incident.
It helps organizations identify root causes, assess the response effectiveness, and strengthen
future defense strategies.
• Root Cause Identification – Analyzes how the breach occurred, such as a phishing
email or an unpatched vulnerability.
• Timeline Review – Evaluates the sequence of events from detection to recovery,
identifying delays or missteps.
• Impact Evaluation – Determines the financial, operational, and reputational
consequences of the incident.
• Response Assessment – Reviews containment and eradication strategies, noting what
worked and what didn’t.
• Lessons Learned – Compiles insights into process improvements, training needs, or
technological upgrades.
• Example – A ransomware attack reveals weak backup systems and slow response
time. Post-incident actions include improving backup policies and training staff on
phishing awareness.
Post-incident analysis transforms incidents into learning opportunities. It closes the loop in
incident response and helps in building more resilient cybersecurity strategies.

4. Explain how to determine the amount of time and resources needed to recover
from a cybersecurity incident.
Answer:
Estimating the time and resources for recovery is crucial for planning and managing a
cybersecurity incident efficiently. This process ensures swift restoration without
overwhelming personnel or exceeding budgets.
• Scope of Impact – Analyze the number of affected systems, the nature of the attack,
and the extent of data loss or damage.
• Critical System Dependencies – Identify which business operations rely on the
affected systems to prioritize recovery.
• Business Impact Analysis (BIA) – Determine acceptable downtime (RTO) and data
loss limits (RPO) to shape recovery targets.
• Available Resources – Evaluate the expertise, technology, tools, and vendor support
required for system restoration.
• Existing Recovery Plans – Recovery is faster when tested recovery plans, updated
backups, and pre-defined roles are in place.
• Coordination and Communication – Cross-team collaboration affects how efficiently
resources are used and how quickly recovery proceeds.
Accurately estimating time and resource needs helps balance speed, cost, and efficiency in
incident recovery. It’s a critical factor in minimizing operational disruption and guiding post-
incident actions.
 5. Discuss in detail the preventive measures that can be taken to stop
cybersecurity incidents.
Answer:
Preventive cybersecurity measures focus on reducing the chances of threats before they
cause harm. These proactive steps form the first line of defense against unauthorized access,
data breaches, and system compromise.
• Regular Software Updates – Keeping systems and applications patched ensures
known vulnerabilities are fixed and cannot be exploited.
• Firewall and Antivirus Protection – These tools monitor and block suspicious traffic
and malicious software in real-time.
• Access Control Mechanisms – Implementing role-based access and using the
principle of least privilege limits exposure of sensitive data.
• Multi-Factor Authentication (MFA) – Adds an extra layer of verification, making it
harder for attackers to compromise accounts.
• Network Segmentation – Dividing the network into segments helps contain threats
and prevents lateral movement of attackers.
• Regular Backups – Secure, offline backups ensure data can be recovered in case of
ransomware or deletion.
• Security Awareness Training – Educating users on phishing, social engineering, and
safe practices reduces human-related vulnerabilities.
Preventive measures must be layered and continuously updated. A well-rounded defense
strategy significantly reduces the risk of cybersecurity incidents and builds resilience.

6. Explain the components and benefits of a thorough risk assessment process.

Answer:
Risk assessment in cybersecurity identifies, analyzes, and prioritizes risks to systems and
data. It helps organizations allocate resources wisely and prepare effective mitigation
strategies.
• Asset Identification – Lists all critical assets including hardware, software, and data
repositories.
• Threat and Vulnerability Analysis – Evaluates potential attack vectors and
weaknesses in systems.
• Impact Assessment – Estimates consequences if an asset is compromised, including
financial and reputational damage.
• Likelihood Estimation – Assesses the probability of threat occurrence based on
historical data and threat intelligence.
• Risk Prioritization – Risks are ranked by severity to focus efforts on the most critical
issues first.
• Mitigation Planning – Security controls are proposed or adjusted based on assessed
risks.

Benefits
• Informed Decision-Making – Helps leaders allocate security budgets and resources
effectively.
• Improved Compliance – Supports adherence to regulations like GDPR, HIPAA, or
ISO 27001.
 • Enhanced Preparedness – Strengthens the organization’s ability to respond and
recover from incidents.
A robust risk assessment process is essential for proactive cybersecurity. It minimizes
threats, supports compliance, and enhances overall organizational resilience.

7. How does user training help prevent cybersecurity threats? Illustrate with
real-world examples.
Answer:
User training is a critical defense against social engineering and user-based security
breaches. It empowers employees to recognize and respond to threats effectively.

• Phishing Awareness – Training helps users detect suspicious emails, avoiding

credential theft and malware infections.
• Password Hygiene – Users learn to create strong, unique passwords and use
password managers to reduce reuse risks.
• Device and Data Handling – Educates users on secure file sharing, device
encryption, and avoiding public Wi-Fi for sensitive tasks.
• Incident Reporting Culture – Encourages early reporting of suspicious activity,
enabling quick response.

Real-World Examples
• Target Data Breach (2013) – Attackers compromised third-party credentials due to
lack of awareness.
• Google’s Internal Training – "Phishing quizzes" significantly reduced successful
phishing attacks among employees.

8. Create a scenario where antisocial propaganda is spread via a compromised

home Wi-Fi network. Discuss how it could be detected and stopped.
Answer:
Home Wi-Fi networks can be exploited to spread malicious or antisocial content when
security is weak. Attackers may hijack connected devices or redirect users to harmful
websites.

Scenario
An attacker breaches a home Wi-Fi router with a default password. They modify DNS
settings to redirect users to fake news portals pushing antisocial propaganda. The attacker
also hijacks a smart TV to display hate messages and schedules auto-posts via compromised
social media accounts on the home network.

• Detection Techniques
– Unusual Traffic Monitoring – Intrusion detection systems (IDS) or Wireshark can
reveal unknown DNS redirects and traffic to malicious domains.
– Device Behavior – Slower performance, unknown pop-ups, or unusual activity (like
TV screens or lights turning on) can signal compromise.
– Network Scan – Tools like Nmap can detect unknown devices or open ports
exploited by attackers.
• Prevention and Mitigation
– Change Default Router Credentials – Use strong admin passwords and update
firmware regularly.
– Enable Network Encryption (WPA3) – Prevent unauthorized access with strong
encryption.
– Parental and DNS Controls – Use trusted DNS like Cloudflare or Google DNS to
block harmful content.
– Reset and Reconfigure Router – Wipe malicious settings and monitor devices post-
reset.

Home networks are often overlooked in cybersecurity. Securing them with basic hygiene
practices can prevent serious misuse, including the spread of antisocial content.