In the context of incident handling phases, which two activities fall under scoping? (Choose two.)
A. determining the number of attackers that are associated with a security incident
B. ascertaining the number and types of vulnerabilities on your network
C. identifying the extent that a security incident is impacting protected resources on the network
D. determining what and how much data may have been affected
E. identifying the attackers that are associated with a security incident
Question 67 is a duplicate of this one.
Identification
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
I say answers are C & D based on this article.
I mean to say, D & E.
According to this text from NIST SP800-61r2: “When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident’s scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.”, the right answers could be C & E. D is tempting but it looks like something that may not be determined at the beginning.
From Logic’s explanation, I’d choose C and D. Scoping doesn’t really involve finding the attacker, does it?
Correct D & E
The information below was taken from NIST SP800-61 r2, page 38:
When the team believes that an incident has occurred, the team should rapidly perform an initial analysis to determine the incident’s scope, such as which networks, systems, or applications are affected; who or what originated the incident; and how the incident is occurring (e.g., what tools or attack methods are being used, what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritize subsequent activities, such as containment of the incident and deeper analysis of the effects of the incident.
But option D only mentions data and C mentions all protected resources. Maybe it is C&E?
What you mentioned is listed under section 3.2.4 Incident Analysis. Answer E (identifying the attackers) is mentioned in section 3.3.3 Identifying the Attacking Host. Sooo… Scope doesn't not include answer D. The correct answer is CD.
Nope, it's D, E.
Is this not C&D?