DOMAIN 7 Security Operations

Containment Strategy evaluation

1 damage potential 2 evidence preservation 3 service availability 4 resource requirements 5 expected effectiveness 6 solution time segmentation is a common network security technique

Bruce is seeing quite a bit of suspicious activity on his network. After consulting records in his SIEM, it appears that on outside entity is attempting to connect all of his systems using TCP connection on 422. What type of scanning is the outsider likely engaging in? a FTP scanning b Telnet scanning c SSH scanning d http scanning

C. SSH - port 422 FTP - 20/21 Telnet - 23 HTTP - 80

Media management

The process of collecting, storing, organizing, copying, and moving source media files like hardware assets

question 15

abc

(QUESTION 31)

c huhhhh

quesiton 47

a

question 12

a

64

a DNS 53 HTTP 80 SSH/SCP SSL/TLS

Timber industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared." there is no other solution. We will have to take this matter to to court" he then left the room. When does timber industries have an obligation to begin preserving evidence? a Immediately b Upon receipt of a notice of litigation from opposing attorney's c Upon receipt of subpoena d Upon receipt of a court order

a Immediately preservation -> collection -> production a memo, system administration must suspend automatic deletion of relevant logs -> security teams often assist, attorneys decide tho. file servers, endpoints, email in cloud of servers, enterprise cloud -> records are presented, heavy lifting begins, share it with other side most litigation holds never move forward to production phase

Allen is assessing the potential for using machine learning and artificial intelligence in a cyber security program. Which of the following activities is most likely to benefit from this technology? a Intrusion detection b Account provisioning c Firewall rules modification d Media sanitization

a Intrusion detection all have the potential to shine, this really helps PATTERN DETECTION and ANOMALY DETECTION PROBLEMS

Harold recently completed leading the postmortem review of a security incident. What documentation should he prepare next? a a lessons learned document b. a risk assessment c. a remediation list d. a mitigation checklist

a a lessons learned document

Darcy is a computer security analyst, who is assisting with the prosecution of a hacker. The prosecutor request that Darcy give testimony in court about whether her opinion the logs and other hackers in a case or indicative of a hacking attempt. What type of evidence is Darcey being asked to provide? a Expert opinion b Direct evidence c Real evidence d Documentary evidence

a expert opinion

Lydia is processing access control requests for her organization. She comes across a request where the user does have he required security clearance, but there is no business justification for the access. Lydia denies this request. What security principle is she following? a need to know b last privilege c. separation of duties d. two-person control

a need to know

Scott is responsible for disposing of disk drives that have been pulled from his company's san as they are retired. Which of the following options should he avoid if the data on the SAN is considered highly sensitive by his organization? a. Destroy them physically b sign a contract with the SAN c. reformat each drive before it leaves the organization d. use a secure wipe tool like DBAN

a. Destroy them physically

As the CIO of a large organization, Clara would like to adopt standard processes for managing IT activates. Which one of the following frameworks focuses on IT service management and includes topics such as change management, configuration management, and service-level agreement? a. ITIL b. PMBOK c. PCI DSS d. TOGAF

a. ITIL - IT Infrastructure Library - IT service managment PMBOK provides common core of project TOGAF - The Open Group Architecture Framework focuses on IT architecture issues

Jim would like to identify compromised systems on his network that may be participating on his network that may be participating in a botnet. He plans to do this by watching in a botnet. He plans to do this by watching for connections made to known command-and-control servers. Which one of the following techniques would be most likely to provide this information if Jim has access to a list of known servers? a. NetFlow records b. IDS logs c. authentication logs d. RFC logs

a. NetFlow records - contain entry for every network communication session that has taken place on a network. can be compared to a list of known malicious hosts. (IP addresses ports/ timestamp/ amount of data) routers and firewalls IDS logs may contain relevant info but is less likely becasue they would create log entries only if the traffic triggers the IDS, vs netflow which shows allll traffic

Anne wants to gather information about security settings as well as build an overall view of her organization assets by gathering data about a group of Windows 10 workstations spread throughout her company. What Windows tool is best suited to this type of configuration management task? a. SCCM b. Group Policy c. SCOM d. A custom PowerShell script

a. SCCM - System Center Configuration Manager - provides this capability and is designed to allow admins to evaluate the configuration status of windows workstations nd servers and asset management. SCOM - System Center Operations Manager - monitor health and performance Group Policy- deploying settings, software, custom PowerShell scripts

Which on the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer? a. SLA b. OLA c. MOU d. SOW

a. SLA - SERVICE level agreement OLA - operational level of agreement MOU - memorandum of understanding - not formal SOW - statement of work

John deploys his website to multiple regions using load balancers around the world through his cloud infrastructure as a service provider. What availability concept is he using? a. a multiple processing sites b. warm sites c. cold sites d. honeyet

a. a multiple processing sites - also can provide continuity, disaster recovery and help against denial of service.

Tom is responding to a recent security incident and is seeking information on the approval process for a recent modification to a system's security settings. Where would he most likely find this information? a. change log b. system log c. security log d. application log

a. change log

Which one of the following is an example of a computer security incident? (select all that apply) a. failure of a backup to complete properly b. system access recorded in a log c. unauthorized vulnerability scan of a file server d. update of antivirus signatures

a. failure of a backup to complete properly & c. unauthorized vulnerability scan of a file server security incidents affect CIA triad of information or assets or violate security policy unauthorized scans of a file server violates sec policy and mat negatively affect the security of that system.

During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting? a. interview b. interrogation c. both an interciew and an interrogation d. neither an interview nor an interrogation

a. interview

Amanda is configuring her organization's firewall to implement egress filtering. Which one of the following traffic types should be blocked by her organization's egress filtering policy? (select all that apply) a. traffic rapidly scanning many IP addresses on port 22 b. traffic with a broadcast destination c. traffic with a source address from an external network d traffic with a destination address on an external network

a. traffic rapidly scanning many IP addresses on port 22 b. traffic with a broadcast destination c. traffic with a source address rom an external network egress filters outbound traffic for potential security policy violations

Which of the following events would constitute a security incident? (select all that apply) a.an attempted network intrusion b. a successful database intrusion c. a malware infection d. a successful attempt to access a file e. a violation of a confidentiality policy f. an unsuccessful attempt to remove information from a secured area

a.an attempted network intrusion b. a successful database intrusion c. a malware infection e. a violation of a confidentiality policy f. an unsuccessful attempt to remove information from a secured area any attempt to undermine the security of an org or violation of sec policy is a incident

software forensics

analyze software-used to determine cause; either accidental or intentional can be used to recover lost code

endpoint security practices

application whitelisting application blacklisting quarantine technology access controls

66

b

question 11

b

question 13

b

Dylan believes that a database server in his environment was compromised using a SQL injection attack. Which one of the following actions with Dylan most likely take during the remediation phase of the attack? a Rebuilding the database from backups b Adding input validation to a Web application c Reviewing firewall logs d Reviewing database logs

b Adding input validation to a Web application - web app was open to SQL injection adding input validation remediates rebuild is a recovery log is done as detection and response

What type of disaster recovery test activate the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running? a Full interruption test b Parallel test c Checklist review d Tabletop exercise

b Parallel test

Derom is conducting a forensic investigation is reviewing database server logs investigate query contacts for evidence of SQL injection attacks. What type of analysis is he performing? a Hardware analysis b Software analysis c Networking analysis d Media analysis

b Software analysis

Tim is a forensic analyst who is attempting to retrieve information from a hard drive. It appears that the user attempted to erase the data, and Tim is trying to reconstruct it. What type of forensic analysis is Tim performing? a. Software analysis b media analysis c. embedded device analysis d. network analysis

b media analysis embedded device analysis look at computers included in other large systems such as automobiles or security systems software analysis analyzes apps and logs network analysis looks at network traffic and logs

What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network? a Penetration testing b sandboxing c White box testing d Blackbox testing

b sandboxing

Sally is building a new server for use in her environment and plans to implement RAID level one as a storage availability control. What is the minimum number of physical hard disk that she needs to implement this approach a One b Two c Three d Five

b two - RAID level 1 is disk mirroring- two identical disks that contain identical information

Florian is building a disaster recovery plan for his organization and would like to determine the amount of time that a particular IT service may be down without causing serious damage to business operations. What variable is Florian calculating? A. RTO b. MTD c RPO d. SLA

b. MTD - Max Tolerable Down Time RTO - Recovery Time Objective - amount of time expected for IT to operate after failure RPO - Recovery Point Objective - max amount of data, measured in time, that may be lost during recovery effort

Matt wants to ensure that critical network traffic from systems throughout his company is prioritized over web browsing and social media use at his company. What technology can he use do do this? a. VLANS b. Qos c. VPN d. ISDN

b. Qos - quality of service feature found on routers and other network devices to prioritize specific network traffic. ISDN is a set of communications standards

Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs? a. ASLR b. Sandboxing c. Clipping d. Process isolation

b. Sandboxing ASLR - Address space layout randomization - for OS clipping refers to signal processing process isolation keeps processes from impacting each other

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated? a. entitlement b. aggregation c. transitivity d. isolation

b. aggregation - privilege creep

When one of employees of Alice's company calls in for support, she uses a code word that the company agreed to use if employees were being forced to perform an action. What is this scenario called? a. social engineering b. duress c. force majeure d. Stockholm syndrome

b. duress - banks, jewelry stores, other orgs where am attacker might force employee to perform actions

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business? a. SLA b. escrow agreement c. mutual assistance agreement d pci dss compliance agreement

b. escrow agreement - a place a copy of source code for a software package in the hands of an independent third party who will turn the code over to the customer if vendor will ceases business operations

Javier is verifying that only IT system administrators have the ability to log on to servers used for administrative purposes. What principle of information security is he enforcing? a. need to know b. least privilege c. two-person control d transitive trust

b. least privilege transitive trust is A trust C because A trust b and b trust c

Which one of the following individuals poses the greatest risk to security in most well-defended organizations? a. political activist b. malicious insider c. script kiddie d. thrill attacker

b. malicious insider

Which one of the following is not an example of a backup tape rotation scheme? a. grandfather/father/son b. meet in the middle c. tower of Hanoi d. six cartridge weekly

b. meet in the middle grandfather/father/son, tower of hanoi, six catridge weekly are all different approaches to rotating back up media meet-in-the-middle is a cryptographic attack against 2DES encryption

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place? a. denial of service b. privilege of escalation c. reconnaissance d. brute-force

b. privilege of escalation

Colin is responsible for managing his organization's use cybersecurity deception technologies. Which one of the following should he use on a honeypot system to consume an attacker's time while alerting administrators? a. honeynet b. pseudoflaw c. warning banner d. darknet

b. pseudoflaw - false vulnerability in a system that may distract attacker honeynet is a network of multiple honey pots that creates an environment for intruders to explore rather than a feature colin could use on a honey pot darknet is a segment of unused network address space that should have no network activity and can be monitored for illegal activity

When designing an access control scheme, Hild set up roles so that the same person does not have the ability to provision a new user account and assign the superuser privileges to an account. What information security principle s Hilda following? a. least privilege b. separation of duties c. job rotation d. security through obscurity

b. separation of duties

Toni responds to the desk of a user who reports slow system activity. upon checking outbound network connections from that system, Toni notices a large amount of social media traffic originating from the system. The user does not use social media, and when Toni checks the accounts in question, they contain strange messages that appear encrypted. What is the most likely cause of this traffic? a. other users are relaying social media requests through the user's computer b. the user's computer is part of a botnet c. the user is lying about her use of social media d. someone else is using the user's computer when she is not present.

b. the user's computer is part of a botnet - social media is commonly used at a C2C for botnet activity

Helen is implementing a new security mechanism for granting employees administrative privileges in the accounting system. She designs the process so that both the employee's manager and the accounting manager must approve the request before the access is granted. What information security principle is Helen enforcing? a least privilege b. two person control c. job rotation d. separation of duties

b. two person control

Staff from Susan's company often travel internationally and require connectivity to corporate systems for their work. Susan believes that these users may be targeting for corporate espionage actives because of the technologies that her company is developing and wants to include advice in the security training provided to international travelers. What practice should Susan recommend that they adopt for connecting to networks while they travel? a only connect to public WiFi b. use a VPN for all connections c. only use websites that support TLS d. do not connect to networks while traveling

b. use a VPN for all connections

Which one of the following tools, health system administrators by providing a standard, secure a template of configuration settings for operating systems and applications? a security guidelines b Security policy c Baseline configuration d Running configuration

c Baseline configuration - starting point for configin secure systems and applications running config is already on it

Caroline is concerned that users on her network maybe storing sensitive information such as Social Security numbers on the hard drives without proper authorization or security controls. What third-party security system can she implement the best attack this activity? a IDS b IPS c DLP d TLS

c DLP

Quigley computing regularly ships tapes of backup data across the country to a secondary facility. What type contain confidential information. What is the most important security control that Quigley can use to protect these tapes? a Lock shipping containers b Private couriers c Data encryption d Medial rotation

c Data encryption

During which phase of the incident response process would an analyst receive an intrusion detection system alert, and verify its accuracy? a Response b Mitigation c Detection d Reporting

c Detection

Gina is a firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network, traffic, she checked the intrusion detection system, which reported that a SYN Flood attack was underway. What firewall configuration can Gina make the most effectively preventative this attack? a block SYN from known IP's b Block SYN from unknown IP's c Enable SYNACK spoofing at the firewall d Disable TCP

c Enable SYNACK spoofing at the firewall huh!?

Brynn is reviewing the controls that will protect her organization in the event of a sustained power loss. Which one of the following solutions would best meet her needs? a Redundant servers b Uninterruptible power supply c Generator d RAID

c Generator

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within IaaS environment. Which one of the following would most likely be the responsibility of Rogers firm? a Configuring network firewall b Applying hypervisor updates c Patching operating systems d Wiping drives parts of disposal

c Patching operating systems Iaas vendor is responsible for hardware/network responsibilities. (network firewalls/maintain hypervisor/ managing physical equipment) customer retains responsibilit to patch operating systems on its VM machine instances

Gavin is the disaster recovery team leader for his organization which is currently in the response phase of an incident that has severe customer impact. Gavin just received a phone call from reporter, asking for details on the root cause and an estimator recovery time. Gavin has his information as fingertips. What should he do? a Provide the information to the reporter b Request a few minutes to gather the information and return the call c Refer the matter to public relations department d Refuse to provide any information

c Refer the matter to public relations department

Kevin is developing a continuous security monitoring strategy for his organization. Which of the following is not normally used when determining assessment and monitoring frequency? a Threat intelligence b System categorization/impact level c Security control operational burden d Organizational risk tolerance

c Security control, operational burden NIST SP 800-137 orgs should use the following factors to determine assessment and monitoring frequency: security volatility system categorization level specific assessment objects providing critical functions security controls with identified weakness org risk tolerance threat info vuln information risk assessment results out of monitoring strategy reviews reporting requirements

Brian is developing the training program for his organization's disaster recovery program and would like to make sure that participants understand when disaster activity concludes. Which one of the following events marks the completion of a disaster recovery process? a. securing property and life safety b. restoring operations in an alternate facility c restoring operations in the primary facility d. standing down first responders

c restoring operations in the primary facility - the end goal of disaster recovery process

question 63

c why an incident vs event

Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation .Which of the following statement is true? a Gordon is legally required to contact law enforcement before beginning the investigation b. Gordon may not conduct his own investigation c. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company d. Gordon may ethically perform "hack back" activities after identifying the perpetrator

c. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company

Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident? a. NIDS b. Firewall c. HIDS d. DLP

c. HIDS - may be able to detect unauthorized processes running on a system NIDS, firewalls, dlp are network based and may not notice rogue processes.

Which one of the following security tools is not capable of generating an active response to a security event? a. IPS b. firewall c. IDS d. antivirus software

c. IDS

Roland is a physical security specialist in an organization that has a large amount of expensive lab equipment that often moves around the facility. Which one of the following technologies would provide the most automation of an inventory process in a cost effective manner? a. IPS b. WIFI c. RFID d. ethernet

c. RFID could use wifi for same purpose but its expensive

Which of the following would normally be classified as zero-day attacks? (select all that apply) a an attacker who is new to the world of hacking b. database attack that places the date 00/00/0000 c. an attack previously unknown to the security community d. an attack that sets the operating system date and time to 00/00/0000 and 00:00:00

c. an attack previously unknown to the security community

Patrick was charged with implementing a threat hunting program for his organization. Which one of the following is the basic assumption of a threat hunting program that he should use as he plans his work? a. security controls were designed using a defense-in-depth strategy. b audits may uncover control deficiencies. c. attackers may already be present on the network. d. defense mechanisms may contain unpatched vulnerabilities

c. attackers may already be present on the network.

Veronica is considering the implementation of a data base recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing? a. remote journaling b. remote mirroring c. electronic vaulting d. transaction logging

c. electronic vaulting - automated tech moves database backups from primary database server to remote site remote journaling - transfers transaction logs to remote site more frequently than EV remote mirroring maintains a live data base at backup site and mirrors all transactions at primary site on server

Helen is tasked with implementing security controls in her organization that might be used to deter fraudulent insider activity. Which one of the following mechanisms would be LEAST useful to her work? a. job rotation b. mandatory vacations c. incident response d. two-person control

c. incident response

Tim is configuring a privileged account management solution for his organization. Which of one of the following is not privileged administrative activity that should be automatically sent to a log of superuser actions? a. purging log entries b. restoring a system from backup c. logging into a workstation d. managing user accounts

c. logging into a workstation while most orgs would want to log attempts to log in workstation, this is not considered a privileged administrative activity

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident? a. detection b. response c. mitigation d. recovery

c. mitigation

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation? a two days b. four days c. one week d. one month

c. one week - 1-2 weeks of vacation.

Connor's company recently experienced a denial of service attack that Connor believes came from an inside source. If true, what type of event has the company experienced? a. espionage c. confidentiality breach c. sabotage d. integrity breach

c. sabotage

Frank is considering the use different types of evidence in an upcoming criminal matter. Which one of the following is not a requirement for evidence to be admissible in court? a. the evidence must be relevant b. the evidence must be material c. the evidence must be tangible d. the evidence must be competently acquired

c. the evidence must be tangible evidence must be relevant-material to case at hand and obtained competently.

Lauren wants to ensure that her users only run software that her organization has approved. What technology should she deploy? a. blacklisting b. configuration management c. whitelisting d. graylisting

c. whitelisting

fire extinguisher

class a common combustibles (wood, cloth) class b flammable (liquids gasoline) class c electrical fires class d heavy metal fires class k kitchen (fats and oils) building-wide suppression system often use water but risky wet pipe - filed with water constantly dry pipe - keep water out of equation until fire alarm chemical systems deprive fires of oxygen, use with care FDS (fire detection systems) temps, smoke, incipient stage flooding, locate data center away from flooding, and moisture sensors electro magnetic interference (EMI) faraday cages protect against electromagnetic interference0

Sanitization technique

clearing - overwriting purging - cryptographic -degaussing destroying - shred, melt, pulverize, burn

privileged accounts for system engineers, app admins, and sensitive users

Privileged access management password vault automatically creates the password and locks it away and when user needs to log into it, the user logs into vault the the vault logs into system privileged access mangers provide proxy for commands PAMs also log who was doing what PAMs rotates passwords and access keys and make an emergency access workflow

Change Management

Process of making sure changes are made smoothly and efficiently and do not negatively affect systems reliability, security, confidentiality, integrity, and availability. Request for Change (RFC) - any individual write sin description of change expected impact risk assessment rollback plan identity of those involved schedule configuration items affected Changes must be approved by authority or CHANGE ADVISOR BOARD routine changes might be pre-approved like storage engineers replace back up tapes every month - still submit RFC

Evidence Types

Real - tangible evidence everyone can see and examine Documentary -information in written or digital must be authenticated by testimony - like a signature on contract - chain of custody for digital - BEST EVIDENCE/original vs copy Parol evidence - cant be changed testimonial - witness statement DIRECT vs EXPERT OPINION - cant be hearsay

RFC- Request for change

Request for Change (RFC) - any individual write sin description of change expected impact risk assessment rollback plan identity of those involved schedule configuration items affected

Data Center Environmental Controls

cooling requirements - on roofs - expensive - 64.4F - 80.6F expanded envelope 64.4-80.6 high humidity - leads to condensation low humidity - static electricity dew point range 41.9-50

question 14

d

question 52

d

You are working to evaluate the risk of flood to an area as part of a business continuity planning (BCP) effort. You consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood pain. What is the annualized rate of occurrence (ARO) of a flood in that region? a. 200 b. 0.01 c 0.02 d 0.005

d ARO once every 200 years. 1/200 = .005

SOAR (security orchestration, automation, and response)

SEIM on steroids correlate and respond to logs Playbooks - process-focused, human + automated actions - ties directly to policies and procedures Runbooks - automated responses to security events that execute immediately and aid investigators

email headers

SPF/DKIM/DMARC travel from linked server to my server MXtool box parser meta data of evidence

Barry is a CIO of an organization that recently suffered a serious operational issue that required activation of the disaster recovery plan. He would like to conduct a lessons learned session to review the incident. Who would be the best facilitator for the session? a Barry as a chief information officer b Chief information security officer c Disaster, recovery team leader d External consultant

d External consultant - encourage honest and open feedback - unbias

Pauline is reviewing your organizations emergency management plans. What should be the highest priority when creating these plans? a Protection of Mission critical data b Preservation of operational c Collection of evidence d Preservation of safety

d Preservation of safety

Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes? a Physical destruction b Degaussing c Overriding d Reformatting

d Reformatting magnetic is degaussing, overwriting w non sensitive data, physical destruction

65

d bot nets and denail of service

Which one of the following terms is often used to describe a collection to unrelated patches released in a large collection? a hotfix b update c security fix d service pack

d service pack - collections of many different updates that serve as a major update hotfix - update - security fix are all synonyms for a single patch

Ricky is seeking a list of information security vulnerabilities in applications, devices, and operating systems. Which one of the following threat intelligence sources would be most useful to him? a. OWASP b. Bugtraq c. Microsoft Security Bulletins d. CVE

d. CVE - Common Vulnerabilities and Exposures OWASP contains general guidance on web app sec issues - but does not track specific vulnerabilities or go beyond web apps Bugtraq mailing list and Microsoft security bulletins are good sources of vul info but are not comprehensive databases of known issues.

Hunter is reviewing his organizations monitoring strategy and identifying new technologies that they might deploy. His assessment reveals that the firm is not doing enough to monitor employee activity on endpoint devices. Which one of the following technologies would best meet his needs? a EDR d IPS c IDS d UEBA

d. UEBA all have potential to monitor user behavior. realize the emphasis on USER tho. IDS/IPS focus on network and host behavior endpoint detection systems focus on endpoint User and entitiy behavior analytics solution focus on the suer

Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crim, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstutional. What admissibility criteria prevents Frank form introducing the laptop as evidence? a. materiality b. relevance c. hearsay d. competence

d. competence materiality - computer has material relevance - logs relevant as evidence to crime

Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack? a. implement intrusion detection and prevention systems b. maintain current patch levels on all operating systems and applications c remove unnecessary accounts and services. d. conduct forensic imaging of all systems

d. conduct forensic imaging of all systems - done in incident response IPS/IDS/patches/remove accounts and services

What term is used to describe the default set of privileges assigned to a user when a new account is created? a. aggregation b. transitivity c. baseline d. entitlement

d. entitlement - refers to the privileges granted to users when an account is first provisioned

Richard is experiencing issues with the quality of network service on this organization's network. The primary symptom is that packets are consistently taking too long to travel from their source o their destination. What term describes the issues Richard is facing? a. Jitter b. packet loss c. interference d. latency

d. latency jitter - variation in the latency for different packet interference is the electrical noise or other disruptions

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts? a. read only b. editor c. administrator d. no access

d. no access least privilege, he needs to start w no access. then add the necessary permissions for their job. Read only, editor and admin may be necessary for one or more but those permissions should be assigned based upon business need and not by default.

Grant is collecting records as part of the preparation for possible lawsuit and is worried that his team may be spending too much time collecting information that may be irrelevant. What concept from the Federal Rules of Civil Procedure (FCRP) helps to ensure that additional time and expense are not incurred as part of electronic discovery when the benefit does not outweigh the costs? a. tool-assisted review b. cooperation c. spoilation d. proportionality

d. proportionality

Jordan is preparing to bring evidence into court after a cybersecurity incident investigation. He is responsible for preparing the physical artifacts, including affected servers and mobile devices. What type of evidence consists entirely of tangible items that may be brought into a court of law? a. documentary of evidence b. parole evidence c. testimonial evidence d. real evidence

d. real evidence Documentary -information in written or digital must be authenticated by testimony - like a signature on contract - chain of custody for digital - BEST EVIDENCE/original vs copy Parol evidence - cant be changed testimonial - witness statement DIRECT vs EXPERT OPINION - cant be hearsay

Which one of the is an example of a non-natural disaster? a. hurricane b. flood c. mudslide d. transformer explosion

d. transformer explosion - failure of human made component

monitoring process NIST

define - based on RISK TOLERANCE of company establish - outlining metrics and assessment frequencies implement - build reports analyze/report - from collecting data respond accept/transfer/ review/update - adjust strategy and capabilites anomaly/heuristic analysis - checks for crazy shit that don't make sense - heuristic analysis - good to establish a baseline or compare to known known bad behavior trend - historic over time behavioral analysis - signature or heuristic analysis - learn omar logs in normally at 8am, if i log in at 10 that's odd -investigate availability analysis - compares against SLAs UEBA - uses machine learning to build models' and flags deviations

Read-throughs - checklist reviews

distribute copies of the current plan team members provide feedback

hashing helps with forensics

hashing evidence - hasnt been altered digitial signatures added to hashes for repudiation

two-person control

The organization of a task or process so that at least two individuals must work together to complete it. Also known as dual control. like nnaji and missles vs one making an account for customers and another person making one for vendors. preventing fraud. emergency access procedures require two separate authorities to limit fruad and abuse

Configuration Management

The process of ensuring that only authorized changes are made to a system. OS and inventory of software stored on devise - from provisioning of system to disposal baseline provides configuration snapchat running system to a baseline and compare to change configuration versioning version.update.minorupdate

Incident communication efforts

initial notification of key stakeholders (CIO, director of cybersecurity, response teams, system owners, attorneys, public relations, business owners) US- CERT for federal government agencies Formal incident report (nature of incident, timeline, containment/eradications/recovery, lessons learned)

Post incident activies

lesson learned - reflect on individual roles- improve future trained facilitator time is key, memories are lost evidence retention - check for legal action pending before discarding indicator of compromise generation look for IoC's for adding to SEIM or SOAR

recovery

linked with eradication attackers compromised systems rebuild or reimage machine or reset network devices and aplliances to factory resets but build it differently, with new patch, or secure accounts before they go live

eradication

linked with recovery removes all traces of an incident secure compromised accounts - systems/devices configurations needs to be secured

IR team

management information security SME legal counsel PR HR physical security team IR Service Provider - complements your team (ex: forensic capabilities - retain an IRSP- BE PROACTIVE!)

enterprise security controls

modify firewall rules mobile device management (MDM) - lockdown smartphones data loss prevention (DLP) - prevent exfiltration of data URL and content filtering - malicious sites update or revoke

Walk-through - table top

more effective - gettogether

Match each of the number or types of recover capabilities, to the corrected letter, definition: Terms 1Hot side 2Cold site 3Warm site 4Service bureau Definitions a. Organization that can provide on site or offsite IT services in the event of a disaster. b. Site with dedicated storage in real time. Data replication often with shared equipment that allows restoration of service in a very short c. Site that relies on shared storage in back up for recovery. d. Rent a space with power cooling and connectivity that can accept equipment as part of a recovery effort.

1-b 2-d 3-c 4-a

Match each of the number terms, with its correct letter, definition; Terms 1 Honey pot 2 honey nut 3 pseudo flaw 4 darknet Definitions a intentionally designed vulnerability used to lure in an attacker b network set up with intention of vulnerabilities c a system set up with intentional vulnerabilities d monitored network without network connectivity

1-c 2-b 3-a 4-d

Order of Volatility

1. Network traffic 2. Memory contents 3. System and process data 4. Files 5. Logs 6. Archived Records

Incident Response Process

1. Preparation 2. Detection and Analysis (Identification) 3. Containment - isolation - quarantine 3a identification/notification/escalation 3b mitigation - ends with stability 4. Eradication 5. Recovery 6. Document/Lessons learned

Beth is creating a new cyber security incident response team (CSIRT) and would like to determine the appropriate team membership. Which of the following groups would she normally include? (select all that apply) a. information security b. law enforcement c. senior management d. public affairs

A,C,D

Nancy is leading an effort to modernize her organizations anti-malware protection, and would like to add endpoints detection and response (EDR) capabilities. Which of the following actions are normally supported by EDR systems? Select all that apply. a Analyzing and point memory file system, and network activity for signs of malicious activity b Automatically isolating possible malicious activity to contain the potential damage c Conducting simulated fishing campaigns d Integration with threat intelligence sources

ABD EDR does not do phishing campaigns they do however analyze endpoint memory filesystem network activity for signs of malicious activity; isolating possible malicious activity to contain the potential damage, integrate with threat intelligence sources and other IR mechanisms

Which of the following would normally be considered an example of a disaster when performing disaster recovery planning? (Select all that apply) a. hacking incident b. flood c. fire d. terrorism

All of the above - disaster is anything that disrupts normal IT operations. natural or manmade.

You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your network on those on the Internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded, would be the best and easiest way to obtain the source of this information? A package captures B NetFlow data c intrusion detection system logs d Centralize authentication

B NetFlow data contains info on source, destination and size of all network communications. packet capture would provide relevant info, but it must be captured during suspicious activity and cannot be re-created after the fact. unless it was doing 100% packet capture which is rare. IDS would not contain relevant info because it is encrypted traffic and would not match IDS signatures centralized authentication records would not contain info about network traffic

Tonya is collecting evidence from a series of systems that were involved in a cyber security incident. A colleague suggests that she use a forensic disk controller for the collection process. What is the function of this device? a. Masking error conditions reporting by the storage device. b. transmitting write commands to the storage device c. intercepting and modifying or discarding commands sent to the storage device d. preventing data from being returned by a read operation sent to the device.

C - forensic disk controller performs four functions 1. write blocking (intercept write commands and prevents modification) 2. returning data requested by a read operation 3. returning access-significant information from device 4. reporting errors from device to host

Allie is responsible for reviewing authentication logs on her organization's network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool? A. Sampling B. Random selection C. Clipping D. Statistical analysis

C. Clipping sampling uses statistical techniques clipping uses threshold values to select those records

Glenda would like to conduct a disaster recovery test and is seeking a test that will allow a review of the plan with no disruption to normal information system activities and as minimal a commitment of time as possible. What type of test should she choose? A. Tabletop exercise B. Parallel test C. Full interruption test D. Checklist review

D. Checklist review - least disruptive table top they come together and can impact operations parallel test, the team actually activates the disaster recovery site for testing, but the real site remains operational full interruption test is self explanatory

incident data sources

IDS/IPS Firewalls Authentication systems integrity monitors vulnerability scanners system event logs NetFlow records Antimalware packages

Kandace is designing a back up strategy for her organization file server. She would like to perform a back up every weekday that has the smallest possible storage footprint. What type of back up so she perform a Incremental backup b Full backup c Differential back up d Transaction log back up

Incremental backup - only data modified since the most recent incremental a differential back up all data modified since last full backup transaction log back up is for database servers and not for file servers

lessons learned

NIST has questions how well did staff and mgt perform were documented procedures followed were those procedure adequate? did any actions inhibit recovery effort? what would staff do differently? how could info sharing improve what could precent similar incidents what should the org watch for what tools should be used for future incidents facilitator and leader should document and approve changes incident summary report more technical report

asset management

request hardware from IT team inventory once it is placed matches to inventory and adds serial numbers some on is assigned to it then possessed by someone old one to someone else update inventory DATA is critical IT management systems automate comparing to the network

Segmentation vs isolation

segmentation moves to diff vlans isolation moves to an entire different network removal is not connected to network - most secure but attacker knows

embedded deices

special purpose computers found in smart devices, businesses and industrial settings CARS dozens to 100s of embedded systems climate control, GPS, wealth of information thermostat for time of death

Mobile Device Forensics

Preservation and analysis of cell phones, smart phones, and satellite navigation (GPS) systems mobile devices are typically protected by strong encryption

Incident response plan elements

statement of purpose strategies and goals for incident response approach to incident response (who is responsible and authority) communication iwth other groups senior leadership approval

simulation

they discus how they respond

validation process

verify the secure configuration of every system - can be automated run vulnerability scans perform account and permission reviews verify that system are logging and communicating information to the SIEM