I&A 8
"What are the three states of the data lifecycle in which data requires protection?"
"In storage, in transit, and during processing"
A(n) ____________________ is an attack that always maintains a primary focus on remaining in the network, operating undetected, and having multiple ways in and out
Advanced persistent threat (APT)
___________________ is the act of gathering information specifically targeting the strategic intelligence effort of another entity.
Counterintelligence gathering
____________________ consists of the documents, verbal statements, and material objects that are admissible in a court of law.
Evidence
Which rule applies to evidence obtained in violation of the Fourth Amendment of the Constitution?
Exclusionary rule
How do most advanced persistent threats (APTs) begin?
Most APTs begin through a phishing or spear phishing attack
What two components are necessary for successful incident response?
Knowledge of one's own systems and knowledge of the adversary
"____________________ is a process of isolating an object from its surroundings, preventing normal access methods."
Quarantine
"Which term refers to the examination of machines to determine what operating systems, services, and vulnerabilities exist?"
Scanning
What is a software bomb?
Software that can destroy or modify files when commands are executed on the computer
Which infection method involves planting malware on a Web site that the victim employees will likely visit?
Watering hole attack
Which of the following has the least volatile data?
hard disk
The hashing algorithm applies mathematical operations to a data stream (or file) to calculate some number, the ____________________, that is unique based on the information contained in the data stream (or file).
hash
"A(n) ____________________ is any event in an information system or network where the results are different than normal."
incident
Once you realize you need to preserve evidence, you must use a(n) ____________________, or litigation hold, process by which you properly preserve any and all digital evidence related to a potential case.
legal hold
The term __________ describes a series of digits near the beginning of the file that provides information about the file format.
magic number
If the characteristics of an incident include a large number of packets destined for different services on a machine, a(n) ____________________ is occurring.
port scan
Tangible objects that prove or disprove fact are what type of evidence?
real evidence
A(n) ____________________ is calculated by measuring system time with an external clock such as a Network Time Protocol (NTP) server.
record time offset
Evidence that is material to the case or has bearing on the matter at hand is known as __________.
relevant evidence
Which attack involves the planting of software in the victim's network, creating network backdoors and tunnels to allow stealth access to its infrastructure?
remote administration trojan(RAT) attack
An administrator looking at a machine at the behest of management can completely obfuscate any data that could be recovered, a process called
spoliation
"Evidence that is convincing or measures up without question is known as __________."
sufficient evidence
Microsoft produced a forensic tool for law enforcement called ____________________.
Computer Online Forensics Evidence Extractor
The term ____________________ relates to the application of scientific knowledge to legal problems.
forensics
"Which statement applies to a low-impact exposure incident?"
A low-impact exposure incident only involves repairing the broken system.
The term ____________________ is the targeting of specific steps of a multistep process to a cyber incident, with the expressed purpose of disrupting the attack.
Cyber Kill Chain
Which indicator of compromise (IOC) standard is a method of information sharing developed by MITRE?
Cyber Observable eXpression (CybOX)
___________________ is a standardized schema for the communication of observed data from the operational domain.
Cyber Observable eXpression (CybOX)
____________________ is a standardized schema for the communication of observed data from the operational domain.
Cyber Observable eXpression (CybOX)
What is the first rule of incident response investigation?
Do not harm
Business records, printouts, and manuals are which type of evidence?
Documentary evidence
In an "old school" attack, which step is a listing of the systems and vulnerabilities to build an attack game plan.
Enumeration
"The ____________________ Amendment to the U.S. Constitution precludes illegal search and seizure.
Fourth
Clusters that are marked by the operating system as usable when needed are referred to as __________.
Free space
"Evidence offered by a witness that is not based on the personal knowledge of the witness, but is being offered to prove the truth of the matter asserted, falls under which rule of evidence?"
Hearsay rule
___________________ refers to the analysis of a specific system, including the analysis of file systems and artifacts of the operating system.
Host Forensics
____________________ refers to the analysis of a specific system, including the analysis of file systems and artifacts of the operating system.
Host forensics
Which indicator of compromise (IOC) standard is an XML format specified in RFC 5070 for conveying incident information between response teams, both internally and externally with respect to organizations?
Incident Object Description Exchange Format (IODEF)
____________________ is a term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.
Incident response
A(n) ____________________ is an artifact left behind from computer intrusion activity.
Indicators of Compromise (IOC)
"____________________ is defined as the relative importance of specific information to the business."
Information criticality
Which term refers to a key measure used to prioritize actions throughout the incident response process?
Information criticality
Which initiative is a comprehensive effort, including registries of specific baseline data, standardized languages for the accurate communication of security information, and formats and standardized processes to facilitate accurate and timely communications?
MITRE's Making Security Measurable
What tool is the protocol/standard for the collection of network metadata on the flows of network traffic?
NetFlow
____________________ forensics consists of capturing, recording, and analyzing network events to discover the source of network problems or security incidents.
Network
"What should an incident response team do when they are notified of a potential incident?"
The team should confirm the existence, scope, and magnitude of the event and then respond accordingly.
Which indicator of compromise (IOC) standard is an open source initiative established by Mandiant that is designed to facilitate rapid communication of specific threat information associated with known threats?
OpenIOC
Physical memory storage devices can be divided into a series of containers; each of these containers is called a(n) ____________________.
Partition
What is a key item to consider when designing incident response procedures?
To design the incident response procedures to include appropriate business personnel
What are the two components comprising information criticality?
data classification and the quantity of data involved
Which term implies the concept of "don't keep what you don't need"?
data minimization
