Principles of Computer Security Ch3, AIS Ch 10, Security+ Chapter 8, ITSY 2442 MID TERM, HIPAA overview, Computer Security Chapter 18, Computer Security Chapter 19, Computer Security Chapter 25, HIPAA Privacy Rule, CIST 1130: Operating Systems Concep...


To convict someone who has used a computer to commit fraud, the value of the resulting loss must exceed what value?

$5000

What are some of the challenges that a forensic specialist faces? Select 3.
a. Lack of tools
b. Increasing workload
c. Constrained resources
d. Lack of professionalization
e. Hearsay

b, c, and d: Increasing workload, constrained resources, and lack of professionalization

app attacks -- SMTP Relay

**Simple Mail Transfer Protocol** feature that allows email servers to forward mail to other email servers. It protects the actual email server from direct attacks, but may be the target of DoS caused by spam.

Form Design

- All source documents should be sequentially pre-numbered. This makes sure nothing is missing, and the system should recognize if there are duplicate numbers.
- A turnaround document is a record of company data sent to an external party and then returned by the external party to the system as input.
- Turnaround documents improve accuracy by eliminating the potential for input errors when entering data manually.

What amount of time must covered entities retain an accounting of disclosures?

3 years

Why do many large organizations justify the cost of internal forensic investigation to prevent litigation involving the company?

A single lawsuit can cost hundreds of thousands of dollars, regardless of who wins.

Biometrics

Access control mechanisms in which a physical characteristic, such as a fingerprint or the geometry of an individual's hand, is used to uniquely identify users are called __________.

Least privilege

An individual should be granted only the bare minimum number of privileges needed to perform their job.

Which of the following involves sending an e-mail message to an anonymizer, which then strips identifying information from the e-mail before forwarding it with the mailing computer's IP address?

Anonymous remailing

When is testing best accomplished?

As early as possible in the process.

Which attack is the result of failing to validate user input?

Both A and B

The two main problems with encryption are both related to what?

Key

Which of the following is a network that covers a small physical area, such as an office or a building?

LAN

How might you capture temporary data on a running machine?

Live analysis

______ is the analysis of machines that remain in operation as you examine them

Live system analysis

Standards

Mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced.

Protected H Info

PROTECTED HEALTH INFORMATION
1. PHI includes information about a person's physical health, mental health, provided care, and payment for that care.
2. All PHI is considered confidential under HIPAA, such as: name, address, Social Security number, birth date, names of relatives.

Which of the following is a control that can be used to verify the accuracy of information transmitted over a network?

Parity bits (a communication control that counts the number of bits in order to verify the integrity of data sent and received)

Patient right to record access

Patient has right to access or obtain record copies

What is the best way to capture phone data offline?

SIM cloning

Biometrics

Something unique about the individual; a fingerprint. The Something-you-are; Physical Access Control

Cancellation and storage of source documents

Source documents that have been entered into the system should be canceled so they cannot be inadvertently or fraudulently reentered into the system. Paper documents are stamped "paid".

__________ is the term for withholding, hiding, alteration, or destruction of evidence relevant to a legal proceeding.

Spoliation

What information does not need to be accounted for in the accounting of disclosures?

TPO information (if the provider does not have an EHR), disclosure to the patient themselves, any disclosure incidental to another proper disclosure, any for the facility directory, any for national security, for law enforcement officials, or part of a limited data set.

What is one of the primary purposes of NIST's Computer Forensic Reference Data Sets (CFReDS)?

Test forensic tools

What is the term for evidence supplied by a witness? This type of evidence is subject to the perceived reliability of the witness.

Testimonial evidence

Which of the following is a biometric used for authentication?
A. Waistline
B. Hair color
C. Eye retina
D. Fingernail dimensions

C

Which of the following involves linking computers into local area networks (LANs) to improve performance, availability, and security while reducing costs?

Cluster computing

U.S. Treasury

Collects monetary fines imposed by penalties

Physical security policies and procedures relate to which two distinct areas?
- Internal and external
- Equipment and data
- Computers and users
- Countermeasures and response

Computers and users

What important process for forensic labs ensures all updates made to forensic equipment are recorded?

Configuration management

Using a(n) __________ should be a routine part of system maintenance. It protects against file system software bugs and storage hardware design incompatibilities

Consistency checker

Which of the following is a data recovery technique that involves scanning the logical structure of the disk and checking to make sure that it is consistent with its specifications?

Consistency checking

What are the two main techniques used to recover data after logical damage?

Consistency checking & Zero-knowledge analysis

Physical Security

Consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users.

What is a benefit of isolating a suspect's computer?

Containment

Which of the following is the definition of chain of custody?

Continuity of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

Although involving some of the same skills and software as _____________, system forensics is a much more complex undertaking.

Data Recovery

What is the proper initial response to the discovery that data has been lost or corrupted?

Determine what data has been lost

What is one of the first tasks that an incident response team must accomplish when an incident is suspected?

Determine whether an incident has occurred.

While gambling over the internet is a violation of U.S. law, there are many exceptions to the Unlawful Internet Gambling Enforcement Act. Which statement below is NOT true?

Each state can regulate access for minors and persons outside the state

Which of the following could be considered hearsay?

Emails

You should always work on the suspect hard drive rather than a backup, a duplicate, a copy, or an image

False

GLBA (Gramm Leach Bliley)

Financial Services Modernization Act of 1999. Applies to nonpublic personal information collected by a financial institution that is provided by, results from, or is otherwise obtained relating to consumers and customers who obtain financial products or services primarily for personal, family, or household purposes from a financial institution. Requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.

The benefit of fire detection equipment over fire suppression devices is:

Fire detection equipment will often catch fires at a much earlier stage meaning that the fire can be addressed before significant damage can occur.

A ___________ is a set of hardware and software components that protect system resources from attack by intercepting and checking network traffic.

Firewall

Which of the following is not an example of a network-related attack?

Firewall attack

What term is used to describe information such as e-mails, text messages, word processing documents, digital photos, and other records that are transmitted or stored electronically?

Human-generated information

What is the name of the numeric label that identifies each device on a network and provides a location address:

IP address

A document that outlines specific procedures to follow in the event of a security incident is the definition of:

Incident response plan

You have an old server on a segment of your network that is used for testing purposes only. A new service you recently enabled was insecure and now the test server is under attack. You have an image of the server stored on a different segment of the network. What is the best course of action?

Turn the server off, reinstall the image, and make a note to avoid using the insecure service

A DoS attack, a packet-mistreating attack, and a router table poisoning attack are examples of what?

Types of router attacks

What is the most likely cause of the error message: "Bad Command or File name"? (CH 4)

Typos on the command line (CH 4)

The U.S. department that coordinates and supervises agencies and functions of the government related to national security and the U.S. armed forces is the

U.S. Department of Defense (DOD)

One of the most fundamental rules of good coding practice is:

Validate all inputs

Mirroring is ___________

a data backup option

A system forensics professional should be able to successfully perform complex evidence recovery procedures. Which of the following tasks should such a specialist be able to perform? (Select three.)
A. Expert witness services
B. Data recovery
C. Data dump
D. Document searches

a, b, d

Which types of evidence are used in court? Select 3.
a. Documentary evidence
b. Forensic evidence
c. Real evidence
d. Testimonial evidence
e. Hearsay

a, c, d (documentary, real, and testimonial evidence)

Which of the following costs should a computer forensics lab budget include? Select 3.
a. Facility costs
b. Hardware costs
c. Software costs
d. Law enforcement costs
e. Cleaning costs

a, b, c (facility, hardware, and software costs)

Which of the following is a batch file that handles drivers for all the devices hooked up to the controllers and ports?

a. AUTOEXEC.BAT

1. What is the distinction between a hazard and an accident?

a. Accident: An unplanned event or sequence of events which results in human death or injury, damage to property, or to the environment. An overdose of insulin is an example of an accident.
b. Hazard: A condition with the potential for causing or contributing to an accident. A failure of the sensor that measures blood glucose is an example of a hazard.

Which of the following statements is not true about contracts and agreements associated with computer backup facilities?
a. Small vendors do not need contracts due to their size.
b. Governmental organizations are not exempted from contract requirements.
c. Nothing should be taken for granted during contract negotiations.
d. All agreements should be in writing.

a. All vendors, regardless of their size, need written contracts for all customers, whether commercial or governmental. Nothing should be taken for granted, and all agreements should be in writing to avoid misunderstandings and performance problems.

1. What are the four principal dependability properties?

a. Availability
b. Reliability
c. Safety
d. Security

A forensic workstation should be set up in a secure room in a forensics lab. What are some important features for such a room? Select 3.
a. Large room
b. Floor-to-ceiling walls
c. Locking doors
d. Fireproof doors
e. Secure containers that lock

b, c, e (floor-to-ceiling walls, locking doors, and secure containers that lock)

Why is it so important to create a bit stream copy of a disk drive or another type of storage media?

b. A bit stream copy exactly replicates all sectors on the storage device, including all files and ambient data storage areas

Regarding BCP and DRP, if MAO is maximum allowable outage, BIA is business impact analysis, RTO is recovery time objective, MTBF is mean-time-between-failures, RPO is recovery point objective, MTTR is mean-time-to-repair, and UPS is uninterruptible power supply, which one of the following is related to and compatible with each other within the same choice?
a. MAO, BIA, RTO, and MTBF
b. BIA, RTO, RPO, and MAO
c. MAO, MTTR, RPO, and UPS
d. MAO, MTBF, MTTR, and UPS

b. A business impact analysis (BIA) is conducted by identifying a system's critical resources. Two critical resource measures in BIA include recovery time objective (RTO) and recovery point objective (RPO). The impact in BIA is expressed in terms of maximum allowable outage (MAO). Hence, BIA, RTO, RPO, and MAO are related to and compatible with each other. MTBF is mean-time-between-failures, MTTR is mean-time-to-repair, and UPS is uninterruptible power supply, and they have no relation to BIA, RTO, RPO, and MAO because MAO deals with maximum time, whereas MTBF and MTTR deal with mean time (i.e., average time).

Which of the following tools provide information for reaching people during a disaster?
a. Decision tree diagram
b. Call tree diagram
c. Event tree diagram
d. Parse tree diagram

b. A call tree diagram shows who to contact when a required person is not available or not responding. The call tree shows the successive levels of people to contact if no response is received from the lower level of the tree. It shows the backup people when the primary person is not available. A decision tree diagram shows all the choices available with their outcomes to make a decision. An event tree diagram can be used in project management, and a parse tree diagram can be used in estimating probabilities and the nature of states in software engineering.

The major threats that a disaster recovery contingency plan should address include:
a. Physical threats, software threats, and environmental threats
b. Physical threats and environmental threats
c. Software threats and environmental threats
d. Hardware threats and logical threats

c. Physical and environmental controls help prevent contingencies. Although many of the other controls, such as logical access controls, also prevent contingencies, the major threats that a contingency plan addresses are physical and environmental threats, such as fires, loss of power, plumbing breaks, or natural disasters. Logical access controls can address both the software and hardware threats.

Which of the following tasks is not a part of business continuity plan (BCP)?
a. Project scoping
b. Impact assessment
c. Disaster recovery procedures
d. Disaster recovery strategies

c. Tasks are different between a business continuity plan (BCP) and disaster recovery planning (DRP) because of the timing of those tasks. For example, disaster recovery procedures come into play only during a disaster, which is a part of DRP.

To minimize risk of system downtime

Controls: preventive maintenance, fault tolerance, data center location and design, training, patch management, and antivirus software

$100,000; 5 years prison

Criminal penalties for failure to comply: committing an offense under false pretenses

$250,000; 10 years prison

Criminal penalties for failure to comply: intent to sell PHI or client lists for personal gain or malicious harm

$50,000; 1 year prison

Criminal penalties for failure to comply: knowingly or wrongfully disclosing or receiving PHI

Disclosure limitations (FERPA)

Disclosure is permitted if one of the following holds: the information is not personally identifiable; the information is directory information whose release the student has not blocked; the student provided consent; the disclosure is made to the student himself. Exceptions: employees, campus police records, alumni records created after graduation.

preemption TSR

does not preempt state law

Preemption GLBA

does not preempt stricter state laws

Preemption (HIPAA)

does not preempt stronger state laws

Delivering the transactions to the computer operation department for processing

each batch is checked for proper authorization and recorded in a control log

In some labs, each computer forensics investigator should have a private office where he or she can manage cases, conduct interviews, and communicate without

eavesdropping concerns

Notice of Privacy Practices required elements

Effective date of the notice; description of the grievance process; list of individual rights per the HIPAA Privacy Rule

ECPA

Electronic Communications Privacy Act of 1986. Extends the ban on interception to electronic communications. Does not preempt stricter state privacy laws.

A software program used to compose and read e-mail messages is referred to as _______.

email client

_______ examine the e-mail header and other information to determine the route the e-mail has traveled and the sender's identity. ________ tracing programs and services can be used to resolve problems with sexually harassing e-mail, cyberstalking, and other unwanted Internet and intranet communications.

email tracing

use case

Employed to compare program responses to known inputs and then compare the output to the desired output

employee video monitoring

Employer must have a legitimate business reason for conducting surveillance. Some states require notice. In the absence of state law, employees may be able to bring a tort for invasion of privacy.

Cold site

Empty building prewired for necessary telephone and internet access; contract with a vendor to supply needed equipment within a specified period of time

EU-US Safe Harbor

Enabled transatlantic data flows using EC-approved model contracts or implementing binding corporate rules (BCRs). Struck down October 2015 (Schrems v. Facebook).

application software

Enables users to apply the computer to specific tasks, such as email, word processing, and stock control. Examples: Microsoft Word, Microsoft Excel, Microsoft PowerPoint, iTunes, Media Player, World of Warcraft, Adobe Photoshop.

Size check

ensure that the input data will fit into the assigned field

FERPA

Family Educational Rights and Privacy Act of 1974. Addresses the conditions under which organizations can disclose student records and who can have access to student records.

The FBI, The Secret Service, ICE, the U.S. Postal Inspection Service, and the ATF have local offices for reporting ____________

federal crime or crimes.

Live Response is designed for use by a ____________, to acquire volatile data, such as Internet history, screen capture, and memory. The _______ can move this data from a suspect system onto a USB thumb drive.

forensic examiner

To be __________ data must be complete and materially unaltered.

forensically complete

To be _______, data must be complete and materially unaltered.

forensically sound

Using a series of malformed input to test for conditions such as buffer overflows is called

fuzzing

A _______ is a tool used to identify unknown strings of text by searching for values between "completely true" and "completely false"

fuzzy logic

middle (business logic)

Handles the business rules of an application. It can consist of many classes to process forms, evaluate user roles, make calculations, and validate data input. This code is locked from display; its main purpose is to interact between the presentation and data users. Common technologies: Java, C#, PHP, COBOL, C++, C

backend (data access)

Handles transactions between a web application and its data store (usually a database). Hides the complexity of the data store from the application web server and provides a centralized location for interacting with data. Common technologies: ORMs (Hibernate, iBatis), JDBC, ADO, .NET

A _________ is a nonvolatile storage device that magnetically encodes digital data

hard disk drive

Effects of cloud computing

Has both positive and negative effects on availability. It utilizes banks of redundant servers in multiple locations, thereby reducing the risk that a single catastrophe could result in system downtime and loss of all data.

spiral model

has steps in phases that execute in a spiral fashion, repeating at different levels with each revolution of the model

privacy rule (HIPAA)

Has to do with giving notice, getting authorization from individuals, and making sure that the minimum necessary is collected for patients in order to help facilitate treatment and payment.

covered entities (HIPAA)

health plans, health care clearinghouses, health care providers who conduct financial and administrative transactions electronically

Early testing

helps resolve errors at an earlier stage and results in cleaner code

Full backup

is an exact copy of the entire database; time consuming

A forensic specialist faces many challenges. Among them are lack of a defined career path, ______, and an increasing workload with constrained resources

lack of standards

The _________ is like an electronic post office: It sends and receives electronic mail.

mail server

Data transmission controls

organizations also need to implement controls designed to minimize the risk of data transmission errors

personal information

personally identifiable information, PII: information that can identify an individual

A hard disk with a crashed head or failed motor is an example of _________

physical damage

_____________ are high-level statements made by management that lay out the organization's position on some issue.

policies

Which of the following should NOT be reported to a law enforcement agency of some sort?

port scans, which are often precursors to cyberattacks

HIPAA

Regulates the use and disclosure of PHI and its collection, use, or maintenance. Applies to covered entities and business associates.

Privacy Shield

Response to the shutdown of Safe Harbor. Imposes strong obligations on companies handling data. The decision to join is entirely voluntary.

In ___________________, the attacker hopes to convince the target to initiate contact.

reverse social engineering

___________ involves four key elements: the backup device, the network, the backup window, and the backup storage devices

successful data backup and recovery

Batch totals

summarize important values for a batch of input records

Financial total

Sums a field that contains monetary values, such as the total dollar amount of all sales for a batch of sales transactions.

privacy

the right of an individual to keep his/her individual health information from being disclosed

A system forensics __________ is a good way for you to keep up with the latest tools and trends.

user group

User review

users in the shipping and billing departments perform a limited review of documents for incomplete data or other obvious deficiencies

Permissible purpose FCRA

Users must have a permissible purpose to obtain a credit report. Pre-employment counts.

Enforcement FCRA

Violations handled by the FTC, CFPB, and SAG. Damages can exceed 100k in addition to statutory damages.

bodily privacy

concerned with person's physical being and any invasion thereof

The ideal time for an organization to learn how to respond to security incidents is after suffering an attack

False

Illegal characters for a DOS file name? (CH 4)

/ (CH 4)

Bootstrap Loader (Key Terms: CH 4)

After the Power-On-Self-Test (POST) the ___, a small program in the ROM BIOS, loads the boot sector from a disk. (CH 4)

What is a step-by-step procedure that a computer follows to solve a problem?

Algorithm

A number of issues in system forensics raise questions about Fourth Amendment rules. Which issue does NOT apply?

All apply

requirements of FCRA

CRAs must provide consumers with access to the information contained in their consumer reports as well as the opportunity to dispute any inaccurate information. They must also take reasonable steps to ensure the maximum possible accuracy of the information in the consumer report and must not report negative outdated information. They must keep track of who requests reports.

CWE-20: Improper Input Validation refers to a(n)

CWE/SANS top 25 most dangerous software error

One drawback to water-based fire suppression systems is that they
- Can be toxic to humans
- Can cause more damage to equipment
- Are the most expensive type of suppression system
- Are not useful against type A fires

Can cause more damage to equipment

Which of the following is not related to a buffer overflow?

Canonicalization error

Which of the following is not related to a buffer overflow?

Canonicalization error. A form of name resolution error, not a buffer overflow error.

A(n)____causes an application to malfunction due to a misrepresented name for a resource

Canonicalization errors

Why is documentation so important in forensic investigations?

Courts are unlikely to accept investigative results without documentation

What term is used to describe a technique for passing information between computers on a network without being detected by a firewall or an intrusion detection system?

Covert channel

If you are setting up a multi-monitor system, what Display option will let you put different windows and other objects on each multiple display, giving you more work space? (CH 6)

Extend these displays (CH 6)

Preemption of State Laws

FACTA and CAN-SPAM preempt, but not to the extent laws prohibit false or deceptive activity. Others do not.

The 8.3 file naming convention is a feature and a limitation of DOS and the ____________. (CH 4)

FAT File System (CH 4)

What is a FreeDOS configuration file? (CH 4)

FDCONFIG.SYS (CH 4)

What is the last step of preparation before actually recovering data from a system?

Prepare a data recovery plan

The approach that believes that a suspect computer should be carefully shut down immediately after the computer is secured. This school recommends a number of specific shutdown procedures.

The Safe Shutdown School of Thought

Action Center (Definition: CH 6)

The Windows ___ ___, represented by the small flag icon on the right of the toolbar, will briefly display a message balloon when there is a problem with your security programs and backup. Then it will quietly sit there with a white "x" against a red circle until you resolve the problem. (CH 6 Pg. 201)

Syntax (Key Terms: CH 4)

The ___ for a DOS command is a set of rules for correctly entering a specific command at the command line. (CH 4)

High availability

The ability to maintain availability of data and operational processing despite a disrupting event.

Incidental use and disclosure

The accidental release of PHI during the course of proper patient care

What actions must be taken if the amendment is granted?

The amendment must be linked to the original entry, and the amendment must be sent to whomever the patient requests.

Mean time to restore (or mean time to recovery)

The average time that it will take to restore a system to an operational status (to recover from any failure).

What information must be given to the patient if their request for amendment is denied?

The basis for denial, their right to submit a statement disagreeing with the denial (and how to submit this), that the request for amendment and denial will accompany any new requests for information, and a contact person who they can complain to.

What is the inherent limitation of a disaster recovery planning exercise?
a. Inability to include all possible types of disasters
b. Assembling disaster management and recovery teams
c. Developing early warning monitors that trigger alerts and responses
d. Conducting periodic drills

a. Because there are many types of disasters that can occur, it is not practical to consider all such disasters. Doing so is cost-prohibitive. Hence, disaster recovery planning exercises should focus on major types of disasters that occur frequently. One approach is to perform risk analysis to determine the annual loss expectancy (ALE), which is calculated from the frequency of occurrence of a possible loss multiplied by the expected dollar loss per occurrence.

Regarding contingency planning, which of the following is susceptible to potential accessibility problems in the event of an area-wide disaster?
1. Alternative storage site
2. Alternative processing site
3. Alternative telecommunications services
4. Remote redundant secondary systems
a. 1 and 2
b. 2 and 3
c. 3 only
d. 1 and 4

a. Both alternative storage site and alternative processing site are susceptible to potential accessibility problems in the event of an area-wide disruption or disaster. Explicit mitigation actions are needed to handle this problem. Telecommunication services (ISPs and network service providers) and remote redundant secondary systems are located far away from the local area, hence not susceptible to potential accessibility problems.

For business continuity planning/disaster recovery planning (BCP/DRP), business impact analysis (BIA) primarily identifies which of the following?
a. Threats and risks
b. Costs and impacts
c. Exposures and functions
d. Events and operations

a. Business impact analysis (BIA) is the process of identifying an organization's exposure to the sudden loss of selected business functions and/or the supporting resources (threats) and analyzing the potential disruptive impact of those exposures (risks) on key business functions and critical business operations. Threats and risks are primary and costs and impacts are secondary, where the latter is derived from the former. The BIA usually establishes a cost (impact) associated with the disruption lasting varying lengths of time, which is secondary.

1. What are the three principal threats to the security of a system?

a. Confidentiality
b. Integrity (corrupted/damaged software)
c. Availability

Redundant array of independent disk (RAID) technology does not use which of the following?
a. Electronic vaulting
b. Mirroring
c. Parity
d. Striping

a. Redundant array of independent disk (RAID) technology uses three data redundancy techniques, mirroring, parity, and striping, not electronic vaulting. Electronic vaulting is located offsite, whereas RAID is placed at local servers, where the former may use the latter.

Which of the following is a backup that creates copies or snapshots of a file system at a particular point in time

a. Image backup

Which of the following is not a best practice in preserving data for future computer forensics examination?

a. Immediately turn on and attempt to examine the suspect computer

6 years; April 14, 2003

Accounting of disclosures: time frame: ______; clock starts: ____________

1. Explain how a relatively unreliable system can provide a high level of availability.

a. So long as system failures can be repaired quickly and do not damage data, some system failures may not be a problem.

Which of the following is an operational control and is a prerequisite to developing a disaster recovery plan?
a. System backups
b. Business impact analysis
c. Cost-benefit analysis
d. Risk analysis

a. System backups provide the necessary data files and programs to recover from a disaster and to reconstruct a database from the point of failure. System backups are operational controls, whereas the items mentioned in the other choices are management controls and are analytical in nature.

1. Give three reasons why a system's dependability is more important than its detailed functionality.

a. Systems that are not dependable and are unreliable, unsafe, or insecure may be rejected by their users.
b. Undependable systems may cause information loss with a high consequent recovery cost.
c. System failures may have widespread effects with large numbers of people affected by the failure.

Contingency planning integrates the results of which of the following? a. Business continuity plan b. Business impact analysis c. Core business processes d. Infrastructural services

b. Contingency planning integrates and acts on the results of the business impact analysis. The output of this process is a business continuity plan consisting of a set of contingency plans —with a single plan for each core business process and infrastructure component. Each contingency plan should provide a description of the resources, staff roles, procedures, and timetables needed for its implementation.

Which of the following is a critical benefit of implementing an electronic vaulting program? a. It supports unattended computer center operations or automation. b. During a crisis situation, an electronic vault can make the difference between an organization's survival and failure. c. It reduces required backup storage space. d. It provides faster storage data retrieval.

b. For some organizations, time becomes money. Increased system reliability improves the likelihood that all the information required is available at the electronic vault. If data can be retrieved immediately from the off-site storage, less is required in the computer center. It reduces retrieval time from hours to minutes. Because electronic vaulting eliminates tapes, which are a hindrance to automated operations, electronic vaulting supports automation.

An information system's recovery time objective (RTO) considers which of the following? 1. Memorandum of agreement 2. Maximum allowable outage 3. Service-level agreement 4. Cost to recover a. 1 and 3 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

b. The balancing point between the maximum allowable outage (MAO) for a resource and the cost to recover that resource establishes the information system's recovery time objective (RTO). Memorandum of agreement is another name for developing a service-level agreement (SLA).

Port numbers are divided into three ranges. Which of the following is not one of the ranges? a. Well-known ports b. Open ports c. Registered ports d. Dynamic ports

b. Open ports

An effective element of damage control after a disaster occurs is to: a. Maintain silence. b. Hold press conferences. c. Consult lawyers. d. Maintain secrecy.

b. Silence is guilt, especially during a disaster. How a company appears to respond to a disaster can be as important as the response itself. If the response is kept in secrecy, the press will assume there is some reason for secrecy. The company should take time to explain to the press what happened and what the response is. A corporate communications professional should be consulted instead of a lawyer due to the specialized knowledge of the former. A spokesperson should be selected to contact media, issue an initial statement, provide background information, and describe action plans, which are essential to minimize the damage. The company lawyers may add restrictions to ensure that everything is done accordingly, which may not work well in an emergency.

Which of the following does Windows use on a system as a "scratch pad" to write data when additional RAM is needed?

b. Swap file

A _____________ is an avenue that can be used to access a system while circumventing normal security mechanisms.

backdoor

Recalculation of batch total

The batch total should be recomputed as each transaction record is processed, and the total for the batch should then be compared to the value in the trailer record.

All validations of client-to-server data need to

be done on the server side, for this is the security-controllable side of the communication

Regarding BCP and DRP, which of the following establishes an information system's recovery time objective (RTO)? a. Cost of system inoperability and the cost of resources b. Maximum allowable outage time and the cost to recover c. Cost of disruption and the cost to recover d. Cost of impact and the cost of resources

b. The balancing point between the maximum allowable outage (MAO) and the cost to recover establishes an information system's recovery time objective (RTO). Recovery strategies must be created to meet the RTO. The maximum allowable outage is also called maximum tolerable downtime (MTD). The other three choices are incorrect because they do not deal with time and cost dimensions together.

app attacks -- LDAP Vulnerabilities

- buffer overflows may make LDAP server vulnerable to execution of malicious code
- unauthorized access may be achieved by exploiting format string vulnerabilities
- DoS attacks may be initiated by illicitly formatted requests

the use of an enhanced lifecycle development process to include security elements will

build security into the product

Which of the following should be consistent with the frequency of information system backups and the transfer rate of backup information to alternative storage sites? 1. Recovery time objective 2. Mean-time-to-failure 3. Recovery point objective 4. Mean-time-between-outages a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 2 and 4

b. The frequency of information system backups and the transfer rate of backup information to alternative storage sites should be consistent with the organization's recovery time objective (RTO) and recovery point objective (RPO). Recovery strategies must be created to meet the RTO and RPO. Mean-time-to-failure (MTTF) is most often used with safety-critical systems such as airline traffic control systems (radar control services) to measure time between failures. Mean-time-between-outages (MTBO) is the mean time between equipment failures that result in loss of system continuity or unacceptable degradation. MTTF deals with software issues, whereas MTBO measures hardware problems.

Which of the following uses both qualitative and quantitative tools? a. Anecdotal analysis b. Business impact analysis c. Descriptive analysis d. Narrative analysis

b. The purpose of business impact analysis (BIA) is to identify critical functions, resources, and vital records necessary for an organization to continue its critical functions. In this process, the BIA uses both quantitative and qualitative tools. The other three choices are examples that use qualitative tools. Anecdotal records constitute a description or narrative of a specific situation or condition.

A _________ can help justify the acquisition of newer and better resources to investigate computer forensics cases.

business case

Check digit verification

by using the first 9 digits to calculate the tenth digit each time an ID number is entered.

In transaction-based systems, which of the following are mechanisms supporting transaction recovery? 1. Transaction rollback 2. Transaction journaling 3. Router tables 4. Compilers a. 1 only b. 1 and 2 c. 3 and 4 d. 1, 2, 3, and 4

b. Transaction rollback and transaction journaling are examples of mechanisms supporting transaction recovery. Routers use router tables for routing messages and packets. A compiler is software used to translate a computer program written in a high-level programming language (source code) into a machine language for execution. Both router tables and compilers do not support transaction recovery.

Which of the following is the name for the process of making data unreadable to anyone except those who have the correct key? a. compression b. encryption c. decryption d. jailbreaking

b. encryption

With respect to BCP/DRP, single point of failure means which of the following? a. No production exists b. No vendor exists c. No redundancy exists d. No maintenance exists

c. A single point of failure occurs when there is no redundancy in data, equipment, facilities, systems, and programs. A failure of a component or element may disable the entire system. Use of redundant array of independent disks (RAID) technology provides greater data reliability through redundancy because the data can be stored on multiple hard drives across an array, thus eliminating single points of failure and decreasing the risk of data loss significantly.

Which of the following statements is not true? Having a disaster recovery plan and testing it regularly: a. Reduces risks b. Affects the availability of insurance c. Lowers insurance rates d. Affects the total cost of insurance

c. Both underwriters and management are concerned about risk reduction, availability of specific insurance coverage, and its total cost. A good disaster recovery plan addresses these concerns. However, a good plan is not a guarantee for lower insurance rates in all circumstances. Insurance rates are determined based on averages obtained from loss experience, geography, management judgment, the health of the economy, and a host of other factors. Total cost of insurance depends on the specific type of coverage obtained. It could be difficult or expensive to obtain insurance in the absence of a disaster recovery plan. Insurance provides a certain level of comfort in reducing risks but it does not provide the means to ensure continuity of business operations.

Which of the following is not a step in the process of collecting and analyzing evidence? a. Identifying the evidence b. Preserving the evidence c. Creating the evidence d. Analyzing the evidence e. Presenting the evidence

c. Creating the evidence

Which of the following IT contingency solutions requires a higher bandwidth to operate? a. Remote journaling b. Electronic vaulting c. Synchronous mirroring d. Asynchronous mirroring

c. Depending on the volume and frequency of the data transmission, remote journaling or electronic vaulting could be conducted over a connection with limited or low bandwidth. However, synchronous mirroring requires higher bandwidth for data transfers between servers. Asynchronous mirroring requires smaller bandwidth connection.

Which of the following is data that has been processed and assembled so that it is relevant to an investigation? a. Data b. Forensic data c. Information d. Evidence

c. Information

Which of the following is not a factor that makes it easy to conduct cybercrime? a. It's easy for criminals to use the Internet to research and plan crimes. b. Many systems connected to the Internet are vulnerable. c. No one ever finds out because hiding electronic evidence is easy. d. Numerous cybercrime tools are readily available online, many for free

c. No one ever finds out because hiding electronic evidence is easy

deprecated function

developing and maintaining a series of _____ _____ and prohibiting their use in new code, while removing them from old code when possible, is a proven path toward more secure code

Regarding business continuity planning (BCP) and disaster recovery planning (DRP), which of the following contingency solutions for wide-area networks (WANs) increases vulnerability to hackers? a. Redundant communication links b. Multiple network service providers c. Multiple Internet connections d. Redundant network connecting devices

c. It is true that multiple Internet connections increase a network's vulnerability to hackers. But at the same time, multiple Internet connections provide redundancy, meaning that if one connection were to fail, Internet traffic could be routed through the remaining connection. So, there is a trade-off between security and availability. The other three choices are not vulnerable to hackers. Redundant communication links can include two T-1 connections or the backup link. Multiple network service providers (NSPs) and Internet service providers (ISPs) provide a robust and reliable service from their core networks. Redundant network connecting devices such as routers, switches, and firewalls can create high availability.

Which of the following is not an important characteristic of a forensic specialist? a. A sound knowledge of computing b. Careful methodology of approach c. Law degree d. Access to and skill in the use of appropriate utilities

c. Law degree

When an organization is determining the damage it has sustained, it should consider both ________ and ________ costs.

direct and indirect

Which of the following governs whether, when, how, and why proof of a legal case can be placed before a judge or jury? a. Forensic soundness b. Computer-generated evidence c. Rules of evidence d. Human-generated evidence

c. Rules of evidence

Which of the following is the smallest unit of storage on a computer?

c. Sector

The business continuity planning (BCP) process should focus on providing which of the following? a. Financially acceptable level of outputs and services b. Technically acceptable level of outputs and services c. Minimum acceptable level of outputs and services d. Maximum acceptable level of outputs and services

c. The business continuity planning (BCP) process should safeguard an organization's capability to provide a minimum acceptable level of outputs and services in the event of failures of internal and external mission-critical information systems and services. The planning process should link risk management and risk mitigation efforts to operate the organization's core business processes within the constraints such as a disaster time.

The business impact analysis (BIA) should critically examine the business processes and which of the following? a. Composition b. Priorities c. Dependencies d. Service levels

c. The business impact analysis (BIA) examines business processes composition and priorities, business or operating cycles, service levels, and, most important, the business process dependency on mission-critical information systems.

The first step in successfully protecting and backing up information in distributed computing environments is to determine data: a. Availability requirements b. Accessibility requirements c. Inventory requirements d. Retention requirements

c. The first step toward protecting data is a comprehensive inventory of all servers, workstations, applications, and user data throughout the organization. When a comprehensive study of this type is completed, various backup, access, storage, availability, and retention strategies can be evaluated to determine which strategy best fits the needs of an organization.

What command establishes a new shell in Windows?

cmd.exe

Modifying a SQL statement through false input to a function is an example of

code injection

Regarding BCP and DRP, critical measurements in business impact analysis (BIA) include which of the following? a. General support system objectives b. Major application system objectives c. Recovery time objectives and recovery point objectives d. Uninterruptible power supply system objectives

c. Two critical measurements in business impact analysis (BIA) include recovery time objectives (RTOs) and recovery point objectives (RPOs). Usually, systems are classified as general support systems (for example, networks, servers, computers, gateways, and programs) and major application systems (for example, billing, payroll, inventory, and personnel system). Uninterruptible power supply (UPS) system is an auxiliary system supporting general systems and application systems. Regardless of the nature and type of a system, they all need to fulfill the RTOs and RPOs to determine their impact on business operations.

What name is given to a technique for analyzing problems and developing solutions using the combined efforts of a number of individuals focused on a particular issue?

collaborative computing

Validity check

compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists

Cross-footing balance test

compares the results produced by each method to verify accuracy

information privacy

concerned with establishing rules that govern collection and handling of personal information

spatial privacy

concerned with limits on ability to intrude into another's environment

Regarding BCP and DRP, which of the following is not an element of risk? a. Threats b. Assets c. Costs d. Mitigating factors

c. Whether it is BCP/DRP or not, the three elements of risk include threats, assets, and mitigating factors. Risks result from events and their surroundings with or without prior warnings, and include facilities risk, physical and logical security risk, reputation risk, network risk, supply-chain risk, compliance risk, and technology risk. Threat sources include natural (for example, fires and floods), man-made attacks (for example, social engineering), technology-based attacks (DoS and DDoS), and intentional attacks (for example, sabotage). Assets include people, facilities, equipment (hardware), software, and technologies. Controls in the form of physical protection, logical protection, and asset protection are needed to avoid or mitigate the effects of risks. Some examples of preventive controls include passwords, smoke detectors, and firewalls and some examples of reactive/recovery controls include hot sites and cold sites. Costs are the outcomes or byproducts of and derived from threats, assets, and mitigating factors, which should be analyzed and justified along with benefits prior to the investment in controls.

Which of the following does a forensics lab not need to stock? a. workstations b. operating systems c. legal manuals d. hard drives

c. legal manuals

Top 25 list

can be updated periodically as the threat landscape changes

Fuzz testing

can find a wide range of errors

What security feature is even more common than a lock?

card reader

User review of output

carefully examine system output to verify that it is reasonable, that it is complete, and that they are the intended recipient.

app attacks -- Buffer Overflows

- cause app to crash by sending more data than memory buffer can handle
- data overflows to adjacent memory
- processes crash/return other undesired results
- exploit poor programming & code review
- common web server attack

Numerous organizations offer _________ programs for system forensics.

certification

closed-loop verification

checks the accuracy of input data by using it to retrieve and display other related information

The ________ is a detailed list of what was done with original copies and systems after they were seized

checklist

Which of the following computer backup alternative sites is the least expensive method and the most difficult to test? a. Nonmobile hot site b. Mobile hot site c. Warm site d. Cold site

d. A cold site is an environmentally protected computer room equipped with air conditioning, wiring, and humidity control for continued processing when the equipment is shipped to the location. The cold site is the least expensive method of a backup site, but the most difficult and expensive to test.

All of the following are key stakeholders in the disaster recovery process except: a. Employees b. Customers c. Suppliers d. Public relations officers

d. A public relations (PR) officer is a company's spokesperson and uses the media as a vehicle to consistently communicate and report to the public, including all stakeholders, during pre-crisis, interim, and post-crisis periods. Hence, the PR officer is a reporter, not a stakeholder. Examples of various media used for crisis notification include print, radio, television, telephone (voice mail and text messages), post office (regular mail), the Internet (for example, electronic mail and blogs), and press releases or conferences. The other stakeholders (for example, employees, customers, suppliers, vendors, labor unions, investors, creditors, and regulators) have a vested interest in the positive and negative effects and outcomes, and are affected by a crisis situation, resulting from the disaster recovery process.

Which of the following can be called the disaster recovery plan of last resort? a. Contract with a recovery center b. Demonstration of the recovery center's capabilities c. Tour of the recovery center d. Insurance policy

d. According to insurance industry estimates, every dollar of insured loss is accompanied by three dollars of uninsured economic loss. This suggests that companies are insured only for one-third of the potential consequences of a disaster and that insurance truly is a disaster recovery plan of last resort.

Which of the following is of least concern in a local-area network contingency plan? a. Application systems are scheduled for recovery based on their priorities. b. Application systems are scheduled for recovery based on the urgency of the information. c. Application systems are scheduled for recovery based on a period of downtime acceptable to the application users. d. Application systems are scheduled for recovery based on a period of downtime tolerable to the application programmers.

d. An alternative location is needed to ensure that critical applications can continue to be processed when the local-area network (LAN) is unavailable for an extended period of time. Application systems should be scheduled for recovery and operation at the alternative site, based on their priority, the urgency of the information, and the period of downtime considered acceptable by the application users. It does not matter what the application programmers consider acceptable because they are not the direct users of the system.

Which of the following is the best form of a covered loss insurance policy? a. A basic policy b. A broad policy c. A special all-risk policy d. A policy commensurate with risks

d. Because insurance reduces or eliminates risk, the best insurance is the one commensurate with the most common types of risks to which a company is exposed. The other three choices are incorrect. A basic policy covers specific named perils including fire, lightning, and windstorm. A broad policy covers additional perils such as roof collapse and volcanic action. A special all-risk policy covers everything except specific exclusions named in the policy.

What is the name of the organization that is involved with the DoD investigations that require computer forensics supports to detect, enhance, or recover digital media? a. U.S. Army b. U.S. law enforcement c. DoD Digital Media Center (DDMC) d. DoD Cyber Crime Center (DC3)

d. DoD Cyber Crime Center (DC3)

All the following are objectives of emergency response procedures except: a. Protect life b. Control losses c. Protect property d. Maximize profits

d. Emergency response procedures are those procedures initiated immediately after an emergency occurs to protect life, protect property, and minimize the impact of the emergency (loss control). Maximizing profits can be practiced during nonemergency times but not during an emergency.

External data reconciliation

database totals should periodically be reconciled with data maintained outside the system

Which of the following commonly used system forensics tools is a fuzzy logic tool employed for data sampling? a. AnaDisk b. CopyAM Plus c. TextSearch Plus d. Filter_G

d. Filter_G

Which of the following is not an example of procedure-oriented disaster prevention activity? a. Backing up current data and program files b. Performing preventive maintenance on computer equipment c. Testing the disaster recovery plan d. Housing computers in a fire-resistant area

d. Housing computers in a fire-resistant area is an example of a physically oriented disaster prevention category, whereas the other three choices are examples of procedure-oriented activities. Procedure-oriented actions relate to tasks performed on a day-to-day, month-to-month, or annual basis or otherwise performed regularly. Housing computers in a fire-resistant area with a noncombustible or charged sprinkler area is not regular work. It is part of a major computer-center building construction plan.

Which of the following is the most important outcome from contingency planning tests? a. The results of a test should be viewed as either pass or fail. b. The results of a test should be viewed as practice for a real emergency. c. The results of a test should be used to assess whether the plan worked or did not work. d. The results of a test should be used to improve the plan.

d. In the case of contingency planning, a test should be used to improve the plan. If organizations do not use this approach, flaws in the plan may remain hidden or uncorrected. Although the other three choices are important in their own way, the most important outcome is to learn from the test results in order to improve the plan next time, which is the real benefit.

Which of the following is a prerequisite to developing a disaster recovery plan? a. Business impact analysis b. Cost-benefit analysis c. Risk analysis d. Management commitment

d. Management commitment and involvement are always needed for any major programs, and developing a disaster recovery plan is no exception. Better commitment leads to greater funding and support. The other three choices come after management commitment.

Which of the following disaster recovery plan testing approaches is not recommended? a. Desk-checking b. Simulations c. End-to-end testing d. Full-interruption testing

d. Management will not allow stopping of normal production operations for testing a disaster recovery plan. Some businesses operate on a 24x7 schedule and losing several hours of production time is tantamount to another disaster, financially or otherwise.

Which of the following is not one of the key elements of data backup?

d. Mirroring

Which of the following should not be reported to a law enforcement agency of some sort? a. Intrusions or attacks on networks that deal with sensitive data b. Cases of suspected industrial espionage c. Cases involving child pornography d. Port scans, which are often precursors to cyberattacks

d. Port scans, which are often precursors to cyberattacks

Which of the following is a court order that requires a person or an organization that owns subject equipment to release it for analysis? a. Voluntary surrender b. Search warrant c. Arrest warrant d. Subpoena e. Trial

d. Subpoena

Which of the following is the correct sequence of events when surviving a disaster? a. Respond, recover, plan, continue, and test b. Plan, respond, recover, test, and continue c. Respond, plan, test, recover, and continue d. Plan, test, respond, recover, and continue

d. The correct sequence of events to take place when surviving a disaster is plan, test, respond, recover, and continue.

Which of the following disaster scenarios is commonly not considered during the development of disaster recovery and contingency planning? a. Network failure b. Hardware failure c. Software failure d. Failure of the local telephone company

d. Usually, telephone service is taken for granted by the recovery team members that could negatively affect Voice over Internet Protocol (VoIP) services. Consequently, it is not addressed in the planning stage. However, alternative phone services should be explored. The other three choices are usually considered due to familiarity and vendor presence.

Which of the following information technology (IT) contingency solutions for servers minimizes the recovery time window? a. Electronic vaulting b. Remote journaling c. Load balancing d. Disk replication

d. With disk replication, recovery windows are minimized because data is written to two different disks to ensure that two valid copies of the data are always available. The two disks are called the protected server (the main server) and the replicating server (the backup server). Electronic vaulting and remote journaling are similar technologies that provide additional data backup capabilities, with backups made to remote tape or disk drives over communication links. Load balancing increases server and application system availability.

When is the best time to notify law enforcement when dealing with a breach? a. immediately after the breach is suspected b. after the evidence collection has begun c. after the attacker is identified d. it depends on the circumstances of the case

d. it depends on the circumstances of the case

A _________ should identify the types of data to be collected and describe the expected source for the data. It should also list any anticipated problems as well as recommended strategies to deal with those problems.

data analysis plan

tape & disk

data are first backed up to a disk, for speed, then transferred to tape

A company's vital records program must meet which of the following? 1. Legal, audit, and regulatory requirements 2. Accounting requirements 3. Marketing requirements 4. Human resources requirements a. 1 only b. 1 and 2 c. 1, 3, and 4 d. 1, 2, 3, and 4

d. Vital records support the continuity of business operations and present the necessary legal evidence in a court of law. Vital records should be retained to meet the requirements of functional departments of a company (for example, accounting, marketing, production, and human resources) to run day-to-day business operations (current and future). In addition, companies that are heavily regulated (for example, banking and insurance) require certain vital records to be retained for a specified amount of time. Also, internal auditors, external auditors, and third-party auditors (for example, regulatory auditors and banking/insurance industry auditors) require certain vital records to be retained to support their audit work. Periodically, these auditors review compliance with the record retention requirements either as a separate audit or as a part of their scheduled audit. Moreover, vital records are needed during recovery from a disaster. In other words, vital records are vital for the long-run success of a company. First, company management, in coordination with corporate legal counsel, must take an inventory of all records used in the company, classify which records are vital, and identify which vital records support the continuity of business operations, legal evidence, disaster recovery work, and audit work, knowing that not all records and documents that a company handles every day are vital records. Some records are on paper media while other records are on electronic media. An outcome of inventorying and classifying records is developing a "record retention" list showing each document with its retention requirements in terms of years. Then, a systematic method is needed to preserve and store these vital records onsite and offsite, with rotation procedures between the onsite and offsite locations. Corporate legal counsel plays an important role in defining retention requirements for both business (common) records and legal records.
IT management plays a similar role in backing up, archiving, and restoring the electronic records for future retrieval and use. The goal is to ensure that the current version of the vital records is available and that outdated backup copies are deleted or destroyed in a timely manner. Examples of vital records follow:
- Legal records: general contracts; executive employment contracts; bank loan documents; business agreements with third parties, partners, and joint ventures; and regulatory compliance forms and reports.
- Accounting/finance records: payroll, accounts payable, and accounts receivable records; customer invoices; tax records; and yearly financial statements.
- Marketing records: marketing plans; sales contracts with customers and distributors; customer sales orders; and product shipment documents.
- Human resources records: employment applications and test scores, and employee performance appraisal forms.

________ assists federal civilian agencies in their incident-handling efforts. It analyzes the information provided by all agencies to identify trends and precursors of attacks.

US-CERT

A newer portable media that provides new obstacles is a(n) - Access token - USB drive - CD-ROM - CCTV

USB drive

Employees may innocently introduce viruses into a network from their home computer on a ______. When they plug the _____ into the work computer, the virus infects it.

USB thumb drive

What retail edition of Windows 7 includes BitLocker? (CH 6)

Ultimate (CH 6)

You have Windows Vista Ultimate edition and want to upgrade to Windows 7. What edition is your only choice for doing an in-place installation of Windows Vista Ultimate? (CH 6)

Ultimate (CH 6)

________ is the area of a hard drive that has never been allocated for file storage, or the leftover area that the computer regards as unallocated after file deletion

Unallocated space

System forensics specialists must keep in mind certain technical data collection considerations. Which does not apply?

Understanding the data's source code

What is meant by script kiddies?

Unsophisticated hackers who use point-and-click software rather than program their own software

What type of empty space is the space left after a file has been deleted?

Unused space

A live system forensics technique in which an investigator acquires a physical memory dump of the compromised system and transmits it to the data collection system for analysis is:

Volatile memory analysis

Which of the following is not a challenge when working with volatile data?

Volatile memory may contain evidence not found in nonvolatile sources

Say that two partitions are filled with data. When you delete one of them, the data is not actually deleted. Instead, it is hidden. This is referred to as ____________

Volume Slack

Which term describes permission from the owner of a computer or other equipment to search and/or seize equipment

Voluntary surrender

Consent Prompt (Key Terms: CH 6)

When an administrator attempts to do something requiring administrator-level privileges, a/an ___ will display, requiring the user to click Yes. (CH 6)

Mastered (Definition: CH 6)

When burning a disc in Windows 7, use this option when you want to be able to use the CD or DVD in a conventional CD or DVD player or in any computer (older Apple Macs or PCs). The downside is that each item you select to copy to the disc is stored temporarily in available hard disk space (in addition to the space used by the original file) until you finish selecting everything you wish to copy; the files are then written in one operation. This makes it difficult to copy files when you have very little free space on any hard drive in your computer. (CH 6 Pg. 225)

When are information related to fundraising activities okay to use?

When it is disclosed to a BA or institutionally related foundation, only the demographic information and dates of healthcare are provided, they are given the chance to opt out, and they were notified of the use in the NPP.

What are exceptions when a CE can make "paid" communications with the patient?

When it is in regards to a prescribed drug where the payment was "reasonable" or it is from a BA on behalf of the CE. If payment was accepted it must always be prominently stated and have the option to opt out.

When is a CE allowed to market a certain group of individuals?

When it may be beneficial to them, it is explained why they are being targeted, and how the service relates to them.

When should a human security guard be used for physical access control?

When necessary to avoid issues such as piggybacking, which can occur with electronic access controls

When does the privacy rule apply to CEs?

When they are directly or indirectly involved with transmitting or performing any electronic transactions specified in the act (i.e. in regards to health claims, insurance coverage, etc.).

Upgrade Advisor (Key Terms: CH 5)

When unsure about hardware and software compatibility before upgrading, use the Windows XP CD to run the Windows XP ___ on the computer. (CH 5)

Cleaning crews are allowed unsupervised access because they have a contract.

Which of the following is a physical security threat?

Which of the following methods allow e-mail only from known and trusted senders?

Whitelisting

______ is a network that connects multiple LANs and can span very large areas, including multiple countries.

Wide area network (WAN)

After you complete a multi-boot installation, you will see this special menu at every restart. (CH 6)

Windows Boot Manager (CH 6)

What anti-spyware program comes bundled with Windows? (CH 6)

Windows Defender (CH 6)

Editions (Definition: CH 6)

Windows Vista and Windows 7 are versions of Windows with major differences between them. Microsoft sells each of these versions as several separate products, called ___. (CH 6 Pg. 194)

Which version of Windows XP is for general business users? (CH 5)

Windows XP Professional (CH 5)

Personal Folders (Key Terms: CH 5)

Windows creates ___ for each user for storing desktop configuration and preference information as well as data created by the user. (CH 5)

_____________ is a local area network that links devices wirelessly

Wireless local area networks (WLAN)

An amended 1968 act that governs real-time interception of the contents of a communication is the definition of:

Wiretap Act

app attacks -- Javascript

a self-contained program that is downloaded to and executed in the client environment (the browser) and can control or manipulate browser behavior and settings; the client OS and browser version must be considered when assessing vulnerability risk. JavaScript vulnerabilities include:
- unauthorized file access
- cache access
- uploads
- email exposure

Additional batch processing data entry control

sequence check, error log, batch totals: financial total, hash total, record counts

HTTP is based on a request and response standard. A client requests a resource, such as text, an image, or a multimedia file, from the server. The ________ responds with a status line and additional information.

server

software

set of instructions written in a specialized code that controls the operation of the computer and how it communicates with other computers

requirements phase

should define the specific security requirements if there is any expectation of them being designed into the project

Computer software or hardware that can intercept and log traffic passing over a digital network is called ________.

sniffer

While router logs are useful, some evidence exists only inside data packets. To review the contents of packets, you can capture network traffic by using a _________.

sniffer
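Worked example (added here; not part of the original flashcard set): decoding a constructed Ethernet/IPv4/TCP frame in Python the way a sniffer does, to reach the payload that a router log never records. The frame, MAC/IP addresses, ports and the HTTP request line are constructed test data, not a real capture; checksums are left at zero because nothing here validates them.

```python
"""Decode a raw Ethernet II / IPv4 / TCP frame and expose its payload.
Added example; the frame below is constructed, not captured."""
import socket
import struct


def decode_frame(frame):
    """Parse the link, network and transport headers; return the fields an
    investigator cares about plus the application-layer payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4                 # header length in bytes
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (offset_flags >> 12) * 4     # TCP header length in bytes
    return {
        "dst_mac": ":".join(f"{b:02x}" for b in dst_mac),
        "src_mac": ":".join(f"{b:02x}" for b in src_mac),
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "ttl": ttl,
        "src_port": sport,
        "dst_port": dport,
        "seq": seq,
        "flags": offset_flags & 0x1FF,         # NS,CWR,ECE,URG,ACK,PSH,RST,SYN,FIN
        "payload": tcp[data_offset:],
    }


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal frame so the example runs offline (constructed data)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                      (5 << 12) | 0x018,       # data offset 5 words, PSH|ACK
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed sample: an HTTP request from a workstation to an internal web server.
SAMPLE = build_frame("10.0.0.5", "10.0.0.80", 51234, 80,
                     b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n")


def first_request_line(frame):
    """The first line of the TCP payload: the evidence a router log does not keep."""
    payload = decode_frame(frame)["payload"]
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    info = decode_frame(SAMPLE)
    print(f"{info['src_ip']}:{info['src_port']} -> {info['dst_ip']}:{info['dst_port']} "
          f"ttl={info['ttl']} flags=0x{info['flags']:03x}")
    print("payload:", first_request_line(SAMPLE))
```

A real capture would come from a pcap file or a raw socket; the decoding steps are the same, which is why a sniffer can show the request line when the router only logged the 5-tuple.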

web applications

software that is delivered to users through a web server (examples: Google Apps, WebEx, web-based office suites)

consumer GLBA

someone who has obtained a financial product or service but does not have an ongoing relationship with the institution

Keyword filters, IP database block lists, whitelists, and graylist are examples of methods used to prevent or reduce _______

spamming

Business Continuity Plan

specifies how to resume IT operations AND all other business processes, including relocating to new offices and hiring temporary replacements if a disaster destroys an organization's data center AND its main headquarters

An absolute indication of the use of steganography is the discovery of ________

steganography software

Procedures

step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

Which of the following is NOT a typical cause of logical damage?

storing the file system in a clean room

Hash total

sums a nonfinancial numeric field, such as the total of the quantity-ordered field in a batch of sales transactions

The requirements phase is

the most important part of the software engineering process since it outlines the project's future requirements, thus defining its scope and limitations

In a digital forensic investigation, e-mail tracing can help an investigator determine ________.

the physical location of the device a perpetrator used to send e-mail
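Worked example (added here; not part of the flashcard set): tracing a message through its Received: headers in Python. Each relay prepends a Received header, so the bottom-most one was written by the first server to accept the message and records the IP it saw the sender connect from; checking that each hop's "from" host matches the "by" host of the hop beneath it helps spot forged or stripped headers. The message, hostnames and addresses are constructed (IANA documentation address ranges and example domains), not a real e-mail. The headers yield an IP address; tying it to a physical location requires the relay operator's records or IP geolocation.

```python
"""Walk Received: headers bottom-up to find the originating relay and sender IP.
Added example; the message is constructed."""
import re
from email import message_from_string

# Constructed message: three relays, the last one (bottom) accepted it from the sender.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.9])
\tby mail.victim.example (Postfix) with ESMTPS id 7F3A2
\tfor <ceo@victim.example>; Tue, 03 Mar 2015 09:12:44 +0000
Received: from relay.example.org (relay.example.org [198.51.100.23])
\tby mx2.example.net with ESMTP id 0x77
\tfor <ceo@victim.example>; Tue, 03 Mar 2015 09:12:40 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.example.org with ESMTPA id a1b2
\tfor <ceo@victim.example>; Tue, 03 Mar 2015 09:12:31 +0000
From: "Accounts" <accounts@victim.example>
To: ceo@victim.example
Subject: Urgent wire transfer
Message-ID: <20150303091231.a1b2@relay.example.org>

Please process the attached invoice today.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return one dict per Received header, in header order (newest first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", str(value))       # unfold continuation lines
        ip_match = IPV4.search(flat)
        hops.append({
            "from": re.search(r"from (\S+)", flat).group(1),
            "ip": ip_match.group(1) if ip_match else None,
            "by": re.search(r" by (\S+)", flat).group(1),
            "raw": flat,
        })
    return hops


def originating_hop(hops):
    """The last Received header was added by the first relay to handle the
    message, so it holds the closest thing to the sender's address."""
    return hops[-1]


def chain_is_consistent(hops):
    """Each hop's 'from' host should equal the 'by' host of the hop below it."""
    return all(hops[i]["from"] == hops[i + 1]["by"] for i in range(len(hops) - 1))


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for hop in reversed(hops):                          # oldest first
        print(f"{hop['ip']:>15}  {hop['from']} -> {hop['by']}")
    origin = originating_hop(hops)
    print("chain consistent:", chain_is_consistent(hops))
    print(f"first relay {origin['by']} accepted the message from {origin['ip']}")
```

Here the From: line claims the victim's own domain, but the chain shows the message entered at relay.example.org from 192.0.2.44 with an authenticated (ESMTPA) session; that relay's logs for id a1b2 are the next thing an investigator would request.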

social engineering

the process of convincing an authorized individual to provide confidential information or access to an unauthorized individual

Network Forensics is:

the process of examining network traffic, including transaction logs and real-time monitoring, using sniffers and tracing.

Update master file

the sales transaction file is processed against the customer and inventory databases or master files

Procedures

the step-by-step instructions on how to implement policies in the organization

Prepare batch totals

the sum of all sales amounts is calculated as a financial total and recorded on the batch control form that accompanies each group of sales documents
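Worked example (added here; not part of the flashcard set): computing and reconciling the batch control totals named on this page (record count, financial total, hash total) and running a sequence check over pre-numbered source documents in Python. The sales batch and the control-form values are constructed; document 1004 is deliberately missing from the keyed batch so that every control fires and writes to the error log.

```python
"""Batch input controls: record count, financial total, hash total, sequence check.
Added example; the batch and control-form figures are constructed."""
from decimal import Decimal

# Constructed batch as keyed by the operator (document 1004 was skipped).
SALES_BATCH = [
    {"doc_no": 1001, "account": "C-204", "qty": 3,  "amount": Decimal("149.97")},
    {"doc_no": 1002, "account": "C-118", "qty": 1,  "amount": Decimal("89.00")},
    {"doc_no": 1003, "account": "C-204", "qty": 12, "amount": Decimal("480.00")},
    {"doc_no": 1005, "account": "C-331", "qty": 2,  "amount": Decimal("39.98")},
]

# The document that should have been in the batch (constructed).
MISSING_DOC = {"doc_no": 1004, "account": "C-077", "qty": 1, "amount": Decimal("100.00")}

# Totals written on the batch control form before keying, covering all five documents.
CONTROL_FORM = {
    "record_count": 5,
    "financial_total": Decimal("858.95"),
    "hash_total": 19,            # sum of quantity ordered: a non-financial field
}


def compute_batch_totals(batch):
    """Record count, financial total (sum of amounts) and hash total (sum of qty)."""
    return {
        "record_count": len(batch),
        "financial_total": sum((t["amount"] for t in batch), Decimal("0")),
        "hash_total": sum(t["qty"] for t in batch),
    }


def sequence_check(batch):
    """Return (missing, duplicate) document numbers for a pre-numbered batch."""
    numbers = [t["doc_no"] for t in batch]
    expected = set(range(min(numbers), max(numbers) + 1))
    missing = sorted(expected - set(numbers))
    duplicates = sorted({n for n in numbers if numbers.count(n) > 1})
    return missing, duplicates


def reconcile(batch, control_form):
    """Compare keyed totals with the control form and run the sequence check.
    Returns the lines that belong in the error log; an empty list reconciles."""
    errors = []
    totals = compute_batch_totals(batch)
    for name, expected in control_form.items():
        if totals[name] != expected:
            errors.append(f"{name}: keyed {totals[name]} vs control form {expected}")
    missing, duplicates = sequence_check(batch)
    if missing:
        errors.append(f"sequence check: missing document numbers {missing}")
    if duplicates:
        errors.append(f"sequence check: duplicate document numbers {duplicates}")
    return errors


if __name__ == "__main__":
    for line in reconcile(SALES_BATCH, CONTROL_FORM):
        print("ERROR LOG:", line)
    print("after re-keying 1004:", reconcile(SALES_BATCH + [MISSING_DOC], CONTROL_FORM))
```

Amounts use Decimal rather than float so the financial total matches the control form to the cent; with binary floats the comparison itself can produce spurious exceptions.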

Sort and edit the transaction file

the transaction file is now sorted by customer account number

fuzzing

the use of large quantities of data to test an interface against security vulnerabilities
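Worked example (added here; not part of the flashcard set): a small mutation fuzzer in Python run against an invented binary record parser. The record format, both parser versions and the seed input are assumptions for illustration. The fuzzer treats the parser's own ParseError as an intended rejection and reports any other exception as a bug; against the version that trusts the declared length it finds the missing check within a few hundred inputs, and against the hardened version it finds nothing.

```python
"""Mutation fuzzing against a length-prefixed record parser.
Added example; format, parsers and seed are invented for illustration."""
import random

BUFFER_SIZE = 16


class ParseError(Exception):
    """Raised for input the parser rejects on purpose."""


def parse_record_vulnerable(data):
    """Record = 1 byte type, 1 byte declared payload length, payload bytes.
    Copies the payload into a fixed buffer, trusting the declared length."""
    if len(data) < 2:
        raise ParseError("record too short")
    rtype, length = data[0], data[1]
    if rtype not in (1, 2, 3):
        raise ParseError(f"unknown record type {rtype}")
    buf = bytearray(BUFFER_SIZE)
    for i in range(length):              # no check against BUFFER_SIZE or len(data)
        buf[i] = data[2 + i]
    return rtype, bytes(buf[:length])


def parse_record_fixed(data):
    """Same format; the declared length is validated before it is used."""
    if len(data) < 2:
        raise ParseError("record too short")
    rtype, length = data[0], data[1]
    if rtype not in (1, 2, 3):
        raise ParseError(f"unknown record type {rtype}")
    if length > BUFFER_SIZE or length > len(data) - 2:
        raise ParseError(f"declared length {length} exceeds buffer or input")
    return rtype, bytes(data[2:2 + length])


def mutate(seed, rng):
    """One random mutation: overwrite a byte, insert a byte, or truncate."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    else:
        del data[rng.randrange(len(data) + 1):]
    return bytes(data)


def fuzz(parser, seed, iterations=2000, rng_seed=1):
    """Feed mutated inputs to parser; keep one crashing input per exception type.
    Deterministic for a given rng_seed so results are reproducible."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ParseError:
            pass                          # expected rejection, not a bug
        except Exception as exc:          # anything else is a finding
            crashes.setdefault(type(exc).__name__, sample)
    return crashes


SEED = bytes([1, 5]) + b"hello"           # constructed valid record: type 1, 5-byte payload

if __name__ == "__main__":
    found = fuzz(parse_record_vulnerable, SEED)
    print("vulnerable parser:", {k: v.hex() for k, v in found.items()})
    print("fixed parser:     ", fuzz(parse_record_fixed, SEED))
```

In Python the out-of-bounds copy surfaces as an IndexError; in C the same trusted-length pattern would be a buffer overflow, which is why fuzzers are pointed at parsers first.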

Write-protection mechanisms

these protect against overwriting or erasing of data files stored on magnetic media

If a file or metadata folder in the file system changes after the operating system has read the metadata, but before it acquires the data, what happens to the metadata and data sectors?

they may not totally agree

Windows Defender (Definition: CH 6)

A free built-in anti-spyware product now integrated into the Windows 7 Action Center where you can configure spyware scanning and updates. (CH 6 Pg. 202)

Workforce member

A healthcare employee, volunteer, student, or trainee; responsible for protecting patients' health information

Restore Point (Definitions: CH 5)

A snapshot of Windows, its configuration, and all installed programs. If your computer has nonfatal problems after you have made a change, you can use System Restore to roll it back to a ___ ___. (CH 5 Pg. 149)

Bootstrap Loader (Definitions: CH 4)

A small ROM-BIOS program that searches for a boot sector on disk. Once it finds one, it loads it into memory. The boot sector program then looks on the disk from which it was loaded for operating system files, which it will then load into memory. (CH 4 Pg. 137)

Gadget (Definition: CH 6)

A small program represented by an icon on the Windows Vista Sidebar, or, in Windows 7, anywhere on the desktop. A ___ performs some small function---usually involving keeping information handy in a small screen object. (CH 6 Pg. 219)

What is meant by unallocated space?

A type of empty space on a computer that is the unused portion of the hard drive is not allocated to any volume. Also known as free space

Windows Easy Transfer (WET) (Definition: CH 6)

A utility that will transfer your data, e-mail, and settings for the Windows desktop and your applications from an old installation of Windows to Windows 7. (CH 6 Pg. 207)

Backup Utility (Definitions: CH 5)

A utility that you can use to back up system data files. Beginning with Windows XP, you can also use the Windows ___ ___. (CH 5 Pg. 182)

Windows 7 Upgrade Advisor (Definition: CH 6)

A utility you can run on a Windows computer to discover any hardware or software incompatibilities. (CH 6 Pg. 207)

Application (Key Terms: CH 4)

A word processor is an example of a/an ___ program. (CH 4)

Reverse social engineering involves:

An attacker attempting to somehow convince the target to initiate contact in order to avoid questions about authenticity

BitLocker To Go (Definition: CH 6)

An enhanced feature of Windows 7 BitLocker that adds encryption of removable devices. (CH 6 Pg. 202)

Image (Definitions: CH 5)

An exact duplicate of the entire hard drive contents, including the OS and all installed software, that is used to install copies of an OS and associated applications on multiple computers. (CH 5 Pg. 151)

Shortcut (Definitions: CH 5)

An icon that represents a link to an object, such as a file or program. Activating a ___ (by clicking on it) is a quick way to access an object or to start a program from any location without having to find the actual location of the object on your computer. (CH 5 Pg. 147)

Whom should a company perform background checks on? A.) System administrators only B.) Contract personnel only C.) All individuals who have unescorted physical access D.) Background checks are not needed outside of the military

C

which one is not a unique biometric? A.) Eye retina B.) Hand geometry C.) Shoulder-to-waist geometry D.) Fingerprint

C

why is access to an ethernet jack a risk? A.) Wireless traffic can find its way onto the local area network. B.) An attacker can use it to create a door card entry for himself. C.) It allows access to the internal network. D.) A special plug can be used to short out the entire Ethernet system.

C

What information must be included in the accounting of disclosures?

Date, name and address of requestee, and brief statement of the purpose of disclosure.

Data corruption and system downtime (therefore causing revenue loss); new criminal techniques that leave law enforcement techniques outdated; and criminals resorting to the widespread use of cryptography, are among the problems associated with what?

Dead System Forensics

________ is analysis of machines that have been shut down

Dead system analysis

The ____________ develops and delivers computer investigation training courses for government and law enforcement organizations, and is accredited through the Council on Occupational Education (COE). ________ is a government organization dedicated to computer investigations training, development, and delivery. It uses state-of-the-art equipment, classrooms, and technologies to train students in digital forensics techniques.

Defense Cyber Investigations Training Academy (DCITA)

Why is it important for a forensic specialist to have legal licenses of any forensic software he uses?

Defense lawyers can discredit any investigator using illegal software

In which backup strategy are only those portions of the files and software that have changed since the last backup backed up?

Delta.

What type of evidence is helpful to explain to a jury how an attacker carried out a complex attack?

Demonstrative

Information that helps explain other evidence, such as a chart that explains a technical concept to the judge and jury, is the definition of

Demonstrative evidence

Among the most widespread cybercrimes, ______ occurs when an attacker deprives people of the services they are entitled to access or provide, or when an attacker floods the bandwidth of the victim's network, or fills an individual's email box with spam mail

Denial of service (DoS) and distributed denial of service attacks (DDoS)

__________ occur when an attacker deprives people of the services the are entitled to access or provide

Denial of service (DoS)/Distributed denial of service attack (DDoS)

The ______ is the department of the U.S. federal government that coordinates and supervises agencies and functions of the government related to the national security and the U.S. armed forces

Department of Defense (DoD)

Dump File (Definitions: CH 5)

In Windows, a file to which memory contents are copied (dumped) when a stop error occurs. You can use the information in a ___ ___ when debugging stop errors. You can also send this file to Microsoft for evaluation of a problem. (CH 5 Pg. 186)

What is the first step in collecting and analyzing evidence?

Identify the evidence

A business impact assessment (BIA) is conducted to:

Identify the most critical functions for an organization.

Compatibility Wizard (Key Terms: CH 5)

If a program written for an older version of Windows does not run under Windows XP, use the ____. (CH 5)

What happens to data from a deleted file if a new file is created in the same sector?

If the old file was larger than the new file, part of the old file is still on the disk

Live CD (Key Terms: CH 4)

If you have a/an ___ you can boot an OS, without having it installed on the local hard disk. (CH 4)

Which of the following terms means the process of creating a complete sector-by-sector copy of a disk drive?

Imaging
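Worked example (added here; not part of the flashcard set): a Python simulation of what imaging and deleted-file remnants look like on disk. The ToyDisk class, its directory and the sample files are invented for illustration; real file systems differ in detail, but the behaviour shown is the one the questions above describe: deleting a file removes only its directory entry, a smaller new file written to the same sectors overwrites only part of the old data, and a sector-by-sector image with hash verification lets you carve what is left from the new file's slack space and from unallocated sectors.

```python
"""Sector-by-sector imaging, hash verification, and carving a deleted file's remnants.
Added example; the 'disk' is an in-memory bytearray with a toy directory."""
import hashlib

SECTOR = 512


def sectors_for(length):
    """Number of whole sectors a file of this length occupies (ceiling division)."""
    return -(-length // SECTOR)


class ToyDisk:
    """Block device with a minimal directory. Deleting removes the directory
    entry only; data sectors stay in place until something overwrites them."""

    def __init__(self, sectors):
        self.data = bytearray(SECTOR * sectors)
        self.directory = {}                  # name -> (first sector, byte length)

    def write_file(self, name, first_sector, content):
        start = first_sector * SECTOR
        self.data[start:start + len(content)] = content
        self.directory[name] = (first_sector, len(content))

    def delete_file(self, name):
        del self.directory[name]             # no wiping of the data sectors

    def allocated_sectors(self):
        used = set()
        for first, length in self.directory.values():
            used.update(range(first, first + sectors_for(length)))
        return used


def image_device(disk):
    """Copy every sector in order, then hash source and copy to verify the image."""
    image = bytearray()
    for s in range(len(disk.data) // SECTOR):
        image += disk.data[s * SECTOR:(s + 1) * SECTOR]
    digest = hashlib.sha256(image).hexdigest()
    if digest != hashlib.sha256(disk.data).hexdigest():
        raise RuntimeError("image does not match source")
    return bytes(image), digest


def carve_unallocated(image, allocated):
    """Data from sectors no live file claims, with zero fill trimmed."""
    out = bytearray()
    for s in range(len(image) // SECTOR):
        if s not in allocated:
            out += image[s * SECTOR:(s + 1) * SECTOR]
    return bytes(out).strip(b"\x00")


def carve_slack(image, disk, name):
    """Bytes between a live file's logical end and the end of its last sector."""
    first, length = disk.directory[name]
    end = first * SECTOR + length
    last_sector_end = (first + sectors_for(length)) * SECTOR
    return image[end:last_sector_end].rstrip(b"\x00")


def demo():
    disk = ToyDisk(sectors=8)
    old = (b"CONFIDENTIAL MEMO: " + b"A" * 1200).ljust(1300, b"Z")   # 1300 bytes, 3 sectors
    disk.write_file("memo.txt", 2, old)
    disk.delete_file("memo.txt")
    disk.write_file("note.txt", 2, b"short replacement note")         # 22 bytes, same start
    image, digest = image_device(disk)
    return {
        "sha256": digest,
        "slack": carve_slack(image, disk, "note.txt"),
        "unallocated": carve_unallocated(image, disk.allocated_sectors()),
    }


if __name__ == "__main__":
    r = demo()
    print("image sha256:", r["sha256"])
    print("slack of note.txt holds", len(r["slack"]), "bytes of the old memo")
    print("unallocated sectors hold", len(r["unallocated"]), "bytes, ending", r["unallocated"][-8:])
```

The first 22 bytes of the memo, including its header, are gone because the new file overwrote them; the remaining 1278 bytes survive in the slack of sector 2 and in sectors 3 and 4, which is exactly the "part of the old file is still on the disk" case.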

During which step of the policy lifecycle does training of users take place?

Implement the plans

The largest class of errors in software engineering can be attributed to

Improper input validation

The largest class of errors in software engineering can be attributed to:

Improper input validation.

Jump List (Definition: CH 6)

In Windows 7, a list of recently opened items such as files, folders, and Web sites that appear when you right-click on a program on the Start menu or taskbar. (CH 6 Pg. 198)

Consent Prompt (Definition: CH 6)

In Windows Vista or Windows 7, if a program is trying to perform something for which it needs administrator permissions, and you are logged on as an administrator, a User Account Control ___ ___ will appear asking if you trust the source. (CH 6 Pg. 231)

Personal Folders (Definitions: CH 5)

In Windows, a set of special folders saved on disk for each user who logs on. (CH 5 Pg. 167)

What name is given to a common cybercrime that includes the theft of trade secrets, material that is copyrighted, or other information to which an individual or a company has a right?

Intellectual property theft

________ is a protocol that allows an e-mail client to access e-mail on a remote mail server.

Internet Message Access Protocol (IMAP)

In a forensic investigation, look for file fragments or portions of any e-mail that contain specific references to the offending message. For example, if the suspect were using Hotmail, you could check the browser's ________, which shows where the user has been online.

Internet cache

A cryptographically random number sequence is characterized by:

Intersequence randomness.

Windows XP Mode (Definition: CH 6)

Introduced with Windows 7: Windows Virtual PC with a free and legal Windows XP VM preinstalled. (CH 6 Pg. 203)

_______________ are step-by-step instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

Procedures

Step-by-step instructions on how to implement the policies

Procedures can be described as:

It is no longer sufficient for a forensic investigator to be a self-taught technician. Further, a forensic specialist must be able to demonstrate knowledge and capability through independent sources. Which of the following are methods for demonstrating this knowledge and capability?

Professionalization & Certification

Which of the following does not represent a skill or qualification an expert witness must possess?

Programming background

What does a digital forensics certification accomplish?

Promotes competency

Additional online data entry controls

Prompting, closed-loop verification, and a transaction log

Without ___________, a forensic specialist will have difficulty presenting findings, or have courts accept investigative results.

Proper documentation

What is PHI?

Protected Health Information - individually identifiable health information that is transmitted by electronic media, maintained in any electronic medium, or maintained in any other form or medium.

HIPAA's Privacy Rule

Protects patients information so it is available to those who need to see it, while protecting that information from those who should not

What sort of trace analysis captures network interactions?

Protocol analysis

Embedded Systems (Definitions: CH 4)

ROM-based operating systems running on a computer embedded in a device such as a handheld computer or a smart kitchen appliance. (CH 4 Pg. 108)

Which common network protocols provide encryption for Application layer protocols, such as HTTPS?

SSL/TLS

The primary factor(s) behind data-sharing compliance between U.S. and European companies is/are?

Safe Harbor Provision, European Data Privacy Laws, U.S. FTC enforcement actions.

What term is used to describe fringe data that remains on the physical track of storage media after deletion, sweeping or scrubbing?

Shadow data

Uninterruptible Power Supply (UPS)

Should be considered for critical systems so that a loss of power will not halt processing.

When to do a Privacy Impact Assessment

Should be done early in a project and again whenever the methods of handling data change or significant changes are made to the environment

Terminate and Stay Resident (TSR) (Definitions: CH 4)

The characteristic of some small DOS programs that stay loaded in memory when inactive but can be quickly activated when needed. (CH 4 Pg. 111)

Security administrators should be concerned about security guards and custodial crews because:

These individuals have access to facilities at times when nobody else is around to view their activities.

A legal representative, a media representative and an HR representative, play what role on an incident response team?

They are specialists

Which of the following statements about risk is true?

The risk itself doesn't really change. However, actions can be taken to reduce the impact of the risk.

Which of the following correctly defines residual risk?

The risks still remaining after an iteration of risk management

What do you learn from the syntax of a command? (CH 4)

The rules for entering the command at the command line (CH 4)

How are penalty amounts set up?

They are tiered according to intent and extent of violation: Unknowing violations < Violations due to a reasonable cause < Willful Neglect < Uncorrected Violations

TEMPEST

Transient ElectroMagnetic Pulse Emanation STandard - describes both a program in the military to control electronic emanations from electrical equipment and the actual process for controlling the emanations.

Which of the following is involved with a code injection error?

SQL statement building, Input validation, JavaScript.

Which of the following are common methods of faking e-mails?

Spoofing, anonymous remailing, and spamming

What repository is the most important type of ambient data?

Swap file

_________ is digital documents stored on computer hard disk drives, CDs, flash drives, and other types of computer storage media that is authentic, accurate, complete, and convincing to juries and conforms to all applicable laws to be admissible in court

System Forensic Evidence

The process of methodically examining computer media as well as network components, software, and memory for evidence, including evidence on hard disks, tapes, compact disk (CDs) and other optical disks, flash drives, and other media, is:

System Forensics

The process of methodically examining computer media as well as network components, software, and memory for evidence, including evidence on hard disks, tapes, compact disks (CDs) and other optical disk, flash drives, and other media, is:

System Forensics

A _______ should provide an opinion of the system layout, the file structures discovered, and any discovered data and authorship information

System Forensics Specialist

A _____________ should provide an opinion of the system layout, the file structures discovered, and any discovered data and authorship information.

System forensic specialist

_______ was originally called computer forensics because it focused on hard drives and storage devices.

System forensics

__________ is digital documents stored on computer hard disk drives, CDs, flash drives, and other types of computer storage media that is authentic, accurate, complete, and convincing to juries, and conforms to al applicable laws to be admissible in court.

Systems forensics evidence

Private Rights of action

TCPA, FCRA, TSR

The military program to control electronic emanations from electrical equipment is called _______________.

TEMPEST

disclose

release or divulgence of information by an entity to persons or organizations outside of that entity

deceptive practice

representation, omission, or practice misleads or is likely to mislead a customer; a consumer's interpretation of the representation, omission, or practice is considered reasonable; and misleading representation, omission, or practice is material.

60

requests for access to PHI by consumers must be responded to by the facility within __ days

The ____ is the first opportunity to address security functionality during a project

requirements phase

GLBA Safeguards rule

requires financial institutions to develop and implement a comprehensive information security program. program must contain administrative, technical, and physical safeguards to protect info

effective change control

requires regular monitoring for unauthorized changes and sanctioning anyone who intentionally introduces such changes.

good change control

results in better overall operating performance: careful testing prior to implementation reduces the likelihood of making changes that cause system downtime, and thorough documentation facilitates quicker troubleshooting and resolution of any problems that do occur. The organization is also less likely to suffer financial or reputational harm from security incidents.

Input: Source data preparation and authorization; source data collection and entry; accuracy, completeness, and authenticity checks.

risk: Invalid, unauthorized, incomplete, inaccurate Controls: form design, cancellation and storage of documents, authorization and segregation of duties control, visual scanning, data entry controls

A ________ is software that prevents users from seeing all items or directories on a computer

rootkit

Intruders deploy ______ to conceal malware and gain undetected access to systems

rootkits

A ________ is a hardware or software device that forwards data packets across a network to a destination network.

router

minimum necessary requirement

rule that does not require the consent of the patient to transfer records to a facility for follow up care.

unfair trade practice

scope of term unfairness clarified in 1980 policy statement. Any unfair trade practice is any commercial conduct that causes substantial injury not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition

What is the name for the wireless local area network (LAN) standards for computer communication in the 2.4, 3.6, and 5 GHz frequency bands?

802.11

Which IEEE family of standards defines communication protocols for wireless LANs?

802.11

How many breaches justify a web posting or use of media to inform the public?

9

A small software update designed to address an urgent or specific problem is called a... A.) Hotfix B.) Service pack C.) Patch D.) None of the above

A

Which legal term refers to a defendant's mental state in committing a crime?

Criminal intent

What is the primary target of cyberwarfare attacks?

Critical infrastructure

A unique, alphanumeric identifier assigned to each user is called what? A.) A userID B.) Privilege C.) Single sign-on D.) Nickname

A

Why are drop ceilings generally undesirable for a computer forensic lab?

Drop ceilings may hide alternate access to the lab

DOS Prompt (Definitions: CH 4)

- Has a simple command-line interface - The user interface of DOS, also called the command prompt. It includes, at minimum, the current drive letter followed by a blinking cursor, indicating that the command interpreter is ready for input. (CH 4 Pg. 106)

app attacks -- types

- XSS
- cross-site request forgery
- SQL injection
- XML injection
- LDAP injection
- directory traversal/command injection
- arbitrary/remote code execution
- buffer overflow
- integer overflow
- locally shared objects
- zero-day
- cookies & attachments
- malicious add-ons
- session hijacking
- SMTP relays

app attacks -- SQL Injection

- server-side attack: SQL statements are used to map out the entire database and possibly modify entries
- the attacker can combine table and column names to retrieve the actual data stored in the database, and can add or update records
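Worked example (added here; not part of the flashcard set): the same login query written by string concatenation and with bound parameters, run against an in-memory SQLite database. It ties together the "SQL statement building" and "input validation" items from the code injection card above with this card's point about mapping the database: one payload bypasses the password check, another uses UNION to read table names out of sqlite_master, and both return nothing against the parameterized version. The schema, accounts and payloads are constructed for illustration.

```python
"""SQL injection: concatenated query versus bound parameters, on SQLite.
Added example; schema, users and payloads are constructed."""
import sqlite3


def make_db():
    """Fresh in-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement from user input; input can change the query's meaning."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with placeholders; the driver passes input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Constructed payloads. The trailing "--" comments out the password clause.
BYPASS = "alice' --"
# UNION pulls table names from SQLite's schema table: the "map out the database" step.
ENUMERATE_TABLES = "' UNION SELECT name FROM sqlite_master WHERE type='table' --"


def compare(username, password="x"):
    """Run one input through both versions and return the two result lists."""
    conn = make_db()
    return login_vulnerable(conn, username, password), login_safe(conn, username, password)


if __name__ == "__main__":
    for label, payload in (("bypass", BYPASS), ("enumerate", ENUMERATE_TABLES)):
        vuln, safe = compare(payload)
        print(f"{label:>9}: vulnerable -> {vuln}   parameterized -> {safe}")
    print("  genuine:", compare("bob", "hunter2"))
```

Once table names are known, the same UNION position can be pointed at column names and then at the rows themselves, which is the progression the card describes; parameter binding stops it at the first step because the quote and the comment marker stay inside the bound string.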

What are the administrative requirements of the HIPAA Privacy Rule?

1) A Privacy Officer and contact person for receiving complaints be designated, 2) All workforce members are given privacy training (with documentation showing such), 3) There are safeguards and mechanisms in place to safeguard information (administrative, technical, and physical safeguards), 4) There are written policies and procedures (and ongoing review of such) that comply with all standards and specifications.

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (First 6)

1) As required by law, 2) For public health activities, 3) To disclose PHI regarding victims of abuse, neglect, and domestic violence, 4) For health oversight activities, 5) For judicial and administrative proceedings, 6) For law enforcement purposes (6 situations),

What are the permitted uses and disclosures of PHI without written patient consent, but where the patient has the right to object?

1) Patient directory, and 2) Notification to relatives and friends.

What are the 2 key goals of the Privacy Rule?

1) Provide and individual with greater rights with respect to his or her health information, and 2) Provide greater protections for one's health information.

What are the permitted uses and disclosures of PHI without written patient consent where the patient cannot choose to object?

1) Public interest and benefit (12 situations), 2) TPO purposes, 3) To the individual, 4) Incidental disclosures, and 5) Use in limited data sets.

What are the 6 situations where PHI can be disclosed without authorization for law enforcement purposes?

1) Pursuant to legal process or otherwise required by law, 2) In response to request for identifying/locating a suspect, fugitive, material witness, or missing person, 3) In response to an official request about someone who is, or suspected to be a victim of a crime, 4) About a deceased person that may have happened from criminal conduct, 5) When it is believed in good faith that criminal conduct occurred on the CE's premises, and 6) In response to a medical emergency.

How can a CE properly ensure the de-identification of information?

1) Strip it of all identifying information (name, SSN, locations, dates, etc.), or 2) Have an expert apply generally accepted statistical and scientific principles to determine that the risk of identifying an individual is very small.

What are the 3 types of situations in which PHI is handled?

1) Use - internal to a covered entity or its business associate, 2) Disclosure - the dissemination of PHI from a CE or its BA, 3) Requests - those made by a CE or its BA.

When is the use or disclosure of PHI required, even without patient authorization?

1) When the patient or their representative requests access or accounting of disclosures (with exceptions), 2) When HHS is conducting an investigation, review, or enforcement action.

Who is authorized to see information?

1. Access is based on a Need-to-know basis 2. Not all members that contribute to the quality of care need to see patient information 3. Interns never record information they may hear about the patient if it pertains to their medical condition; doing so may be a HIPAA violation

How is Patient Information Used?

1. Billing Departments Use the information to bill patients and insurance companies 2. Quality Control Personnel Review the information for the purpose of monitoring patient care 3. Caregivers Use information to determine the care treatments patients will receive 4. Other uses are not allowed!!!!

Two FACTA rules

1. Disposal Rule 2. Red Flags Rule

Patient Rights

1. HIPAA requires that patients be made aware of their rights and how to protect their information 2. Health care providers are required to post notices for patients telling them how their health care information is used

Input control

1. If the data entered into a system are inaccurate, incomplete, or invalid, the output will be too. 2. Form design, cancellation and storage of source documents, and automated data entry controls are needed to verify the validity of input data

Patient Identification

1. Patient's Nurse 2. Patient's chart 3. White Board 4. Wrist Band 5. Open-ended question NOTE: USE AT LEAST TWO PATIENT IDENTIFIERS

operational process

1. Plan (adjust) 2. Implement 3. Monitor 4. Evaluate

Principles of a well design change control

1. All change requests should be documented and follow a standardized format that clearly identifies the nature of the change, the reason for the request, the date of the request, and the outcome of the request.
2. All changes should be approved by appropriate levels of management. Approval should be clearly documented to provide an audit trail.
3. To assess the impact of the proposed change on all five principles of reliability, changes should be thoroughly tested prior to implementation in a separate, non-production environment, not the system actually used for daily business processes.
4. All documentation should be updated to reflect authorized changes to the system.
5. Emergency changes or deviations from standard operating policies must be documented and subjected to a formal review and approval process as soon after implementation as practicable.
6. Backout plans need to be developed for reverting to previous configurations in case approved changes need to be interrupted or abandoned.
7. User rights and privileges must be carefully monitored during the change process to ensure that proper segregation of duties is maintained.

GLBA privacy rule

1. Provide clear, conspicuous notice of the financial institution's information-sharing policies and practices; 2. give customers the right to opt out of having nonpublic personal information shared with nonaffiliated third parties; 3. refrain from disclosing account numbers to any nonaffiliated third-party marketer (other than a consumer reporting agency, CRA); 4. comply with regulatory standards to protect the confidentiality and security of customer information.

common design features

1. Raised floors provide protection from flooding. 2. Fire detection and suppression devices reduce the likelihood of fire damage. 3. Adequate air-conditioning systems reduce the likelihood of damage to computer equipment due to overheating or humidity. 4. Cables with special plugs that cannot be easily removed reduce the risk of system damage due to accidental unplugging of a device. 5. Surge-protection devices provide protection against temporary power fluctuations that might otherwise cause computers and other network equipment to crash. 6. An uninterruptible power supply (UPS) provides protection in the event of a prolonged power outage; it uses battery power to enable the system to operate long enough to back up critical data and shut down safely. 7. Physical access controls reduce the risk of theft or damage.

A forensics lab work area requires approximately ___ square feet.

150

In what year did the U.S. Congress make identity theft a crime?

1998

definition

1st Phase of Software Development Lifecycle (SDLC) Stating goals and objectives for a development project. (Associated job title: Project Manager)

front (presentation)

1st tier of a web application; this is what the user sees when opening a web application on a PDA, mobile phone or desktop computer. Everything in this tier (the HTML used to lay out the page, the CSS and the JavaScript) is delivered to the client and can be read and modified by the user, so nothing in it can be relied on as a security control; checks done here must be repeated on the server. Common technologies: HTML, CSS, JavaScript

When using FDISK to prepare a primary partition for MS-DOS 6.22, what is the maximum size you can create? (CH 4)

2 GB (CH 4)

What are the 12 public interest and benefit situations where PHI may be disclosed without patient consent? (last 6)

7) Regarding decedents (i.e. to coroner or ME), 8) For cadaver organ, eye, or tissue donation, 9) For research (with limitations), 10) To prevent or lessen serious threat to health or safety, 11) For essential government functions, 12) For workers comp.

When did Microsoft introduce Windows XP as a new product? (CH 5)

2001 (CH 5)

analysis

2nd Phase of Software Development Lifecycle (SDLC) Determine specific problem to be solved. A lot of time is spent with the client determining what the existing system does and what it should do. (Associated job title: Business Analyst)

You have just installed Windows XP Professional and did not choose to activate it when prompted during the installation process. How long do you have to activate it before Windows XP stops working? (CH 5)

30 Days (CH 5)

How long does a CE have to provide requested information?

30 days, and up to 30 days more if written notice is given as to why and the expected date of availability (60 days if the information is stored off-site).

design

3rd Phase of Software Development Lifecycle (SDLC) This is the phase where it is decided how the system should be developed. (Associated job title: Architect)

programming

4th Phase of Software Development Lifecycle (SDLC) Breaks the problem down into instructions for the computer to follow in order to accomplish a task. There are several sub-phases involved in Programming. (Associated job titles: Developer/Programmer)

How many items that require corrective action appear on a typical ASCLD assessment findings report?

5 to 15

test

5th Phase of Software Development Lifecycle (SDLC) Once the program has been developed, it is tested to see how it works, how it integrates with the system and whether or not it handles data correctly. (Associated job titles: Tester or QA)

How much minimum free disk space is required when you install MS-DOS 6.22 or IBM PC-DOS 2000 onto the hard drive of a computer? (CH 4)

6 MB (CH 4)

How long does a CE have to produce an accounting of disclosures?

60 days and an extension of 30 days if notification is given to the patient

How long does a CE have to respond to a request for amendment to information?

60 days and up to 30 more if given a written notice as to why/ETA.

implementation

6th Phase of Software Development Lifecycle (SDLC) Once the testing phase is complete, the system is installed or "rolled-out" according to the user's needs. (Associated job title: Project Manager and Business Analyst)

An attack conducted by supplying more data than is expected is called: A.) A buffer overflow B.) Relaying C.) Smurfing D.) Access list trashing

A

For organizations that draw a distinction between a BCP and a DRP, which of the following is true? A.) The BCP will detail the functions that are most critical and outline the order that critical functions should be returned to service to maintain business operations. B.) The BCP will be a subset of the DRP. C.) The DRP will outline the minimum set of business functions required for the organization to continue functioning. D.) The DRP will always be developed first and the BCP will normally be an attachment to this document.

A

Microsoft's way of bundling updates, fixes, and new functions into a large, self-installing package is called a.... A.) Service pack B.) Hotfix C.) Upgrade D.) Firmware update

A

Secure Shell provides for... A.) Secure remote access channels B.) Implementing a VPN connection C.) An open source method of implementing encryption technology D.) AAA functions in an enterprise

A

TCP wrappers do what? A.) Help secure the system by restricting network connections B.) Help prioritize network traffic for optimal throughput C.) Encrypt outgoing network traffic D.) Strip out excess input to defeat buffer overflow attacks

A

What is the commonest threat to token-based access controls? A.) Loss or theft of the token B.) Demagnetization of the strip C.) A system crash D.) Forgetting the password

A

Which of the following correctly defines documentary evidence? A.) Evidence in the form of business records, printouts, manuals, and other items B.) The knowledge of these facts is obtained through the five senses of the witness. C.) Used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred D.) Physical evidence that links the suspect to the scene of a crime

A

Which of the following correctly defines evidence as being relevant? A.) The evidence is material to the case or has a bearing on the matter at hand B.) The evidence is presented in the form of business records, printouts, or other items. C.) The evidence is convincing or measures up without question. D.) The evidence is legally qualified and reliable

A

Why is it important that security exercises be conducted? A.) To provide the opportunity for all parties to practice the procedures that have been established to respond to a security incident. B.) Determine if the organization's plan and the individuals involved perform as they should during a simulated security incident. C.) Determine if processes developed to handle security incidents are sufficient for the organization. D.) All of the above

A

Why is physical security so important to maintain good network security? A.) Because physical access defeats almost all network security measures B.) Because the majority of attacks are performed by company insiders C.) Because the attacker can now steal all the biometric identities D.) Because encryption is not involved

A

a security feature even more common than a lock is a? A.) Physical barrier B.) Card reader C.) Hand geometry reader D.) Security guard

A

biometrics are access controls that employ? A.) Something physically unique about the individual. B.) Something physical that the user has (such as a key). C.) Something that the user knows. D.) The location of the user.

A

which of the following is not an asset? A.) equipment failure B.) hardware C.) inventory D.) cash

A

Live CD (Definitions: CH 4)

A CD or DVD from which you can boot an OS without requiring any part of the OS to be resident on a hard disk. (CH 4 Pg. 114)

Internal Command (Key Terms: CH 4)

A DOS command that is part of the COMMAND.COM program and is always available when DOS is running is called a/an ___. (CH 4)

Security Policy

A High level statement produced by senior management that outlines both what security means to the organization and the organization's goals for security.

_________ is an individual who performs general management tasks for a computer forensics lab, such as promoting group consensus in decision making, maintaining fiscal responsibility for lab needs, and enforcing ethical standards among staff members.

A Lab Manager

Startup Repair (Definition: CH 6)

A Window's recovery tool that will scan for problems with missing or damaged system files and attempt to replace the problem files. (CH 6 Pg. 203)

Aero Snap (Definition: CH 6)

A Windows Aero feature that lets you manipulate windows quickly. For instance, to maximize a window, drag it until its title bar touches the top edge of your display. Restore a maximized window by dragging it away from the top of the display. (CH 6 Pg. 196)

Aero Shake (Definition: CH 6)

A Windows Aero feature that lets you quickly minimize all but one window by giving that window a quick shake. (CH 6 Pg. 198)

Flip 3D (Definition: CH 6)

A Windows Aero feature that lets you switch through your open windows as if they were in a stack of cards or photos. (CH 6 Pg. 195)

Windows Update (Definitions: CH 5)

A Windows program that allows you to interactively connect to the Windows Update Web page. (CH 5 Pg. 148)

Device Manager (Definitions: CH 5)

A Windows recovery tool that aids in troubleshooting device problems. This Windows Control Panel applet displays the list of hardware and the status and properties of each device. Use this to disable a device or to update or roll back a device driver. (CH 5 Pg. 149)

Windows Memory Diagnostic Tool (Definition: CH 6)

A Windows recovery tool that tests the system's RAM, because RAM problems can prevent Windows from starting. (CH 6 Pg. 203)

System Image Recovery (Definition: CH 6)

A Windows recovery tool that will let you restore a complete PC Image backup, providing you created one. This is a replacement for the Automated System Recovery (ASR) tool previously found in Windows XP. (CH 6 Pg. 203)

Last Known Good (LKG) Configuration (Definitions: CH 5)

A Windows start-up option for start-up failures due to a configuration change. It lets you restore the system to a single restore point (not called that), and you only have a narrow window of opportunity in which you can use ___ --- on the first reboot after making a configuration change, and before logging on. (CH 5 Pg. 149)

Automatic Update (Definitions: CH 5)

A Windows utility that you can configure to automatically connect to the Microsoft site and download updates. (CH 5 Pg. 148)

Program Compatibility Wizard (Definitions: CH 5)

A Windows wizard that enables you to set compatibility options for an older application that will "trick" the older program into thinking that the OS is actually the earlier version of Windows required by the application (such as Windows 95). You can also set these options manually from the properties of the application's shortcut or program file. (CH 5 Pg. 188)

Restore Point (Key Terms: CH 5)

A ___ is like a snapshot of Windows XP settings at a certain point in time. (CH 5)

The Morris worm exploited:

A buffer overflow in UNIX (a stack overflow through the unbounded gets() call in the BSD fingerd daemon, alongside a sendmail debug-mode hole and password guessing).
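
An added example, not from the page or any of the textbooks it draws on, for the two buffer-overflow cards above (the definition "supplying more data than is expected" and the Morris worm): a 16-byte stack buffer filled with strcpy(), beside a bounded copy that measures first and refuses input that does not fit. The function names, the 16-byte size and the 64-byte constructed input are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* assumed fixed buffer size for the demo */

/* VULNERABLE: strcpy() has no idea how large `name` is. Input longer than
 * 15 bytes plus the terminator runs past the buffer into whatever the
 * compiler placed after it on the stack (other locals, the saved frame
 * pointer, the return address); that overwrite is the whole attack. The
 * Morris worm hit the same pattern through gets() in fingerd. Kept here
 * only to show the defect; it is never called. */
void copy_name_unsafe(const char *input) {
    char name[NAME_LEN];
    strcpy(name, input);
    printf("hello %s\n", name);
}

/* BOUNDED: measure without scanning past dst_size, then refuse anything
 * that does not fit including the NUL. Rejecting beats silent truncation,
 * which creates its own bugs (a cut-off path or command). Returns 0 on
 * success, -1 if the input is too long for the buffer. */
int copy_name_bounded(char *dst, size_t dst_size, const char *input) {
    size_t len = 0;
    while (len < dst_size && input[len] != '\0')
        len++;
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, input, len);
    dst[len] = '\0';
    return 0;
}

/* Same 16-byte stack buffer as the unsafe version, via the bounded copy. */
int accept_name(const char *input) {
    char name[NAME_LEN];
    int rc = copy_name_bounded(name, sizeof name, input);
    if (rc == 0)
        printf("hello %s\n", name);
    else
        printf("rejected: %zu bytes offered for a %d-byte buffer\n",
               strlen(input), NAME_LEN);
    return rc;
}

/* Constructed attack-style input: 64 'A's, four times the buffer. */
const char *overlong_input(void) {
    static char s[65];
    memset(s, 'A', 64);
    s[64] = '\0';
    return s;
}

int main(void) {
    accept_name("alice");
    accept_name(overlong_input());
    /* copy_name_unsafe(overlong_input()) would smash the stack here. */
    return 0;
}
```

The boundary case is the one compilers and reviewers miss: a 15-character name fits, a 16-character name does not, because the terminator needs its own byte. Build with stack protection and fortified libc (for gcc, -fstack-protector-strong and -D_FORTIFY_SOURCE=2) so the unsafe version at least aborts rather than silently running attacker data.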

HIPAA definition

A catalyst for change in American health care Federal legislation focused on healthcare reform A complex and far-reaching set of healthcare regulatory requirements

What is the EnCase Certified (EnCe) Examiner Certification?

A certification offered by Guidance Software, the creator of the EnCase software. The certification is open to the public and private sectors. This certification focuses on the use and mastery of systems forensics analysis using EnCase

Recovery Console (Definitions: CH 5)

A character-mode boot-up environment with a command-line interface, accessed either from the installation disk or from the hard drive if you installed it from the disk. You can enter advanced command-line commands to attempt to recover from a major OS failure. (CH 5 Pg. 149)

Legacy computer systems were commonly sold as bundled products. What are bundled products?

A collection of hardware, software, maintenance, and support sold for a single price.

Operator (Definitions: CH 4)

A command line operator is a symbol, such as the vertical bar (|) and the greater-than sign (>), that affects the behavior of commands. (CH 4 Pg. 125)

External Command (Definitions: CH 4)

A command program stored on disk, rather than within the operating system code that remains in memory. MS-DOS looks for an external command program on disk if it cannot find it in memory. (CH 4 Pg. 122)

Internal Command (Definitions: CH 4)

A command program within the operating system code that remains in memory. MS-DOS internal commands are stored within COMMAND.COM. (CH 4 Pg. 122)

Upgrade Advisor (Definitions: CH 5)

A compatibility checker that you can run from the Windows XP CD by selecting Check System Compatibility on the Welcome To Microsoft Windows XP screen that runs automatically (autorun) or after invoking the Setup program. (CH 5 Pg. 150)

File Attribute (Definitions: CH 4)

A component of file or directory entries that determines how an operating system handles the file or directory. In the FAT file system, the attributes are read-only, archive, system, hidden, volume label, and directory. (CH 4 Pg. 128)

Privacy notice

A covered entity's written policies and procedures for protecting its patients PHI

What is meant by protocol bending?

A covert channel technique that involves the use of a network protocol for some unintended purpose

What is meant by consistency checking?

A data recovery technique that involves scanning the logical structure of the disk and checking to make sure it is consistent with its specification

Subdirectory (Definitions: CH 4)

A directory contained within another directory. It is sometimes called a child directory. (CH 4 Pg. 129)

Boot Drive (Definitions: CH 4)

A drive containing the files required to load an OS into memory (the boot files). (CH 4 Pg. 108)

BitLocker (Definition: CH 6)

A feature in the Enterprise and Ultimate editions of Windows Vista and Windows 7 for encrypting the drive on which the Windows OS resides and (beginning in Windows 7) other drives beyond the system drive. ____ is off by default. ____ works with a Trusted Platform Module chip in the computer so that if the drive is removed, it cannot be decrypted. (CH 6 Pg. 202)

Pinning (Definition: CH 6)

A feature introduced in Windows 7 that allows you to place icons for applications and destinations on the taskbar and Start menu. Once _____, an item's icon remains on the toolbar regardless of whether the program is open or closed. Simply click it to open the application or destination. (CH 6 Pg. 198)

Library (Definition: CH 6)

A feature introduced in Windows 7, in which a library is a special folder with pointers to disk folders that can be in many locations, but will all appear to be in the same ____. (CH 6 Pg. 201)

Live File System (Definition: CH 6)

A file format used by Windows 7 to burn discs that will only be used on newer Apple Macs and newer PCs (Windows XP or a newer OS). Using ___ ___ ___ you can directly copy items to the disc without requiring extra hard drive space. You can copy items individually, over time, either by leaving the disc in the drive or by reinserting the disc multiple times. (CH 6 Pg. 226)

A member of an incident response team testifies that she identified the computer program that deleted customer records at a specified date and time. This is an example of:

A forensic specialist providing testimony to support the conclusions of their analysis

Business Partnership Agreement (BPA)

A legal agreement between partners establishing terms, conditions, and expectations on the relationship between the partners.

Memorandum of Understanding (MOU)

A legal document used to describe a bilateral agreement between two parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal.

Which of the following correctly defines a Gantt chart?

A management tool for diagramming schedules, events, and activity duration

Which of the following is not a viable option when dealing with risk?

A manager can take action to increase risk.

Activation (Definitions: CH 5)

A method of combating software piracy, intended to ensure that each software license is used solely on a single computer. Many vendors now use ___. Microsoft's implementation of activation is Microsoft Product ___ (MPA). (CH 5 Pg. 152)

Cold Boot (Definitions: CH 4)

A method of starting up a computer by turning on the power switch. (CH 4 Pg. 137)

Protected Mode (Definitions: CH 4)

A mode of modern processors that allows the processor and the OSs to access vast amounts of memory addresses. This mode also supports multitasking, a basic feature of today's Windows, OS X, and Linux OSs. (CH 4 Pg. 109)

What is a bit stream backup?

A more thorough method of backing up data than a standard backup

Which of the following best describes the RCFL Program?

A national network of forensic laboratories and training centers

Which of the following is the definition of topologies?

A network design that specifies the devices, locations, and cable installation as well as how data is transferred in the network.

What is meant by server-based network?

A network in which a central server manages which users have access to which resources through a database called a directory. This is the best option when an organization has 10 or more network users.

AppLocker (Definition: CH 6)

A new feature in Windows 7 for controlling which applications each user can run, reducing the chance of malware running on the user's computer. Administer ___ with Group Policy, centrally managed through a Windows Active Directory domain. (CH 6 Pg. 202)

What is the notice of privacy practices?

A notice explaining how an individual's PHI will be used or disclosed, along with their rights, and the CE's legal duties.

Extended Partition (Definitions: CH 4)

A partition type that can contain one or more logical drives, each of which can use a portion of the partition. FDISK can create only two partitions on a physical drive; only one can be primary, and one can be extended. MS-DOS will boot from a primary partition, but not from an extended partition. (CH 4 Pg. 112)

Primary Partition (Definitions: CH 4)

A partition type that can only have one logical drive, which is assigned to the entire space defined by the partition. MS-DOS and Windows 9x can only have a single ___ partition, while Windows NT/2000/XP can have up to four ___ partitions. (CH 4 Pg. 112)

What are business associates?

A person or organization, other than a member of a covered entity's workforce, that performs functions or activities on behalf of or to a covered entity that involves the use or disclosure of PHI (i.e. consultants, billing companies, transcription companies, accounting firms, and law firms).

What is meant by real evidence?

A physical object that someone can touch, hold, or directly observe, such as a laptop with a suspect's fingerprints on the keyboard, or a hard drive, or a universal serial bus (USB) drive, or a handwritten note

which of the following is not involved with a code injection error

A pointer in the C language

Incident Response Policy

A policy outlining how an organization will prepare for security incidents and respond to them when they occur

Logical Drive (Definitions: CH 4)

A portion of a physical hard drive that is treated as a separate drive and assigned its own drive letter. (CH 4 Pg. 111)

Task Manager (Definitions: CH 5)

A program for removing errant programs. This Windows utility allows you to see the state of the individual processes running on the computer and to stop one of them, if necessary. (CH 5 Pg. 149)

Utility (Definitions: CH 4)

A program that allows you to perform handy tasks, usually computer management functions or diagnostics such as upgrading the program in your computer's ROM-BIOS or looking for errors on your disk. (CH 4 Pg. 109)

Which of the following is the definition Hypertext Transfer Protocol (HTTP)?

A protocol that is involved in requesting and transmitting files over the Internet or another network; a protocol used for most Web browser/Web server communication

What is meant by log file?

A record that a network device keeps of a person's activities on a system or network.

System Restore (Definitions: CH 5)

A recovery tool that creates restore points, which are snapshots of Windows, its configuration, and all installed programs. If your computer has nonfatal problems after you have made a change, you can use ___ ___ to roll it back to a restore point. (CH 5 Pg. 149)

Warm Boot (Key Terms: CH 4)

A restart of DOS that does not require a power-down/power-up computer cycle is a ___. (CH 4)

Privacy Impact Assessment

A risk management tool to help develop and advance strategy by identifying gaps in privacy coverage and determining how to address them

What is an evidence storage room?

A room that stores large computer components, such as computers, monitors, and other peripheral devices. It may or may not be within the lab itself

What is the minimum necessary standard and who does it apply to?

A rule that applies to covered entities and their workforce (providers and other CEs) requiring them to limit uses, disclosures, and requests of PHI to the minimum amount needed to accomplish the intended purpose. It does not apply to disclosures to, or requests by, a health care provider for treatment purposes, to disclosures to the individual, or to uses or disclosures made under the individual's authorization (payment and operations uses remain subject to it).

Windows Preinstallation Environment (PE) (Definition: CH 6)

A scaled-down Windows operating system. Much like the old Windows Setup program, it has limited drivers for basic hardware and support for the NTFS file system, TCP/IP, certain chipsets, mass storage devices, and 32-bit and 64-bit programs. Windows PE supports the Windows Setup GUI, collecting configuration information. (CH 6 Pg. 208)

Add Printer Wizard (Definitions: CH 5)

A series of onscreen instructions that guide you through the installation of a printer's driver and utilities. (CH 5 Pg. 166)

In the United States, company responses to data disclosures of PII are regulated by:

A series of state statutes.

Syntax (Definitions: CH 4)

A set of rules for correctly entering a specific command at the command line. The rules include the placement of the command name and the parameters that you can use to modify the behavior of the command. (CH 4 Pg. 124)

The term waterfall is associated with which of the following?

A software engineering process model.

Environment (Definitions: CH 4)

A special area of memory used to store messages to DOS and other programs. (CH 4 Pg. 136)

Interconnection Security Agreement (ISA)

A specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements for the interconnection.

Safe Mode (Definitions: CH 5)

A start-up mode in which Windows starts without using all of the drivers and components that would normally be loaded. Use ___ ___ when your Windows computer will not start normally. (CH 5 Pg. 149)

_________ automates the data collection process by using scripts and data collection software whenever possible. Automation provides the advantages of faster collection and error-free execution of the procedure.

A toolkit

Which of the following is the definition of Moore's Law?

A trend in which the number of transistors on an integrated circuit doubles approximately every two years

Which of the following are important factors in maintaining the chain of custody? Select 3 a. Keeping evidence within an investigator's possession or control at all times b. Locking the evidence in an airtight chamber c. Documenting the collection and movement of evidence d. Securing the evidence appropriately so it can't be tampered with e. Videotaping all data collection

A, C & D

1. An organization needs to improve fault tolerance to increase data availability. However, the organization has a limited budget. Which of the following is the BEST choice to meet the organization's needs? A. RAID B. Backup system C. Cluster D. UPS

A. A redundant array of inexpensive disks (RAID) system would provide fault tolerance for disk drives and increase data availability if drives fail. A backup system improves data availability because you can restore data after data is lost or corrupt. However, a backup system does not provide fault tolerance. A cluster provides fault tolerance at the server level and ensures a service continues to operate even if a server fails. However, a cluster is more expensive than a RAID. An uninterruptible power supply (UPS) provides short-term power after a power failure but does not directly increase data availability.

5. Your organization hosts a high-volume web site, which generates a significant amount of revenue. You are asked to recommend a method to increase the availability of this web site. Which of the following choices is the BEST choice? A. Load balancing B. Hot site C. WAF D. UTM

A. Load balancing adds additional servers to a service and shares the load among the servers. This increases availability because a single server is not overloaded and additional servers can be added as needed. A hot site supports operations at an alternate site after a disaster, but it is very expensive and not the best choice if you only want to increase the availability of a web site. A web application firewall (WAF) and a unified threat management (UTM) device both provide security, but they do not directly address availability.

20. Which of the following is an environmental control? A. EMI shielding B. Fencing C. Video surveillance D. Motion detection

A. Electromagnetic interference (EMI) shielding provides protection against interference from electromagnetic sources such as fluorescent lights. Fencing, video surveillance, and motion detection are all physical security controls.

19. An attacker was able to sneak into your building but was unable to open the server room door. He bashed the proximity badge reader with a portable fire extinguisher and the door opened. What is the MOST likely reason that the door opened? A. The access system was designed to fail-open. B. The access system was designed to fail-close. C. The access system was improperly installed. D. The portable fire extinguisher included a proximity badge.

A. In this scenario, the most likely reason that the door opened was because the access system was designed to fail-open for personnel safety. If the system was designed to fail-close, then employees would be trapped inside during a fire or other disaster. Nothing in the scenario indicates the system was improperly installed. A fire extinguisher would not include a proximity badge, and it wouldn't work if the proximity reader was destroyed.

Which of the following are types of intellectual property theft? (Select two) A. Piracy B. Extortion C. Theft of trade secrets D. Identity theft E. Phishing

A. Piracy & C. Theft of trade secrets

2. Your organization hosts a web site with a back-end database server. During a recent power outage, the server crashed, resulting in a significant amount of lost data. Which of the following can your organization implement to prevent this loss from occurring again? A. Redundancy B. Disaster recovery procedures C. Warm site D. Higher RTO

A. Server redundancy solutions such as a failover cluster would prevent this type of loss. Additionally, a power redundancy solution such as an uninterruptible power supply (UPS) would prevent this. Disaster recovery procedures help restore the systems after a disaster, but they wouldn't prevent the incident. A warm site is an alternate site, but it wouldn't prevent data loss. The recovery time objective (RTO) identifies the time period in which you plan to restore a system after an outage, but it doesn't prevent a loss.

9. You are helping implement your company's business continuity plan. For one system, the plan requires an RTO of five hours and an RPO of one day. Which of the following would meet this requirement? A. Ensure the system can be restored within five hours and ensure it does not lose more than one day of data. B. Ensure the system can be restored within one day and ensure it does not lose more than five hours of data. C. Ensure the system can be restored between five hours and one day after an outage. D. Ensure critical systems can be restored within five hours and noncritical systems can be restored within one day.

A. The recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage. The recovery point objective (RPO) refers to the amount of data you can afford to lose, expressed as the age of the last usable copy. RTO refers only to time, not data; RPO refers to data recovery points, not the time to restore a system.

Add Printer Wizard (Key Terms: CH 5)

A/an ___ belongs to just one group, Local Users. (CH 5)

Library (Key Terms: CH 6)

A/an ___ folder contains pointers to multiple locations on your local computer and network, allowing you to work with these files as if they were all stored in a single location. (CH 6)

Gadget (Key Terms: CH 6)

A/an ___ is a small program that performs some small function, usually displaying information in a small screen object. (CH 6)

File Attribute (Key Terms: CH 4)

A/an ___ is one of a special set of file directory entries that indicate certain properties, such as read-only, archive, system, or hidden. (CH 4)

Primary Partition (Key Terms: CH 4)

A/an ___ is the only hard disk partition type from which you can start MS-DOS. (CH 4)

Which term describes extra streams within a file some criminals use to hide data or embed executable malware?

ADS

______ can be modified to embed executable malware

ADS

The asset value of a small distribution warehouse is $5 million, and this warehouse serves as a backup facility. Its complete destruction by a disaster would take away about 1/5 of the capability of the business. Which of the following is the calculated annualized loss expectancy (ALE)?

ALE = $20,000. Working: SLE = asset value × exposure factor = $5,000,000 × 0.2 = $1,000,000, and ALE = SLE × ARO. The card omits the annualized rate of occurrence; $20,000 corresponds to an ARO of 0.02 (one such disaster expected every 50 years): $1,000,000 × 0.02 = $20,000.

Who is subject to breach regulations under ARRA? Under the FTC?

ARRA - HIPAA covered entities and business associates FTC - noncovered entities and non-BAs (i.e. PHR vendors)

What act allows patients to request restrictions of PHI (for TPO purposes) and in what circumstances?

ARRA unless a patient pays completely out of pocket and the CE entity agrees (not required to do so).

Which organization provides extensive guidelines for managing a forensics lab?

ASCLD

HIPAA requires the following controls for medical records:

Administrative, technical, and physical controls.

HIPAA Security Rule

Administrative; Technical; Physical Safeguards

What all-powerful user account built into Windows is disabled by default? (CH 6)

Administrator (CH 6)

Which rule of evidence ensures that evidence can be used in court?

Admissibility

What term is used to describe an event with negative consequences, such a system crash, network packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malicious code that destroys data?

Adverse events

This Windows Vista and Windows 7 feature requires a video card that supports (at a minimum) DirectX 9.0 and Shader Model 2.0. (CH 6)

Aero (CH 6)

What is the name for the desktop feature in Windows 7 that allows you to quickly minimize all but the current window with a simple mouse movement? (CH 6)

Aero Shake (CH 6)

Regarding ADS, which statement is most true?

All are true

To which of the domains in the typical IT infrastructures does systems forensics apply?

All domains

Full backup

All files are backed up onto a storage media.

Taking which measure will ensure that the work of a forensic specialist will be admissible in any court proceedings?

All forensic investigations should be conducted using strict rules of evidence and maintaining the chain of custody

Cloud computing presents numerous challenges for forensic specialists. Which does not apply?

All of the above

Many types of devices may be able to capture and store data useful in a digital forensic investigation. Which of the following is an example?

All of the above

Today, system forensics is also referred to as:

All of the above

Least privilege applies to:

All resource requests from applications to other entities

Least privilege applies to:

All resource requests from applications to other entities.

After booting up a suspect system, do the following:

All the above

Gaining access to digital data is often difficult. A forensic specialist may not be able to gain access to data for a number of reasons. Which item below does NOT apply?

All these reasons apply

What is the term for data stored in the Windows swap file, unallocated space, and file slack? (It includes e-mail fragments, word processing fragments, directory tree snapshots, and potentially almost anything that has occurred on the subject computer.)

Ambient computer data

What is ARRA and when was it signed into law?

American Recovery and Reinvestment Act (2009)

HVAC

An Environmental issue related to the availability of a computer system or network.

Once an organization's security policies have been established, the single most effective method of countering potential social engineering attacks is:

An active security awareness program

Clean Installation (Definitions: CH 5)

An installation of an OS onto a completely empty new hard drive or one from which all data is removed during the installation. (CH 5 Pg. 151)

Upgrade (Definition: CH 6)

An installation of an OS that installs directly into the folders in which a previous version was installed, preserving all your preferences and data. (CH 6 Pg. 206)

Multi-Boot (Definition: CH 6)

An installation that leaves an old OS in place, installing a new OS in a separate location. This allows you to select the OS you wish to boot into every time you start the computer. (CH 6 Pg. 206)

Which of the following describes the American Society of Crime Laboratory Directors (ASCLD)?

An organization that provides guidelines for managing a forensics lab. ASCLD also certifies computer forensics labs.

What is a breach?

An unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information.

Which certification is considered vendor-specific, that is, it focuses on a certain forensics tool offered by a vendor?

EnCase Certified Examiner

To search a hard drive for forensic evidence, an investigator should prepare a list of keywords to search for. What are the three main areas of a system that should be searched for those keywords? Select 3 a. C:drives b. Swap file c. Recycle Bin d. File slack e. Unallocated space

B, D, & E

What are examples of covered entities?

Healthcare providers, health plans, and healthcare clearinghouses.

Which of the following does not represent a commercial forensic tool?

Helix

Who may be penalized for HIPAA/Privacy Rule violations?

CEs, BAs, and employees of these

The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt is known as:

Backdoor

How does multiple-factor authentication improve security? A.) It denies access to the attacker multiple times. B.) By using a combination of authentications, it is more difficult to gain access by pretending to be an authorized user. C.) By using biometrics, no other person can authenticate. D.) It restricts users to smaller spaces.

B

What term is used to describe a copy of data that can be used to restore data if it is lost or corrupted?

Backup

Last Known Good (LKG) only works within a narrow window of time that ends when what occurs? (CH 5)

Any user logs on. (CH 5)

What is a simple initial test to determine if a hard disk drive has suffered a catastrophic failure?

Attach the drive to a test system, boot the computer, and listen for sounds of a spinning drive

Most challenges to computer evidence in court relate to what aspect of evidence?

Authenticity

Data destruction, data hiding, data transformation, data contraception, data fabrication, and file system alteration are all examples of:

Anti-forensic activities

A suspect utilizing a tool to wipe the slack space of his computer is an example of which of the following?

Anti-forensics

What are actions that perpetrators take to conceal their location, activities, or identity?

Anti-forensics

Protected health information (PHI)

Any identifiable patient health information regardless of the form in which it is stored

CA breach law

Any person or business that owns or licenses computerized data that includes personal information must disclose any breach of the security of that system to all California residents whose unencrypted personal information was acquired by an unauthorized person

Protected Health Information

Any piece of information that identifies or could be used to identify a specific individual, as it is referred to in the healthcare setting

Health care provider

Any professional who provides health care services

Covered entity

Any provider, health plan, or clearinghouse to which the Privacy Rule applies

A prominent argument among system forensics specialists is whether to conduct analysis on a dead system or a live system. Regardless of the mode that's used, it's advisable to keep in mind the "three A's". Which of the following is NOT one of the recommended "three A's"?

Apply hardware fingerprinting

Information that needs to be stored securely for 10 years or more would most likely be stored in which type of file?

Archive

User Habits

Are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.

Evidence an investigator needs may be located on a business critical system. In this case, the investigator should:

Arrange to image the drives during off-hours rather than disrupt the business functions

Data that an attacker leaves behind when compromising a system, such as code fragments, trojaned programs, running processes, or sniffer log files, is the definition of:

Artifact

Disclosure

As defined by HIPAA, the sharing of information between health care professionals working in separate entities, or facilities, in the course of caring for a patient

Use

As defined by HIPAA, the sharing of information between people working in the same health care facility for the purpose of caring for a patient. With respect to individually identifiable health information, it means the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.

Workforce

As defined in the HIPAA law, includes everyone involved with a covered entity whether or not they are full time and whether or not they get paid: an employee within a Covered Entity, or any member of a service contracted with a facility that does not make use of PHI, e.g., laundry, cleaning services, etc.

When is testing best accomplished?

As early as possible in the process

How long does a CE have to inform an individual that their PHI has been breached?

As quickly as possible and within 60 days if there is "imminent misuse."

During which phase of an incident response plan is the determination made whether the incident is a true incident or a false positive?

Assessment

Single loss expectancy (SLE) can best be defined by which of the following equations? A.) SLE = annualized loss expectancy × annualized rate of occurrence B.) SLE = asset value × exposure factor C.) SLE = asset value × annualized rate of occurrence D.) SLE = annualized loss expectancy × exposure factor

B

When discussing privilege management, MAC stands for: A.) Media Access Control B.) Mandatory Access Control C.) Mandatory Availability Criteria D.) Modified Access Credentials

B

Which of the following correctly defines qualitative risk management? A.) The process of objectively determining the impact of an event that affects a project, program, or business. B.) The process of subjectively determining the impact of an event that affects a project, program, or business. C.) The loss that results when a vulnerability is exploited by a threat. D.) To reduce the likelihood of a threat occurring.

B

Which of the following is a step-by-step set of instructions that describe exactly how employees are expected to act in a given situation or to accomplish a specific task? A.) Policy B.) Procedure C.) Guideline D.) Standard

B

Which of the following is a technology risk? A.) Contract management B.) Security and privacy C.) Environmental risk management D.) Revenue management

B

Which of the following is the name for a partially configured environment usually having the peripherals and software that the normal processing facility contains that can be operational within a few days? A.) Hot site B.) Warm site C.) Online storage system D.) Backup storage facility

B

Which of the following statements about risk is true? A.) A manager can accept the risk, which will reduce the risk B.) The risk itself doesn't really change. However, actions can be taken to reduce the impact of the risk. C.) A manager can transfer the risk, which will reduce the risk. D.) A manager can take steps to increase the risk

B

Why should security guards get cross-training in network security? A.) They are the only people in the building at night. B.) They are the eyes and ears of the corporation when it comes to security. C.) They have the authority to detain violators. D.) They are more qualified to know what a security threat is

B

Social engineering attacks work so well because the individual who is the target of the attempted attack: A.) Is usually too busy with other things to worry about security. B.) Often either genuinely wants to help or is trying to avoid a confrontation, depending on the specific approach the attacker is taking. C.) Was specifically chosen by the attacker because they are new to the organization and can't tell that the story they are being fed is bogus. D.) Knows the attacker.

B

When a biometric device has a false positive, it has: A.) Generated a positive charge to the system that needs to be compensated for. B.) Allowed access to a person that is not authorized. C.) Denied access to a person that is authorized. D.) Failed, forcing the door it controls to be propped open.

B

When should a human security guard be used for physical access control? A.) When other electronic access control mechanisms will not be accepted by employees B.) To avoid issues such as piggybacking, which can occur with electronic access controls C.) When other access controls are too expensive to implement D.) When the organization wants to enhance its image

B

7. A business continuity expert is creating a BIA. Which of the following elements is MOST likely to be omitted from the BIA? A. List of critical systems and functions B. Recommended solutions C. Critical downtime limit D. Potential loss

B. A business impact analysis (BIA) does not include recommended solutions. It does identify critical systems and functions, dependencies, critical downtime limits, potential scenarios causing a loss, and the potential loss.

8. After a recent attack causing a data breach, an executive is analyzing the financial losses. She determined that the attack is likely to cost at least $1 million. She wants to ensure that this information is documented for future planning purposes. Where is she MOST likely to document it? A. DRP B. BIA C. COOP D. RTO

B. A business impact analysis (BIA) includes information on potential losses and is the most likely document of those listed where this loss would be documented. A disaster recovery plan (DRP) includes methods used to recover from an outage. Continuity of operations planning (COOP) includes methods, such as alternate sites, used to keep an organization operational after an outage. The recovery time objective (RTO) identifies the time period when you plan to restore a system after an outage; it is not a document.

18. Without adequate physical security controls, attackers can cause significant damage to systems within a data center. Which of the following could an attacker manipulate to cause extensive physical damage? A. Video surveillance systems B. Environmental controls C. Firewall ACLs D. IDS settings

B. An attacker could manipulate environmental controls to change the temperature or humidity within a data center and cause significant damage. An attacker could block video surveillance by manipulating a video surveillance system, but this wouldn't cause extensive physical damage. Modifying the firewall access control lists (ACLs) or intrusion detection system (IDS) settings might allow remote attacks, but not physical damage.

What term is used to describe a server that is used to manage the policies, schedules, media catalogs, and indexes associated with the systems it is configured to back up?

Backup server

17. Your organization is evaluating replacement HVAC systems and is considering increasing current capacities. Which of the following is a potential security benefit of increasing the HVAC capabilities? A. Lower MTBF times of hardware components due to lower temperatures B. Higher MTBF times of hardware components due to lower temperatures C. Lower MTTR times of hardware components due to lower temperatures D. Higher MTTR times of hardware components due to lower temperatures

B. Increasing the heating, ventilation, and air conditioning (HVAC) capacity results in higher mean time between failures (MTBF) times by keeping systems at lower temperatures. Lower MTBF times indicate more failures. Mean time to recover (MTTR) is unrelated to failures or HVAC systems.

13. A BCP includes a chart listing roles within the organization along with their matching responsibilities during a disaster. It also includes a chain of command. What is the purpose of this chart? A. IT contingency planning B. Succession planning C. COOP D. RTO

B. Succession planning clarifies who can make decisions during a disaster and can be documented in a chart listing roles and responsibilities along with a chain of command. IT contingency planning focuses on recovery of IT systems. Continuity of operations planning (COOP) identifies methods, such as alternate sites, that an organization can implement after a disaster. Recovery time objective (RTO) identifies the maximum amount of time it should take to restore a system after an outage.

Biometrics are not 100 percent accurate, having some level of misidentifications.

Biometric access controls are typically used in conjunction with another form of access control because:

Access control mechanisms in which a physical characteristic, such as a fingerprint or the geometry of an individual's hand, is used to uniquely identify users are called ________________________.

Biometrics

Biometric access controls are typically used in conjunction with another form of access control because:

Biometrics cannot be copied.

What term is used to describe a backup that involves the copying of every bit of data on a computer hard disk drive or another type of storage media; a backup that exactly replicates all sectors on the storage device, so all files and ambient data storage areas are copied?

Bit stream backup

What kind of copy is a drive image? - Bit-by-bit copy - File-by-file copy - Partition copy - A copy of all images on the drive

Bit-by-bit copy

Which open source forensic tool allows an investigator to view and manipulate data on many mobile phones?

BitPim

_______________ is a wireless technology designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that may be built into a variety of devices such as mobile phones, PDAs, and laptop computers.

Bluetooth

Which of the following are wireless technologies?

Bluetooth & 802.11

What name is given to a process that starts an operating system when the user turns on a computer system?

Boot process

Which type of forensic activity is file residue analysis?

Both A and B

While containing an incident in which a company server is under attack, why might you avoid letting the attacker know you're aware of the incident?

Both A and B

_______ is the term used to describe a collection of software robots that create and send out spam extremely quickly.

Botnet

Input validation is important to prevent what?

Buffer overflow

Virus and worm propagation can be achieved through exploiting:

Buffer overflows A primary exploit of buffer overflows is to execute unauthorized code on a machine, bypassing the normal code loading process.

Input validation is important to prevent what?

Buffer overflows can be detected before occurrence through proper input validation.

What are some major issues HITECH deals with with regard to privacy?

Business associate agreements, minimum necessary requirements, individual rights, breach notification, personal health record vendors, marketing/fundraising/sale of information, and increased enforcement and penalties for noncompliance.

Which of the following is a technology risk?

Business continuity management

Authentication is the process of... A.) Verifying the correctness of data being transmitted B.) Determining specific user access based on identity C.) Verifying a user's identity D.) Implementing a lattice-based access control

C

If a user only has to provide their credentials once (userID and password) and can then access multiple resources and applications without having to authenticate again, this is known as: A.) Privilege management B.) Centralized user accounts C.) Single sign-on D.) Access control

C

The asset value of a small distribution warehouse is $5 million, and this warehouse serves as backup capability. Its complete destruction by a disaster would take away about 1/5 of the capability of the business. Also assume that this sort of disaster is expected to occur about once every 50 years. Which of the following would be the calculated annualized loss expectancy (ALE)? A.) ALE = $50,000 B.) ALE = $1 million C.) ALE = $20,000 D.) ALE = $50 million

C

The asset value of a small distribution warehouse is $5 million, and this warehouse serves as backup capability. Its complete destruction by a disaster would take away about 1/5 of the capability of the business. Also assume that this sort of disaster is expected to occur about once every 50 years. Which of the following would be the calculated single loss expectancy (SLE)? A.) SLE = $25 million B.) SLE = $1 million C.) SLE = $2.5 million D.) SLE = $5 million

C

What common network access point is often forgotten when considering network electronic perimeter defenses? A.) Web sites which provide the largest presence from an electronic commerce standpoint B.) An organization's Internet service provider (ISP) C.) The Public Switched Telephone Network accessible via modems D.) Extranets connected to corporate partners

C

What is the first phase in incident response? A.) Detection of an incident B.) Containment and eradication C.) Preparation D.) Recovery

C

Which of the following correctly defines annualized rate of occurrence? A.) How much an event is expected to cost per year B.) A measure of the magnitude of loss of an asset C.) On an annualized basis, the frequency with which an event is expected to occur D.) The resources or information an organization needs to conduct its business

C

Which of the following correctly defines the hearsay rule? A.) The evidence is legally qualified and reliable. B.) Tangible objects that prove or disprove a fact. C.) Evidence not gathered from the personal knowledge of the witness. D.) Evidence in the form of business records, printouts, manuals, or other items.

C

Which of the following correctly defines the process of acquiring evidence? A.) Power down the system, dump the memory, create an image of the system, and analyze the image. B.) Create an image of the system, analyze the image, dump the memory, and power down the system. C.) Dump the memory, power down the system, create an image of the system, and analyze the image. D.) Dump the memory, analyze the image, power down the system, and create an image of the system.

C

Which of the following is NOT a viable option when dealing with risk? A.) A manager can take action to mitigate risk. B.) A manager can take action to transfer risk. C.) A manager can take action to increase risk. D.) A manager can take action to accept risk.

C

12. Your organization is updating its disaster recovery documents. You're asked to review the communication plans for possible updates. Which of the following should you ensure is included in the communication plan? A. A list of test plans and procedures B. The succession plan C. Methods used to communicate with response team members, employees, suppliers, and customers D. List of scenarios with potential loss statements

C. A communication plan includes methods used to communicate with response team members, employees, suppliers, and customers. Although not available as a possible answer, it would also include methods used to respond to media requests, including basic templates. None of the other answers are part of a communication plan. Both DRPs and BCPs might include a list of test plans and procedures. Succession planning clarifies who can make decisions during a disaster. A BIA typically includes a list of scenarios with potential loss statements.

6. Your backup policy for a database server dictates that the amount of time needed to perform backups should be minimized. Which of the following backup plans would BEST meet this need? A. Full backups on Sunday and full backups every other day of the week B. Full backups on Sunday and differential backups every other day of the week C. Full backups on Sunday and incremental backups every other day of the week D. Differential backups on Sunday and incremental backups every other day of the week

C. A full/incremental backup strategy is best with one full backup on one day and incremental backups on the other days. A full backup every day would require the most time every day. Differential backups become steadily larger as the week progresses and take more time to back up than incremental backups. Backups must start with a full backup, so a differential/incremental backup strategy is not possible.

10. An organization is considering an alternate location as part of its business continuity plan. It wants to identify a solution that provides the shortest recovery time. What will it choose? A. Cold site B. Warm site C. Hot site D. Succession site

C. A hot site has the shortest recovery time, but it is also the most expensive. Cold sites have the longest recovery time, and warm sites are shorter than cold sites but not as quick as hot sites. Succession site isn't a valid type of alternate location.

14. The BCP coordinator at your organization is leading a meeting on-site with key disaster recovery personnel. The purpose of the meeting is to perform a test. What type of test is this? A. Functional exercise B. Full-blown test C. Tabletop exercise D. Simulation to perform steps of a plan

C. A tabletop exercise is discussion-based and is typically performed in a classroom or conference room setting. Because this is a meeting led by the business continuity plan (BCP) coordinator, it is a tabletop exercise. Functional exercises are hands-on exercises and include simulations and full-blown tests.

rulemaking authority FCRA

CFPB is rulemaking authority

Which of the following are forms of fraud? (Select two) a. Spamming b. Hacking c. Phishing d. Identity theft e. Malware

C. Phishing & D. Identity theft

NIST established which project to develop standards to ensure reliable results during forensic investigations?

CFTT

11. Your organization is working on its business continuity plan. Management wants to ensure that documents provide detailed information on what technicians should do after an outage. Specifically, they want to list the systems to restore and the order in which to restore them. What document includes this information? A. HVAC B. BIA C. DRP D. Succession plan

C. The disaster recovery plan (DRP) typically includes a hierarchical list of critical systems that identifies what to restore and in what order. Heating, ventilation, and air conditioning (HVAC) is not a document. The business impact analysis (BIA) identifies critical systems and components but does not include recovery methods or procedures. Succession planning refers to people, not systems, and it clarifies who can make decisions during a disaster.

Which of the following is a 2003 act that covers unsolicited commercial e-mail messages?

CAN-SPAM Act

Output controls

Careful checking of system output provides additional control over processing integrity. Controls: user review of output, reconciliation procedures, external data reconciliation, data transmission controls (checksums and parity bits)

What name is given to the data that is used to hide secret data in steganography? Today, multimedia files, such as pictures or sound, are most commonly used for this purpose.

Carrier file

Code review by a second party is helpful to do what?

Catch errors early in the programming process

Code review by a second party is helpful to do what?

Catch errors early in the programming process.

____________ is a designation that recognizes a person's qualification to perform a job or task. Many _________ are earned based on experience and passing an exam. Professional bodies provide ________ to safeguard the public interest.

Certification

Which basic IACIS certification requires students to pass a written exam after completing a two-week training course?

Certified Electronic Evidence Collection Specialist (CEECS)

Which term describes the continuity of evidence that makes it possible to account for all that has happened to evidence since it was collected?

Chain of custody

What name is given to an executive who is focused on scientific and technical issues in an organization?

Chief Technology Officer (CTO)

One of the main functions of the Cyber Crimes Center (C3) is to stop the spread of ______ over the internet.

Child pornography

The best fire extinguisher for wood, paper, and cloth fires is a - Class A - Class B - Class C - Class D

Class A

The best fire extinguisher for petroleum products is a - Class A - Class B - Class C - Class D

Class B

The best fire extinguisher for an electrical fire is a - Class A - Class B - Class C - Class D

Class C

Which of the following is a physical security threat?

Cleaning crews are allowed unsupervised access because they have a contract.

________ is a form of on-demand Internet-based computing. Users share resources, software, and information stored on the Internet, using their own computers and other devices.

Cloud computing

Which disaster recovery strategy involves contracting for use of a physical site to which all necessary computing equipment will be delivered within 24 to 36 hours?

Cold site

Which technique involves using combined efforts of individuals focused on a particular issue?

Collaborative computing

System forensics is a discipline that _____. Which does not apply?

Collects and analyzes data based on protocols established by The Digital Forensic Investigation League

Mobilyze was designed to forensically analyze iPhone, iPod Touch, and iPad devices. This for-sale product is capable of analyzing multiple devices simultaneously, easing the time and effort of consolidating findings into one comprehensive report. What kind of forensic software is Mobilyze?

Commercial

EnCase, Forensic Toolkit (FTK), Helix and AnaDisk Disk Analysis Tool are types of _______

Commonly used system forensic tools

How does the privacy rule define marketing?

Communication about a product or service that encourages the recipient to purchase or use that product or service.

What does not qualify as marketing, and therefore requires no authorization?

Communications to describe health-related products and services, communication for treatment of the individual, and case management or care coordination for the individual.

What common utility or infrastructure is important to consider when developing your recovery plans?

Communications.

What mode, selectable from the properties of a shortcut or program file, allows you to run an old program in an environment that emulates an older version of Windows? (CH 5)

Compatibility mode (CH 5)

What is the process of encoding information with fewer bits than the unencoded information would use?

Compression

___________ can be used to hide or disguise sensitive data.

Compression programs

During Windows Setup one account is created for the user of that computer, and you provide a name and password for it. What type of account is this? (CH 6)

Computer Administrator (CH 6)

What is the main federal law addressing cybercrime?

Computer Fraud and Abuse Act (CFAA)

What was the first piece of federal legislation that identified computing crimes as distinct offenses?

Computer Fraud and Abuse Act (CFAA)

The Disk Management node exists in this console utility. (CH 6)

Computer Management (CH 6)

What organization enables discussions on high-tech crime, investigative strategies, and tools? It includes members of federal, state, and local law enforcement. It also includes members from corporate security, educational institutions, and the computer science community. Web site access is available to members only, and membership is free.

Computer Technology Investigators Network (CTIN)

What is flash memory media?

Computer memory chips or cards that retain data without being connected to a power source

A violation or an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices is the definition of:

Computer security incident

Which of the following is a violation of computer security policies, acceptable use policies, or standard security practices?

Computer security incident

Records that are produced by a computing device, including logs, content analysis, packet captures, and reconstructed artifacts is:

Computer-generated information

Which of these, according to this chapter, is not a step that can be taken to help mitigate physical security risk? - All users need security training. - Electronic physical security systems need to be protected from network-based attacks. - Authentication systems should use multiple factors when feasible. - Constant monitoring of all employees by camera

Constant monitoring of all employees by camera

Service Level Agreement (SLA)

Contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer.

What term is used to describe a 2003 act that covers unsolicited commercial e-mail messages?

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

Processing control

Controls are also needed to ensure that data is processed correctly. Important processing controls include the following: data matching, file labels, recalculation of batch totals, cross-footing and zero-balance tests, write-protection mechanisms, and concurrent update controls

What device should be used only by organizations to protect sensitive equipment from fluctuations in voltage? A) A surge protector B) An uninterruptible power supply C) A backup power generator D) A redundant array of inline batteries (RAIB)

Correct Answer is: A

What security feature is even more common than a lock? A) Physical barrier B) Card reader C) Hand geometry reader D) Security guard

Correct Answer is: A

Which of the following is a physical security threat? A) *Cleaning crews are allowed unsupervised access because they have a contract. B) Employees undergo background criminal checks before being hired. C) All data is encrypted before being backed up. D) All the above.

Correct Answer is: A

During which step of the policy lifecycle does training of users take place? A) Plan for security B) Implement the plans C) Monitor the implementation D) Evaluate for effectiveness.

Correct Answer is: B

Procedures can be described as: A) High-level, broad statements of what the organization wants to accomplish B) Step-by-step instructions on how to implement the policies C) Mandatory elements regarding the implementation of a policy D) Recommendations relating to a policy

Correct Answer is: B

The benefit of fire detection equipment over fire suppression devices is: A) Fire detection equipment is regulated while fire suppression equipment is not. B) Fire detection equipment will often catch fires at a much earlier stage meaning that the fire can be addressed before significant damage can occur. C) Fire detection equipment is much more reliable than fire suppression equipment. D) There is no advantage of fire detection over fire suppression other than the cost of fire detection equipment is much lower than fire suppression equipment.

Correct Answer is: B

When should a human security guard be used for physical access control? A) When other electronic access control mechanisms will not be accepted by employees B) When necessary to avoid issues such as piggybacking, which can occur with electronic access controls C) When other access controls are too expensive to implement D) When the organization wants to enhance its image

Correct Answer is: B

Biometric access controls are typically used in conjunction with another form of access control because: A) Biometrics are still expensive. B) Biometrics cannot be copied. C) Biometrics are not always convenient to use. D) Biometrics are not 100 percent accurate, having some level of misidentifications.

Correct Answer is: D

HVAC systems are important in which of the following locations? A) Large cubicle farms where many people work in rooms without windows B) Network equipment closets C) Server rooms D) All the above

Correct Answer is: D

What technique can be used to protect against electromagnetic eavesdropping (known as the van Eck phenomenon)? A) Provide sufficient distance between the potential target and the nearest location an attacker could be. B) Put the equipment that you are trying to protect inside a shielded room. C) Purchase "TEMPEST approved" equipment. D) All of the above.

Correct Answer is: D

What should you do ahead of time to help you recover in the event you forget your Windows XP password? (CH 5)

Create a Password Reset disk. (CH 5)

For either a multi-boot or clean installation, select this installation type choice in Windows setup. (CH 6)

Custom (CH 6)

Which of the following is not PII?

Customer ID number.

_________ is criminal activity that pertains to wrongfully taking information, causing damage to information, and/or causing an information system or resources to be unavailable to authorized users when needed.

Cybercrime

What name is given to an individual who uses a computer or network technology to plan or perpetrate a violation of the law?

Cybercriminal

The ________ is a 1999 act designed to stop people from registering domain names that are trademarks that belong to other entities.

Cybersquatting

What is the bad-faith registration of a domain name that is a registered trademark or trade name of another entity?

Cybersquatting

________ refers to using the Internet, e-mail, or other electronic communications devices to repeatedly harass or threaten another person?

Cyberstalking

A perfect bit-by-bit copy of a drive is called a... A.) Drive-copy B.) Drive-picture C.) Drive-partition D.) Drive-image

D

In which backup strategy are only those portions of the files and software that have changed since the last backup saved? A.) Full B.) Differential C.) Incremental D.) Delta

D

Picking the first letter of each word in a sentence to create a password is a... A.) Baseline B.) Password policy C.) Wrapper D.) Passphrase

D

Probably the simplest physical attack is... A.) Accessing an Ethernet jack to attack the network. B.) Using an imitation to fool a biometric authenticator. C.) Installing a virus on the CCTV system. D.) Outright theft of the computers.

D

Which of the following correctly defines real evidence? A.) The evidence is convincing or measures up without question. B.) The evidence is material to the case or has a bearing on the matter at hand. C.) Used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred. D.) Tangible objects that prove or disprove a fact.

D

Which of the following correctly defines risk? A.) The risks still remaining after an iteration of risk management. B.) The loss that results when a vulnerability is exploited by a threat. C.) Any circumstance or event with the potential to cause harm to an asset. D.) The possibility of suffering harm or loss.

D

Which of the following correctly defines slack space? A.) The space on a disk drive that is occupied by the boot sector B.) The space located at the beginning of a partition C.) The remaining sectors of a previously allocated file that are available for the operating system to use D.) The unused space on a disk drive when a file is smaller than the allocated unit of storage (as in a sector)

D

Which of the following is a consideration in calculating the cost of a backup strategy? A.) The cost of the backup media B.) The storage costs for the backup media C.) The frequency with which backups are created D.) All of the above

D

Which of the following is one of the major reasons security problems exist with wireless? A.) Implementing security for wireless devices is cost prohibitive. B.) Users of wireless devices constitute such a varied cross-section of the public that it is impossible to provide technology that all can understand. C.) The frequency spectrum in which wireless is broadcast is such that it does not permit effective encryption to take place. D.) The fact that wireless transmissions can often be picked up in areas outside of your organization.

D

The traditional type of access token was a: A.) Smart card B.) Handwriting sample C.) PDA D.) Key

D

What is the process of salvaging data from damaged, failed, corrupted, or inaccessible primary storage media when it cannot be accessed normally?

Data recovery

16. Humidity controls in your data center are failing. You need to convince management of the importance of these. What would you tell them? A. Failing humidity controls can cause damage from EMI and ESD. B. Failing humidity controls can cause damage from temperature variations and EMI. C. Failing humidity controls can cause damage from condensation and poor ventilation. D. Failing humidity controls can cause damage from ESD and condensation.

D. Failing humidity controls can cause damage from electrostatic discharge (ESD) if humidity is too low and water damage from condensation if humidity gets too high. Humidity controls do not provide any protection against electromagnetic interference (EMI), temperature, or ventilation.

4. Your company's web site experiences a large number of client requests during certain times of the year. Which of the following could your company add to ensure the web site's availability during these times? A. Fail-open cluster B. Certificates C. Web application firewall D. Load balancing

D. Load balancing shifts the load among multiple systems and can increase the site's availability by adding additional nodes when necessary. A failover cluster also provides high availability, but there is no such thing as a fail-open cluster. Certificates help ensure confidentiality and integrity, but do not assist with availability. A web application firewall helps protect a web server against attacks, but it does not increase availability from normal client requests.

What is meant by obscured data?

Data that are difficult to collect and analyze because it is encrypted, compressed, or in a proprietary format

3. A network administrator configured several servers to work together to increase the processing capabilities for a web application. What does the administrator MOST likely implement? A. Failover clustering B. RAID-6 C. EMI shielding D. Load balancing

D. The administrator most likely implemented servers to work together in a load-balancing configuration. Load balancing shifts the load between multiple servers to increase the number of clients the application can handle, ultimately increasing the overall processing capabilities. Failover clustering adds one or more servers for high availability and a redundant array of inexpensive disks 6 (RAID-6) provides fault tolerance for the disk subsystem, but neither increases processing capabilities. Electromagnetic interference (EMI) shielding is an environmental control that can protect against intermittent problems due to EMI.

15. Personnel within your organization turned off the HR data server for over six hours to perform a test. Which of the following is the MOST likely purpose of this? A. BIA B. Succession planning C. Tabletop exercises D. COOP

D. The most likely reason for personnel to turn off a server for testing is to test elements of continuity of operations planning (COOP). This helps determine if the organization can continue to operate despite the outage. A business impact analysis (BIA) is performed before creating business continuity plans, not to test them. Succession planning identifies a chain of command during a disaster. Tabletop exercises are discussion-based exercises and do not include manipulating any systems.

Which of the following statements is true? a. Emergency changes need to be documented once the problem is resolved b. Changes should be tested in a system separate from the one used to process transactions c. Change controls are necessary to maintain adequate segregation of duties d. All of the above are true

D. All of the above are true

Which one of the following MS-DOS commands would you use to delete a directory and its contents, including subdirectories, in one pass? (CH 4)

DELTREE (CH 4)

enforcement (HIPAA)

DHHS. Fines for non-compliance can be as much as 250k per incident; especially bad infractions could bring jail time.

What DOS product did Novell own at one time? (CH 4)

DR-DOS (CH 4)

Includes raw numbers, pictures, and other "stuff" that may or may not have relevance to a particular event or incident under investigation, is:

Data

Although it involves some of the same skills and software as ________, system forensics is a much more complex undertaking.

Data Recovery

What type of plan should all forensic specialists develop that includes a list of the types of data to be collected and describes the expected source for the data?

Data analysis plan

Sometimes evidence alteration is unavoidable. For example, in photo enhancement, the software changes the original bit patterns in the picture. In these cases, which remedy does NOT apply?

Deploy the dead man's switch

Which technique is NOT used by a forensic investigator to find evidence of the use of steganography?

Deploying Kerckhoff's Principle

What must a valid authorization form contain?

Description of the info being disclosed, people authorized to request the data, who can make the disclosure of data, expiration date, statement of the right to revoke authorization, statement that info is subject to redisclosure, signature/date, and a representatives right to sign (if applicable)

What information must be included to an individual for a breach notification?

Description of what occurred (the date it occurred and the date it was discovered), the types of PHI involved, steps the individual may take to protect themselves, what the entity is doing to prevent/rectify the situation, and contact info for any questions.

Bluetooth

Designed as a short-range (approx 10 meter) personal area network (PAN)

An ionization fire detection device - Provides advanced warning for smoldering fires - Detects fast burning fires - Detects heat - Detects smoke

Detects fast burning fires

As with a forensic investigation, data recovery should be a planned effort. Which of the following steps to recover data should NOT be in your plan?

Determine where to locate the clean room

A privacy impact assessment:

Determines the gap between a company's privacy practices and required actions.

Which of the following is not a steganographic embedded method?

Digital watermarking

You must examine the logical file and ________ to reconstruct what the user was doing with his or her computer.

Directory structure

Which type of common business plan helps a lab restore its equipment to their original condition after a catastrophic failure?

Disaster Recovery Plan

________ is a plan that helps a lab restore its workstations and file servers to their original condition after a catastrophic failure occurs

Disaster Recovery Plan

Which of the following provides detailed procedures to resolve the problems resulting from a flash flood that completely destroys a company's data center?

Disaster recovery plan

What type of information does a breach not include?

Disclosures to unauthorized persons if they would not reasonably be able to retain the info, or unintentional access by an employee or BA if it was in good faith/within the scope of employment. It must also pose a "risk of harm" (financial or reputation). Does not apply if the information is encrypted, only if it is unsecured PHI.

Every incident has lessons that the team can learn from by evaluating what happened and how the response progressed. What step in an incident response plan could lead to an updating of security policies or a modification of the response plan?

Document and review

How should an investigator handle any changes to evidence?

Document the nature, extent, and reasons for any changes.

E-mail messages are which type of evidence?

Documentary

Data is stored as written or printed matter or using information technology and includes memory-resident data and computer files such as logs, databases, e-mail messages, photographs, and telephone call detail records; investigators must authenticate documentary evidence. This is:

Documentary evidence

In a _________ attack, the attacker uses one of three approaches: the attacker can damage the router's ability to operate, overflow the router with too many open connections at the same time, or use up the bandwidth of the router's network. In this kind of attack, the attacker usually floods the network with malicious packets, preventing legitimate network traffic from passing.

DoS

What is a complete copy of every bit of memory or cache?

Dump

Attaching a hard drive to the specimen computer and using it as an imaging system is an approach to use when:

Duplicating a suspect computer

What is the primary drawback to completely duplicating all hard drives on a suspect's computer?

Duplicating large hard drives can take a long time

During which step of the policy lifecycle does training of users take place?

Implement the plans

What does the U.S. Department of Defense's TEMPEST program study?

EMR

European privacy laws are built upon:

EU Data Protection Directive.

Access Control Entry (ACE) (Definition: CH 6)

Each Access Control List has at least one ____ ____ ____, which is like a record in this tiny ACL database that contains just one user or group account name and the permissions assigned to this account for that file or folder. (CH 6 Pg. 232)

Access Control List (ACL) (Definition: CH 6)

Each file and folder on an NTFS volume has an associated ___ ___ ___, which is a table of users and/or groups and their permissions to access the file or folder. (CH 6 Pg. 232)

Editions (Key Terms: CH 6)

Each version of Windows comes in several ___, which differ mainly in the included components, with each targeted to specific users. (CH 6)

Why was the field of system forensics originally called computer forensics?

Efforts originally focused on disk drives and storage drives

What name is given to a file such as a picture, document, audio file, program, or video that is attached to an e-mail message?

Email attachment

Which of the following do attackers use to hide secret data in steganography?

Embedded file

Which of the following is another name for running a steganography algorithm?

Embedding

What are workforce members?

Employees, volunteers, student interns, trainees, and on-site contractors/vendors for whose actions the covered entity is responsible.

________ is a commercial software package that has the ability to make bit-level images and then mount them for analysis.

EnCase

________ is a commercial software package that has the ability to make bit-level images and then mount them for analysis.

EnCase

Which of the following is not a common step in the live acquisition process?

Encrypt the volatile data to prevent it from changing

Which source of hidden data presents the greatest technical challenge?

Encrypted archives

Which of the following could be referred to as obscured data?

Encrypted files

You captured a bit-by-bit image of a suspect's hard disk. Which of the following could prevent you from examining the data?

Encryption

Which of the following is a business risk?

Environmental risk management

Which of the following is not an asset?

Equipment failure

Company XYZ has experienced three security breaches recently because IT personnel are not following or do not understand system operating procedures and controls. Which of the following measures can help resolve this situation?

Establish and enforce security policies and procedures

What name is given to a model for forensic investigation that has five phases: readiness, deployment, physical crime scene investigation, digital crime scene investigation, and presentation?

Event-Based Digital Forensic Investigation Framework

How often should a forensics lab replace its computers?

Every 1 to 4 years

Information that supports a specific finding or determination is the definition of:

Evidence

Which term defines a significant problem that results in digital evidence changing or being destroyed between collection and presentation in court?

Evidence dynamics

Why is evidence preservation so important?

Evidence is fragile

What term is used to describe evidence that clears or tends to clear someone of guilt?

Exculpatory evidence

Which type of evidence clears or tends to clear someone of guilt?

Exculpatory

What is the default file system used by the installation program for FreeDOS 1.0 Final when it formats a hard drive? (CH 4)

FAT32 (CH 4)

enforcement TCPA

FCC. Administrative proceeding for civil forfeiture (up to 16k per violation); private right of action, 500-1500 per violation; treble damages.

TSR

FTC Telemarketing Sales Rule. Places legal limits on the ways organizations can call individuals for marketing and fundraising purposes.

enforcement of GLBA

FTC enforcement

enforcement HITECH

FTC has regulatory oversight; SAG given enforcement authority.

enforcement CAN-SPAM

FTC. When authorized to sue, the act provides injunctive relief and damages up to 250 per violation, with a maximum award of 2 mil; treble damages.

FCRA

Fair Credit Reporting Act. Mandates accurate and relevant data collection, provides consumers with the ability to access and correct their information, and limits the use of consumer reports to defined permissible purposes. Private right of action.

FACTA

Fair and Accurate Credit Transactions Act of 2003. Amended FCRA to add provisions to improve the accuracy of credit-related records. Allows consumers to request a free credit report once a year. Certain types of info must be removed/redacted.

Which of the following is not a broad test that should be applied to forensic evidence?

Fairness

A digital forensics specialist will deal only with desktops, laptops, and servers.

False

A false negative is when an unauthorized person is denied access. True or False

False

All cybercrimes should be reported to the FBI

False

An access token is an example of "something you know," in relation to authentication. True or False

False

An investigator should set the clock on a suspect system to the GMT time zone

False

An organization should try to let attackers know that the organization is aware of their activities.

False

Creating a computer virus is a crime

False

Drive imaging is the term used for copying all the image files from one drive to another. True or False

False

In a forensic investigation, speed is more important than thoroughness

False

It is almost impossible to use forensics technology to find evidence on flash memory media

False

It is not as important to avoid contaminating evidence in live system forensics as it is in dead system forensics

False

Law enforcement agencies do not have to be as careful as corporations about preserving evidence

False

Log files provide good forensic information, but they can't be used in court.

False

Microsoft Outlook, Windows Mail, Gmail, Yahoo! Mail, Hotmail, and AOL are examples of mail servers.

False

Never store system logs on a remote server

False

Only very large computer forensics labs need a lab manager

False

Perpetrators have found that using technology to commit or support a crime increases the risk of getting caught.

False

Photoelectric detectors are good at detecting heat from a fire. True or False

False

Physical damage always causes at least data loss, but it does not affect the logical structures of the file system

False

Steganography is another name for cryptography

False

Steganography is the science of extracting secret data from nonsecret data

False

System forensics is the same as data recovery

False

The best type of fire extinguisher for putting out common, combustible fires is a class C. True or False

False

The motives of cybercriminals are different from the motives of traditional criminals

False

The only way to defeat steganography is to use steganalysis

False

Your weight is a biometric. True or False

False

When the system denies access to someone who is authorized it is called a - False negative - False positive - True negative - True positive

False negative

When a biometric is scanned and allows access to someone who is not authorized that is called a - False negative - False positive - True negative - True positive

False positive

BA (business architect)

Helps define problems, monitors effectiveness and ensures the smooth integration of a project. Responsible for gathering and documenting functional business requirements.

judicial redress act

Feb 2016: Congress passed the Judicial Redress Act, giving additional civil remedies to citizens of EU member states. It allows citizens of ally countries and organizations to bring civil actions for unlawful disclosure of personal records by US government agencies.

The Freedom of Information Act applies to:

Federal government documents, with a few enumerated restrictions.

The U.S. Privacy Act of 1974 applies to:

Federal records containing PII.

Which of the following are examples of the concept of layered access in physical security? - Firewall, IDS, CCTV - Fences, gates, mantrap, doors - CCTV, walls, antivirus - RFID, biometrics, personal firewalls

Fences, gates, mantrap, doors

Which data entry application control would detect and prevent entry of alphabetic characters as the price of an inventory item?

Field check

Data entry controls

Field check, sign check, limit check, range check, size check, completeness check, validity check, reasonableness test, check digit

Which of the following is not a legal consideration in investigating e-mail?

Fifth Amendment

Tables that store associations between files and the cluster assigned to them is the definition of

File allocation tables

If you write a 1 KB file to a disk that has a cluster size of 4 KB, the last 3 KB of the cluster is wasted. This unused space between the logical end-of-file and the physical end-of-file is known as ________

File slack

________ is a type of empty space that is the unused space created between the end-of-file marker and the end of the hard drive cluster in which the file is stored. Also known as slack space.

File slack

__________ is/are computer memory chips or cards that retain data without being connected to a power source.

Flash memory media

The process of collecting data about a specific network environment, usually for the purpose of finding ways to attack the target, is:

Footprinting

Backup Utility (Key Terms: CH 5)

For ___ to work, you must have a set of disks that includes a system backup to backup media and a special floppy disk that can boot up the computer and start the recovery. (CH 5)

During the _________, the subject computer system must be protected from any possible alteration, damage, data corruption, or virus introduction.

Forensic Examination

"Account for any change--changes sometimes occur to evidence during a forensic examination. In such cases, a forensic specialist should note the nature, extent, and reason for the changes." This is one of the criteria for:

Forensic soundness

When data remains complete and materially unaltered and the evidence is what a forensic specialist says is unchanged since collection, that is _________

Forensic soundness

Complete and materially unaltered data is a characteristic of which of the following?

Forensically sound evidence

Which of the following terms describes the process of methodically examining computer media for evidence?

Forensics

One of the first questions that can be asked in computer seizure law is when exactly the search occurs. The ____ Amendment to the U.S. Constitution deals with search and seizure.

Fourth

What is the first step a forensic specialist should take to begin an investigation?

Freeze the crime scene

What term is used to describe a data collection method that involves taking a snapshot of a system in its compromised state and notifying the necessary authorities?

Freezing the scene

In an e-mail header, which of the following shows the e-mail's source?

From: line

A system forensics specialist should be able to use this to identify evidence in file slack, unallocated file space, and Windows swap files:

Fuzzy Logic Tool

Clock, Weather, Calendar, and CPU Meter are all examples of what types of desktop programs in Windows 7? (CH 6)

Gadgets (CH 6)

Procedures

Generally, these are step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

GINA

Genetic Information Nondiscrimination Act of 2008. Expands PHI to include genetic information. Employers cannot use genetic info to discriminate against employees or potential candidates.

_______________ are recommendations relating to a policy that are not mandatory steps.

Guidelines

Violations and Consequences

HIPAA Violations: 1. Fines and civil penalties can be filed against any individual who negligently discloses or knowingly and willfully obtains, discloses, or uses medical information. 2. Fines can be brought against an institution for failing to prevent/report unauthorized access, use, or disclosure of medical information. HIPAA Consequences: Civil penalties range from $100 per violation to an annual maximum of $1.5 million for repeated violations; the amount of the penalty is based on reasonable cause for the HIPAA violation, willful neglect, and corrective steps taken. Criminal penalties consist of a fine of up to $250,000 as well as a prison sentence of up to 10 years.

What is administration simplification?

HIPAA's attempt to streamline and standardize the healthcare industry's nonuniform and seemingly chaotic business practices, such as billing.

Which common network protocol do Web browsers use to communicate with Web servers?

HTTP

Which of the following is the most common protocol for regular Web pages?

HTTP

HVAC systems are important in which of the following locations?

All of the above

The illegal intrusion into a computer system without the permission of the computer owner or user, is the definition of:

Hacking

The following are examples of clean-agent fire suppression systems EXCEPT: - Carbon dioxide - Argon - Halon - Inergen

Halon

Checking to determine what hardware is present on a system is:

Hardware fingerprinting

HITECH

Health Information Technology for Economic and Clinical Health Act, 2009. Expands HIPAA to all business associates.

What is HIPAA?

Health Insurance Portability and Accountability Act 1. HIPAA makes it illegal for information to be released to inappropriate parties 2. Intended to make it easier for patients to move from one insurance plan to another 3. Establishes a standard format for health care organizations to share medical information

HIPAA

Health Insurance Portability and Accountability Act created to improve continuity of health insurance coverage and the administration of health care services

Individually identifiable health information (IIHI)

Health care data that can be connected to a specific person

What organization offers the following levels of certification? Certified Computer Crime Investigator, Basic Certified Computer Crime Investigator, Advance Certified Computer Forensic Technician, Basic Certified Computer Forensic Technician, Advanced

High Tech Crime Network (HTCN)

Which organization offers basic and advanced levels of the Certified Computer Crime Investigator and Certified Computer Forensic Technician certifications?

High Tech Crime Network (HTCN)

Policies

High-level, broad statements of what the organization wants to accomplish. Made by management when laying out the organization's position on some issue.

Policies

High-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization's position on some issue. Policies are mandatory but are not specific in their details. Policies are focused on the result, not the methods for achieving that result.

A data collection process that involves creating a replica system and luring the attacker into it for further monitoring is the definition of:

Honeypotting

Which of the following does not apply to evidence analysis?

Honeypotting

Which practice involves creating a replica system and luring an attacker into it to monitor their activities?

Honeypotting

An area on a hard drive where data can be hidden, the _________________was designed as an area where computer vendors could store data that is protected from user activities and operating system utilities, such as delete and format.

Host Protected Area (HPA)

The model under which an organization obtains software is important to forensic analysis because it affects four areas of an investigation. Which area below does NOT apply?

How much did the software cost to install

When containing an incident, which of the following is most important to protect?

Human life and safety

Three types of forces act on evidence. Which combination is correct?

Human, Natural and Incidental

Software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents and attempting to stop detected possible incidents is known as _____.

IDS

The set of standards for wireless networks that is well suited for the LAN environment and whose normal mode is to have computers with network cards communicating with a wireless access point is _______________.

IEEE 802.11

Root Directory (Definitions: CH 4)

In a FAT file system, a ___ with special characteristics. It is at the top level of the directory hierarchy, and it is the only ___ created automatically when a logical drive is formatted. (CH 4 Pg. 129)

Conventional Memory (Definitions: CH 4)

In real mode, the first 640 KB of RAM that can be used as the workspace for the operating system, application programs, and data. (CH 4 Pg. 109)

What alternative term correctly describes an upgrade of an operating system? (CH 6)

In-place installation (CH 6)

An organization's ___________ outlines specific procedures to follow in the event of a security incident.

Incident Response Plan

Which member of an incident response team is responsible for a particular incident or set of related security incidents?

Incident lead

Which critical document outlines specific procedures to follow in the event of a security incident?

Incident response plan

Which of the following statements is true?

Incremental daily backups are faster to perform than differential daily backups, but restoration is slower and more complex

Evidence that shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.

Incriminating evidence

According to the CAN-SPAM Act, commercial e-mail message senders must meet certain requirements. Which statement below is NOT a requirement of that act?

Inform message recipients how they can sign up for e-coupons

Which of the following is the best definition of the term "evidence"?

Information that supports a specific finding

QA

Involved during and after development to check code as it is being written. Automated Testing is often used to test multiple functions at once. Manual Testers work from scripts that clearly define a series of steps to take to test different functions.

Which of the following DOES NOT apply: a computer can play one of these roles in a computer crime:

It can solve the crime

Why use DOS today? (CH 4)

It does not need much memory or storage space. (CH 4)

How does steganography conceal data?

It hides data within files

Which of the following is not true of steganalysis?

It hides secret data within nonsecret data

How was ARRA important?

It included significant funding for HIT, provided important changes for the HIPAA Privacy Rule/implemented the HITECH Act (Health Information Technology for Economic and Clinical Health Act)

When discussing qualitative risk assessment versus quantitative risk assessment, which of the following is true?

It is impossible to conduct a purely quantitative risk assessment, but it is possible to conduct a purely qualitative risk assessment.

Which of the following are drawbacks of dead system analysis?

It leads to corruption of evidence; it leads to corruption of the original data; it leads to system downtime

Digital Investigation, International Journal of Digital Crime and Forensics (IJDCF), International Journal of Digital Evidence (IJDE), Journal of Digital Forensic Practice, Journal of Digital Forensics, Security and Law (JDFSL) and Journal of Forensic Sciences are what kind of system forensic resources?

Journals

Like any other evidence, system forensic evidence must be authentic, accurate, complete, and convincing to _________

Juries

HVAC systems are important in which of the following locations?

Large cubicle farms where many people work in rooms without windows; network equipment closets; server rooms

Cluster sizes vary in length, depending on the operating system and the size of the logical partition. What sizes have more forensic value?

Larger

_________ use(s) forensics to gather digital evidence for a variety of crimes, including child pornography, fraud, terrorism, extortion, cyberstalking, money laundering, forgery, and identity theft.

Law Enforcement

The International Association of Computer Investigative Specialists (IACIS) limits membership to which of the following?

Law enforcement personnel

When collecting data, if you find that you are out of your depth, it's recommended that you _______

Learn more before continuing

Using an administrator-level account for all functions is a violation of the principle of ____

Least privilege

What new feature of Windows 7 appears to be something it isn't, but allows you to organize and work with data from various locations as if they were together in one place? (CH 6)

Library (CH 6)

Which of the following records is not protected from disclosure by U.S. law?

Library loan records from your public library.

Many laptops and desktop personal computers (PCs) in corporations and government agencies run on Windows operating systems. Which of the following is NOT a Windows operating system?

Linux

What is an NTFS permission that only applies to folders? (CH 5)

List Folder Contents (CH 5)

Which of the following data collection tools focuses on dynamic link libraries?

ListDLLs

An operating system designed to run the entire machine from an optical disc is referred to as a - Boot floppy - Live CD - Installation CD - Bootable thumbdrive

Live CD

The _______, as its name suggests, recommends leaving a suspect computer turned on and working on it immediately after securing it

Live analysis

The _________, as its name suggests, recommends leaving a suspect computer turned on and working on it immediately after securing it. This school recommends attaching a Small Computer System Interface (SCSI) device or using an open network connection to get results for the commands.

Live analysis school of thought

What are two possible techniques for approaching a compromised system using live system forensics?

Live response & Volatile memory analysis

Which type of forensics includes searching a computer's memory in real time?

Live system forensics

________ is an area of system forensics that is used to search memory in real time, typically for working with compromised hosts or to identify system abuse

Live system forensics

Which techniques of forensic analysis are discussed in this chapter? Select 3

Live, Physical & Logical Analysis

Which law enforcement agency should a forensic specialist call first when reporting a serious cybercrime?

Local law enforcement agency

________ states that when two objects come into contact, there is always transference of material from each object onto the other. In other words, every contact leaves a trace.

Locard's Exchange Principle

The assumption that it is impossible for a criminal to act without leaving traces of his or her presence and that "with contact between two items, there will be an exchange" is known as:

Locard's Exchange Principle

What term is used for analysis using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data? It looks for things that are visible, known about, and possibly controlled by the user.

Logical analysis

Which analysis method involves using the native operating system to peruse the data?

Logical analysis

__________ is caused primarily by power outages that prevent file system structures from being completely written to the storage medium

Logical damage

Which of the following is a widely known ICMP covert channel tool?

Loki

Which of the following involves hiding an e-mail's origin and having someone else's mail server send the message?

Mail relaying

If a __________ is not configured properly, it becomes vulnerable to a wide variety of remote access programs.

Mail server

How might you capture drive data for offline analysis?

Make bit copy of source disk

Architect

Makes high-level technical decisions about how the development of a project is going to be accomplished. Creates very detailed technical specifications and guides the work of specific developers towards the accomplishment of the final goal.

All of the following are ways to prevent a computer from booting up from a bootable floppy EXCEPT: - Taking out the floppy drive. - Removing the A: drive from the boot sequence. - Setting a BIOS password. - Making sure the floppy is not the first drive in the boot sequence.

Making sure the floppy is not the first drive in the boot sequence.

An incident response team should place all emergency system information in a central, offline location. Which of the following is not a type of information that falls into this category?

Malicious code

What term best describes the logon to Windows XP Professional? (CH 5)

Mandatory (CH 5)

Which of the following are examples of steganography software? (Select three)

MandelSteg, EzStego & Snow

How could simply opening a document in Microsoft Word damage evidence?

Microsoft Word writes temporary files and updates the document's metadata

Why must you activate Windows XP after installation? (CH 5)

Microsoft requires it to protect itself against software piracy. (CH 5)

Microsoft Product Activation (MPA) (Definitions: CH 5)

Microsoft's method of combating software piracy, intended to ensure that each software license is used solely on a single computer. After installing Microsoft software, ___ will attempt to contact Microsoft's site to confirm the product is authentic. Normally, during activation the user is prompted to enter a product code, found on the packaging. Many other software vendors use activation. (CH 5 Pg. 152)

Windows Aero (Definition: CH 6)

Microsoft's name for a group of GUI desktop features and visual themes introduced in Windows Vista. (CH 6 Pg. 195)

_______ is physical replication of all data, with two copies of the data kept online at all times

Mirroring

Why is it recommended to use state-of-the-art automated forensic text search tools to help find the relevant evidence?

Modern hard drives are voluminous. It is impossible for a computer specialist to manually view and evaluate every file on a computer hard drive.

Which of the following laws states that the number of transistors on an integrated circuit will double every two years?

Moore's law

You can bump into a few problems when using log files. Which statement below is NOT among these problems?

Most wireless LANs are well secured

Using a token and a password to authenticate is an example of - Single sign-on - Multifactor authentication - Tokenizing - Dual access control

Multifactor authentication

Developer

Plans and writes the code that will become the finished application. Often, many developers will work on one project with each taking on responsibility for a specific area

Automated System Recovery (ASR) (Definitions: CH 5)

New in Windows XP, this replaces the Emergency Repair process of Windows NT and Windows 2000. ___ is available from the Windows Backup program (NTBACKUP.EXE). (CH 5 Pg. 149)

Does HIPAA preempt state laws?

No, it only serves as a federal floor or minimum on privacy requirements - stricter state laws still prevail.

Standards are:

None of the above. Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced.

What are the 3 key documents of the Privacy Rule?

Notice of Privacy Practices (required), authorization (required), and consent (optional).

HIPAA Privacy Rule

Notice of Privacy Practices and authorization for disclosures of PHI

Safe Harbor principles include:

Notice, Choice, Onward Transfer, Enforcement, Security, Data Integrity.

The ___________ divides networking into seven layers that provide services to and receive services from the layers directly above and below.

OSI Reference Model

Which of the following is the definition of physical analysis?

Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system, looking for things that may have been overlooked, or are invisible, to the user

Which of the following correctly defines annualized rate of occurrence?

On an annualized basis, the frequency with which an event is expected to occur

Privacy is defined as:

One's ability to control information about himself or herself.

What marketing activities do not require authorization?

Ones that occur face-to-face with the CE or they concern a promotional gift of nominal value to the patient.

Autopsy Forensic Browser, The Sleuth Kit and BitPim are examples of what kind of forensic software tool?

Open source

Which type of log contains certain events, such as the use of devices, errors, and reboots?

Operating system log

The chance for a cybercriminal to attack, which can include affordability, acceptability, attractiveness, availability, and anonymity, is the definition of:

Opportunity

Covered entities

Organizations that access the personal health information of patients. They include health care providers, health plans, and health care clearinghouses.

When investigating e-mails, one of the most important pieces of information to obtain from an email's detailed header is the __________.

Originating IP address

Acceptable Use Policy (AUP)

Outlines what the organization considers to be the appropriate use of company resources, such as computer systems, email, Internet Access, and networks

In the 1980s, IBM sold OEM MS-DOS under this product name. (CH 4)

PC DOS (CH 4)

PHI

PHI or not PHI? - account numbers - device identifiers and serial numbers - medical record numbers - health plan beneficiary numbers - clinical test results - medication prescriptions - counseling session start/stop times

not PHI

PHI or not PHI? - education records - health information in your personnel record - workman's comp records - psychotherapy notes

What BIOS-based program performs diagnostics as a computer powers up? (CH 4)

POST (CH 4)

The leftover sectors in a data block when the total number of sectors in a partition is not a multiple of the block size and can't be accessed through typical means, creating a good place to hide data is:

Partition Slack

HIPAA consent

Patient's agreement to use or disclosure for TPO purposes

What term is used to describe a network in which 1. each user manages his or her own resources and 2. configures who may access the user's computer resources and how?

Peer-to-peer (P2P) network

Which types of files are of the greatest forensic value because they hold larger amounts of information for longer periods of time?

Permanent swap file

The following are items associated with privacy and health records except:

Personal Health Information.

The "security problem" can be summarized in the following statement: - Physical access negates all other security measures. - A stitch in time saves nine. - The more secure it is, the less functional it is. - No good deed goes unpunished.

Physical access negates all other security measures

What term is used to describe offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system?

Physical analysis

What term is used to describe damage to storage media such as broken tapes or CDs or hard disks damaged by fire or water?

Physical damage

The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building is called:

Piggybacking

_________________ is the simple tactic of following closely behind a person who has just used their access card or PIN to gain physical access to a room or building.

Piggybacking

To defeat copy protection in order to copy software or other files is:

Piracy

Common cryptographic failures include which of the following ?

Poor encryption protocols

Common cryptographic failures include which of the following?

Poor encryption protocols. Proprietary and poorly tested algorithms, thought to ensure privacy through secrecy, have been shown to occasionally fail.

What does the "P" stand for in the law known as CAN-SPAM?

Pornography

Four Stages of a Privacy Impact Assessment

Preparation: determine whether a PIA is required by law or best practice; identify staffing resources and time for completion.
Data Analysis: analyse and document handling of personal information. Data flow diagrams are helpful in documenting where data is collected, who accesses it, and whether it is shared externally.
Privacy Assessment: identify and document risks and vulnerabilities to privacy, including legal and regulatory requirements.
Reporting: evaluate discovered risks and vulnerabilities and try to identify remedies. Document in the report the reason for any selected courses of action.

What is the first phase in an incident response policy?

Preparation is the first phase. This phase involves providing the technology processes, and training so that the other phases will be successful. Without preparation, the other phases will be conducted in an ad hoc manner and will not be as effective.

What is the last step in collecting and analyzing the evidence?

Present the evidence

This is a widely used encryption program for protecting the privacy of e-mail and other computer files. It uses two keys and an NIST-certified algorithm

Pretty Good Privacy (PGP)

You have installed Windows XP Professional on a 15 GB partition created during installation. You are now creating a second partition in the remaining 65 GB of available space on the hard disk. The computer is not configured for dual-boot. What type of partition and which file system should you choose (is preferred) for this new partition? (CH 5)

Primary partition with NTFS (CH 5)

The Manage Documents printer permission allows all but one of the following actions on a printer. What is not allowed? (CH 5)

Print (CH 5)

What type of documentation always requires authorization for use/disclosure (except for TPO)?

Psychotherapy notes

Patient denied Access

Psychotherapy treatment. The denial must be communicated to the patient in writing

What is the term used in the Windows Firewall control panel to refer to Wi-Fi networks at coffee shops and other retail locations? (CH 6)

Public networks (CH 6)

_________ is a form of encryption that uses a pair of cryptographic keys: one public, the other private. The public key is freely distributed and is used to encrypt the information to be sent. The recipient holds the private key and uses it to decrypt the received information.

Public-key cryptography

What was the most common method used to hide data on 5-1/4" floppy disks?

Put data in tracks above 80

What technique can be used to protect against electromagnetic eavesdropping (known as the van Eck phenomenon)?

Put the equipment that you are trying to protect inside a shielded room.

Which Intel processor mode can MS-DOS use? (CH 4)

Real (CH 4)

What is the term for evidence that speaks for itself, without relying on anything else? Examples include a visitors' log, the physical presence of a server or desktop, or the date of a letter validated by a third party, such as the U.S. Postal Service.

Real evidence

Which type of evidence comes from an inanimate object that can be examined by the court?

Real evidence

Which type of evidence is a visitors' log that visitors use to sign in when they arrive and sign out when they leave?

Real evidence

The actual time during which a process takes place:

Real time

In an e-mail header, anything up to the topmost _______ can be spoofed.

Received: line

In an e-mail header, which of the following lists every point the e-mail passed through on its journey, along with the date and time?

Received: line

Guidelines

Recommendations relating to a policy

What is the primary use of system forensic evidence?

Reconstruct past events or activities

Which of the following measures the amount of data that might be potentially lost as a result of a system failure?

Recovery point objective (RPO) (measures the time between the last data backup and the occurrence of a problem)

Due Diligence

Refers to the standard of care a business is expected to exercise in preparation for a business transaction.

Due Care

Refers to the standard of care a reasonable person is expected to exercise in all situations.

Ports from 1024 through 49151 are called ________. These are loosely bound to services, which means that although numerous services are "bound" to these ports, these ports are also used for many other purposes that have nothing to do with the official servers.

Registered ports

Activation (Key Terms: CH 5)

Registration is optional, but ___ is mandatory. (CH 5)

Which of the following should trigger a response under the Red Flag Rule?

Request for credit from a customer with a credit freeze on his credit reporting record.

PM

Responsible for overseeing one or more Technology projects from start to finish. Set project timetables, goals, deliverables, budgets and hiring plans.

Warm Boot (Definitions: CH 4)

Restarting a computer without a power-down and power-up cycle, by using a key combination (for example, CTRL-ALT-DELETE) or a hardware reset button. (CH 4 Pg. 137)

Minimum necessary

Reveal only the smallest amount of information required to accomplish the task and no more. When using any PHI, a covered entity must generally make reasonable efforts to limit itself to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request

What individual rights does the HIPAA Privacy Rule provide?

Right of access, right to request amendment of PHI, right to accounting of disclosures, right to request restrictions of PHI, right to request confidential communications, and right to complain of Privacy Rule violations.

The Basel Committee defines operational risk as which of the following?

Risk from disruption by people, systems, processes, or disasters

Processing: processing integrity and validity

Risk: errors in output and stored data. Controls: data matching, file labels, batch totals, cross-footing and zero-balance tests, write-protection mechanisms, database processing integrity controls

Output: output review, reconciliation and error handling; transaction authenticity and integrity

Risk: use of inaccurate or incomplete reports; unauthorized disclosure of sensitive information; loss, alteration, or disclosure of information in transit. Controls: reviews and reconciliations, encryption and access controls, parity checks, message acknowledgement techniques

Admissibility, authenticity, completeness, reliability and believability are called the

Rules of evidence

What governs whether, when, how, and why proof of a legal case can be placed before a judge or jury?

Rules of evidence

Which of the following is the definition of Rules of Evidence?

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. The rules vary depending on the type of court and the jurisdiction

Which common architecture in today's organizations contains a separate network for storage devices that appear to be locally connected to each workstation?

SAN

Amendments to CA law

SB 570 amends required content of security breach notices; AB 964 defines encrypted as rendered unusable, unreadable, or indecipherable to an unauthorized person through technology or methodology generally accepted in the field of information security

The asset value of a small distribution warehouse is $5 million, and this warehouse serves as a backup facility. Its complete destruction by a disaster would take away about 1/5 of the capability of the business. Which of the following is the calculated single loss expectancy (SLE)?

SLE = $1 million

Single loss expectancy (SLE) can best be defined by which of the following equations?

SLE = asset value * exposure factor

What term is used to describe a principle that attempts to provide security through the use of secrecy of design, implementation, and so on?

Security through obscurity

Which of the following is the definition of remailing?

Sending an email message to an anonymizer to strip identifying information from the email message before forwarding it with the mailing computer's IP address.

A savvy cybercriminal ensures that bills for falsely obtained credit cards or bank statements showing unauthorized withdrawals are:

Sent to an address other than the victim's

Sequence check test

A sequence check tests whether a batch of input data is in the proper numerical or alphabetical sequence

IEEE 802.11

Set of Wireless Standards, well suited for the local area network

_____________________ is a procedure in which attackers position themselves in such a way as to be able to observe an authorized user entering the correct access code.

Shoulder surfing

Which of the following is an acceptable PII disposal procedure?

Shredding, Burning, Electronic destruction per military data destruction standards.

Mutual aid agreement

Similar organizations agree to assume the processing for the other party in the event a disaster occurs.

Credentials Prompt (Definition: CH 6)

Similar to a Consent Prompt for those logged in as a standard user. The User Account Control ___ ___ will appear if a program is trying to perform something for which it needs administrator privileges and it will ask the user for an administrator password. (CH 6 Pg. 231)

________ is a protocol that mail servers use to send and receive mail messages. E-mail clients use _______ to send messages to a mail server for relaying.

Simple Mail Transfer Protocol (SMTP)

What term is used to describe an image that results from acquiring a file system while it is being updated or changed by a program in process?

Slurred image

Which term refers to the result of acquiring a file as it is being updated?

Slurred image

Which of the following are drawbacks of live system forensics?

Slurred images can result; data can be modified; it leads to data consistency problems

The FTC disposal rule applies to:

Small businesses using consumer reporting information, Debt collectors, Individuals using consumer reporting information.

What name is given to the technique of monitoring network data using a self-contained software program or a hardware device?

Sniffing

__________ is an area of system forensics that is most often used to examine malicious code

Software Forensics

What term is used to describe the process of examining malicious code?

Software Forensics or Malware Forensics

Software that a provider licenses to customers as a service on demand, through a subscription model, is:

Software as a service (SaaS)

What is the name for software that a provider licenses to customers as a service on demand, through a subscription model?

Software as a service (SaaS)

Like any other evidence, system forensics evidence must be authentic, accurate, complete, and convincing to _________

Software forensics

In a digital forensic investigation, what is an issue of concern with Software as a Service (SaaS)?

Software ownership

Application (Definitions: CH 4)

Software that allows you to perform useful functions and create results you can use in your personal or business life, such as writing a report or calculating a budget. (CH 4 Pg. 109)

Which of the following is the definition of TEMPEST Program?

Special computer-emission shielding from the U.S. Department of Defense that's used to shield sensitive computing systems and labs and prevent electronic eavesdropping on any computer emissions.

What term refers to the withholding, hiding, alteration, or destruction of evidence relevant to a legal proceeding?

Spoliation

Which of the following is the name for making an e-mail message appear to come from someone or someplace other than the real sender or location?

Spoofing

What are some elements that must be included in the NPP?

Standard header, description of how information will be used for TPO and for other purposes, statement that other disclosures will only be made with the patient's consent, statement of the individual's rights, how to make complaints and the contact person to do so, and effective date.

HIPAA Electronic HealthCare Transactions

Standardized Code Sets

_______________ are accepted specifications providing specific details on how a policy is to be enforced.

Standards

Which of the following are examples of steganalysis software? (Select three)

StegAlyzerAS, Stegdetect, & Stegbreak

How might you discover if a file contains hidden data?

Steganalysis

The process of hiding secret data within nonsecret data is:

Steganography

______ is the name for separating an embedded message from a stego message

Stego Analysis

In steganography, what name is given to the message that results from the embedding practice?

Stego message

Procedures can be described as:

Step-by-step instructions on how to implement the policies

When documenting a forensic investigation, the investigator should include which of the following considerations?

Steps in collecting and analyzing evidence

What is the correct term for what we know as the Blue Screen of Death (BSOD)? (CH 5)

Stop Screen (CH 5)

A _______ is a court order that requires the person or organization that owns the equipment to release it for analysis

Subpoena

Which type of court order requires a person or organization that owns equipment to release it for analysis?

Subpoena

Which of the following is an example of the kind of batch total called a hash total?

Sum of the purchase order field in a set of purchase orders

Mantraps are a good countermeasure against - Dumpster diving - Shoulder surfing - Tailgating - Phishing

Tailgating

What is considered an issue with long-term storage of magnetic media, as discussed in the chapter?

Tape media can be used a limited number of times before it degrades; software and hardware evolve, and the media stored may no longer be compatible with current technology.

What term is used to describe data that an operating system creates and overwrites without the computer user taking a direct action to save this data?

Temporary data

Batch File (Definitions: CH 4)

Text files that contain commands that you could type at the command prompt, but which you choose to put in a batch file. (CH 4 Pg. 128)

For organizations that draw a distinction between a BCP and a DRP, which of the following is true?

The BCP details the functions that are most critical and outlines the order in which critical functions should be returned to service to maintain business operations.

_________ made spamming a crime in 2003, sets the rules for commercial e-mail, establishes requirements for commercial messages, and gives recipients the right to have a business stop e-mailing them.

The CAN-SPAM Act

Passed in 1984, it was the first piece of federal legislation that identified computer crimes as distinct offenses. The CFAA criminalizes the act of causing certain types of damage to a protected computer. This is the:

The Computer Fraud and Abuse Act (CFAA)

A nonprofit, volunteer organization, whose goal is to enhance the sharing of knowledge and ideas about digital forensics research, and sponsors annual conferences, technical working groups, and challenges to help drive the direction of research and development, is:

The Digital Forensics Research Workshop (DFRWS)

What is the name of one of the oldest professional system forensics organizations? (Hint: it was created by police officers who wanted to formalize credentials in computing investigations and limits membership to law enforcement personnel and government employees working as system forensics examiners.)

The International Association of Computer Investigative Specialists (IACIS)

What are the considerations in calculating the cost of a backup strategy?

The cost of the backup media, The storage costs for the backup media, The frequency with which backups are created.

A good backup plan will include:

The critical data needed for the organization to operate, Any software that is required to process the organization's data, Specific hardware to run the software or to process the data.

Recovery time objective

The goal an organization sets for the time within which it wants to have a critical service restored after a disruption in service occurs.

What is the designated record set?

The health records, billing records, and various claims records that are used to make decisions about an individual.

What does individually identifiable mean?

The information must either identify the person or provide a reasonable basis to believe the person could be identified from the information.

In completing an analysis, forensic specialists face variations. Which does not apply?

The location of the crime scene

In the early stages of an investigation, which of the following groups should not be notified?

The media

TEMPEST

The military program to control electronic emanations from electrical equipment

Real Mode (Definitions: CH 4)

The mode in which an Intel processor starts when the computer is first turned on. It is very limited, offers the operating system just a small amount of memory to work with, and does not allow for multitasking, protection of the hardware from other software, or support for virtual machines (CH 4 Pg. 109)

The password dilemma refers to the fact that:

The more difficult we make it for attackers to guess our passwords, and the more frequently we force password changes, the more difficult the passwords are for authorized users to remember and the more likely they are to write them down.

Root Directory (Key Terms: CH 4)

The only directory created when DOS formats a disk is the ___. (CH 4)

Individual

The person who is seeking medical care; the person whose information we are protecting

Of the criteria listed below, which one IS NOT needed to convict someone who has used a computer to commit fraud:

The person's computer must belong to a corporation, not the individual

Which of the following correctly defines risk?

The possibility of suffering harm or loss.

Mean time to failure (or mean time between failures)

The predicted average time that will elapse before failure (or between failures) of a system (generally referring to hardware components).

Windows Explorer (Definition: CH 6)

The primary tool for copying, moving, renaming, and deleting files in Windows. (CH 6 Pg. 224)

Backout planning

The process of planning a return to an earlier release of a software application in the event that a new release causes either a partial or complete failure.

Which of the following correctly defines qualitative risk management?

The process of subjectively determining the impact of an event that affects a project, program, or business.

A forensic investigator can find copies of e-mail messages in a number of places. Which of the following are some of them?

The recipient's computer, the e-mail header, and the sender's mail server

Disclosure

The release, transfer, or sharing of health information with another individual or entity outside the healthcare organization holding this information

It's most important to define security requirements during:

The requirements phase is the best time to define any requirements and prioritize them all together rather than later in a piecemeal fashion.

It's most important to define security requirements during:

The requirements phase of the project

Security requirements are best defined in:

The requirements phase.

Local Security (Definition: CH 6)

The security options available and limited to a local computer. In Windows, this includes local security accounts and local security for files and folders, Windows BitLocker drive encryption, Windows Defender anti-spam protection, and Windows Firewall. (CH 6 Pg. 228)

IEEE 802.11

The set of standards for wireless networks that is well suited for the LAN environment and whose normal mode is to have computers with network cards communicating with a wireless access point

What is Volume Slack?

The space that remains on a hard drive if the partitions do not use all available space

Real evidence, testimonial evidence, and hearsay are _________

The three types of forensic evidence recognized in legal proceedings

Conventional Memory (Key Terms: CH 4)

The type of memory in which DOS, its drivers, and applications can run is called ___. (CH 4)

Which of the following is the definition of data consistency?

The validity, accuracy, usability, and integrity of data. This is an issue in live system forensics. When data is not acquired at a unified moment it is inconsistent.

When providing expert testimony, the investigator may be asked to provide information about which of the following?

The way evidence was handled

What is a business associate agreement?

The written contract that BAs of CEs must sign to agree to abide by the covered entity's requirements to protect the information's security and confidentiality.

Why is it that text search programs can't identify text data stored in encrypted, compressed, and graphics file formats?

These formats store data in binary format

The reason for not allowing users to install new hardware or software without the knowledge of security administrators is:

They may inadvertently install more than just the hardware or software; they may accidentally install a backdoor into the network.

A PC that uses little of its computing capability, functioning much like a dumb terminal, is the definition of:

Thin client

Business impact assessment (BIA)

This document evaluates the critical operations of a company.

Business continuity plan (BCP)

This focuses on continued operation of a business in extenuating circumstances.

Fault tolerance

This has the goal of uninterrupted access to data and services. It's accomplished by the mirroring of data and systems.

Differential backup

This is a backup of files that have changed since the last full backup.

Delta backup

This is a backup of the portions of files that have changed since the last backup.

Service level agreement (SLA)

This is a contractual agreement between entities describing specified levels of service that the servicing entity agrees to guarantee for the customer. These agreements not only clearly lay out expectations in terms of the service provided and support expected, but also generally include penalties should the described level of service or support not be provided.

Due care

This is a detail for how employees are expected to treat equipment and data.

Hot site

This is a fully configured alternative environment that can be operational immediately.

Warm site

This is a partially configured alternative site, but it lacks more expensive computing components.

Separation of duties

This is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone.

Cold site

This is a site with basic environmental controls, but that has few computing components.

Disaster recovery plan (DRP)

This is intended to minimize the impact of a disaster. It defines the data, resources, and necessary steps to restore critical organizational processes.

Incremental backup

This is the backup of files that have changed since the last full or incremental backup.

Due diligence

This is the process that an organization goes through to ensure that all options were considered in development of security policies and procedures related to due care directives.

Incident response policy

This outlines how an organization will prepare for security incidents, and respond to them when they occur.

Acceptable use policy (AUP)

This outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, telephones, Internet access, and networks.

Load balancing

This technique is designed to distribute the processing load over two or more systems.

Clustering

This technique links a group of systems so they work together, functioning as a single system.

Federal agencies

Those entities to which the Federal Privacy Act of 1974 applies

What type of document can help relate log files to reconstruct the events that led to corruption of a system?

Timeline

What title of HIPAA is most relevant to HIT?

Title II, which contains info on 1) Preventing Health Care Fraud and Abuse, 2) Medical Liability Reform, and 3) Administrative Simplification.

Why should you install updates for Windows XP? (CH 5)

To correct general problems and security problems with the program code. (CH 5)

What is the goal of assessing a suspect's means?

To determine whether a suspect had the knowledge and expertise to commit a crime

Why must a forensic lab facility be physically secure?

To keep evidence from being lost, corrupted, or destroyed

What are consents for?

To obtain (optional) consent from patients for TPO purposes before treatment is given.

What is one of the most compelling reasons for organizations to learn from breaches?

To prevent future breaches using the same techniques

Why is it important that security exercises be conducted?

To provide the opportunity for all parties to practice the procedures that have been established to respond to a security incident.

Why would you use the ClearType option in Display Properties | Appearance | Effects? (CH 5)

To smooth the edges of screen fonts. (CH 5)

________/________ refers to a set of protocols used to send messages between computers over the Internet, with the _______ handling the data, called packets, in a message

Transmission Control Protocol/Internet Protocol (TCP/IP)

What is TPO?

Treatment, Payment, and Operations (the exceptions to the release of PHI).

What type of malicious software appears to perform a useful function but also performs unauthorized functions?

Trojan horse

A computer can play one of three roles in a computer crime: It can be the target of the crime, it can be the instrument of the crime, or it can serve as an evidence repository that stores valuable information about the crime.

True

A false positive is when a biometric is scanned and allows access—when it was not the person who has authorization. True or False

True

A mantrap is used to prevent piggybacking. True or False

True

As a general precaution, it is a good idea to back up a workstation once a month.

True

As an e-mail is routed through one or more mail servers, each server adds its own information to the message header.

True

Besides physically securing your computers, there is little you can do to prevent drive imaging. True or False

True

Common obstacles that prevent organizations from regularly backing up all their data include the backup window, network bandwidth, system throughput, and lack of resources

True

Cybercrimes are committed by individuals, groups, and even countries.

True

Data recovery is the process of salvaging data from damaged, failed, corrupted, or inaccessible primary storage media when it cannot be accessed normally

True

Every organization should strive to make its lab a TEMPEST-qualified lab facility.

True

Evidence dynamics is anything that changes, moves, obscures, or obliterates evidence, regardless of intent.

True

Evidence storage containers should store only current evidence. Evidence for closed cases should be moved to a secure offsite facility.

True

Forensic investigators should never use originals. Instead, they should use verified duplicates.

True

In a P2P network, each user manages his or her own resources and configures who may access the user's computer resources and how. On a P2P network, each computer is configured individually.

True

It is possible to reconstruct the journey of an e-mail message by reading the e-mail header from top to bottom.

True

No two investigations are the same

True

The benefits of NTFS volumes far outweigh the potential risks of ADS, as long as system administrators are aware of streams and have the security tools to handle them

True

The incident response team performs most actions in response to an incident. However, all levels of IT staff should be aware of how to report incidents internally.

True

The main problem with mirroring is that it doesn't protect against user error and replication of bad data

True

The primary defense against a majority of physical attacks are doors, walls, gates, and fences. True or False

True

With PKS, the sender and receiver share a secret key called the stego key. Only a possessor of the stego key can detect the presence of an embedded message

True

How can you remove Windows components? (CH 5)

Use the Windows Components Wizard. (CH 5)

Mastered (Key Terms: CH 6)

Use the ___ format when you burn a disc to be used in a conventional CD or DVD player or in any computer including old Apple Macs or PCs. (CH 6)

Live File System (Key Terms: CH 6)

Use the ___ to burn a disc when you will use the disc only on newer Apple Macs and newer PCs (Windows XP and newer support it, but older PCs may not). (CH 6)

How can you reference an ADS in Windows?

Use the general syntax filename:ADS

Parse (Definitions: CH 4)

Used in the context of an operating system's treatment of a command entered at the command line, ____ means to divide the command into its components. DOS's command interpreter parses an entry based on special delimiter characters, such as the space character. (CH 4 Pg. 122)

enterprise applications

Used to describe applications or software that an organization would use to support its operations, typically designed to interface or integrate with other applications used within the organization, e.g., PeopleSoft applications

Which of the following are considered good practices for password security?

Using a combination of upper- and lowercase characters, a number, and a special character in the password itself; not writing the password down; and changing the password on a regular basis

One of the most fundamental rules to good coding practice is:

Validate all inputs. The earlier that code can be reviewed by another programmer, the sooner errors can be found and corrected.

Which of the following controls would prevent entry of a nonexistent customer number in a sales transaction?

Validity check

What is the first step to take after booting a suspect system?

Verify the date and time

HIPAA Privacy Rule

Violation of this rule included failure to provide patients with a Notice of Privacy Practices.

What term is used to describe a software implementation of a computer that executes programs as if it were a physical computer?

Virtual machine

Which of the following is a software implementation of a computer that executes programs as if it were a physical computer?

Virtual machine

effects of virtualization

A virtual machine is just a collection of software files. Virtualization significantly reduces the time needed to recover from hardware problems. It can also be used to support real-time mirroring, in which two copies of each virtual machine are run in tandem on two separate physical hosts.

You can use live system forensics to acquire one type of data that dead system forensics can't acquire. What type of data is this?

Volatile

What type of data is lost whenever a system is used and should therefore be collected first to minimize corruption or loss?

Volatile data

Regardless of the specific software engineering process model used

security can be included in the normal process by being input as requirements

The Internet is an example of which of the following types of networks?

WAN

What is the name for a partially configured environment that has the peripherals and software that the normal processing facility contains and that can be operational within a few days?

Warm site.

Two of the easiest things to extract during physical analysis are a list of all ________ and a list of all e-mail addresses on the computer. The user may have attempted to delete these, but you can reconstruct them from various places on the hard drive.

Web site URLs

Which range of communication ports includes ports 0 through 1023?

Well-known

Ports from 0 through 1023 are known as _______. Usually, traffic on one of these ports clearly indicates the protocol for that service.

Well-known ports

A surge protector

What device should be used only by organizations to protect sensitive equipment from fluctuations in voltage?

Physical barrier

What security feature is even more common than a lock?

All of the above

What technique can be used to protect against electromagnetic eavesdropping (known as the van Eck phenomenon)?

Multifactor authentication is all of these, EXCEPT: - What you are - What you have - What you know - What you calculate

What you calculate

When must the secretary of HHS be contacted along with a media outlet to provide breach notification?

When 500+ people are affected

Credentials Prompt (Key Terms: CH 6)

When a standard user attempts to do something requiring administrator-level privileges, a/an ____ will display, requiring the user to provide the credentials for an administrator. (CH 6)

What are valid grounds for denying access to personal PHI?

Without opportunity to appeal, any records that are: psychotherapy notes, compiled for legal proceedings, subject to CLIA, about an inmate and could cause harm, subject of research to which denial of access has been agreed, subject to Privacy Act, or obtained from someone in confidence. With opportunity to review: any records where a licensed professional determines access may endanger life or safety, or there is reference to another person and access could cause harm.

Automated System Recovery (ASR) (Key Terms: CH 5)

You can find a recovery tool that backs up the system partition in the Advanced Mode of the Windows XP ___. (CH 5)

What is true about installing MS-DOS? (CH 4)

You can use the DOS install setup program. (CH 4)

Why should you analyze the firewall logs in depth to look for decoy addresses originating from the same subnets?

You may be able to see that the attacker has connected recently, whereas the decoyed addresses have not.

A file system repair technique in which a recovery specialist assumes very little about the state of the file system to be analyzed, uses any hints that any undamaged file system structures might provide, and rebuilds the file system from scratch is the definition of:

Zero-knowledge analysis

Which of the following is a file system repair technique in which a recovery specialist assumes very little about the state of the file system to be analyzed, uses any hints that any undamaged file system structures might provide and rebuilds the file system from scratch?

Zero-knowledge analysis

You can use _________ to recover data even when the logical structure are almost completely destroyed

Zero-knowledge analysis

System Restore (Key Terms: CH 5)

___ allows you to return your computer to a previous working state. (CH 5)

Recovery Console (Key Terms: CH 5)

___ is a character-mode boot-up environment that has a command-line interface where you can enter advanced command-line commands to attempt to recover from a major OS failure. (CH 5)

Flip 3D (Key Terms: CH 6)

___ is a feature that lets you switch through your open windows as if they were a stack of cards or photos. (CH 6)

Windows PE (Key Terms: CH 6)

___ is a scaled-down Windows operating system that supports the Windows Setup GUI. (CH 6)

Windows Aero (Key Terms: CH 6)

___ is the name for a group of GUI desktop features and visual themes in Windows Vista and Windows 7. (CH 6)

Policies

_____________ are high-level statements made by management that lay out the organization's position on some issue.

Uninterruptible Power Supplies

_________________ is a device designed to provide power to essential equipment for a period of time when normal power is lost.

The commonest coding error is

a buffer-overflow condition

customer GLBA

a consumer who has an ongoing relationship with the institution

Archive

a copy of a database, master file, or software that is retained indefinitely as a historical record to satisfy legal and regulatory requirements; rarely encrypted

Hybrid entity

a facility that performs both covered and non-covered functions under the HIPAA privacy rule. ex. University Medical Clinic

white-box testing

a form of testing where the tester has knowledge of the inner workings of a system

grey-box testing

a form of testing where the tester has limited or partial knowledge of the inner working of a system

black-box testing

a form of testing where the tester has no knowledge of the inner workings of a mechanism

CWE/SANS Top 25 Most Dangerous Software Errors

a list created by MITRE and SANS due to the fact that some weaknesses are more prevalent than others

waterfall model

a multi-step process in which steps follow each other in a linear, one-way fashion, like water over a waterfall

zero-day

a name given to a vulnerability whose existence is known, but not to the developer of the software, hence it can be exploited before patches are developed and released

Business Associate

a person or business who, on behalf of the Covered Entity, uses and/or discloses protected health information

Which of the following commonly used system forensics tools is utilized primarily to scan for anomalies that identify odd formats, extra tracks, and extra sectors?

c. AnaDisk

telemarketing

a plan, program, or campaign which is conducted to induce the purchase of goods or services or a charitable contribution, by use of one or more telephones and which involves more than one interstate telephone call

secure development lifecycle (SDL) model

a process model that includes security function considerations as part of the build process of software in an effort to reduce attack surfaces and vulnerabilities

application program

a program designed to perform a specific function directly for the user or, in some cases, for another application program. Examples include word processors, database programs, Web browsers, development tools, drawing, paint, and image editing programs, and communication programs. Application programs use the services of the computer's operating system and other supporting applications.

cryptographically random

a random number that is derived from a nondeterministic source, thus knowing one random number provides no insight into the next

least privilege

a security principle in which a user is provided with the minimum set of rights and privileges that he or she needs to perform required functions; the goal is to limit the potential damage that any user can cause

agile model

a software development model built around the idea of many small iterations that continually yield a "finished" product at the completion of each iteration

buffer overflow

a specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program

Common Vulnerabilities and Exposures (CVE)

a structured language (XML) schema used to describe known vulnerabilities in software

Common Weakness Enumeration (CWE)

a structured language (XML) schema used to describe known weakness patterns in software that can result in vulnerabilities

What device should be used only by organizations to protect sensitive equipment from fluctuations in voltage?

a surge protector

app attacks -- Arbitrary/Remote Code Execution

A weakness in a program or service allows the running of code not intended by the programmer. This is the **key to exploiting a vulnerability**: it allows an attacker to run their own code locally or remotely, often with the same permissions as the exploited program (privilege escalation).

Bluetooth

a wireless technology designed as a short-range (approximately ten meters) personal area network (PAN) cable-replacement technology that may be built into a variety of devices such as mobile phones, PDAs and laptop computers.

Which of the following commonly used system forensics tools is utilized primarily to scan for anomalies that identify odd formats, extra tracks, and extra sectors? a. EnCase b. FTK c. AnaDisk d. CopyQM Plus e. Filter_G

c. AnaDisk

A(n) ________ is any event that violates an organization's security policies.

security incident

All the following are misconceptions about a disaster recovery plan except: a. It is an organization's assurance to survive. b. It is a key insurance policy. c. It manages the impact of LAN failures. d. It manages the impact of natural disasters.

a. A well-documented, well-rehearsed, well-coordinated disaster recovery plan allows businesses to focus on surprises and survival. In today's environment, a local-area network (LAN) failure can be as catastrophic as a natural disaster, such as a tornado. Insurance does not cover every loss. The other three choices are misconceptions. What is important is to focus on the major unexpected events and implement modifications to the plan so that it is possible to reclaim control over the business. The key is to ensure survival in the long run.

Which of the following items is usually not considered when a new application system is brought into the production environment? a. Assigning a contingency processing priority code b. Training computer operators c. Developing computer operations documentation d. Training functional users

a. An application system priority analysis should be performed to determine the business criticality for each computer application. A priority code or time sensitivity code should be assigned to each production application system that is critical to the survival of the organization. The priority code tells people how soon the application should be processed when the backup computer facility is ready. This can help in restoring the computer system following a disaster and facilitate in developing a recovery schedule.

Regarding contingency planning, system-level information backups do not require which of the following to protect their integrity while in storage? a. Passwords b. Digital signatures c. Encryption d. Cryptographic hashes

a. Backups are performed at the user-level and system-level where the latter contains an operating system, application software, and software licenses. Only user-level information backups require passwords. System-level information backups require controls such as digital signatures, encryption, and cryptographic hashes to protect their integrity.

What is the purpose of a business continuity plan (BCP)? a. To sustain business operations b. To recover from a disaster c. To test the business continuity plan d. To develop the business continuity plan

a. Continuity planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on continuity planning is based on the distribution of computer use and support throughout an organization. The goal is to sustain business operations.

Which of the following IT contingency solutions provides recovery time objectives (RTOs) ranging from minutes to several hours? a. Synchronous mirroring b. Asynchronous shadowing c. Single location disk replication d. Multiple location disk replication

a. Disk replication can be implemented locally or between different locations. Disk replication techniques are classified as synchronous or asynchronous. With synchronous mirroring, the recovery time objectives (RTOs) can be minutes to several hours (for shorter time periods), and hence it should be used for applications that can accept little or no data loss. With asynchronous shadowing, the RTO can range from several hours to a day (for longer time periods), depending on the time that is required to implement the changes in the unapplied logs. Disk replication involves two different disks to ensure that two valid copies of the data are always available.

The IT operations management of KPQ Corporation is concerned about the reliability and availability data for its four major, mission-critical information systems that are used by business end-users. The KPQ corporate management's goal is to improve the reliability and availability of these four systems in order to increase customer satisfaction both internally and externally. The IT operations management collected the following data on downtime hours (which include scheduled maintenance hours) and uptime hours for all these systems. Assume 365 operating days per year and 24 hours per day for all these systems. The KPQ functional management thinks that the security goal of availability is more important in ensuring the continuity of business operations than the confidentiality and integrity goals. This is because the availability goal will ensure timely and reliable access to and use of system-related data and information, as it is an indicator of quantity of service.

System   Downtime (hours)   Uptime (hours)
1        200                8,560
2        150                8,610
3        250                8,510
4        100                8,660

Which of the following systems has the highest availability in a year, expressed as a percentage and rounded up? a. System 1 b. System 2 c. System 3 d. System 4

d. System 4 has the highest availability percentage. Theoretically speaking, the lower the downtime for a system, the higher the availability of that system and the higher the reliability of that system, and vice versa. In fact, this question does not require any calculations, because one can find the correct answer just by looking at the downtime and uptime data given: the lower the downtime hours, the higher the uptime hours, and the higher the availability of the system, and vice versa.

System   Availability (percent)   Reliability (percent)
1        97.7                     97.7
2        98.3                     98.3
3        97.1                     97.1
4        98.9                     98.9

Calculations for System 1 are shown below; the calculations for the other systems follow the same pattern.

Availability for System 1 = [Uptime/(Uptime + Downtime)] × 100 = [8,560/8,760] × 100 = 97.7%
Reliability for System 1 = [1 - (Downtime/(Downtime + Uptime))] × 100 = [1 - (200/8,760)] × 100 = 97.7%
Check: Reliability for System 1 = 100 - (100 - Availability percent) = 100 - (100 - 97.7) = 97.7%

This goes to say that the availability and reliability goals are intrinsically related to each other, where the former is a component of the latter.

Explain the difference between a system fault and a system failure.

a. Failures are usually a result of system errors that are derived from faults in the system.

Which of the following statements is not true about the critical application categories established for disaster recovery planning purposes? a. Predefined categories need not be followed during a disaster because time is short. b. Each category has a defined time frame to recover. c. Each category has a priority level assigned to it. d. The highest level category is the last one to recover.

a. It is important to define applications into certain categories to establish processing priority. For example, the time for recovery of applications in category I could be less than 8 hours after disaster declaration (high priority). The time frame for recovery of category IV applications could be less than 12 hours after disaster declaration (low priority).

Regarding BCP and DRP, which of the following determines the recovery cost balancing? a. Cost of system inoperability and the cost of resources to recover b. Maximum allowable outage and the cost to recover c. Cost of disruption and the cost to recover d. Cost of impact and the cost of resources

a. It is important to determine the optimum point to recover an IT system by balancing the cost of system inoperability against the cost of resources required for restoring the system. This is called recovery cost balancing, which indicates how long an organization can afford to allow the system to be disrupted or unavailable. The other three choices are incorrect because they do not deal with the recovery cost balancing principle.

Which of the following must be defined to implement each contingency plan? a. Triggers b. Risks c. Costs d. Benefits

a. It is important to document triggers for activating contingency plans. The information needed to define the implementation triggers for contingency plans is the deployment schedule for each contingency plan and the implementation schedule for the replaced mission-critical systems. Triggers are more important than risks, costs, and benefits because the former drives the latter.

Regarding contingency planning, strategic reasons for separating the alternative storage site from the primary storage site include ensuring: 1. Both sites are not susceptible to the same hazards. 2. Both sites are not colocated in the same area. 3. Both sites do not have the same recovery time objectives. 4. Both sites do not have the same recovery point objectives. a. 1 and 2 b. 1, 2, and 3 c. 1, 2, and 4 d. 1, 2, 3, and 4

a. It is important to ensure that both sites (i.e., alternative storage site and primary storage site) are not susceptible to the same hazards, are not colocated in the same area, have the same recovery time objectives (RTOs), and have the same recovery point objectives (RPOs).

Which of the following is the name for a suspect's ability to commit a crime? a. Means b. Motive c. Opportunity

a. Means

Which of the following phases in the contingency planning and emergency program is most difficult to sell to an organization's management? a. Mitigation b. Preparedness c. Response d. Recovery

a. Mitigation is a long-term activity aimed at eliminating or reducing the probability of an emergency or a disaster occurring. It requires "up-front" money and commitment from management. Preparedness is incorrect because it is a readiness to respond to undesirable events. It ensures effective response and minimizes damage. Response is incorrect because it is the first phase after the onset of an emergency. It enhances recovery operations. Recovery is incorrect because it involves both short- and long-term restoration of vital systems to normal operations.

From an evidence standpoint, filenames, creation dates, and last modified dates and times can be relevant. Therefore, it is important to _______ all allocated and "erased" files.

search

1. What is the most important difference between the two classes of safety-critical system?

a. Primary safety-critical systems: embedded software systems whose failure can cause the associated hardware to fail and directly threaten people. Example: an insulin pump control system. b. Secondary safety-critical systems: systems whose failure results in faults in other (socio-technical) systems, which can then have safety consequences. For example, the MHC-PMS is safety-critical because its failure may lead to inappropriate treatment being prescribed.

1. List two other system properties that are sometimes considered to be dependability properties.

a. Repairability b. Maintainability c. Survivability d. Error tolerance

Regarding contingency planning, information system backups require which of the following? 1. Both the primary storage site and alternative storage site do not need to be susceptible to the same hazards. 2. Both operational system and redundant secondary system do not need to be colocated in the same area. 3. Both primary storage site and alternative storage site do not need to have the same recovery time objectives. 4. Both operational system and redundant secondary system do not need to have the same recovery point objectives. a. 1 and 2 b. 1, 2, and 3 c. 1, 2, and 4 d. 1, 2, 3, and 4

a. System backup information can be transferred to the alternative storage site, and the same backup can be maintained at a redundant secondary system, not colocated with the operational system. Both sites and both systems must have the same recovery time objectives (RTOs) and same recovery point objectives (RPOs). This arrangement can be activated without loss of information or disruption to the operation.

A major risk in the use of cellular radio and telephone networks during a disaster include: a. Security and switching office issues b. Security and redundancy c. Redundancy and backup power systems d. Backup power systems and switching office

a. The airwaves are not secure and a mobile telephone switching office can be lost during a disaster. The cellular company may need to divert a route from the cell site to another mobile switching office. User organizations can take care of the other three choices because they are mostly applicable to them, and not to the telephone company.

Physical disaster prevention and preparedness begins when a: a. Data center site is constructed b. New equipment is added c. New operating system is installed d. New room is added to existing computer center facilities

a. The data center should be constructed in such a way as to minimize exposure to fire, water damage, heat, or smoke from adjoining areas. Other considerations include raised floors, sprinklers, or fire detection and extinguishing systems and furniture made of noncombustible materials. All these considerations should be taken into account in a cost-effective manner at the time the data (computer) center is originally built. Add-ons will not only be disruptive but also costly.

An organization's effective presentation of disaster scenarios should be based on which of the following? a. Severity and timing levels b. Risk and impact levels c. Cost and timing levels d. Event and incident levels

a. The disaster scenarios, describing the types of incidents that an organization is likely to experience, should be based on events or situations that are severe in magnitude (high in damages and longer in outages) and occur at the worst possible time (i.e., a worst-case scenario with pessimistic timing), resulting in severe impairment of the organization's ability to conduct and/or continue its business operations. The planning horizon for these scenarios includes short-term (i.e., less than one month outage) and long-term (i.e., more than three month outage); the severity magnitude levels include low, moderate, and high; and the timing levels include worst possible time, most likely time, and least likely time. The combination of a high severity level and the worst possible time is an example of a high-risk scenario. The other three choices are incorrect because they are not directly relevant to disaster scenarios in terms of severity and timing levels, although they support the severity and timing levels indirectly.

The most effective action to be taken when a hurricane advance warning is provided is to: a. Declare the disaster early. b. Install an uninterruptible power supply system. c. Provide a backup water source. d. Acquire gasoline-powered pumps.

a. The first thing is to declare the disaster as soon as the warning sign is known. Protecting the business site is instrumental in continuing or restoring operations in the event of a hurricane. Ways to do this include an uninterruptible power supply (batteries and generators), a backup water source, and a supply of gasoline-powered pumps to keep the lower levels of the facility clear of floodwaters. Boarding up windows and doors is good to protect buildings from high-speed flying debris and to prevent looting.

The focus of disaster recovery planning should be on: a. Protecting the organization against the consequences of a disaster b. Probability that a disaster may or may not happen c. Balancing the cost of recovery planning against the probability that a disaster might actually happen d. Selecting the best alternative backup processing facilities

a. The focus of disaster recovery planning should be on protecting the organization against the consequences of a disaster, not on the probability that it may or may not happen.

All the following need to be established prior to a crisis situation except: a. Public relationships b. Credibility c. Reputation d. Goodwill

a. The other three choices (i.e., credibility, reputation, and goodwill) need to exist in advance of a crisis situation. These qualities cannot be generated quickly during a crisis. They take a long time to develop and maintain, way before a disaster occurs. On the other hand, public (media) relationships require a proactive approach during a disaster. This includes distributing an information kit to the media at a moment's notice. The background information about the company in the kit must be regularly reviewed and updated. When disaster strikes, it is important to get the company information out early. By presenting relevant information to the media, more time is available to manage the actual day-to-day aspects of crisis communications during the disaster.

1. Briefly define what availability means?

a. The probability that the system will be up and running and able to deliver useful services to users.

Which of the following is the name for actions that perpetrators take to conceal their locations, activities, or identity? a. Obscured data b. Documentary evidence c. Anti-forensics d. Evidence dynamics e. Voluntary surrender

c. Anti-forensics

Staff members in a computer forensics lab should have sufficient training to perform their tasks. Necessary skill sets include all except which of the following? a. Hardware knowledge b. Software knowledge c. Background as an attorney d. Deductive reasoning

c. Background as an attorney

Which of the following IT contingency solutions is useful over larger bandwidth connections and shorter physical distances? a. Synchronous mirroring b. Asynchronous shadowing c. Single location disk replication d. Multiple location disk replication

a. Synchronous mirroring can degrade performance on the protected server and should be implemented only over shorter physical distances and larger-bandwidth links, where the link does not restrict data transfers between servers. Asynchronous shadowing is useful over smaller-bandwidth connections and longer physical distances, where network latency could occur; consequently, shadowing helps preserve the protected server's performance. Both synchronous and asynchronous modes are techniques and variations of disk replication (i.e., single- and multiple-location disk replication).

Which of the following forensic tools is a standalone device capable of acquiring data from a mobile device? a. UFED b. Device Seizure c. The Zdziarski technique d. EnCase

a. UFED

Which of the following IT contingency solutions for servers provides high availability? a. Network-attached storage b. System backups c. Redundant array of independent disks d. Electronic vaulting

a. Virtualized network-attached storage (NAS) or a storage-area network (SAN) provides high availability because it combines multiple physical storage devices into a logical, virtual storage device that can be centrally managed. System backups provide low availability. A redundant array of independent disks and electronic vaulting provide availability levels between high and low.

Which of the following is the process of encoding information using fewer bits than the unencoded information would use? a. compression b. encryption c. decryption d. jailbreaking

a. compression

Which of the following is not a broad test that should be applied to forensic evidence? a. fairness b. authenticity c. Completeness d. Freedom from interference and contamination

a. fairness

consent order

In the absence of prior enforcement action against the company, a consent order will NOT involve fines, payments to consumers, corrective advertising, or an independent assessment. Consent decrees are posted publicly on the FTC website.

Standards

accepted specifications providing specific details on how a policy is to be enforced.

app attacks -- Local Shared Objects (LSO)

aka Flash cookies; similar to HTTP cookies but associated with Adobe Flash (often with games). Stores more than user info - stores large amounts of data, including applications and user files. **Disable in Adobe Flash.**

PHI (protected health information)

all individually identifiable health information and other information on treatment and care that is transmitted or maintained in any form or medium

physical security

all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users

During which phase(s) of the evidence life cycle must you document a chain of custody?

all of the above

Examples of ambient computer data are:

all of the above

Monitoring network traffic can be useful for many reasons. Which apply?

all of the above

Piracy includes:

all of the above

System forensics ________

all of the above

The forensic specialist must:

all of the above

Numerous organizations offer certification programs for system forensics. Which type of organization listed below does NOT offer certification programs?

all of the above offer certification programs

education records FERPA

all records directly related to the student and maintained by the school or by a party on behalf of the school.

Live forensic acquisition methods are very similar to the methods commonly used on dead systems. In both cases, you _______. Which statement applies?

all statements apply

SQL injection

an attack against a SQL engine parser designed to perform unauthorized database activities
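To make the "attack against the SQL engine parser" concrete, here is an added example (not from the Quizwiz set or any course text) showing why string-built SQL lets input reach the parser as grammar, and how a parameterised query stops that. It uses an in-memory SQLite database seeded with constructed sample accounts; the user names, passwords and payload strings are all illustrative.

```python
import sqlite3

# Constructed sample accounts (not from the page). Plaintext passwords are used only to
# keep the injection demonstration short; a real store holds salted password hashes.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Builds the statement by string formatting, so quote characters in the input
    reach the SQL parser as grammar rather than as data."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised statement: the driver binds the values separately from the
    statement text, so the parser never treats attacker input as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def demo() -> dict:
    """Run the same credentials through both versions and return
    {label: (vulnerable_result, safe_result)}. Payload shapes are illustrative."""
    conn = make_db()
    attempts = {
        "correct": ("alice", "s3cret"),
        "wrong password": ("alice", "nope"),
        # tautology: WHERE name='alice' AND password='' OR '1'='1'  -> always true
        "tautology": ("alice", "' OR '1'='1"),
        # comment: WHERE name='alice'--' AND password='x'  -> password check commented out
        "comment": ("alice'--", "x"),
    }
    return {label: (vulnerable_login(conn, *creds), safe_login(conn, *creds))
            for label, creds in attempts.items()}
```

Both payloads authenticate against `vulnerable_login` and fail against `safe_login`, while a genuine password works with both. Note the limit of the fix: placeholders bind values only, so table or column names and `ORDER BY` targets taken from user input still need an allow-list rather than a parameter.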

code injection

an attack where unauthorized executable code is injected via an interface in an attempt to get it to run on a system

Team leader, incident lead, IT team members, and specialists are key members of what?

an incident response team

evolutionary model

an iterative model designed to enable the construction of increasingly complex versions of a project

Business associate

an organization or person who provides services to the healthcare organization and utilizes PHI in daily functions.

If a drive fails on one system but installs on another, the drive may be usable. The drive may have failed because of which reason listed below?

any of the above could be the reason

business associates HITECH

any person or organization other than a member of a covered entity's workforce that performs services and activities for, or on behalf of, a covered entity, if such services involve use/disclosure of PHI

Zero-balance test

applies the same balancing logic to a control account: after all related entries (for example, the debit and credit sides of a payroll clearing account) are posted, the control account should show a zero balance, and a nonzero balance signals a processing error.

CalOPPA

Applies to any person or company whose website collects personally identifiable information from California consumers; requires a conspicuously posted privacy policy.

Data backup procedures

are designed to deal with situations where information is not accessible because relevant files or databases have become corrupted as a result of hardware failure, software problems, or human error, but the information system itself is still functioning

canonicalization error

arises from the fact that inputs to a web application may be processed by multiple applications, such as the web server, application server, and database server, each with its own parsers to resolve appropriate canonicalization issues

Entered transaction data into the system

as data are entered, the system performs several preliminary validation tests.

It is impossible to prevent all security incidents. Therefore, when a security incident does occur, an organization must _______ its impact.

assess

app attacks -- Directory Traversal

Attacker is able to browse directories and files outside of the web application itself; exposes the directory structure of the app, web server, and underlying OS, giving the attacker access to potentially secure or restricted pages, files, source code, and info. Countermeasures: - define access rights - apply checks and patches to prevent directory traversal attacks through vulnerabilities like Unicode normalization
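The canonicalization-error card above and this directory-traversal card describe the same failure from two sides: several parsers (web server, framework, OS) each decode a path differently, and an attacker picks the encoding that slips past the check. The following is an added example, not code from the page or any course, of the check a practitioner would put in front of file access: decode once, reject double encoding, fold Unicode look-alikes with NFKC, then resolve the real on-disk path and compare it against the web root. The web root, file names and probe strings are constructed for the demo.

```python
import os
import tempfile
import unicodedata
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised when a client-supplied path escapes, or tries to escape, the web root."""


def canonicalize(user_path: str) -> str:
    """Reduce the encodings an attacker can layer on a path to one canonical form.

    The canonicalization-error point: each parser on the request path decodes
    differently, so settle on one representation here and check that one.
    """
    if "\x00" in user_path:
        raise PathRejected("NUL byte in path")
    decoded = unquote(user_path)                 # %2e%2e/ -> ../
    # If a second decode still changes the string, the input was double-encoded
    # (%252e -> %2e -> '.'), which legitimate clients never send.
    if unquote(decoded) != decoded:
        raise PathRejected("double-encoded path")
    # NFKC folds look-alikes such as U+FF0E FULLWIDTH FULL STOP into ASCII '.',
    # the "Unicode normalization" variant of traversal named on the card.
    normalized = unicodedata.normalize("NFKC", decoded)
    if "\x00" in normalized:
        raise PathRejected("NUL byte after decoding")
    return normalized.replace("\\", "/")


def resolve_under_root(root: str, user_path: str) -> str:
    """Return the absolute on-disk path for user_path, or raise PathRejected.

    realpath() also follows symlinks, so a link inside the root that points
    outside it is caught too; a string-prefix test on the raw path would not be.
    """
    root_real = os.path.realpath(root)
    relative = canonicalize(user_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, relative))
    # commonpath, not startswith: "/var/www" is a string prefix of "/var/www_evil".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathRejected(f"path escapes root: {user_path!r}")
    return candidate


def classify(root: str, user_path: str) -> str:
    """'allowed' or 'rejected' for one probe (used by the demo)."""
    try:
        resolve_under_root(root, user_path)
        return "allowed"
    except PathRejected:
        return "rejected"


def demo() -> dict:
    """Build a throwaway web root (constructed data) and run traversal probes against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "webroot")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "readme.txt"), "w") as fh:
            fh.write("public\n")
        os.symlink(tmp, os.path.join(root, "escape"))   # symlink pointing above the root
        probes = [
            "docs/readme.txt",            # legitimate
            "docs/../docs/readme.txt",    # dot-dot that stays inside the root
            "../etc/passwd",              # plain traversal
            "%2e%2e/etc/passwd",          # URL-encoded dots
            "%252e%252e/etc/passwd",      # double-encoded dots
            "\uff0e\uff0e/etc/passwd",    # fullwidth dots, folded by NFKC
            "docs/..%2f..%2fetc/passwd",  # encoded separators
            "escape/anything.txt",        # traversal through the symlink
        ]
        return {p: classify(root, p) for p in probes}
```

Of the eight probes only the two genuine in-root paths are allowed. The symlink probe is the case a purely lexical check misses: the string never contains `..`, yet the file it names lives outside the root. Apply the check on the final canonical form and then open exactly the path it returned, so no later component re-decodes the input.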

Some forensic tools can mathematically __________ with a high level of accuracy.

authenticate data

Which of the following logs should a computer forensics lab keep? Select 2 a. Computer use log b. Lab visitors' log c. Evidence container log d. Criminal log

b & c lab visitors' log & evidence container log

Which of the following provides guidelines for managing a forensics lab and acquiring crime and forensics lab certification? a. NIST b. ASCLD c. FRE d. DFRWS

b. ASCLD

Regarding BCP and DRP, which of the following does not prevent potential data loss? a. Disk mirroring b. Offsite storage of backup media c. Redundant array of independent disk d. Load balancing

b. Although offsite storage of backup media enables a computer system to be recovered, data added to or modified on the server since the previous backup could be lost during a disruption or disaster. To avoid this potential data loss, a backup strategy may need to be complemented by redundancy solutions, such as disk mirroring, redundant array of independent disk (RAID), and load balancing.

Which of the following disaster recovery plan testing options should not be scheduled at critical points in the normal processing cycle? a. Checklist testing b. Parallel testing c. Full-interruption testing d. Structured walk-through testing

c. Full-interruption testing, as the name implies, disrupts normal operations and should be approached with caution.

statutory authority of FTC

Section 5 of the FTC Act (15 U.S.C. § 45) gives the Commission broad authority to prohibit unfair or deceptive acts or practices. Section 13(b) of the FTC Act (15 U.S.C. § 53(b)) authorizes the Commission to file suit in U.S. District Court to enjoin an act or practice that violates any provision of law enforced by the FTC.

Regarding BCP and DRP, which of the following IT platforms typically provide some inherent level of redundancy? a. Mainframe systems b. Distributed systems c. Desktop computers d. Websites

b. Distributed systems use the client-server relationship model to make the application more accessible to users in different locations, and they rely extensively on LAN and WAN connectivity. Because all data resides at a company's headquarters location and is replicated to the local sites, the distributed system provides some inherent level of redundancy. The other three choices cannot provide that kind of redundancy.

Which of the following is the best organizational structure and management style during a disaster? a. People-oriented b. Production-oriented c. Democratic-oriented d. Participative-oriented

b. During the creation of a disaster recovery and restoration plan, the management styles indicated in the other three choices are acceptable due to the involvement and input required of all people affected by a disaster. However, the situation during a disaster is entirely different, requiring execution, not planning. The command-and-control structure, which is a production-oriented management style, is the best approach to orchestrate the recovery, unify all resources, and provide solid direction with a single voice to recover from the disaster. This is not the time to plan and discuss various approaches and their merits. The other three choices are not suitable during a disaster.

Regarding BCP and DRP, the board of directors of an organization is not required to follow which of the following? a. Duty of due care b. Duty of absolute care c. Duty of loyalty d. Duty of obedience

b. Duty of absolute care is not needed because reasonable and normal care is expected of the board of directors because no one can anticipate or protect from all disasters. However, the directors need to follow the other three duties of due care, loyalty, and obedience.

The primary objective of emergency planning is to: a. Minimize loss of assets. b. Ensure human security and safety. c. Minimize business interruption. d. Provide backup facilities and services.

b. Emergency planning provides the policies and procedures to cope with disasters and to ensure the continuity of vital data center services. The primary objective of emergency planning is personnel safety, security, and welfare; secondary objectives include (i) minimizing loss of assets, (ii) minimizing business interruption, (iii) providing backup facilities and services, and (iv) providing trained personnel to conduct emergency and recovery operations.

Which of the following is the name for the process of making data unreadable to anyone except those who have the correct key?

b. Encryption

Which of the following is a good forensic analysis tool for those who are just starting to learn about forensics or do not have the time to invest in many different expensive tools? a. EnCase b. FTK c. AnaDisk d. TextSearch Plus e. Filter_G

b. FTK

Which of the following is a data collection process that involves creating a replica system and luring an attacker into it for further monitoring? a. Collecting artifacts b. Honeypotting c. Freezing the scene d. Sandboxing

b. Honeypotting

Which of the following alternative computing backup facilities is intended to serve an organization that has sustained total destruction from a disaster? a. Service bureaus b. Hot sites c. Cold sites d. Reciprocal agreements

b. Hot sites are fully equipped computer centers. Some have fire protection and warning devices, telecommunications lines, intrusion detection systems, and physical security. These centers are equipped with computer hardware that is compatible with that of a large number of subscribing organizations. This type of facility is intended to serve an organization that has sustained total destruction and cannot defer computer services. The other three choices do not have this kind of support.

Which of the following is a backup that transfers only the data that has changed since the last backup

b. Incremental backup
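The card states the definition; what it does not show is that "since the last backup" is the only thing separating incremental from differential backups, and why that choice matters at restore time. The following is an added example (not from the page) that detects changed files by content hash against a manifest of the previous backup, then runs a constructed sequence of edits to contrast the two schemes. All paths, file names and contents are made up for the demo.

```python
import hashlib
import os
import shutil
import tempfile


def fingerprint(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256.

    Hashing content rather than trusting mtime means a file that was touched but
    not changed is not re-copied, and a file edited with a preserved mtime is.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def changed_files(baseline: dict, current: dict) -> set:
    """Files that are new or whose content differs from the baseline manifest.
    Deletions are not represented here; a real tool records them in the manifest too."""
    return {path for path, digest in current.items() if baseline.get(path) != digest}


def backup(src: str, dest: str, baseline: dict) -> tuple:
    """Copy into dest only the files changed relative to baseline.

    Returns (set of copied relative paths, manifest of src at backup time).
    An empty baseline makes this a full backup; the manifest of the previous
    backup makes it incremental; the manifest of the last full backup makes it
    differential. The copy logic is identical, only the baseline differs.
    """
    current = fingerprint(src)
    copied = changed_files(baseline, current)
    for rel in copied:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(src, rel), target)
    return copied, current


def _write(root: str, rel: str, text: str) -> None:
    """Create or overwrite a small text file (constructed demo data)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> dict:
    """Constructed scenario: a full backup, two edits, and the backups that follow."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        _write(src, "a.txt", "alpha")
        _write(src, "sub/b.txt", "bravo")
        _write(src, "c.txt", "charlie")

        full_copied, full_manifest = backup(src, os.path.join(tmp, "full"), {})
        last_manifest = full_manifest

        _write(src, "a.txt", "alpha v2")
        inc1_copied, last_manifest = backup(src, os.path.join(tmp, "inc1"), last_manifest)

        _write(src, "sub/b.txt", "bravo v2")
        inc2_copied, last_manifest = backup(src, os.path.join(tmp, "inc2"), last_manifest)

        # A differential taken at the same moment compares against the last FULL backup,
        # so it carries both edits while the second incremental carries only the latest.
        diff_copied, _ = backup(src, os.path.join(tmp, "diff"), full_manifest)

        return {
            "full": sorted(full_copied),
            "incremental_1": sorted(inc1_copied),
            "incremental_2": sorted(inc2_copied),
            "differential": sorted(diff_copied),
        }
```

The second incremental copies one file, the differential taken at the same moment copies two. The trade-off is on the restore side: an incremental chain is restored as the full backup plus every incremental in order, so losing or corrupting one incremental invalidates everything after it, whereas a differential restore needs only the full backup plus the latest differential. That is why the recovery point objective, not just backup window, drives the choice.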

Which of the following is often a missing link in developing a local-area network methodology for contingency planning? a. Deciding which applications can be handled manually b. Deciding which users must secure and back up their own-data c. Deciding which applications are to be supported offsite d. Deciding which applications can be handled as standalone personal computer tasks

b. It is true that during a disaster, not all application systems have to be supported while the local-area network (LAN) is out of service. Some LAN applications may be handled manually, some as standalone PC tasks, whereas others need to be supported offsite. Although these duties are clearly defined, it is not so clear which users must secure and back up their own data. It is important to communicate to users that they must secure and back up their own data until normal LAN operations are resumed. This is often a missing link in developing a LAN methodology for contingency planning.

The greatest cost in data management comes from which of the following? a. Backing up files b. Restoring files c. Archiving files d. Journaling files

b. Manual tape processing has the tendency to cause problems at restore time. Multiple copies of files exist on different tapes. Finding the right tape to restore can become a nightmare, unless the software product has automated indexing and labeling features. Restoring files is costly due to the considerable human intervention required, causing delays. Until the software is available to automate the file restoration process, costs continue to be higher than the other choices. Backing up refers to a duplicate copy of a data set that is held in storage in case the original data are lost or damaged. Archiving refers to the process of moving infrequently accessed data to less accessible and lower cost storage media. Journaling applications post a copy of each transaction to both the local and remote storage sites when applicable.

Which of the following requires advance planning to handle a real flood-driven disaster? a. Call tree list, power requirements, and air-conditioning requirements b. Power requirements and air-conditioning requirements c. Air-conditioning requirements and media communications d. Call tree list and media communications

b. Power and air-conditioning requirements need to be determined in advance to reduce the installation time frames. This includes diesel power generators, fuel, and other associated equipment. Media communications include keeping in touch with radio, television, and newspaper firms. The call tree list should be kept current all the time so that the employee and vendor-notification process can begin as soon as the disaster strikes. This list includes primary and secondary employee names and phone numbers as well as escalation levels.

Which of the following is the best type of evidence to support a case? a. Testimonial evidence b. Real evidence c. Hearsay d. Rules of evidence

b. Real evidence

Regarding BCP and DRP, redundant array of independent disk (RAID) does not do which of the following? a. Provide disk redundancy b. Provide power redundancy c. Decrease mean-time-between-failures d. Provide fault tolerance for data storage

b. A redundant array of independent disks (RAID) does not provide power redundancy, which must instead be obtained through an uninterruptible power supply (UPS) system. RAID does provide the other three choices.

Contingency planning for local-area networks should consider all the following except: a. Incident response b. Remote computing c. Backup operations d. Recovery plans

b. Remote computing is not applicable to a local-area network (LAN) because the scope of a LAN is limited to local area only such as a building or group of buildings. Wide-area networks or metropolitan-area networks are good for remote computing. A contingency plan should consider three things: incident response, backup operations, and recovery. The purpose of incident response is to mitigate the potentially serious effects of a severe LAN security-related problem. It requires not only the capability to react to incidents but also the resources to alert and inform the users if necessary. Backup operation plans are prepared to ensure that essential tasks can be completed subsequent to disruption of the LAN environment and can continue until the LAN is sufficiently restored. Recovery plans are made to permit smooth, rapid restoration of the LAN environment following interruption of LAN usage. Supporting documents should be developed and maintained that minimize the time required for recovery. Priority should be given to those applications and services that are deemed critical to the functioning of the organization. Backup operation procedures should ensure that these critical services and applications are available to users.

Business continuity plans (BCP) need periodic audits to ensure the accuracy, currency, completeness, applicability, and usefulness of such plans in order to properly run business operations. Which one of the following items is a prerequisite to the other three items? a. Internal audits b. Self-assessments c. External audits d. Third-party audits

b. Self-assessments are proactive exercises and are a prerequisite to other types of audits. Self-assessments are in the form of questionnaires, and usually a company's employees (for example, supervisors or managers) conduct these self-assessments to collect answers from functional management and IT management on various business operations. If these self-assessments are conducted with honesty and integrity, they can be eye-opening exercises because their results may not be the same as company management expected. The purpose of self-assessments is to identify strengths and weaknesses so weaknesses can be corrected and strengths can be improved. In addition, self-assessments make an organization ready and prepared for the other audits, such as internal audits by corporate internal auditors, external audits by public accounting firms, and third-party audits by regulatory compliance auditors, insurance industry auditors, and others. In fact, overall audit costs can be reduced if these auditors can rely on the results of self-assessments, and that can happen only when the assessments are done in an objective and unbiased manner. Auditors then do not need to repeat these assessments with functional and IT management, saving audit time and reducing audit costs; however, auditors will still conduct their own independent tests to validate the answers given in the assessments. The audit process validates compliance with disaster recovery standards, reviews recovery problems and solutions, verifies the appropriateness of recovery test exercises, and reviews the criteria for updating and maintaining a BCP. The major point is that self-assessments should be performed in an independent and objective manner without undue influence from company management on the results. Another proactive step is sharing these self-assessments with auditors early, to get their approval before actually using them in the company and to ensure that the right questions are asked and the right areas are addressed.

What should be the last step in a risk assessment process performed as a part of business continuity plan? a. Consider possible threats. b. Establish recovery priorities. c. Assess potential impacts. d. Evaluate critical needs.

b. The last step is establishing priorities for recovery based on critical needs. The following describes the sequence of steps in a risk assessment process: 1. Possible threats include natural (for example, fires, floods, and earthquakes), technical (for example, hardware/software failure, power disruption, and communications interference), and human (for example, riots, strikes, disgruntled employees, and sabotage). 2. Assess impacts from loss of information and services from both internal and external sources. This includes financial condition, competitive position, customer confidence, legal/regulatory requirements, and cost analysis to minimize exposure. 3. Evaluate critical needs. This evaluation also should consider timeframes in which a specific function becomes critical. This includes functional operations, key personnel, information, processing systems, documentation, vital records, and policies and procedures. 4. Establish priorities for recovery based on critical needs.

With respect to business continuity planning/disaster recovery planning (BCP/DRP), risk analysis is part of which of the following? a. Cost-benefit analysis b. Business impact analysis c. Backup analysis d. Recovery analysis

b. The risk analysis is usually part of the business impact analysis. It estimates both the functional and financial impact of a risk occurrence to the organization and identifies the costs to reduce the risks to an acceptable level through the establishment of effective controls. The other three choices are part of the correct choice.

A contingency planning strategy consists of the following four parts. Which of the following parts are closely related to each other? a. Emergency response and recovery b. Recovery and resumption c. Resumption and implementation d. Recovery and implementation

b. The selection of a contingency planning strategy should be based on practical considerations, including feasibility and cost. Risk assessment can be used to help estimate the cost of options to decide an optimal strategy. Whether the strategy is onsite or offsite, a contingency planning strategy normally consists of emergency response, recovery, resumption, and implementation. In emergency response, it is important to document the initial actions taken to protect lives and limit damage. In recovery, the steps that will be taken to continue support for critical functions should be planned. In resumption, what is required to return to normal operations should be determined. The relationship between recovery and resumption is important. The longer it takes to resume normal operations, the longer the organization will have to operate in the recovery mode. In implementation, it is necessary to make appropriate preparations, document the procedures, and train employees. Emergency response and implementation do not have the same relationship as recovery and resumption does.

Which of the following is the most important consideration in locating an alternative computing facility during the development of a disaster recovery plan? a. Close enough to become operational quickly b. Unlikely to be affected by the same contingency issues as the primary facility c. Close enough to serve its users d. Convenient to airports and hotels

b. There are several considerations that should be reflected in the backup site location. The optimum facility location is (i) close enough to allow the backup function to become operational quickly, (ii) unlikely to be affected by the same contingency, (iii) close enough to serve its users, and (iv) convenient to airports, major highways, or train stations when located out of town.

Which of the following refers to anything that changes or destroys digital evidence between the time the evidence is created and when the case goes to court? a. Disk forensics b. Evidence dynamics c. Spoliation d. Live system forensics

b. evidence dynamics

Port numbers are divided into three ranges. Which of the following is not one of the ranges?

b. open ports

In a __________, hardware, software, maintenance, and support are provided together for a single price.

bundled product

Which of the following is an example of a recovery time objective (RTO) for a payroll system identified in a business impact analysis (BIA) document? a. Time and attendance reporting may require the use of a LAN server and other resources. b. LAN disruption for 8 hours may create a delay in time sheet processing. c. The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing. d. The LAN server must be recovered fully to distribute payroll checks on Friday to all employees.

c. "The LAN server must be recovered within 8 hours to avoid a delay in time sheet processing" is an example of BIA's recovery time objective (RTO). "Time and attendance reporting may require the use of a LAN server and other resources" is an example of BIA's critical resource. "LAN disruption for 8 hours may create a delay in time sheet processing" is an example of BIA's resource impact. "The LAN server must be recovered fully to distribute payroll checks on Friday to all employees" is an example of BIA's recovery point objective (RPO).

Which of the following are closely connected to each other when conducting business impact analysis (BIA) as a part of the IT contingency planning process? 1. System's components 2. System's interdependencies 3. System's critical resources 4. System's downtime impacts a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. A business impact analysis (BIA) is a critical step to understanding the information system components, interdependencies, and potential downtime impact. Contingency plan strategy and procedures should be designed in consideration of the results of the BIA. A BIA is conducted by identifying the system's critical resources. Each critical resource is then further examined to determine how long functionality of the resource could be withheld from the information system before an unacceptable impact is experienced. Therefore, the system's critical resources and the system's downtime impacts are more closely related to each other than the other items.

Which of the following disaster-recovery alternative facilities eliminates the possibility of competition for time and space with other businesses? a. Hot sites b. Cold sites c. Mirrored sites d. Warm sites

c. A dedicated second site eliminates the threat of competition for time and space with other businesses. These benefits, coupled with the ever-growing demands of today's data and telecommunications networks, have paved the way for a new breed of mirrored sites (intelligent sites) that can serve as both primary and contingency site locations. These mirrored sites employ triple disaster avoidance systems covering power, telecommunications, life support (water and sanitation), and 24-hour security systems. Mirrored sites are fully redundant facilities with automated real-time information mirroring. A mirrored site (redundant site) is equipped and configured exactly like the primary site in all technical respects. Some organizations plan on having partial redundancy for a disaster recovery purpose and partial processing for normal operations. The stocking of spare personal computers and their parts or LAN servers also provides some redundancy. Hot, cold, and warm sites are operated and managed by commercial organizations, whereas the mirrored site is operated by the user organization.

What is an alternative processing site that is equipped with telecommunications but not computers? a. Cold site b. Hot site c. Warm site d. Redundant site

c. A warm site has telecommunications ready to be utilized but does not have computers. A cold site is an empty building for housing computer processors later but equipped with environmental controls (for example, heat and air conditioning) in place. A hot site is a fully equipped building ready to operate quickly. A redundant site is configured exactly like the primary site.

Regarding contingency planning, an organization obtains which of the following to reduce the likelihood of a single point of failure? a. Alternative storage site b. Alternative processing site c. Alternative telecommunications services d. Redundant secondary system

c. An organization obtains alternative telecommunications services to reduce the likelihood of encountering a single point of failure with primary telecommunications services because of its high risk. The other choices are not high-risk situations.

When an organization is interrupted by a catastrophe, which of the following cost categories requires management's greatest attention? a. Direct costs b. Opportunity costs c. Hidden costs d. Variable costs

c. Hidden costs are not insurable expenses and include (i) unemployment compensation premiums resulting from layoffs in the work force, (ii) increases in advertising expenditures necessary to rebuild the volume of business, (iii) cost of training new and old employees, and (iv) increased cost of production due to decline in overall operational efficiency. Generally, traditional accounting systems are not set up to accumulate and report the hidden costs. Opportunity costs are not insurable expenses. They are costs of foregone choices, and accounting systems do not capture these types of costs. Both direct and variable costs are insurable expenses and are captured by accounting systems.

Which of the following organization's functions are often ignored in planning for recovery from a disaster? a. Computer operations b. Safety c. Human resources d. Accounting

c. Human resource policies and procedures impact employees involved in the response to a disaster. Specifically, it includes extended work hours, overtime pay, compensatory time, living costs, employee evacuation, medical treatment, notifying families of injured or missing employees, emergency food, and cash during recovery. The scope covers the pre-disaster plan, emergency response during recovery, and post-recovery issues. The major reason for ignoring the human resource issues is that they encompass many items requiring extensive planning and coordination, which take a significant amount of time and effort.

Which of the following IT contingency solutions increases a server's performance and availability? a. Electronic vaulting b. Remote journaling c. Load balancing d. Disk replication

c. Load balancing systems monitor each server to determine the best path to route traffic to increase performance and availability so that one server is not overwhelmed with traffic. Electronic vaulting and remote journaling are similar technologies that provide additional data backup capabilities, with backups made to remote tape or disk drives over communication links. Disk replication can be implemented locally or between different locations.

Which of the following disaster recovery plan test results would be most useful to management? a. Elapsed time to perform various activities b. Amount of work completed c. List of successful and unsuccessful activities d. Description of each activity

c. Management is interested to find out what worked (successful) and what did not (unsuccessful) after a recovery from a disaster. The idea is to learn from experience.

IT resource criticality for recovery and restoration is determined through which of the following ways? 1. Standard operating procedures 2. Events and incidents 3. Business continuity planning 4. Service-level agreements a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. Organizations determine IT resource criticality (for example, firewalls and Web servers) through their business continuity planning efforts or their service-level agreements (SLAs), which document actions and maximum response times and state the maximum time for restoring each key resource. Standard operating procedures (SOPs) are a delineation of the specific processes, techniques, checklists, and forms used by employees to do their work. An event is any observable occurrence in a system or network. An incident can be thought of as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Which of the following commonly used system forensics tools can quickly search hard disk drives, zip disks, and CDs for keywords or specific patterns of text? a. AnaDisk b. CopyQM Plus c. TextSearch Plus d. Filter_G

c. TextSearch Plus

Which of the following commonly used system forensics tools is utilized primarily to scan for anomalies that identify odd formats, extra tracks, and extra sectors?

c. TextSearch Plus

Which of the following is the best course of action to take for retrieving the electronic records stored at an offsite location? a. Installing physical security controls offsite b. Installing environmental security controls offsite c. Ensuring that software version stored offsite matches with the vital records version d. Rotating vital records between onsite and offsite

c. The IT management must ensure that electronic records are retrievable in the future, requiring the correct version of software that created the original records is tested and stored offsite, and that the current software version is matched with the current version of vital records. The other three choices are incorrect because, although they are important in their own way, they do not directly address the retrieval of electronic records. Examples of physical security controls include keys and locks, sensors, alarms, sprinklers, and surveillance cameras. Examples of environmental controls include humidity, air conditioning, and heat levels. Rotating vital records between onsite and offsite is needed to purge the obsolete records and keep the current records only.

Unlike jailbreaking, which of the following does not install any additional software or modify the user data partition in any way? a. UFED b. Device Seizure c. The Zdziarski technique d. EnCase

c. The Zdziarski technique

If the disaster recovery plan is being tested for the first time, which of the following testing options can be combined? a. Checklist testing and simulation testing b. Simulation testing and full-interruption testing c. Checklist testing and structured walk-through testing d. Checklist testing and full-interruption testing

c. The checklist testing can ensure that all the items on the checklists have been reviewed and considered. During structured walk-through testing, the team members meet and walk through the specific steps of each component of the disaster recovery process and find gaps and overlaps. Simulation testing simulates a disaster during nonbusiness hours, so normal operations will not be interrupted. Full-interruption testing is not recommended because it activates the total disaster recovery plan. This test is costly and disruptive to normal operations and requires senior management's special approval.

Availability

Ensuring that systems and information are available for use whenever needed. The objective is to minimize the risk of system downtime.

3 exceptions to data breach notification laws

entities subject to other, more stringent laws (HIPAA, GLBA); entities that already follow breach notification procedures as part of their own info security policies; encryption -- typically incident is not considered a breach if data was encrypted or redacted and key remains secure.

The decision to fully activate a disaster recovery plan is made immediately: a. After notifying the disaster b. Before damage control c. After damage assessment and evaluation d. Before activating emergency systems

c. The decision to activate a disaster recovery plan is made after damage assessment and evaluation is completed. This is because the real damage from a disaster could be minor or major where the latter involves full activation only after damage assessment and evaluation. Minor damages may not require full activation as do the major ones. The decision to activate should be based on cost-benefit analysis. A list of equipment, software, forms, and supplies needed to operate contingency category I (high priority) applications should be available to use as a damage assessment checklist.

The final consideration in the disaster recovery strategy must be which of the following? a. Criticality of data and systems b. Availability of data and systems c. Final costs and benefits d. Recovery time objective requirements

c. The final consideration in the disaster recovery strategy must be final costs and benefits, although cost and benefit data are considered initially. No prudent manager or executive would want to spend ten dollars to obtain a one dollar benefit. When costs exceed benefits, some managers accept the risk and some do not. Note that it is a human tendency to understate costs and overstate benefits. Some examples of costs include loss of income from loss of sales, cost of not meeting legal and regulatory requirements, cost of not meeting contractual and financial obligations, and cost of loss of reputation. Some examples of benefits include assurance of continuity of business operations, ability to make sales and profits, providing gainful employment, and satisfying internal and external customers and other stakeholders. The recovery strategy must meet criticality and availability of data and systems and recovery time objective (RTO) requirements while remaining within the cost and benefit guidelines.

After a disaster, at what stage should application systems be recovered? a. To the last online transaction completed b. To the last batch processing prior to interruption c. To the actual point of interruption d. To the last master file update prior to interruption

c. The goal is to capture all data points necessary to restart a system without loss of any data in the work-in-progress status. The recovery team should recover all application systems to the actual point of the interruption. The other three choices are incorrect because there could be a delay in processing or posting data into master files or databases depending on their schedules.

Rank the following objectives of a disaster recovery plan (DRP) from most to least important: 1. Minimize the disaster's financial impact on the organization. 2. Reduce physical damage to the organization's property, equipment, and data. 3. Limit the extent of the damage and thus prevent the escalation of the disaster. 4. Protect the organization's employees and the general public. a. 1, 2, 3, and 4 b. 3, 2, 1, and 4 c. 4, 1, 3, and 2 d. 4, 2, 1, and 3

c. The health and safety of employees and general public should be the first concern during a disaster situation. The second concern should be to minimize the disaster's economic impact on the organization in terms of revenues and sales. The third concern should be to limit or contain the disaster. The fourth concern should be to reduce physical damage to property, equipment, and data.

Which of the following natural disasters come with an advanced warning sign? a. Earthquakes and tornadoes b. Tornadoes and hurricanes c. Hurricanes and floods d. Floods only

c. The main hazards caused by hurricanes most often involve the loss of power, flooding, and the inability to access facilities. Businesses may also be impacted by structural damage as well. Hurricanes are the only events that give advanced warnings before the disaster strikes. Excessive rains lead to floods. Earthquakes do not give advanced warnings. Tornado warnings exist but provide little advance warning, and they are often inaccurate.

Rank the following benefits to be realized from a comprehensive disaster recovery plan (DRP) from most to least important: 1. Reduce insurance costs. 2. Enhance physical and data security. 3. Provide continuity of organization's operations. 4. Improve protection of the organization's assets. a. 1, 2, 3, and 4 b. 3, 2, 1, and 4 c. 3, 4, 2, and 1 d. 4, 2, 3, and 1

c. The most important benefit of a comprehensive disaster recovery plan is to provide continuity of operations followed by protection of assets, increased security, and reduced insurance costs. Assets can be acquired if the business is operating and profitable. There is no such thing as 100 percent security. A company can assume self-insurance.

Which of the following is most important in developing contingency plans for information systems and their facilities? a. Criteria for content b. Criteria for format c. Criteria for usefulness d. Criteria for procedures

c. The only reason for creating a contingency plan is to provide a document and procedure that will be useful in time of emergency. If the plan is not designed to be useful, it is not satisfactory. Suggestions for the plan content and format can be described, but no two contingency plans will or should be the same.

The main body of a contingency or disaster recovery plan document should not address which of the following? a. What? b. When? c. How? d. Who?

c. The plan document contains only the why, what, when, where, and who, not how. The how deals with detailed procedures and information required to carry out the actions identified and assigned to a specific recovery team. This information should not be in the formal plan because it is too detailed and should be included in the detail reference materials as an appendix to the plan. The why describes the need for recovery, the what describes the critical processes and resource requirements, the when deals with critical time frames, the where describes recovery strategy, and the who indicates the recovery team members and support organizations. Keeping the how information in the plan document confuses people, making it hard to understand and creating a maintenance nightmare.

Which of the following contingency plan test results is most meaningful? a. Tests met all planned objectives in restoring all database files. b. Tests met all planned objectives in using the latest version of the operating systems software. c. Tests met all planned objectives using files recovered from backups. d. Tests met all planned objectives using the correct version of access control systems software.

c. The purpose of frequent disaster recovery tests is to ensure recoverability. Review of test results should show that the tests conducted met all planned objectives using files recovered from the backup copies only. This is because of the no backup, no recovery principle. Recovery from backup also shows that the backup schedule has been followed regularly. Storing files at a secondary location (offsite) is preferable to the primary location (onsite) because it ensures continuity of business operations if the primary location is destroyed or inaccessible.

Disaster notification fees are part of which of the following cost categories associated with alternative computer processing support? a. Initial costs b. Recurring operating costs c. Activation costs d. Development costs

c. There are three basic cost elements associated with alternate processing support: initial costs, recurring operating costs, and activation costs. The first two components are incurred whether or not the backup facility is put into operation; the last cost component is incurred only when the facility is activated. The initial costs include the cost of initial setup, including membership, construction, or other fees. Recurring operating costs include costs for maintaining and operating the facility, including rent, utilities, repair, and ongoing backup operations. Activation costs include costs involved in the actual use of the backup capability. This includes disaster notification fees, facility usage charges, overtime, transportation, and other costs.

COPPA

Children's Online Privacy Protection Act. Applies to operators of commercial websites that are directed to kids, or that know kids use them, and that collect, use, or disclose personal info. Parental consent to disclose is required; the operator must use a method reasonably calculated to ensure it's a parent. FTC oversight.

Which native Microsoft Windows tool can you use to repair inconsistencies on a hard disk that resulted from logical damage?

chkdsk

$25,000

civil penalties for failure to comply -fine per year for multiple violations -fine cap per year per requirement

When people try to destroy incriminating evidence contained on a computer, they leave behind a vital ________

clues

communications privacy

concerned with protection of means of correspondence

customer EBR

consumer has purchased, rented, or leased the seller's goods or services within the 18 months preceding the call

prospect ebr

consumer made an application or inquiry regarding the seller's goods and services within 3 months of date of injury

CAN-SPAM

Controlling the Assault of Non-Solicited Pornography and Marketing Act. Provides a mechanism for legitimate companies to email prospects while respecting their right to opt out. Requirements: 1. prohibits false headers; 2. requires a functioning return address and a cost-free opt-out; 3. requires clear and conspicuous notification that the message is commercial, and the message must include a valid physical address.

Quick and complete recovery and resumption of normal operations

controls: backup procedures; disaster recovery plan; business continuity plan

Differential backup

copies all changes made since the last full backup; each backup file contains the cumulative effects of all activity since the last full backup

incremental backup

copying only the data items that have changed since the last partial backup

Packet crafting and protocol bending are two _______ techniques

covert

A number that is suitable for an encryption function is called _____

cryptographically random

app attacks -- Integer Overflows

Errors that occur when a number is too large to be stored in a variable. Causes: crashes, data corruption, arbitrary code execution.

EBR

established business relationship: sellers can call a consumer that they have a relationship with provided they have not been asked to be put on do not call.

Disaster recovery strategies must consider or address which of the following? 1. Recovery time objective 2. Disruption impacts 3. Allowable outage times 4. Interdependent systems a. 1 only b. 1 and 2 c. 1, 2, and 3 d. 1, 2, 3, and 4

d. A disaster recovery strategy must be in place to recover and restore data and system operations within the recovery time objective (RTO) period. The strategies should address disruption impacts and allowable outage times identified in the business impact analysis (BIA). The chosen strategy must also be coordinated with the IT contingency plans of interdependent systems. Several alternatives should be considered when developing the strategy, including cost, allowable outage times, security, and integration into organization-level contingency plans.

Regarding contingency planning, which of the following IT platforms requires vendor service-level agreements? a. Desktop computers b. Servers c. Distributed systems d. Wide-area networks

d. A wide-area network (WAN) is a data communications network that consists of two or more local-area networks (LANs) that are dispersed over a wide geographical area. WAN communication links, usually provided by a public carrier, enable one LAN to interact with other LANs. Service-level agreements (SLAs) can facilitate prompt recovery following software or hardware problems associated with the network. An SLA also may be developed with the network service provider (NSP) or the Internet service provider (ISP) to guarantee the desired network availability and establish tariffs if the vendor's network is unavailable. Desktop computers, servers, and distributed systems are not as complicated as WANs and do not require SLAs in the same way.

Organizations practice contingency plans because it makes good business sense. Which of the following is the correct sequence of steps involved in the contingency planning process? 1. Anticipating potential disasters 2. Identifying the critical functions 3. Selecting contingency plan strategies 4. Identifying the resources that support the critical functions a. 1, 2, 3, and 4 b. 1, 3, 2, and 4 c. 2, 1, 4, and 3 d. 2, 4, 1, and 3

d. Contingency planning involves more than planning for a move offsite after a disaster destroys a data center. It also addresses how to keep an organization's critical functions operating in the event of disruptions, both large and small. This broader perspective on contingency planning is based on the distribution of computer support throughout an organization. The correct sequence of steps is as follows: Identify the mission or business or critical functions. Identify the resources that support the critical functions. Anticipate potential contingencies or disasters. Select contingency planning strategies.

Which of the following may not reduce the recovery time after a disaster strikes? a. Writing recovery scripts b. Performing rigorous testing c. Refining the recovery plans d. Documenting the recovery plans

d. Documenting the recovery plan should be done first, and the document should be available to use as guidance during a recovery. The amount of time and effort in developing the plan has no bearing on the real recovery from a disaster. On the other hand, the amount of time and effort spent on the other three choices, and the degree of perfection attained in them, will definitely help in reducing the recovery time after a disaster strikes. The more time spent on these three choices, the better the quality of the plan. The key point is that documenting the recovery plan alone is not enough because it is a paper exercise that only provides guidance. The real benefit comes from careful implementation of that plan in actions.

Which of the following ensures the successful completion of tasks in the development of business continuity and disaster recovery plans? a. Defining individual roles b. Defining operational activities c. Assigning individual responsibility d. Exacting individual accountability

d. It is important to ensure that individuals responsible for the various business continuity and contingency planning activities are held accountable for the successful completion of individual tasks and that the core business process owners are responsible and accountable for meeting the milestones for the development and testing of contingency plans for their core business processes.

Which of the following computing backup facilities has a cost advantage? a. Shared contingency centers b. Hot sites c. Cold sites d. Reciprocal agreements

d. Reciprocal agreements do not require nearly as much advance funding as commercial facilities do. They are inexpensive compared to the other three choices, which are commercial facilities. However, cost alone should not be the overriding factor when making backup facility decisions.

Which of the following tasks is not a part of disaster recovery planning (DRP)? a. Restoration procedures b. Procuring the needed equipment c. Relocating to a primary processing site d. Selecting an alternate processing site

d. Tasks are different between business continuity plan (BCP) and disaster recovery planning (DRP) because of timing of those tasks. For example, selecting an alternative processing site should be planned out prior to a disaster, which is a part of a BCP. The other three choices are a part of DRP. Note that DRP is associated with data processing and BCP refers to actions that keep the business running in the event of a disruption, even if it is with pencil and paper.

Regarding contingency planning, which of the following actions are performed when malicious attacks compromise the confidentiality or integrity of an information system? 1. Graceful degradation 2. System shutdown 3. Fallback to manual mode 4. Alternate information flows a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The actions to perform when malicious attacks compromise the confidentiality or integrity of the information system include graceful degradation, information system shutdown, fallback to a manual mode, alternative information flows, or operating in a mode that is reserved solely for when the system is under attack.

When comparing alternative computer processing facilities, the major objective is to select the alternative with the: a. Largest annualized profit b. Largest annualized revenues c. Largest incremental expenses d. Smallest annualized cost

d. The major objective is to select the best alternative facility that meets the organization's recovery needs. An annualized cost is obtained by multiplying the annual frequency with the expected dollar amount of cost. The product should be a small figure.

The post-incident review report after a disaster should not focus on: a. What happened? b. What should have happened? c. What should happen next? d. Who caused it?

d. The post-incident review after a disaster has occurred should focus on what happened, what should have happened, and what should happen next, but not on who caused it. Blaming people will not solve the problem.

The least costly test approach for contingency plans is which of the following? a. Full-scale testing b. Pilot testing c. Parallel testing d. End-to-end testing

d. The purpose of end-to-end testing is to verify that a defined set of interrelated systems, which collectively support an organizational core business area or function, interoperate as intended in an operational environment. Generally, end-to-end testing is conducted when one major system in the end-to-end chain is modified or replaced, and attention is rightfully focused on the changed or new system. The boundaries on end-to-end tests are not fixed or predetermined but rather vary depending on a given business area's system dependencies (internal and external) and the criticality to the mission of the organization. Full-scale testing is costly and disruptive, whereas end-to-end testing is least costly. Pilot testing is testing one system or one department before testing other systems or departments. Parallel testing is testing two systems or two departments at the same time.

A full-scale testing of application systems cannot be accomplished in which of the following alternative computing backup facilities? a. Shared contingency centers and hot sites b. Dedicated contingency centers and cold sites c. Hot sites and reciprocal agreements d. Cold sites and reciprocal agreements

d. The question is asking about the two alternative computing facilities that can perform full-scale testing. Cold sites do not have equipment, so full-scale testing cannot be done until the equipment is installed. Adequate time may not be allowed in reciprocal agreements due to time pressures and scheduling conflicts between the two parties. Full-scale testing is possible with shared contingency centers and hot sites because they have the needed equipment to conduct tests. Shared contingency centers are essentially the same as dedicated contingency centers. The difference lies in the fact that membership is formed by a group of similar organizations which use, or could use, identical hardware.

non personal information

data cannot be used to identify an individual (privacy laws do not apply)

As a result of not acquiring data at a unified moment, live system forensics presents a problem with _________

data consistency

Redundant Arrays of Independent Drives (RAID)

data is written to multiple disk drives simultaneously so if one disk drive fails, data can be readily accessed from another

Checksums

for data that are transmitted, the sending device can calculate a hash of the file

The following are some of the benefits of __________. It limits the impact on the compromised system, analysis is repeatable, and you can ask new questions after the analysis.

dead system analysis

Security Rule (HIPAA)

deals with electronic PHI and how to protect it. based on principles of confidentiality, integrity, and availability

What term is used to describe an attack in which an attacker deprives people of the services they are entitled to access or provide?

denial of service (DoS) attack

The banning of ___ helps improve code quality by using safer library calls

deprecated functions

Reasonableness test

determines the correctness of the logical relationship between two data items.

Field check

determines whether the characters in a field are of the proper type. For example, a numeric field containing alphabetic characters

Sign check

determines whether the data in a field have the appropriate arithmetic signs. For example, a quantity-ordered field should never be negative

The first step in application hardening is

determining the application configuration baseline

The system forensics specialty that involves acquiring and analyzing data stored on physical storage media, such as computer hard drives and removable media is called ___________

disk forensics

The process of going through a target's trash searching for information that can be used in an attack, or to gain knowledge about a system or network is known as ______________.

dumpster diving

A(n) __________ is any observable occurrence within a system or network.

event

facility directory

example of a disclosure that the patient has the right to agree or object

Disposal rule FACTA

explicitly dictates the way in which organizations must dispose of credit information

protection of pupil rights amendment

extends protection of student records to parents

To which domains of a typical IT infrastructure does system forensics apply?

f. All of the above

Hot site

facility that is prewired for telephone and internet access; contains all necessary computing and office equipment

software development methodology

framework that is used to structure, plan, and control the process of developing an information system.

On a well-used hard disk drive, gigabytes of storage space may contain data associated with previously erased files. This space is known as __________________

free space, unallocated space

Covered Entity

health plans, healthcare clearinghouse and healthcare providers who electronically transmit information under standards of operation established by HHS

The collective term used to refer to the systems that are used to maintain the comfort of an office environment and that are often controlled by computer systems is ___________.

heating, ventilation, and air conditioning (HVAC)

An operating system can't access any unallocated space in a partition. That space can contain __________

hidden data

policies

high-level, broad statements of what the organization wants to accomplish

security

how we protect PHI from accidental or intentional disclosure, alteration, destruction, or loss

Prompting

in which the system requests each input data item and waits for an acceptable response, ensuring that all necessary data are entered

Transposition error

in which two adjacent digits were inadvertently reversed

A user providing illegal copies of software to others through peer-to-peer (P2P) file sharing services is an example of what kind of computer security incident?

inappropriate usage

Transaction log

includes a detailed record of all transactions, including a unique transaction identifier, the date and time of entry, and who entered the transaction

Security is built into the software by

including security concerns and reviews throughout the software development process

health information (HIPAA)

info created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse that relates to the past, present, or future physical or mental health of an individual, the provision of health care to an individual, or past, present, or future payment for the provision of health care to an individual.

________ is data that has been processed and assembled so that it is relevant to an investigation

information

Types of Privacy

information; bodily; spatial; communications

privacy notice GLBA

institution must provide initial and annual privacy notices to customers. notifies customers of their right to opt out if they don't want their information shared with certain third parties - must be processed within 30 days

The fact that individual pieces of data may have more than one possible _______ compounds system complexity.

interpretation

A(n) _________________ is a device designed to provide power to essential equipment for a period of time when normal power is lost.

uninterruptible power supply (UPS)

app attacks -- Session Hijacking

intruder takes control of a legitimate TCP/IP session by spoofing the source address; a spoofed packet is inserted into the victim's communication stream, redirecting the session to the intruder; the valid client is ejected from the session and the intruder takes over. Mitigation includes use of unique ISNs (initial sequence numbers) and web session cookies. Header manipulation: changing values in HTTP headers in order to falsify access.

Turnaround document

is a record of company data sent to an external party and then returned by the external party to the system as input

Parity bits

is an extra digit added to the beginning of every character that can be used to check transmission accuracy

Check digit

is contained in an authorized ID. Ex: the system could assign each new employee a 9-digit number, then calculate a tenth digit from the original number and append that calculated digit to the original 9 to form a 10-digit ID number

Header Record

is located at the beginning of each file and contains the file's name, expiration date, and other identification data

Trailer record

is located at the end of the file and contains the batch totals calculated during input

Back up

is the exact copy of the most current version of a database, file, or software program that can be used in the event that the original is no longer available

Change control

is the formal process used to ensure that modifications to hardware, software, or processes do not reduce systems reliability

Record count

is the number of records in a batch

Exceptions to HIPAA privacy rule

law enforcement, considered necessary for the good of society

In terms of physical security, ___________ refers to protecting important assets by using several perimeters - layered access - multifactor access control - dual authentication - Intrusion detection system

layered access

DNC Safe Harbor

less liability if you have procedures, training, etc. on ensuring compliance with DNC and you accidentally call

app attacks -- cross-site scripting (XSS)

leverages scripts served by a malicious/compromised server or web application to access a site visitor's computer. Stored XSS attack: malicious code is injected into the server/web app itself. Reflected XSS: malicious code is injected into the server/web app by the user (e.g. via email). Can be used to: disclose user session cookies; disclose info on the user's computer; install malware; redirect users to another server/application.

An interesting trend in next-generation digital forensics is ______; which is analysis of machines that may remain in operation as you examine them.

live system forensics

FTC

main regulatory authority for privacy. independent of presidential control.

Real-time mirroring

maintaining two copies of the database at two separate data centers at all times and updating both copies in real time as each transaction occurs

systems software

managing the resources of the computer, such as the CPU, communications links, and output devices. Microsoft OS: Windows XP, Windows 2000, Windows Vista, Windows 7, Windows 8. Apple OS: Cheetah, Puma, Jaguar, Panther, Tiger, Leopard, Snow Leopard, and Lion. UNIX flavors: UNIX, Linux, HP-UX, AIX, Solaris.

Standards

mandatory elements regarding the implementation of a policy. They are accepted specifications providing specific details on how a policy is to be enforced

Recovery point objective

maximum amount of data that the organization is willing to potentially lose

Red Flags Rule

meant to combat identity theft. rules require financial institutions and creditors to develop and implement a written identity theft prevention program.

An organization should have the names and phone numbers of people in the organization who should be notified of an incident. This includes members of the incident response team and those in charge of __________.

media relations

System __________ contain(s) information about processes, network connections, and temporary data used at a particular point in time. Unlike nonvolatile data, ______ data vanishes and leaves behind no trail after the machine is powered off.

memory

A fork is _________, such as a data element. A fork's size is arbitrary. In some cases, a fork may be even larger than the file's data. A data element may have one or more forks.

metadata associated with a file system object

app attacks -- Cookie/Session Poisoning

modifying the contents of a cookie with malicious content to modify the user's session and potentially obtain unauthorized info. Cookies can also be read from the user's hard drive, and any sensitive info contained in them (e.g. usernames, passwords, IDs, etc.) can be compromised. Compromising info in cookies is also called "cookie snooping".

Significant changes in network traffic may indicate a problem. For example, if a worm infects your network, network traffic may increase, resulting in decreased performance. If you catch this before it's serious, you may be able to contain the threat. For this kind of execution to occur, what incident and intrusion response step is recommended?

monitor network traffic

most adequate change control

monitoring and reviewing by top management to ensure the proposed and implemented changes are consistent with the organization's multi-year strategic plan

File labels

need to be checked to ensure that the correct and most current files are being updated

A _______ is a collection of computers and devices joined by connection media.

network

Cross border data transfer

no federal restrictions on data transfers. GLBA and HIPAA both apply to their respective areas.

Exceptions to DNC

non profits; established business relationship, opt in

app attacks -- XML Injection

non-validated input into an XML-based form can allow an attacker to enumerate the backend system. Examples: single tick mark, e.g. username = 'user; double quotation mark, e.g. username = "user; ampersand, e.g. username = &user

Completeness check

on each input record determines whether all required data items have been entered

state breach notification laws

only Alabama and South Dakota have no security breach law. Most are reactive in type and establish requirements for responding to a breach

minimum necessary

only allowing access to minimum necessary for business activities

Port numbers are divided into three ranges. Which of the following is not one of the ranges?

open ports

A great deal of software is now developed using a collaborative _______ model. In this model, no one person assumes responsibility for system integrity or performance.

open source

Software forensics tools can be either __________ or commercial.

open source

A disaster recovery plan (DRP)

outlines the procedures to restore an organization's IT function in the event that its data center is destroyed by a natural disaster or act of terrorism

Prepare and distribute output

outputs include billing and/or shipping documents and a control report

Applications require

patching as well as the OS, and proper enterprise application patch management is important

PCI-DSS

payment card industry's data security standards; voluntary, but has been incorporated into law in several states

desktop applications

performs a specified set of tasks under a user's control (ex.: calculator, paint, word, media player)

Reconciliation procedures

periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms

business associates (HIPAA)

person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity

Spam e-mail messages can also be _______ attempts. _______ scams typically take place via e-mail or instant messaging. They're a form of Internet fraud where attackers attempt to steal valuable personal information from their victims.

phishing

ActiveX

pre-compiled executables implemented by Microsoft to customize client usability; can be embedded in web pages; executes with the permissions of the logged-on user; settings in the client's browser determine if the user is prompted to approve execution; is restricted by whether it is signed; uses Authenticode technology to validate the certificate. **Auto-accepting ActiveX components may cause malicious code to be executed or other system vulnerability exploitation.

If an official public law enforcement officer notifies an Internet service provider (ISP) that a certain user is being investigated, the ISP is obligated by law to __________.

preserve any information it would have normally logged or collected

MA breach laws

preventative style. Prescribes list of technical and physical and administrative security protocols aimed at protecting personal info that affected companies must implement into their security architecture and describe in a comprehensive written information security program.

Concurrent update control

prevents errors by locking out one user until the system has finished processing the transaction entered by the other

Processing integrity

principle of the Trust Services Framework states that a reliable system is one that produces information that is accurate, complete, timely and valid.

HIPAA Administrative Simplification

process implemented to standardize the electronic transmission of health data.

healthcare operations

process of reviewing information in medical records for those patients admitted within specific time frame after discharge

PHI

protected health information -- any individually identifiable health information. identifiable refers not only to data that is explicitly linked to a particular individual, but also includes health information with data elements that could be reasonably expected to allow individual identification

portability

protects and guarantees health insurance coverage when an employee changes jobs

accountability

protects health data integrity, confidentiality, and availability

notice of privacy practices

purpose: to provide consumers with adequate notice of uses or disclosures of PHI -must be written in plain language; must be provided at the time of first service or assessment for eligibility; has to provide privacy officer contact information

The _________ lines list every point an e-mail passed through on its journey, along with the date and time.

received

Guidelines

recommendations relating to a policy

Guidelines

recommendations relating to a policy that are not mandatory steps.

self regulation

refers to businesses and industries. involves trade association or group of firms establishing rules concerning collection, use, and transfer of personal information and procedures for applying rules

__________ was originally called computer forensics because it focused on hard drives and storage devices.

system forensics

Guidance Software is the creator of the EnCase software and sponsors the EnCase Certified Examiner (EnCE) certification program. This certification is open to the public and private sectors, and it focuses on the use and mastery of __________ using EnCase.

system forensics analysis

app attacks -- Zero Day Exploits

target vulnerabilities in an application or OS that the developer does not yet know about. The following do not yet exist for 0-day exploits and the underlying vulnerability: anti-virus signatures; patch/update for the vulnerability; IDS alert strings; mitigation strategy.

National do not call registry

telemarketers required to keep track of the list, updating their internal list monthly. must also keep track of individuals who ask them specifically not to call

TCPA

Telephone Consumer Protection Act 1991. Applies to all autodialed calls and text messages. Prohibits automated systems, artificial callers, and prerecorded messages

Only after collecting volatile and __________ should you begin to collect persistent data.

temporary data

Range check

tests whether a numerical amount falls between predetermined lower and upper limits

Limit check

tests a numerical amount against a fixed value. For example, the regular hours worked can't exceed a certain number of hours

app attacks -- Cookies

text file sent to the web browser from a server and sent back to the server each time it is accessed; used for tracking client history, authentication, and other user info. Allowing cookies may reveal personal info; rejecting cookies may make some websites unusable

Forensic workstations may be connected to an isolated local area network (LAN) or a metropolitan area network (MAN). Forensic workstations should not directly connect to the _______

the Internet

Fault Tolerance

the ability of a system to function if a particular component fails ex: redundant arrays of independent drives

Input validation is

the best method of insuring against buffer overflows and code injection errors

Sometimes, individuals operate seized computers without knowing that they are destroying potential evidence and __________

the chain of custody

If the computer has been left on for several days, _______ contain a tremendous amount of information.

the file slack areas

Recovery time objective

the length of time that the organization is willing to attempt to function without its information systems

authorization

the mechanism for obtaining consent from a patient for the use and disclosure of health information for a purpose that is not treatment, payment, or healthcare operations; required to disclose PHI to a person or agency outside the facility

Data matching

two or more items of data must match before a transaction can take place

Code injection errors can result in

undesired code execution as defined by the end user

AccessData is the creator of Forensic Toolkit (FTK) software. AccessData sponsors the AccessData Certified Examiner (ACE) certification program. ACE certification is open to the public and private sectors. This certification is specific to _________. Requirements for taking the ACE exam include completing the AccessData boot camp and Windows forensic courses.

use and mastery of FTK

Security-related use cases can be

used to test for specific security requirements

Use of collaborative investigation techniques involves its own concerns and considerations. Unrestricted collaboration is feasible only if it is limited to specific individuals. These individuals must be ________ for credentials and capability to protect data and follow proper forensic procedures.

vetted

possible responses to complaint to FTC

warning letter, access letter, civil investigative letter

The _____ is a linear software engineering model with no repeating steps.

waterfall model

what are the 2 types of security in HIPAA

building/physical; computer/electronic

while the requirements phase marks the beginning of the generation of security in code, then the _______ marks the other boundary

testing phase

FCC privacy rule

would have incorporated browsing history and app usage as sensitive information, requiring opt-in consent. Repealed by Trump in April.

A(n) ____ is a vulnerability that has been discovered by hackers, but not by the developers of the software.

zero day
