TestOut Security Pro Chapter 12 - 14


Which SOC type reports focus on predetermined controls that are audited and a detailed report that attests to a company's compliance?

II

Your network performs a full backup every night. Each Sunday, the previous night's backup tape is archived. On a Wednesday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?

1


Which ISO publication lays out guidelines for selecting and implementing security controls?

27002

You have conducted a risk analysis to protect a key company asset. You identify the following values: Asset value = 400; Exposure factor = 75; Annualized rate of occurrence = .25. What is the annualized loss expectancy (ALE)?

75

Which of the following are control categories? (Select three.)

Managerial, Operational, Technical

Which of the following BEST describes phishing?

A fraudulent email that claims to be from a trusted organization.

You have been receiving a lot of phishing emails sent from the domain kenyan.msn.pl. Links within these emails open new browser windows at youneedit.com.pl. You want to make sure that these emails never reach your inbox, but you also want to make sure that emails from other senders are not affected. What should you do?

Add kenyan.msn.pl to the email blacklist.

Which of the following is an example of a preventative control type?

An advanced network appliance

What is the average number of times that a specific risk is likely to be realized in a single year?

Annualized rate of occurrence

How often should change-control management be implemented?

Any time a production system is altered.

Which of the following is a collection of recorded data that may include details about logons, object access, and other activities deemed important by your security policy and is often used to detect unwanted and unauthorized user activity?

Audit trail

A recreation of historical events is made possible through which of the following?

Audit trails

Which of the following terms identifies the process of reviewing log files for suspicious activity and threshold compliance?

Auditing

Which of the following is an important aspect of evidence-gathering?

Back up all log files and audit trails.

A file server with data is considered which of the following asset types?

Both tangible and intangible

Which of the following laws was designed to protect a child's information on the internet?

COPPA

Which of the following frameworks introduced the first cloud-centric individual certification?

CSA

You have been asked to draft a document related to evidence-gathering that contains details about personnel in possession and control of evidence from the time of discovery up through the time of presentation in court. Which type of document is this?

Chain of custody

14.1.6 Enable Device Logs

You are the IT security administrator for a small corporate network. You need to enable logging on the switch in the networking closet. In this lab, your task is to:
- Enable logging and the Syslog Aggregator.
- Configure RAM Memory Logging as follows: Emergency, Alert, and Critical: Enable; Error, Warning, Notice, Informational, and Debug: Disable.
- Configure Flash Memory Logging as follows: Emergency and Alert: Enable; Critical, Error, Warning, Notice, Informational, and Debug: Disable.
- Copy the running configuration file to the startup configuration file using the following settings: Source File Name: Running configuration; Destination File Name: Startup configuration.

Complete this lab as follows:
1. Access the Log Settings for the switch.
   a. From the left menu, expand Administration > System Log.
   b. Select Log Settings.
2. Enable Logging and Syslog Aggregator.
   a. For Logging, mark Enable.
   b. For Syslog Aggregator, mark Enable.
3. Configure RAM and Flash memory logging.
   a. Under RAM Memory Logging, mark Emergency, Alert, and Critical; clear Error, Warning, Notice, Informational, and Debug.
   b. Under Flash Memory Logging, mark Emergency and Alert; clear Critical, Error, Warning, Notice, Informational, and Debug.
   c. Select Apply.
4. Save the running configuration to the startup configuration.
   a. From the top menu bar, select Save.
   b. Under Copy/Save Configuration, select Apply.
   c. Select OK.
   d. Select Done.

13.3.7 Secure Email on iPad

You work as the IT security administrator for a small corporate network. The receptionist, Maggie Brown, uses an iPad to manage employee schedules and messages. You need to help her secure her email and browser on her iPad. In this lab, your task is to complete the following:
- Configure Maggie's email account to use SSL for incoming mail.
- Secure the internet browser as follows: turn off AutoFill; turn on Block Pop-ups; block all cookies; turn on Fraudulent Website Warning; turn off JavaScript.

Complete this lab as follows:
1. Configure email for SSL.
   a. Select Settings.
   b. Scroll down and select Accounts & Passwords.
   c. From the right pane, select Gmail.
   d. Select Account [email protected].
   e. Select Advanced.
   f. Under Incoming Settings, set Use SSL to ON.
   g. From the top, select Account to return to the Account menu.
   h. Select Done.
2. Turn off AutoFill.
   a. From the Settings menu, select Safari.
   b. From the right pane, select AutoFill.
   c. Set Use Contact Info to OFF.
   d. Set Names and Passwords to OFF.
   e. From the top, select Safari to return to the Safari menu.
3. Block all pop-ups and cookies.
   a. From the right pane, set Block Pop-ups to ON.
   b. Set Block All Cookies to ON.
4. Turn on the Fraudulent Website Warning and turn off JavaScript.
   a. From the right pane, set Fraudulent Website Warning to ON.
   b. Select Advanced.
   c. Set JavaScript to OFF.

13.3.5 Configure Email Filters

You are the IT security administrator for a small corporate network. You helped your boss remove a lot of junk email, and now he would like you to only allow emails and attachments from senders on his safe sender list. In this lab, your task is to configure email filtering as follows:
- Only allow emails from the safe senders list.
- Report junk email messages to your email provider.
- Only allow attachments from the safe senders list.

Complete this lab as follows:
1. In the upper right corner of the WebEmail interface, select Options > More Options.
2. Under Preventing junk email, select Filters and reporting.
3. Under Choose a junk email filter, select Exclusive.
4. Under Report junk messages, select Report junk.
5. Under Block content from unknown senders, select Block attachments, pictures, and links for anyone not in my safe senders list.
6. Select Save.

You are configuring a source-initiated subscription on the collector computer in Event Viewer. Which of the following do you need to specify?

Computer group

You have detected and identified a security event. What's the first step you should complete?

Containment

You suspect cache poisoning or spoofing has occurred on your network. Users are complaining of strange web results and being redirected to undesirable sites. Which log would help you determine what is going on?

DNS logs

When you dispose of a computer or sell used hardware, it is crucial that none of the data on the hard disks can be recovered. Which of the following actions can you take to ensure that no data is recoverable?

Damage the hard disks so badly that all data remanence is gone.

You have a computer with three hard disks. A RAID 0 volume uses space on Disk 1 and Disk 2. A RAID 1 volume uses space on Disk 2 and Disk 3. Disk 2 fails. Which of the following is true?

Data on the RAID 1 volume is accessible; data on the RAID 0 volume is not.

Which of the following is the LEAST reliable means of cleaning or purging media?

Degaussing

In a high-security environment, which of the following is the most important concern when removable media is no longer needed?

Destruction

Which type of control is used to discourage malicious actors from attempting to breach a network?

Deterrent

When you inform an employee that he or she is being terminated, which of the following is the most important activity?

Disable his or her network access

During a recent site survey, you found a rogue wireless access point on your network. Which of the following actions should you take first to protect your network while still preserving evidence?

Disconnect the access point from the network.

You suspect a bad video driver is causing a user's system to randomly crash and reboot. Where would you go to identify and confirm your suspicions?

Dump files

14.1.4 Configure Advanced Audit Policy You work as the IT security administrator for a small corporate network. As part of an ongoing program to improve security, you want to implement an audit policy for all workstations. You plan to audit user logon attempts and other critical events. In this lab, your task is to configure the following audit policy settings in WorkstationGPO:

Edit Audit Policies as follows:
1. Using Group Policy Management, access CorpNet.local's Group Policy Objects > WorkstationGPO.
   a. From Server Manager's menu bar, select Tools > Group Policy Management.
   b. Expand Forest: CorpNet.local > Domains > CorpNet.local > Group Policy Objects.
   c. Maximize the windows for better viewing.
2. Access the WorkstationGPO's Security Settings Local Policies.
   a. Right-click WorkstationGPO and select Edit.
   b. Maximize the windows for better viewing.
   c. Under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies.
3. Modify Local Policies.
   a. Select Security Options.
   b. From the right pane, double-click the policy you want to edit.
   c. Select Define this policy setting.
   d. Select the policy settings as required.
   e. Select OK.
   f. Select Yes to confirm changes as necessary.
   g. Repeat steps 3b - 3f for additional policy settings.
4. Modify the Event Log.
   a. From the left pane, select Event Log.
   b. From the right pane, double-click the policy you want to edit.
   c. Select Define this policy setting.
   d. Select the policy settings as required.
   e. Select OK.
5. Modify Advanced Audit Policy Configuration.
   a. From the left pane, expand Advanced Audit Policy Configuration > Audit Policies.
   b. Select the audit policy category.
   c. From the right pane, double-click the policy you want to edit.
   d. Select Configure the following audit events.
   e. Select the policy settings as required.
   f. Select OK.
   g. Repeat steps 5b - 5f for additional policy settings.

Your company is preparing to enter into a partner relationship with another organization. It will be necessary for the information systems used by each organization to connect and integrate with each other. Which of the following is of primary importance as you take steps to enter into this partner relationship?

Ensure that the integration process maintains the security of each organization's network

You would like to get a feel for the amount of bandwidth you are using in your network. What is the first thing you should do?

Establish a baseline.

Change control should be used to oversee and manage changes over which aspect of an organization?

Every aspect

Which type of audit is performed by either a consultant or an auditing firm employee?

External audit

You want to allow RDP 3389 traffic into your network for a group of users to access a particular workstation that has a special application in your office. Which endpoint security tool would you use to make this happen?

Firewall rules

By default, events received from the source computers in Event Subscription are saved in which log?

Forwarded Events log

Which backup strategy backs up all files from a computer's file system, regardless of whether the file's archive bit is set or not, and then marks them as backed up?

Full

Which of the following government acts protects medical records and personal health information?

HIPAA

Your organization has discovered that an overseas company has reverse-engineered and copied your main product and is now selling a counterfeit version. Which of the following BEST describes the type of consequence your organization has suffered?

IP theft

Which of the following standards relates to the use of credit cards?

PCI DSS

Which of the following BEST describes an email security gateway?

It monitors emails that originate from an organization.

When should a hardware device be replaced in order to minimize downtime?

Just before its MTBF is reached

What is the primary goal of business continuity planning?

Maintain business operations with reduced or restricted infrastructure capabilities or resources

Which type of control makes use of policies, DRPs, and BCPs?

Managerial

Users in your organization receive email messages informing them that suspicious activity has been detected on their bank accounts. They are directed to click a link in the email to verify their online banking username and password. The URL in the link is in the .ru top-level DNS domain. Which kind of attack has occurred?

Phishing

Which of the following security frameworks is used by the federal government and all its departments, including the Department of Defense?

NIST

A broken water pipe that floods the reception area would be considered which type of threat?

Natural

Which of the following would you do to help protect against phishing?

Only open emails if you recognize the sender.

You install a new Linux distribution on a server in your network. The distribution includes a Simple Mail Transfer Protocol (SMTP) daemon that is enabled by default when the system boots. The SMTP daemon does not require authentication to send email messages. Which type of email attack is this server susceptible to?

Open SMTP relay

Which of the following BEST describes compensating controls?

Partial control solution that is implemented when a control cannot fully meet a requirement.

Your disaster recovery plan calls for backup media to be stored at a different location. The location is a safe deposit box at the local bank. Because of this, the disaster recovery plan specifies that you choose a method that uses the least amount of backup media, but also allows you to quickly back up and restore files. Which backup strategy would BEST meet the disaster recovery plan?

Perform a full backup once per week and a differential backup the other days of the week.

If you lose your wallet or purse and it ends up in the wrong hands, several pieces of information could be used to do personal harm to you. These pieces of information include the following: name and address, driver license number, credit card numbers, and date of birth. Which of the following classifications does this information fall into?

Personally identifiable information (PII)

A system failure has occurred. Which of the following restoration processes would result in the fastest restoration of all data to its most current state?

Restore the full backup and the last differential backup

Which component of an IT security audit evaluates defense in depth and IT-related fraud?

Risk evaluation

You would like to enhance your incident-response process and automate as much of it as possible. Which of the following elements would you need to include? (Select two.)

Playbooks Runbooks

To prevent server downtime, which of the following components should be installed redundantly in a server system?

Power supply

Which of the following is the primary purpose of change control?

Prevent unmanaged change

HIPAA is a set of federal regulations that define security guidelines. What do HIPAA guidelines protect?

Privacy

What does the hashing of log files provide?

Proof that the files have not been altered

Which type of report is used for marketing and letting future partners know that compliance has been met?

SOC Type III

Which of the following is a government audit by the SEC that relates to internal controls and focuses on IT security, access controls, data backup, change management, and physical security?

SOX

Which of the following data destruction techniques uses a punch press or hammer system to crush a hard disk?

Pulverizing

When analyzing assets, which analysis method assigns financial values to assets?

Quantitative

Which of the following terms describes the actual time required to successfully recover operations in the event of an incident?

Recovery time objective (RTO)

Your organization has suffered a data breach, and it was made public. As a result, stock prices have fallen, as consumers no longer trust the organization. Which of the following BEST describes the type of consequence your organization has suffered due to the breach?

Reputation damage

Your company has developed and implemented countermeasures for the greatest risks to their assets. However, there is still some risk left. What is the remaining risk called?

Residual risk

You want to set up a collector-initiated environment for event subscriptions. Which commands would you run? (Select two.)

Run wecutil qc on the collector computer. Run winrm qc -q on the source computer.

For some reason, your source computers are not communicating properly with the collector. Which tool would you use to verify communications?

Runtime Status

Which of the following mechanisms can you use to add encryption to email? (Select two.)

S/MIME PGP

You need to limit the impact of a security breach for a particular file server with sensitive company data. Which strategy would you employ?

Segmentation

An attacker sends an unwanted and unsolicited email message to multiple recipients with an attachment that contains malware. Which kind of attack has occurred in this scenario?

Spam

If an SMTP server is not properly and securely configured, it can be hijacked and used maliciously as an SMTP relay agent. Which activity could result if this happens?

Spamming

Which type of malicious activity can be described as numerous unwanted and unsolicited email messages sent to a wide range of victims?

Spamming

Which of the following are required to configure Event Subscription for event forwarding? (Select three.)

Start Windows Event Collector service on collector computer. Start Windows Remote Management service on both the source and collector computers. Create a Windows firewall exception for HTTP or HTTPS on all source computers.

Which of the following is a standard for sending log messages to a central logging server?

Syslog

Which of the following is true concerning internal audits?

They are generally nonobjective.

The government and military use the following information classification system: Unclassified, Sensitive But Unclassified, Confidential, Secret, Top Secret. Drag each classification on the left to the appropriate description on the right.

Confidential - The lowest level of classified information used by the military. Release of this information could cause damage to military efforts.
Top Secret - If this information is released, it poses grave consequences to national security.
Unclassified - This information can be accessed by the public and poses no security threat.
Sensitive But Unclassified - If this information is disclosed, it could cause some harm, but not a national disaster.
Secret - If this information is disclosed, it could cause severe and permanent damage to military actions.

Which of the following best defines single loss expectancy (SLE)?

The total monetary loss associated with a single occurrence of a threat.

Which of the following types of auditing verifies that systems are utilized appropriately and in accordance with written organizational policies?

Usage audit

Which of the following describes privilege auditing?

Users' and groups' rights and privileges are checked to guard against creeping privileges.

A forensic investigator gathers potential evidence from many software, hardware, and other sources. There is an order in which the evidence needs to be gathered. The order of volatility describes the process of capturing data based on the volatility of said data. Place the following items in the correct order of volatility in the gathering of potential evidence.

1. Random Access Memory (RAM)
2. Swap/page file
3. Hard drive
4. Remote logs
5. Archived data


Your network uses the following backup strategy: full backups every Sunday night; differential backups Monday night through Saturday night. On Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?

2

You have been asked to implement a RAID 5 solution for your network. What is the minimum number of hard disks that can be used to configure RAID 5?

3

Your network uses the following backup strategy: full backups every Sunday night; incremental backups Monday night through Saturday night. On a Thursday morning, the storage system fails. How many restore operations would you need to perform to recover all of the data?

4

What is a service level agreement (SLA)?

A guarantee of a specific level of service.

Which of the following describes a system image backup? (Select two.)

A system image contains everything on the system volume, including the operating system, installed programs, drivers, and user data files. A system image backup consists of an entire volume backed up to .vhd files.

Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range?

Alerts

Some users report that frequent system crashes have started happening on their workstations. Upon further investigation, you notice that these users all have the same application installed that has been recently updated. Where would you go to conduct a root cause analysis?

Application log

After an intrusion has occurred and the intruder has been removed from the system, which of the following is the best step or action to take next?

Back up all logs and audits regarding the incident.

Which of the following is true of an incremental backup's process?

Backs up all files with the archive bit set and resets the archive bit.

You are in charge of making sure the IT systems of your company survive in case of any type of disaster in any of your locations. Your document should include organizational charts, phone lists, and order of restore. Each business unit should write their own policies and procedures with guidelines from corporate management. Which of the following documents should you create for this purpose?

Business continuity plan

What is the most important element related to evidence in addition to the evidence itself?

Chain of custody document

Which of the following network strategies connects multiple servers together so that if one server fails, the others immediately take over its tasks, preventing a disruption in service?

Clustering

Which of the following is a recovery site that may have electricity connected, but there are no servers installed and no high-speed data lines present?

Cold site

12.8.10 Backup a Domain Controller

You are the IT administrator for a small corporate network. You need to back up the system state of your domain controllers so that, in the event of a disaster, Active Directory is backed up. You want to configure regular backups on CorpDC4. In this lab, your task is to perform the following using Windows Server Backup on CorpDC4:
- Create a regular backup schedule for the CorpDC4 server using the following settings: Backup items: System State; Backup schedule: once per day at 1:00 a.m.; Backup location: \\CorpFiles\Backup.
- Take an immediate backup using the following settings: Backup items: System State and C: drive; Backup location: \\CorpFiles\Backup.

Complete this lab as follows:
1. Access Windows Server Backup on the CorpDC4 server.
   a. From Hyper-V Manager, select CORPSERVER2.
   b. From the Virtual Machines pane, double-click CorpDC4.
   c. From the Server Manager menu bar, select Tools > Windows Server Backup.
   d. Maximize the window for easier viewing.
2. Create a backup schedule.
   a. From the left pane, select Local Backup.
   b. From the far right pane, under Actions, select Backup Schedule.
   c. Select Next in the wizard.
   d. From the Select Backup Configuration window, select Custom; then select Next.
   e. Select Add items.
   f. Select System state; then select OK.
   g. Select Next.
   h. Make sure Once a day is selected.
   i. Using the Select time of day drop-down list, select 1:00 AM; then select Next.
   j. Select Back up to a shared network folder; then select Next.
   k. Read the warning message; then select OK.
   l. In the Location field, enter \\CorpFiles\Backup; then select Next.
   m. Select Finish.
   n. Select Close.
3. Perform an immediate backup.
   a. From the far right pane, under Actions, select Backup Once.
   b. From the Backup Options window, select Different options; then select Next.
   c. From the Select Backup Configuration window, select Custom; then select Next.
   d. Select Add items.
   e. Select System state.
   f. Select Local Disk (C:).
   g. Select OK.
   h. Select Next.
   i. Select Remote shared folder; then select Next.
   j. In the Location field, enter \\CorpFiles\Backup; then select Next.
   k. Select Backup to start the backup.
   l. When the backup is complete, select Close.

12.8.6 Back Up Files with File History

You have recently installed a new Windows 10 computer. To protect valuable data, you need to implement file history backups on this computer. In this lab, your task is to configure automatic backups for the Exec computer as follows:
- Save the backup to the Backup (E:) volume.
- Back up files daily.
- Keep backup files for six months.
- Back up the entire Data (D:) volume.
- Make a backup now.

Complete this lab as follows:
1. Access the File History Backup options.
   a. Right-click Start and then select Settings.
   b. Select Update & Security.
   c. From the left pane, select Backup.
2. Configure and run a file history backup plan.
   a. From the right pane, select Add a drive.
   b. Select Backup (E:).
   c. Under Automatically back up my files, slide the switch to On.
   d. Select More options.
   e. Under Back up my files, use the drop-down menu to select Daily.
   f. Under Keep my backups, use the drop-down menu to select 6 months.
   g. Under Back up these folders, select Add a folder.
   h. Double-click the Data (D:) volume and then select Choose this folder.
   i. Select Back up now.
   j. Wait for the backup to complete.

12.8.8 Recover a File from File History

Susan produces your organization's monthly magazine. While working on an upcoming issue, Susan accidentally deleted significant portions of the layout image. She also made extensive changes to the cover artwork, but has now been asked to discard the changes and use the original artwork. Susan has asked you to help her recover older versions of her files in the Pictures library so she can still meet her publishing deadline. In this lab, your task is to complete the following:
- Using the Settings app, access the program needed to restore files from a current backup.
- From the File History dialog, restore the following files (file - version to restore):
  Pictures\Layouts\June2020_Issue.jpg - Wednesday, March 16, 2020 11:15 AM
  Pictures\Images\coverart.jpg - Wednesday, March 16, 2020 12:15 PM

Complete this lab as follows:
1. Access the File History options using the Settings app.
   a. Right-click Start and then select Settings.
   b. Select Update & Security.
   c. From the left pane, select Backup.
   d. Make sure Automatically back up my files is set to On.
   e. Select More options.
   f. Scroll to the bottom of the Backup options dialog and select Restore files from a current backup.
   g. Maximize the window for better viewing.
2. Restore the June2020_Issue.jpg file.
   a. From the bottom of the File History dialog, select the Previous version button (left arrow) to navigate to the backups captured on Monday, March 16, 2020 11:15 AM.
   b. Double-click Pictures.
   c. Double-click Layouts.
   d. Select the June2020_Issue.jpg file.
   e. Select the green Restore to original location arrow located at the bottom center.
   f. Select Replace the file in the destination. The Layouts folder where the file was restored is opened.
   g. From the Layouts folder, right-click the June2020_Issue.jpg file and then select Properties.
   h. Verify that the file is 115.44 MB in size and was last modified on March 16, 2020 at 11:15:12 AM.
   i. Select OK.
   j. Close the Layouts window.
3. Restore the coverart.jpg file.
   a. In the top left of the File History dialog, select the up arrow to navigate to the Home\Pictures folder.
   b. Select the Previous version button at the bottom to navigate to the backups captured on Monday, March 16, 2020 12:15 PM.
   c. Double-click Images.
   d. Select the coverart.jpg file.
   e. Select the green Restore to original location arrow located at the bottom center.
   f. Select Replace the file in the destination.
   g. Right-click the coverart.jpg file and select Properties.
   h. Verify that the file is 1.09 MB in size and was last modified on March 16, 2020 at 12:15:12 PM.
   i. Select OK.

Your organization entered into an interoperability agreement (IA) with another organization a year ago. As a part of this agreement, a federated trust was established between your domain and the partner domain. The partnership has been in the ongoing operations phase for almost nine months now. As a security administrator, which tasks should you complete during this phase? (Select two.)

Conduct periodic vulnerability assessments Verify compliance with the IA documents

You would like to make sure users are not accessing inappropriate content online at work. Which endpoint security strategy would you employ?

Content filtering

How can a criminal investigator ensure the integrity of a removable media device found while collecting evidence?

Create a checksum using a hashing algorithm

You want to store your computer-generated audit logs in case they are needed in the future for examination or to be used as evidence in the event of a security incident. Which method can you use to ensure that the logs you put in storage have not been altered when you use them in the future?

Create a hash of each log.

Which of the following BEST describes a constant?

Data or a value that does not change.

Which two types of service accounts must you use to set up event subscriptions?

Default machine account Specific user service account

You set up Event Subscription, but you are getting an overwhelming amount of events recorded. What should you do?

Define a filter

As a security analyst, you have discovered that the victims of a malicious attack have several things in common. Which tools would you use to help you identify who might be behind the attacks and prevent potential future victims?

Diamond Model of Intrusion Analysis; MITRE ATT&CK

When you conduct a forensic investigation, which of the following initial actions is appropriate for preserving evidence?

Document what is on the screen.

You are conducting a forensic investigation. The attack has been stopped. Which of the following actions should you perform first?

Document what is on the screen.

You wish to configure collector-initiated event subscriptions. On the collector computer, in which program do you configure a subscription?

Event Viewer

For source-initiated subscriptions, which tool do you use to configure event forwarding?

Group Policy

Which method can you use to verify that a bit-level image copy of a hard drive is an exact clone of the original hard drive collected as evidence?

Hashing

You have been asked to deploy a network solution that includes an alternate location where operational recovery is provided within minutes of a disaster. Which of the following strategies would you choose?

Hot site

A conditional statement that selects the statements to run depending on whether an expression is true or false is known as which of the following?

If else statement

You need to limit a compromised application from causing harm to other assets in your network. Which strategy should you employ?

Isolation

Your company is about to begin litigation, and you need to gather information. You need to get emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information?

Legal hold

The chain of custody is used for which purpose?

Listing people coming into contact with evidence

Match each network sniffing method with the correct definition.

MAC spoofing - Allows an attacker's computer to connect to a switch using an authorized MAC address.
MAC flooding - The process of intentionally overwhelming the CAM table with Ethernet frames, each originating from a different MAC address.
ARP poisoning - The MAC address of the attacker can be associated with the IP address of another host.
Port mirroring - Creates a duplicate of all network traffic on a port and sends it to another device.

As a security analyst, you are configuring your environment to be able to properly gather digital forensic information. Which of the following must be set up to help create a timeline of events?

Make sure all client computers have their time set accurately by a time server.

12.7.6 Configure Fault-Tolerant Volumes

You are the IT administrator for a small corporate network. You have installed the Windows Server 2019 operating system on a server named CorpServer2. During this installation, you created a single partition that took up the entire first disk. You would like to add fault tolerance to the system volume and create an additional fault-tolerant volume for storing data. Four additional, uninitialized hard disks have been installed in the server for this purpose. In this lab, your task is to complete the following:

To add fault tolerance for the System (C:) volume, create a mirrored volume using Disk 1.
Create a new volume that provides both fault tolerance and improved performance using the following settings:
Disks: Disk 2, Disk 3, and Disk 4
Volume size: 2048000 MB (2 TB)
Drive letter: R
Format: NTFS
Volume label: Data

Mirror an existing volume as follows:
Right-click Start and select Disk Management.
Click OK to initialize new disks.
Maximize the Disk Management window to better view the volumes.
Right-click the System (C:) volume and select Add Mirror.
Select Disk 1 that will be used for the mirrored copy.
Select Add Mirror.
Click Yes to convert the basic disk to a dynamic disk.

Create a RAID 5 volume as follows:
In Disk Management, right-click a disk with free space and select New RAID-5 Volume.
Click Next.
Select Disk 2, Disk 3, and Disk 4 to be part of the new volume; then select Add.
Click Next.
From the drive letter drop-down dialog, select R; then click Next.
Make sure that NTFS is selected as the file system.
In the Volume label field, enter Data.
Click Next.
Click Finish to create the volume.
Click Yes to convert the basic disk to a dynamic disk.

As a security analyst, you suspect a threat actor used a certain tactic and technique to infiltrate your network. Which incident-response framework or approach would you utilize to see if other companies have had the same occurrence and what they did to remedy it?

MITRE ATT&CK

You need to remotely wipe an Android phone for one of your rogue users. Which endpoint tool would you use?

Mobile device management (MDM)

Which of the following are backed up during an incremental backup?

Only files that have changed since the last full or incremental backup.

Which of the following BEST describes PuTTY?

Open-source software that is developed and supported by a group of volunteers.

!= or <> refers to Not Equal in which scripting language?

Python

Which of the following disk configurations might sustain losing two disks? (Select two.)

> RAID 1+0 > RAID 0+1

Which of the following drive configurations is fault tolerant?

RAID 5

What is the primary security feature that can be designed into a network's infrastructure to protect and support availability?

Redundancy

As a security analyst, you are looking for a platform to compile all your security data generated by different endpoints. Which tool would you use?

SOAR

Which of the following is defined as a contract that prescribes the technical support or business parameters a provider bestows to its client?

Service level agreement

You have a large number of source computers in your IT environment. Which subscription type would be most efficient to employ?

Source-initiated

Match each interoperability agreement document on the left with the appropriate description on the right. Each document may be used once, more than once, or not at all.

Specifies exactly which services are to be performed by each party - SLA
Creates an agreement with a vendor to provide services on an ongoing basis - BPO
Summarizes which party is responsible for performing specific tasks - MOU
Documents how data is to be shared - ISA
Defines how disputes are managed - SLA
Specifies a preset discounted pricing structure - BPO

Over the past few days, a server has gone offline and rebooted automatically several times. You would like to see a record of when each of these restarts has occurred. Which log type should you check?

System

You would like to simulate an attack on your network so you can test defense equipment and discover vulnerabilities in order to mitigate risk. Which tool would you use to simulate all the packets of an attack?

TCPReplay

What is the purpose of audit trails?

To detect security-violating events.

Why should backup media be stored offsite?

To prevent the same disaster from affecting both the network and the backup media

You are concerned that an attacker can gain access to your web server, make modifications to the system, and alter the log files to hide his or her actions. Which of the following actions would best protect the log files?

Use syslog to send log entries to another server.

What is the best definition of a security incident?

Violation of a security policy

Daily backups are completed at the ABD company location, and only a weekly backup is maintained at another network location. Which of the following disaster recovery strategies is ABD using?

Warm site

Which log file type is one of the most tedious to parse but can tell you exactly when users log onto your site and what their location is?

Web server logs

An application endpoint-protection rule implicitly denies everything that has not been added to the rule. Which of the following processes describes this?

Whitelisting

You are worried about email spoofing. What can be put throughout an email's header that provides the originating email account or IP address and not a spoofed one?

X-headers

For some reason, when you capture packets as part of your monitoring, you aren't seeing much traffic. What could be the reason?

You forgot to turn on promiscuous mode for the network interface.

Your browser has blocked you from your crucial secure intranet sites. What could be the problem?

Your SSL certificate status has been revoked.

You need to find the text string New Haven in 100 documents in a folder structure on a Linux server. Which command would you use?

grep

You would like to add some entries into the system log file. Which command would you use?

logger

You would like to see only the last 15 lines of /home/user/logfile on your Linux machine. Which command line interface (CLI) command would you use?

tail -n 15 /home/user/logfile
