uCertify Chapter 14
Which of the following is not a commonly recommended best practice of the incident analysis process based on NIST's guidelines?
Maintain backups of every system and device.
Matt's incident response team has collected log information and is working on identifying attackers using that information. Which two stages of the NIST incident response process is his team working on in the given scenario? Each correct answer represents a complete solution. Choose two.
Detection and analysis; Containment, eradication, and recovery
Which of the following is not typically found in a cybersecurity incident report?
Identification of an attacker performing an attack
What strategy does the National Institute of Standards and Technology (NIST) suggest about identifying attackers during an incident response process?
Identifying attackers is not an important part of the incident response process
Which of the following activities is not normally conducted during the recovery validation phase?
Implementing new firewall rules
Your organization has merged with another organization in its legal jurisdiction and wants to improve its network security posture in ways that do not require additional resources to implement data isolation. Which of the following would be the best solution for improving the organization's network security?
Implementing network segmentation
Alice works as a cybersecurity analyst in an organization. While monitoring, she confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk, so she prevents the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems, cutting off the attack. Which strategy is Alice pursuing in the given scenario?
Isolation
Which of the following is not a common use of formal incident reports?
Sharing with other organizations
Mark works as an incident team lead at XYZ Inc. Following the successful response to a data-leakage incident, he facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following has he facilitated in the given scenario?
Lessons learned report
Mark, a security analyst, wants to analyze an incident and determine actions that were taken during the analysis and steps needed to prevent a future occurrence. Which of the following will he use in the given scenario?
Lessons learned report
Which of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
Log records generated by the strategy
Which of the following data elements would not normally be included in an evidence log?
Malware signatures
You've been asked to implement a policy that defines how retired hard drives are sanitized securely. Which of the following would be the least acceptable?
Format hard drives.
Sondra works as a cybersecurity analyst. She determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which of the following strategies would meet Sondra's goal in the given scenario?
None of these
Allen needs to evaluate, test, and deploy software updates. Which of the following management techniques will he use?
Patch
Joe works as a cybersecurity analyst. He would like to determine the appropriate disposition of a flash drive that was used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, who is an outside contractor. Which disposition option should Joe use in the given scenario?
Destroy
Which incident response activity focuses on removing any artifacts of an incident that may remain on an organization's network?
Eradication
A user is responding to a security incident and determines that an attacker is using the Internet connection of systems on the user's network to attack a third party. Which of the following containment approaches will prevent the user's systems from being used by the attacker in the given scenario?
Removal
Which of the following is not a purging activity?
Resetting a device to a factory state
Which of the following actions is not a common activity during the recovery phase of an incident response process?
Reviewing accounts and adding new privileges
After observing an attacker on the wireless connection of a system, a user decides to detach the Internet connection entirely, leaving the system running but inaccessible from outside the quarantine VLAN. Which strategy is the user pursuing to accomplish his goals in the given scenario?
Removal
Jamie works as a security worker in an organization. After a major compromise in the organization, he needs to conduct a forensic examination of the compromised systems. Which containment method should Jamie use to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization's other production systems?
Removal
Which of the following activities applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques?
Purge
Which NIST publication contains guidance on cybersecurity incident handling?
SP 800-61
Which of the following tools may be used to isolate attackers so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
Sandbox
Which of the following is an act of permanently removing all the data from a storage device?
Sanitization
Which of the following activities does CompTIA classify as part of the recovery validation effort?
Scanning
Alice works as a cybersecurity analyst in an organization. She is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places the system on a quarantine VLAN with limited access to other networked systems. Which containment strategy is Alice pursuing in the given scenario?
Segmentation
As part of her post-incident recovery process, Alicia created a separate virtual network, as shown in the figure, to contain compromised systems she needs to investigate. Which containment technique is Alicia using in the given scenario?
Segmentation
As part of his incident response program, Allan is designing a playbook for zero-day threats. Which of the following should be in his plan to handle these threats? Each correct answer represents a complete solution. Choose all that apply.
Segmentation; Using threat intelligence; Whitelisting
Lisa is following the CompTIA process for validation after a compromise. Which of the following activities should be included in the validation phase?
Setting permissions
Which of the following pieces of information is most critical to conduct a solid incident recovery effort?
Root cause of an attack
Which of the following properly lists media sanitization activities from least to most effective?
Clear > purge > destroy
During an incident response process, Susan heads to a compromised system and pulls its network cable. Which phase of the incident response process is Susan performing?
Containment, eradication, and recovery
Which of the following phases of incident response involves active undertakings designed to minimize the damage that an attacker might cause?
Containment, eradication, and recovery
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which of the following activities should be Tamara's first priority?
Containment
Bob's manager has asked him to ensure that a compromised system has been purged of the compromise. What is Bob's best course of action to ensure this?
Wipe and rebuild the compromised system.
A vulnerability is discovered in an application. Before a patch is available, this vulnerability is used to gain access to sensitive data. What type of vulnerability is being described in the given scenario?
Zero-day