14-Containment, Eradication, and Recovery
Applies logical methods to sanitize data in all user-addressable storage locations A)Purge B)Clear C)Destroy
Clear
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which of the following activities should be Tamara's first priority? A)Eradication B)Identification of the source of an attack C)Recovery D)Containment
Containment
Which of the following phases of incident response involves active undertakings designed to minimize the damage that an attacker might cause? A)Preparation B)Post-incident activity C)Detection and analysis D)Containment, eradication, and recovery
Containment, eradication, and recovery
Joe works as a cybersecurity analyst. He would like to determine the appropriate disposition of a flash drive that was used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, who is an outside contractor. Which disposition option should Joe use in the given scenario? A)Erase B)Purge C)Destroy D)Clear
Destroy
Renders target data recovery infeasible using state-of-the-art laboratory methods and results in the subsequent inability to use media for storage of data A)Purge B)Clear C)Destroy
Destroy
Which incident response activity focuses on removing any artifacts of an incident that may remain on an organization's network? A)Post-incident Activity B)Eradication C)Containment D)Recovery
Eradication
Which of the following is not typically found in a cybersecurity incident report? A)Chronology of events for an incident and response efforts B)Identification of an attacker performing an attack C)Estimates of the impact of an incident on an organization and its stakeholders D)Documentation of issues identified during the lessons learned review
Identification of an attacker performing an attack
Which of the following activities is not normally conducted during the recovery validation phase? A)Implementing new firewall rules B)Conducting vulnerability scans on all systems C)Verifying that all systems are logging properly D)Verifying the proper restoration of permissions assigned to each account
Implementing new firewall rules
Alice works as a cybersecurity analyst in an organization. While monitoring, she confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk. She therefore puts firewall rules in place that prevent the quarantine VLAN from accessing any other enterprise systems, in order to cut off the attack. Which strategy is Alice pursuing in the given scenario? A)Eradication B)Removal C)Segmentation D)Isolation
Isolation
Connects a quarantine network directly to the Internet and provides no access to other systems A)Isolation B)Segmentation C)Removal
Isolation
Which of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? A)Evidence preservation requirements B)Log records generated by the strategy C)Cost of the strategy D)Effectiveness of the strategy
Log records generated by the strategy
Which of the following data elements would not normally be included in an evidence log? A)Record of handling B)Storage location C)Malware signatures D)Serial number
Malware signatures
Sondra works as a cybersecurity analyst. She determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which of the following strategies would meet Sondra's goal in the given scenario? A)Isolation B)None of these C)Removal D)Segmentation
None of these
Applies physical or logical methods that render target data recovery infeasible using laboratory methods A)Purge B)Clear C)Destroy
Purge
Which of the following activities applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques? A)Clear B)Destroy C)Purge D)Erase
Purge
Eliminates the need to reconfigure everything, since only the standard image needs to be configured A)Sanitization B)Reconstruction/Reimage
Reconstruction/Reimage
Involves reinstalling operating systems, updating systems, and implementing the organization's security settings A)Sanitization B)Reconstruction/Reimage
Reconstruction/Reimage
A user is responding to a security incident and determines that an attacker is using systems on the user's network to attack a third party over the Internet. Which of the following containment approaches will prevent the user's systems from being used by the attacker in the given scenario? A)Removal B)Segmentation C)Detection D)Isolation
Removal
After observing an attacker on the wireless connection of a system, a user decides to detach the Internet connection entirely, leaving the system running but inaccessible from outside the quarantine VLAN. Which strategy is the user pursuing to accomplish his goals in the given scenario? A)Segmentation B)Isolation C)Eradication D)Removal
Removal
Disconnects affected systems completely from other networks A)Isolation B)Segmentation C)Removal
Removal
Which of the following is not a purging activity? A)Block erase B)Cryptographic erase C)Resetting a device to a factory state D)Overwriting
Resetting a device to a factory state
What are the elements included in a post-incident report? A)The root cause of the incident B)The location and description of evidence gathered C)Results of the new security controls D)Chronology of the events for the incident and response efforts E)Estimates of the impact of the incident on an organization F)Remediation of the issues identified G)Results of post-recovery validation efforts H)Documentation of issues identified during the lessons-learned review
Results of post-recovery validation efforts; Estimates of the impact of the incident on an organization; Documentation of issues identified during the lessons-learned review; Chronology of events for the incident and response efforts; The root cause of an incident; The location and description of evidence gathered
Which of the following pieces of information is most critical to conducting a solid incident recovery effort? A)Identification of an attacker B)Time of an attack C)Root cause of an attack D)Attacks on other organizations
Root cause of an attack
Which NIST publication contains guidance on cybersecurity incident handling? A)SP 800-88 B)SP 800-18 C)SP 800-61 D)SP 800-53
SP 800-61
Which of the following tools may be used to isolate attackers so that they may not cause damage to production systems but may still be observed by cybersecurity analysts? A)Data loss prevention B)Intrusion detection system C)Playpen D)Sandbox
Sandbox
Refers to removing all traces of a threat by overwriting a drive multiple times A)Sanitization B)Reconstruction/Reimage
Sanitization
Works well for mechanical hard disk drives but not for solid-state drives, as they cannot be overwritten A)Sanitization B)Reconstruction/Reimage
Sanitization
Which of the following activities does CompTIA classify as part of the recovery validation effort? A)Secure disposal B)Sanitization C)Rebuilding systems D)Scanning
Scanning
Alice works as a cybersecurity analyst in an organization. She is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places the system on a quarantine VLAN with limited access to other networked systems. Which containment strategy is Alice pursuing in the given scenario? A)Isolation B)Segmentation C)Removal D)Eradication
Segmentation
Prevents the spread of future security incidents by splitting a computer network into subnetworks A)Isolation B)Segmentation C)Removal
Segmentation
Which of the following is not a common use of formal incident reports? A)Developing new security controls B)Assisting with legal action C)Training new team members D)Sharing with other organizations
Sharing with other organizations
A media sanitization option that applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple noninvasive data recovery techniques. A)destroy B)clear C)isolation D)removal E)purge
clear
An incident response phase that isolates an incident and prevents it from spreading further. A)recovery B)eradication C)degaussing D)containment E)sanitization
containment
A form of purging that uses extremely strong magnetic fields to disrupt stored data on a device. A)recovery B)eradication C)degaussing D)containment E)sanitization
degaussing
A media sanitization option that renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data. A)destroy B)clear C)isolation D)removal E)purge
destroy
An incident response phase that removes any of the artifacts of an incident that may remain in an organization's network. A)recovery B)eradication C)degaussing D)containment E)sanitization
eradication
A containment technique that connects a quarantine network directly to the Internet and provides no access to other systems. A)destroy B)clear C)isolation D)removal E)purge
isolation
A media sanitization option that applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. A)destroy B)clear C)isolation D)removal E)purge
purge
An incident response phase that focuses on restoring normal operations and correcting security control deficiencies that may have led to an attack. A)recovery B)eradication C)degaussing D)containment E)sanitization
recovery
A containment technique that disconnects affected systems completely from other networks. A)destroy B)clear C)isolation D)removal E)purge
removal
A thorough process of completely removing data from a storage medium so that data cannot be recovered. A)recovery B)eradication C)degaussing D)containment E)sanitization
sanitization