CySA+ Chapter 8
Tamara is a cyber analyst for a private business that is suffering from a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? A. Identifying the source of the attack B. Eradication C. Containment D. Recovery
Containment
Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause? A. Containment, Eradication, and Recovery B. Preparation C. Post-Incident Activity D. Detection and Analysis
Containment, Eradication, and Recovery
Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? A. Destroy B. Clear C. Erase D. Purge
Destroy
What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network? A. Containment B. Recovery C. Post-Incident Activities D. Eradication
Eradication
Which one of the following is not typically found in a cybersecurity incident report? A. Chronology of events B. Identity of the attackers C. Estimates of the impact D. Documentation of lessons learned
Identity of the attackers
Which one of the following activities is not normally conducted during the recovery validation phase? A. Verify the permissions assigned to each account B. Implement new firewall rules C. Conduct vulnerability scans D. Verify logging is functioning properly
Implement new firewall rules
Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
Isolation
Which one of the following criteria is NOT normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? A. Effectiveness of the strategy B. Evidence preservation requirements C. Log records generated by the strategy D. Cost of the strategy
Log records generated by the strategy
Which one of the following data elements would not normally be included in an evidence log? A. Serial number B. Record of handling C. Storage location D. Malware signatuers
Malware signatures
Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal? A. Isolation B. Segmentation C. Removal D. None of the above
None of the above
Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information? A. Clear B. Erase C. Purge D. Destroy
Purge
After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
Removal
Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner? A. Removal B. Isolation C. Detection D. Segmentation
Removal
Which one of the following is not a purging activity? A. Resetting to factory state B. Overwriting C. Block erase D. Cryptographic erase
Resetting to factory state
Which one of the following pieces of information is most critical to conducting a solid incident recovery effort? A. Identity of the attacker B. Time of the attack C. Root cause of the attack D. Attacks on other organizations
Root cause of the attack
What NIST publication contains guidance on cybersecurity incident handling? A. SP 800-53 B. SP 800-88 C. SP 800-18 D. SP 800-61
SP 800-61
Which one of the following tools may be used to isolate an attacker so that he or she may not cause damage to production systems but may still be observed by cyber analysts? A. Sandbox B. Playpen C. IDS D. DLP
Sandbox
Which one of the following activities does CompTIA classify as part of the recovery validation effort? A. Rebuilding systems B. Sanitization C. Secure disposal D. Scanning
Scanning
Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? A. Eradication B. Isolation C. Segmentation D. Removal
Segmentation
Which one of the following is not a common use of formal incident reports? A. Training new team members B. Sharing with other organizations C. Developing new security controls D. Assisting with legal action
Sharing with other organizations
