CS-4451 Quiz 13 - Incident Preparation Response and Investigation Study Questions
Which of the following helps achieve data privacy in an enterprise network?
Access control schemes Reason - Access control schemes help data privacy by restricting unauthorized access.
While talking to a new client, the client asked you why access control is mostly used in enterprise networks rather than home networks. How should you reply?
An enterprise network will have more sensitive and confidential information. Reason - When multiple individuals could potentially have access to sensitive information in an enterprise, access control is essential.
In a security meeting, you are asked to suggest access control schemes in which you have high flexibility when configuring access to the enterprise resources. Which of the following should you suggest?
Attribute-based access control Reason - Attribute-based access control is highly flexible, as it uses policies that can combine different attributes.
You are working as a security administrator. Your enterprise has asked you to choose an access control scheme in which a user is authorized to access the resources if the user has a specific attribute and denied if they don't. Which of the following access control schemes should you choose?
Attribute-based access control Reason - Attribute-based access control rules can be formatted using an if-then-else structure.
You are a data steward. You have been asked to restrict User A, who has an access clearance of "top secret" in a MAC-enabled network, from accessing files with the access label "secret." This, in turn, does not affect any other user. What action should you take?
Change the access clearance of User A to "confidential" Reason - Changing User A's access clearance to "confidential" will restrict User A from accessing "secret" files.
Which of the following attack frameworks illustrate that attacks are an integrated end-to-end process, and disrupting any one of the steps will interrupt the entire attack process?
Cyber Kill Chain Reason - Cyber Kill Chain illustrates that attacks are an integrated end-to-end process, and disrupting any one of the steps will interrupt the entire attack process.
Primary investigation after an enterprise security breach revealed that the breach was caused by an unauthorized device physically connected to the enterprise network. Which of the following logs should you examine first while conducting a detailed investigation?
DHCP server logs Reason - DHCP server logs can identify new systems that mysteriously appear and then disappear as part of the network. They can also show what hardware device had which IP address at a specific time.
Who implements access control based on the security level determined by the data owner?
Data custodian Reason - Data custodians, or stewards, implement access control based on the security level determined by the data owner.
Who ensures the enterprise complies with data privacy laws and its own privacy policies?
Data privacy officer Reason - The data privacy officer oversees data privacy compliance and manages data risk.
Which of the following access management controls best fits a home network?
Discretionary access control Reason - DAS best fits a home network since it can be easily managed, and there are fewer restrictions imposed on home networks.
A security breach recently occurred in your enterprise. During the incident investigation, you are asked to examine network-based device logs. Which of the following network devices should you examine first?
Firewall Reason - Firewall log files should be examined first, as the firewall is the primary network device through which traffic passes.
In an interview, you are asked to explain why software forensic tools are used more than forensic hardware workstations. How should you reply?
Forensic hardware workstations are more expensive than forensic software tools. Reason - Forensic hardware workstations are expensive, which makes software forensic tools more favorable to the majority.
Which of the following is a legal complication related to forensics that should be considered when creating a cloud platform?
Jurisdictional applicability Reason - Legal procedures will be based on the jurisdiction where the cloud resources are located, making legal actions on cloud forensics complicated because those laws will likely not be applicable in another jurisdiction in another country.
In a security review meeting, you are asked to make sure that the cybersecurity team is constantly updated on the tactics used by threat actors when they interact with systems during an attack. To which of the following attack frameworks will you refer to meet the goal?
MITRE ATT&CK Reason - MITRE ATT&CK is a knowledge base of attacker techniques that have been broken down and classified in detail. MITRE ATT&CK focuses on how threat actors interact with systems during an operation.
Which of the following is performed during the incident response phase?
Making configuration changes Reason - Making configuration changes to firewall rules, digital certificates, content/URL filters, data loss prevention settings, and mobile device management settings is part of the incident response phase. This is done to reduce the effect of or contain an attack.
Which of the following access control schemes is most secure?
Mandatory access control Reason - MAC is the most restrictive and most secure access control scheme, as the end user has no control over the objects.
Why are mobile devices critical to a digital forensics investigation?
Mobile devices are almost continually in a user's possession. Reason - Mobile devices are almost always in a user's possession, leaving them with significant evidence like call details, GPS data, and app data, making mobile devices more critical in cyber forensics.
Containment is most effective when the network is properly designed. Which of the following contributes to effective network design?
Network segmentation Reason - Network segmentation helps contain attacks in properly designed networks.
Which of the following network-based device logs are the least important when performing an incident investigation?
Routers and Switches Reason - Router and switch log files are the least important, as they cannot be directly targeted by outside attackers. Malicious traffic reaches routers and switches only after breaching all other security devices.
You are working as a security admin in an enterprise and have been asked to choose an access control method so that all users can access multiple systems without crossing their limit of access. Which of the following access control methods is the best fit?
Rule-based access control Reason - Rule-based access control is the best fit in this case, as rule-based access control dynamically assigns roles to subjects based on a set of rules defined by a custodian.
In a security meeting, you were asked about which response method would require less manual intervention per response. Which of the following should you choose?
Runbook Reason - A runbook is a series of automated conditional steps that are part of an incident response procedure. A runbook usually has actions that are performed automatically.
You are a cybersecurity forensic analyst. When conducting an investigation, which of the following actions should you perform first to ensure the highest chance of success in the investigation?
Secure the evidence Reason - Immediately following a security breach, a digital forensic expert must secure the scene by securing evidence.
Which of the following is an example of evidence collected from metadata?
Time stamp Reason - A time stamp is the recorded time that an event took place irrespective of the location of the endpoint. Time stamp metadata can be crucial evidence when investigating an incident.
Windows switches to Secure Desktop Mode when the UAC prompt appears. What is the objective of Secure Desktop Mode?
To prevent malware from tricking users by spoofing what appears on the screen Reason - Secure Desktop Mode allows only integrity level system-trusted processes to run. This prevents malware from spoofing what appears on the screen to trick users.
You are performing digital forensics in an enterprise that recently experienced a security breach. You successfully retrieved all volatile data, and your next focus is hard drives. How should you collect evidence from the hard drives without tainting any evidence?
Use mirror image backups Reason - Mirror image backups replicate every hard drive sector, including all files and any hidden data storage areas.
The devices in your enterprise are configured with mandatory access control in which salaries.xlsx is labeled "secret," transactions.xlsx is labeled "top secret," and employees.xlsx is labeled "confidential." You were asked to configure the user clearance so that User A can access all three files, while User B can only access employees.xlsx. How should you configure the user clearance?
User A: top secret; User B: confidential Reason - Top secret clearance allows User A to access all three files, and confidential clearance only allows User B to access employees.xlsx.
You are a senior security admin in your enterprise. You have been asked to perform an incident response exercise so that you and your colleagues can analyze every possible scenario in case of an attack in the most realistic manner. Which of the following actions should you take?
You should run a plausible simulated attack on the network. Reason - Simulating an attack using a realistic scenario allows for the most realistic analysis of every possible attack scenario.
Your enterprise devices are configured with mandatory access control. How should you control user access so that files with a "top secret" label cannot be accessed by any users while "secret" files remain accessible?
You should set the clearance of all users to "secret." Reason - When user clearance is set to "secret," users cannot access "top secret" files but can still access "secret" files.
You are a cybersecurity investigator who needs query log files for faster analysis during an incident investigation. Which of the following log management tools should you use?
journalctl Reason - journalctl is a Linux utility used for querying and displaying log files.
Which of the following log management tools has content filtering?
syslog-ng Reason - syslog-ng is an open-source utility for UNIX devices that includes content filtering.