sybr 201 final :(


Which of the following activities should you not do during an incident response investigation associated with an APT? A. Use the corporate e-mail system to communicate. B. Determine system time offsets. C. Use only qualified and trusted tools. D. Create an off-network site for data collection.

A. Use the corporate e-mail system to communicate.

When the attackers are focused on maintaining a presence during an incident, the type of attack is typically called a(n) _______________.

APT (advanced persistent threat)

When is testing best accomplished?

As early as possible in the process

Which of the following statements about risk is true? A. A manager can accept the risk, which will reduce the risk. B. The risk itself doesn't really change. However, actions can be taken to reduce the impact of the risk. C. A manager can transfer the risk, which will reduce the risk. D. A manager can take steps to increase the risk.

B. The risk itself doesn't really change. However, actions can be taken to reduce the impact of the risk.

A judge has issued an order for all e-mail to be preserved, and that order is in effect. Which of the following statements is correct? A. You can delete old e-mail after the standard retention period. B. You should have legal determine which records must be saved. C. You should continue archiving all e-mail. D. You can delete the e-mail after making a copy to save for e-discovery.

C. You should continue archiving all e-mail.

Which of the following is a security policy enforcement point placed between cloud service consumers and cloud service providers to manage enterprise security policies as cloud-based resources are accessed?

CASB (cloud access security broker)

Which is the most critical element in understanding your current cloud security posture?

Cloud service agreement

Problems in which phase will specifically stop continuous deployment, but not necessarily continuous delivery?

Continuous validation

Resource policies involve all of the following except? A. Permissions B. IAM C. Cost D. Access

Cost

What is the primary downside of a private cloud model?

Cost

You have been tasked with assisting in the forensic investigation of an incident relating to employee misconduct. The employee's supervisor believes evidence of this misconduct can be found on the employee's assigned workstation. Which of the following choices best describes what should be done?

Create a timeline of events related to the scope.

During an initial response to an incident, which of the following is most important? A. Who or what is reporting the incident B. The time of the report C. Who takes the initial report D. Accurate information

D. Accurate information

When determining the level of risk of exposure for data in storage, in transit, or during processing, which of the following is not a factor?

Data type

In which backup strategy are only those portions of the files and software that have changed since the last backup backed up?

Delta

Which of the following correctly describes the minimum contents of an evidence control log book?

Description, Investigator, Case #, Date, Time, Location, Reason (who, what, when, where, how, and why)

A(n) _______________ is an artifact that can be used to detect the presence of an attack.

IOC (Indicator of attack)

You are planning to move some applications to the cloud, including your organization's accounting application, which is highly customized and does not scale well. Which cloud deployment model is best for this application?

IaaS

Which of the following correctly describes the chain of custody for evidence?

It accounts for all persons who handled or had access to a specific item of evidence.

Your organization experienced an APT hack in the past and is interested in preventing a reoccurrence. What step of the attack path is the best step at which to combat APT-style attacks?

Lateral movement

What is the last step of the incident response process?

Lessons learned

One of the primary resources in use at your organization is a standard database that many applications tie into. Which cloud deployment model is best for this kind of application?

PaaS

What is the most useful tool to determine the next steps when investigating a common incident, like malware on a server?

Playbook

Common cryptographic failures include which of the following?

Poor encryption protocols

Which cloud deployment model has the fewest security controls?

Public

Asset value × exposure factor = _______________.

Single Loss Expectancy (SLE)

Which of the following correctly defines real evidence?

Tangible objects that prove or disprove a fact.

A sysadmin thinks a machine is under attack, so he logs in as root and attempts to see what is happening on the machine. Which common technical mistake is most likely to occur?

The alteration of date/time stamps on files and objects in the system

Which of the following correctly defines documentary evidence?

The evidence is presented in the form of business records, printouts, manuals, and other items.

What is qualitative risk management?

The process of subjectively determining the impact of an event that affects a project, program, or business

Why should developers and testers avoid using "live" production data to perform various testing activities?

The use of "live" production data can jeopardize the confidentiality and integrity of the production data.

What is the purpose of establishing software change management procedures?

To add structure and control to the development of software systems

What is the purpose of a change control board (CCB)?

To facilitate management oversight and better project coordination

_______________ is the infrastructure needed to enable the hosting of a desktop environment on a central server.

VDI (virtual desktop infrastructure)

When software, either malware or an attacker, escapes from one VM to the underlying OS, this is referred to as _______________.

VM escape

The _______________ is a linear software engineering model with no repeating steps.

Waterfall method

Why is VM sprawl an issue?

When servers are no longer physical, it can be difficult to locate a specific machine.

Which of the following is not involved with a code injection error?

a pointer in the C language

Single loss expectancy × annualized rate of occurrence = _______________.

annualized loss expectancy

A _______________ describes a system as it is built and functioning at a point in time.

baseline

Input validation is important to prevent what?

buffer overflow

Code review by a second party is helpful to do what?

catch errors early in the programming process

Modifying a SQL statement through false input to a function is an example of _______________.

code injection

The document that contains all the information about various data sources available to incident responders is referred to as the _______________.

collection management framework

Evidence that is legally qualified and reliable is _______________.

competent

The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements is called a _______________.

configuration auditing

_______________ is the process of controlling changes to items that have been baselined.

configuration control

When you identify which assets need to be managed and controlled, you are performing _______________.

configuration identification

A number that is suitable for an encryption function is called _______________.

cryptographically random

One methodology for planning incident response defenses is known as _______________.

cyber kill chain

The banning of _______________ helps improve code quality by using safer library calls.

deprecated functions

A backup that includes only the files that have changed since the last full backup was completed is called a _______________.

differential backup

_____________ is oral testimony or other evidence that proves a specific fact (such as an eyewitness's statement, fingerprint, photo, and so on). The knowledge of the facts is obtained through the five senses of the witness. There are no inferences or presumptions.

direct evidence

Determining what data and processes are needed to restore critical processes is called a _______________.

disaster recovery plan

You have deployed a network of Internet-connected sensors across a wide geographic area. These sensors are small, low-power IoT devices, and you need to perform temperature conversions and collect the data into a database. The calculations would be best managed by which architecture?

edge computing

Documents, verbal statements, and material objects admissible in a court of law are called _______________.

evidence

Evidence collected in violation of the Fourth Amendment of the U.S. Constitution, the Electronic Communications Privacy Act (ECPA), or other aspects of the U.S. Code may not be admissible to a court under the terms of the _______________.

exclusory

The _______________ measures the magnitude of the loss of an asset.

exposure factor

_______________ is a distributed form of cloud computing, where the workload is performed on a distributed, decentralized architecture.

fog computing

The determination of boundaries during an attack is a process called _______________.

footprinting

_____________ consists of the preservation, identification, documentation, and interpretation of computer data to be used in legal proceedings.

forensics

_______________ consists of the remaining sectors of a previously allocated file that are available for the operating system to use.

free space

Using a series of malformed inputs to test for conditions such as buffer overflows is called _______________.

fuzzing

A(n) _______________ is a circumstance that increases the likelihood or probable severity of a loss.

hazard

A(n) _______________ structure is one where elements are combined from private, public, and community cloud structures.

hybrid cloud

When a threat exploits a vulnerability, you experience a(n) _______________.

impact

The largest class of errors in software engineering can be attributed to which of the following?

improper input validation

A(n) _______________ is any event in an information system or network where the results are different than normal.

incident

The steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system are called _______________.

incident response

A key measure used to prioritize incident response actions is _______________.

information criticality

The name of a capability that must be enabled on firewalls, secure web gateways, and cloud access security brokers (CASBs) to determine if the next system in a communication chain is legitimate or not is called _______________.

instance awareness

Using an administrator-level account for all functions is a violation of the principle of _______________.

least privileged

A(n) _______________ causes an application to malfunction because of a misrepresented name for a resource.

mechanicalization

If you reduce the likelihood of a threat occurring, you _______________ the risk.

mitigate

Which security control is a policy or procedure used to limit physical security risk?

operational

_______________ is the term used to describe the offering of a computing platform in the cloud.

platform as a service

When discussing qualitative risk assessment versus quantitative risk assessment, which of the following is true?

purely quantitative is impossible but purely qualitative is possible

To understand time values relative to other systems in a network, one should _______________.

record time offset

_______________ is the maximum period of time in terms of data loss that is acceptable during an outage.

recovery point objective

____________ is evidence that is material to the case or has a bearing on the matter at hand.

relevant evidence

The _______________ is the first opportunity to address security functionality during a project.

requirements phase

Risk analysis is synonymous with ____________.

risk assessment

_______________ is the term used to denote the policies and procedures employed to connect the IAM systems of the enterprise and the cloud to enable communication with the data.

secrets management

_______________ is the process of assigning responsibilities to different individuals such that no single individual can commit fraudulent or malicious actions.

separation of duties

Specifying compute requirements in terms of resources needed (for example, processing power and storage) is an example of _______________.

serverless architecture

_____________ is the unused space on a disk drive when a file is smaller than the allocated unit of storage.

slack space

The rule whereby courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred is termed the _______________.

the best evidence rule

Which of the following correctly defines residual risk?

the risk still remaining after

Any circumstance or event with the potential to cause harm to an asset is a(n) _______________.

threat

_______________ is a proactive approach to finding an attacker in a network.

threat hunting

A(n) _______________ is a network connection that is used to interconnect virtual private clouds (VPCs) and on-premises networks.

transit gateway

Which of the following is one of the most fundamental rules to good coding practice?

validate all inputs

A(n) _______________ allows connections to and from a virtual private cloud instance.

virtual private cloud end point

A characteristic of an asset that can be exploited by a threat to cause harm is its _______________.

vulnerability

A _______________ is a partially configured backup processing facility that usually has the peripherals and software but perhaps not the more expensive main processing computer.

warm site

A(n) _______________ is a vulnerability that has been discovered by hackers but not by the developers of the software.

zero day

