CSA+ Chapter 8
15. Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal?
15. D. Even removing a system from the network doesn't guarantee that the attack will not continue. In the example given in this chapter, an attacker can run a script on the server that detects when it has been removed from the network and then proceeds to destroy data stored on the server.
1. Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
A. Containment, Eradication, and Recovery
16. Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
A. Destroy
20. Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?
A. Removal
19. Which one of the following is not a purging activity?
A. Resetting to factory state
6. Which one of the following tools may be used to isolate an attacker so that he or she may not cause damage to production systems but may still be observed by cybersecurity analysts?
A. Sandbox
17. Which one of the following is not typically found in a cybersecurity incident report?
B. Identity of the attacker
11. Which one of the following activities is not normally conducted during the recovery validation phase?
B. Implement new firewall rules
4. Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing?
B. Isolation
13. Which one of the following is not a common use of formal incident reports?
B. Sharing with other organizations
7. Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
C. Containment
2. Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
C. Log records generated by the strategy
10. Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
C. Purge
9. Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
C. Root cause of the attack
3. Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
C. Segmentation
12. What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
D. Eradication
14. Which one of the following data elements would not normally be included in an evidence log?
D. Malware signatures
5. After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
D. Removal
18. What NIST publication contains guidance on cybersecurity incident handling?
D. SP 800-61
8. Which one of the following activities does CompTIA classify as part of the recovery validation effort?
D. Scanning