CYBER CH20-25
IOC
A(n) _______________ is an artifact that can be used to detect the presence of an attack
Incident
A(n) _______________ is any event in an information system or network where the results are different than normal.
Statutory Law
A(n) _______________ is passed by a legislative branch of government.
Which of the following correctly defines risk?
A. The risk still remaining after an iteration of risk management B. The loss that results when a vulnerability is exploited by a threat C. Any circumstance or event with the potential to cause harm to an asset D. The possibility of suffering harm or loss
A _______________ describes a system as it is built and functioning at a point in time.
Baseline
D
Breaking into another computer system in the United States, even if you do not cause any damage, is regulated by what law? A. State law, as the damage is minimal B. Federal law under the Identity Theft and Assumption Deterrence Act C. Federal law under the Electronic Communications Privacy Act (ECPA) of 1986 D. Federal law under the USA PATRIOT Act of 2001
B
Circumventing technological controls to prevent reverse engineering is a violation of which of the following? A. HIPAA B. DMCA C. ECPA D. All of the above
PII
Data that can be used to identify a specific individual is referred to as _______________.
Determining what data and processes are needed to restore critical processes is called a _______________.
Disaster recovery plan
evidence
Documents, verbal statements, and material objects admissible in a court of law are called _______________.
D
During an initial response to an incident, which of the following is most important? A. Who or what is reporting the incident B. The time of the report C. Who takes the initial report D. Accurate information
A
European privacy laws are built upon which of the following? A. General Data Protection Regulations B. Personal Information Protection and Electronic Data Act (PIPEDA) C. Safe Harbor principles D. Common law practices
Exclusionary Rule
Evidence collected in violation of the Fourth Amendment of the U.S. Constitution, the Electronic Communications Privacy Act (ECPA), or other aspects of the U.S. Code may not be admissible to a court under the terms of the _______________.
Competent evidence
Evidence that is legally qualified and reliable is _______________.
B
Export of encryption programs is regulated by which entity? A. U.S. State Department B. U.S. Commerce Department C. U.S. Department of Defense D. National Security Agency
The _______________ measures the magnitude of the loss of an asset.
Exposure Factor
B
For the FBI to install and operate Carnivore (or subsequent tool) on an ISP's network, what is required? A. A court order specifying specific items being searched for B. An official request from the FBI C. An impact statement to assess recoverable costs to the ISP D. A written request from an ISP to investigate a computer trespass incident
D
HIPAA requires which of the following controls for medical records? A. Encryption of all data B. Technical safeguards C. Physical controls D. Administrative, technical, and physical controls
A(n) _______________ is a circumstance that increases the likelihood or probable severity of a loss.
Hazard
Section 404
IT controls were mandated in public companies by _______________, part of the Sarbanes-Oxley Act.
B
In the United States, company responses to data disclosures of PII are regulated by which of the following? A. Federal law, the Privacy Act B. A series of state statutes C. Contractual agreements with banks and credit card processors D. The Gramm-Leach-Bliley Act (GLBA)
Opt Out, Opt In
In the United States, the standard methodology for consumers with respect to privacy is to _______________, whereas in the EU it is to ______________.
D
In which backup strategy are only those portions of the files and software that have changed since the last backup backed up? A. Full B. Differential C. Incremental D. Delta
When discussing qualitative risk assessment versus quantitative risk assessment, which of the following is true?
It is impossible to conduct a purely quantitative risk assessment, but it is possible to conduct a purely qualitative risk assessment.
D
Key elements of GDPR include which of the following? A. Conducting EU data-breach notification stress tests B. Appointing a data protection officer reporting directly to top-level management of the firm C. Right to Erasure D. All of the above
D
Logging in as your boss to fix your time records is: A. OK, if you are accurately reporting your time B. One of the obscure elements of DMCA C. A violation of the Separation of Duties Law D. A form of computer trespass
Notice
Many privacy regulations have specified that firms provide an annual _______________ to customers.
HIPAA
Medical information in the United States is protected via the _______________.
Cyber Kill Chain
One methodology for planning incident response defenses is known as _______________.
Which security control is a policy or procedure used to limit physical security risk?
Operational
A
Privacy is defined as: A. One's ability to control information about oneself B. Being able to keep one's information secret C. Making data-sharing illegal without consumer consent D. Something that is outmoded in the Internet age
Cookie Cutters
Programs used to control the use of _______________ during web browsing are referred to as _______________.
C
Publication of flaws in encryption used for copy protection is a potential violation of which of the following? A. HIPAA B. U.S. Commerce Department regulations C. DMCA D. National Security Agency regulations
_______________ is the maximum period of time in terms of data loss that is acceptable during an outage.
Recovery point objective
_______________ is the process of assigning responsibilities to different individuals such that no single individual can commit fraudulent or malicious actions.
Separation of duties
Red Flag Rule
The FTC mandates firms' use of _______________ procedures to identify instances where additional privacy measures are warranted.
Configuration auditing
The process of verifying that configuration items are built and maintained according to requirements, standards, or contractual agreements is called a _______________.
best evidence rule
The rule whereby courts prefer original evidence rather than a copy to ensure that no alteration of the evidence (whether intentional or unintentional) has occurred is termed the _______________.
Incident response
The steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system are called _______________.
Privacy Impact Assessment (PIA)
To evaluate the privacy risks in a firm, a(n) _______________ can be performed.
A
What is the purpose of a change control board (CCB)? A. To facilitate management oversight and better project coordination B. To identify which assets need to be managed and controlled C. To establish software processes that are structured enough that success with one project can be repeated for another similar project D. To track and maintain data relative to each configuration item in the baseline
B
What is the purpose of establishing software change management procedures? A. To ensure continuity of business operations in the event of a natural disaster B. To add structure and control to the development of software systems C. To ensure changes in business operations caused by a management restructuring are properly controlled D. To identify threats, vulnerabilities, and mitigating actions that could impact an enterprise
D
What is/are the primary factor(s) behind data-sharing compliance between U.S. and European companies? A. U.S. firms adopting provisions of the GDPR B. Safe Harbor provisions C. U.S. FTC enforcement actions D. All of the above
C
When determining the level of risk of exposure for data in storage, in transit, or during processing, which of the following is not a factor? A. Time B. Quantity C. Data type D. Access
APT
When the attackers are focused on maintaining a presence during an incident, the type of attack is typically called a(n) _______________.
Configuration Identification
When you identify which assets need to be managed and controlled, you are performing _______________.
A
Which of the following activities should you not do during an incident response investigation associated with an APT? A. Use the corporate e-mail system to communicate. B. Determine system time offsets. C. Use only qualified and trusted tools. D. Create an off-network site for data collection.
ACD
Which of the following are critical elements in an incident response toolkit? (Choose all that apply.) A. Accurate network diagram B. Findings of last penetration test report C. List of critical data/systems D. Phone list of people on-call by area
A
Which of the following correctly defines documentary evidence? A. The evidence is presented in the form of business records, printouts, manuals, and other items. B. The knowledge of the facts is obtained through the five senses of the witness. C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred. D. Physical evidence that links the suspect to the scene of a crime.
A
Which of the following correctly defines evidence as being relevant? A. The evidence is material to the case or has a bearing on the matter at hand. B. The evidence is presented in the form of business records, printouts, or other items. C. The evidence is convincing or measures up without question. D. The evidence is legally qualified and reliable.
D
Which of the following correctly defines free space? A. The unused space on a disk drive when a file is smaller than the allocated unit of storage (such as a sector). B. The space on a disk drive that is occupied by the boot sector. C. The space located at the beginning of a partition. D. The remaining sectors of a previously allocated file that are available for the operating system to use.
D
Which of the following correctly defines real evidence? A. The evidence is convincing or measures up without question. B. The evidence is material to the case or has a bearing on the matter at hand. C. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or other item and be offered to prove an event occurred. D. Tangible objects that prove or disprove a fact.
D
Which of the following correctly defines slack space? A. The space on a disk drive that is occupied by the boot sector B. The space located at the beginning of a partition C. The remaining sectors of a previously allocated file that are available for the operating system to use D. The unused space on a disk drive when a file is smaller than the allocated unit of storage
A
Which of the following correctly defines the exclusionary rule? A. Any evidence collected in violation of the Fourth Amendment is not admissible as evidence. B. The evidence consists of tangible objects that prove or disprove a fact. C. The knowledge of the facts is obtained through the five senses of the witness. D. The evidence is used to aid the jury and may be in the form of a model, experiment, chart, or the like, offered to prove an event occurred.
B
Which of the following correctly describes the chain of custody for evidence? A. The evidence is convincing or measures up without question. B. It accounts for all persons who handled or had access to a specific item of evidence. C. Description, Investigator, Case #, Date, Time, Location, Reason. D. The evidence is legally qualified and reliable.
A
Which of the following correctly describes the minimum contents of an evidence control log book? A. Description, Investigator, Case #, Date, Time, Location, Reason B. Description, Investigator, Case #, Date, Location, Reason C. Description, Case #, Date, Time, Location, Reason D. Description, Coroner, Case #, Date, Time, Location, Reason
A
Which of the following does not adhere to the principle of separation of duties? A. Software development, testing, quality assurance, and production should be assigned to the same individuals. B. Software developers should not have access to production data and source-code files. C. Software developers and testers should be restricted from accessing "live" production data.
D
Which of the following is an acceptable PII disposal procedure? A. Shredding B. Burning C. Electronic destruction per military data destruction standards D. All of the above
B
Which of the following is not PII? A. Customer name B. Customer ID number C. Customer Social Security number or taxpayer identification number D. Customer birth date
B
Which of the following is not an indicator of compromise (IOC)? A. Unusual outbound traffic B. Increase in traffic over port 80 C. Traffic to unusual foreign IP addresses D. Discovery of large encrypted data blocks that you don't know the purpose of
C
Which of the following is the least rigorous investigative method? A. Using a dedicated forensic workstation B. Verifying software on a suspect system and using that software for the investigation C. Examining the suspect system using its software without verification D. Booting the suspect system with a verified external OS kernel and tools
B
Which of the following is the name for a partially configured environment that has the peripherals and software that the normal processing facility contains and that can be operational within a few days? A. Hot site B. Warm site C. Online storage system D. Backup storage facility
D
Which of the following should trigger a response under the red flag rule? A. All credit requests for people under 25 or over 75 B. Any new customer credit request, except for name changes due to marriage C. Request for credit from a customer who has a history of late payments and poor credit D. Request for credit from a customer with a credit freeze on their credit reporting record
B
Why should developers and testers avoid using "live" production data to perform various testing activities? A. The use of "live" production data ensures a full and realistic test database. B. The use of "live" production data can jeopardize the confidentiality and integrity of the production data. C. The use of "live" production data ensures an independent and objective test environment. D. Developers and testers should be allowed to use "live" production data for reasons of efficiency.
A
You are arrested as a result of your hacking activities, and investigators find you have been breaking password files and sharing them across the Internet. Which law have you violated? A. CFAA B. ECPA C. DMCA D. HIPAA
A
You have been tasked with assisting in the forensic investigation of an incident relating to employee misconduct. The employee's supervisor believes evidence of this misconduct can be found on the employee's assigned workstation. Which of the following choices best describes what should be done? A. Create a timeline of events related to the scope. B. Copy the user profile to reduce the search space. C. Sign in as the user and search through their recent efforts. D. Examine log file entries under the user's profile.
C
Your Social Security number and other associated facts kept by your bank are protected by what law against disclosure? A. The Social Security Act of 1934 B. The USA PATRIOT Act of 2001 C. The Gramm-Leach-Bliley Act D. HIPAA
C
Your organization experienced an APT hack in the past and is interested in preventing a reoccurrence. What step of the attack path is the best step at which to combat APT-style attacks? A. Escalate privilege B. Establish foothold C. Lateral movement D. Initial compromise
relevant evidence
______________ is evidence that is material to the case or has a bearing on the matter at hand.
STIX, TAXII, CybOX
_______________ and _______________ are used to communicate cyberthreat information between organizations.
Common Law
_______________ comes from the judicial branch of government.
forensics
_______________ consists of the preservation, identification, documentation, and interpretation of computer data to be used in legal proceedings.
free space
_______________ consists of the remaining sectors of a previously allocated file that are available for the operating system to use.
Threat hunting
_______________ is a proactive approach to finding an attacker in a network.
direct evidence
_______________ is oral testimony or other evidence that proves a specific fact (such as an eyewitness's statement, fingerprint, photo, and so on). The knowledge of the facts is obtained through the five senses of the witness. There are no inferences or presumptions.
Configuration Control
_______________ is the process of controlling changes to items that have been baselined.
Privacy
_______________ is the right to control information about oneself.
slack space
_______________ is the unused space on a disk drive when a file is smaller than the allocated unit of storage.
D
True or false? Writing viruses and releasing them across the Internet is a violation of law. A. Always true. All countries have reciprocal agreements under international law. B. Partially true. Depends on the laws in the country of origin. C. False. Computer security laws do not cross international boundaries. D. Partially true. Depends on the specific countries involved, both of the virus author and the recipient.
Differential Backup
A backup that includes only the files that have changed since the last full backup was completed is called a _______________.
Computer Trespass
A catchall law to prosecute hackers is the statute on _______________.
D
A good backup plan will include which of the following? A. The critical data needed for the organization to operate B. Any software that is required to process the organization's data C. Specific hardware to run the software or to process the data D. All of the above
C
A judge has issued an order for all e-mail to be preserved, and that order is in effect. Which of the following statements is correct? A. You can delete old e-mail after the standard retention period. B. You should have legal determine which records must be saved. C. You should continue archiving all e-mail. D. You can delete the e-mail after making a copy to save for e-discovery.
Information criticality
A key measure used to prioritize incident response actions is ________________.
A
A privacy impact assessment: A. Determines the gap between a company's privacy practices and required actions B. Determines the damage caused by a breach of privacy C. Determines what companies hold information on a specific person D. Is a corporate procedure to safeguard PII
A
A sysadmin thinks a machine is under attack, so he logs in as root and attempts to see what is happening on the machine. Which common technical mistake is most likely to occur? A. The alteration of date/time stamps on files and objects in the system B. Failure to recognize the attacker by process ID C. Erasure of logs associated with an attack D. The cutting of a network connection between an attacker and the current machine
CFAA (1986) (War Games)
The _______________ is the primary U.S. federal law on computer intrusion and misuse.
PCI DSS
The contractual set of rules governing credit card security is the _______________.
Footprinting
The determination of boundaries during an attack is a process called _______________.
Collection management framework
The document that contains all the information about various data sources available to incident responders is referred to as the _______________.
System
The document used by the change control board to track changes to software is called a _______________.
B
The goals of an incident response process include all of the following except which one? A. Confirm or dispel an incident occurrence. B. Minimize security expenditures. C. Protect privacy rights. D. Minimize system disruption.
Privacy Act of 1974, Freedom of Information Act
The major U.S. privacy statutes are the ____________ and the _______________.
GDPR (General Data Protection Regulation)
The newer set of privacy rules and regulations in the EU are referred to as the _______________.
Administrative Law
The power of government-sponsored agencies lies in _______________.
record time offset
To understand time values relative to other systems in a network, one should _______________.
A
True or false? A sysadmin who is reading employee e-mail to look for evidence of someone stealing company passwords is protected by the company-owned equipment exemption on eavesdropping. A. False, there is no "company-owned exemption." B. True, provided they have their manager's approval. C. True, provided they have senior management permission in writing. D. True, if it is in their job description.
A _______________ is a partially configured backup processing facility that usually has the peripherals and software but perhaps not the more expensive main processing computer.
Warm Site
C
What is configuration auditing? A. The process of controlling changes to items that have been baselined B. The process of identifying which assets need to be managed and controlled C. The process of verifying that the configuration items are built and maintained properly D. The procedures for tracking and maintaining data relative to each configuration item in the baseline
A
What is configuration control? A. The process of controlling changes to items that have been baselined B. The process of identifying which assets need to be managed and controlled C. The process of verifying that the configuration items are built and maintained properly D. The procedures for tracking and maintaining data relative to each configuration item in the baseline
D
What is configuration identification? A. The process of verifying that the configuration items are built and maintained properly B. The procedure for tracking and maintaining data relative to each configuration item in the baseline C. The process of controlling changes to items that have been baselined D. The process of identifying which assets need to be managed and controlled
D
What is the last step of the incident response process? A. Reconstitution B. Recovery C. Follow-up D. Lessons learned
C
What is the most useful tool to determine the next steps when investigating a common incident, like malware on a server? A. Runbook B. SIEM data C. Playbook D. Security orchestration, automation, and response (SOAR)
D
What is the order of collecting evidence at a scene? A. Take a picture of the screen, RAM, copy USBs, copy hard disk, live network connections B. RAM, live network connections, temporary swap space, data on hard disk(s) C. Hard disk, RAM, any USBs D. ARP cache, live network connections, RAM, hard disk
