CySA+ Chapter 8


Tamara is a cyber analyst for a private business that is suffering from a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority? A. Identifying the source of the attack B. Eradication C. Containment D. Recovery

Containment

Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause? A. Containment, Eradication, and Recovery B. Preparation C. Post-Incident Activity D. Detection and Analysis

Containment, Eradication, and Recovery

Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition? A. Destroy B. Clear C. Erase D. Purge

Destroy

What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network? A. Containment B. Recovery C. Post-Incident Activities D. Eradication

Eradication

Which one of the following is not typically found in a cybersecurity incident report? A. Chronology of events B. Identity of the attackers C. Estimates of the impact D. Documentation of lessons learned

Identity of the attackers

Which one of the following activities is not normally conducted during the recovery validation phase? A. Verify the permissions assigned to each account B. Implement new firewall rules C. Conduct vulnerability scans D. Verify logging is functioning properly

Implement new firewall rules

Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk. She instead prevents the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system, which allows Alice to continue monitoring the incident. What strategy is she now pursuing? A. Eradication B. Isolation C. Segmentation D. Removal

Isolation

Which one of the following criteria is NOT normally used when evaluating the appropriateness of a cybersecurity incident containment strategy? A. Effectiveness of the strategy B. Evidence preservation requirements C. Log records generated by the strategy D. Cost of the strategy

Log records generated by the strategy

Which one of the following data elements would not normally be included in an evidence log? A. Serial number B. Record of handling C. Storage location D. Malware signatures

Malware signatures

Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal? A. Isolation B. Segmentation C. Removal D. None of the above

None of the above

Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information? A. Clear B. Erase C. Purge D. Destroy

Purge

After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?

Removal

Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner? A. Removal B. Isolation C. Detection D. Segmentation

Removal

Which one of the following is not a purging activity? A. Resetting to factory state B. Overwriting C. Block erase D. Cryptographic erase

Resetting to factory state

Which one of the following pieces of information is most critical to conducting a solid incident recovery effort? A. Identity of the attacker B. Time of the attack C. Root cause of the attack D. Attacks on other organizations

Root cause of the attack

What NIST publication contains guidance on cybersecurity incident handling? A. SP 800-53 B. SP 800-88 C. SP 800-18 D. SP 800-61

SP 800-61

Which one of the following tools may be used to isolate an attacker so that he or she may not cause damage to production systems but may still be observed by cyber analysts? A. Sandbox B. Playpen C. IDS D. DLP

Sandbox

Which one of the following activities does CompTIA classify as part of the recovery validation effort? A. Rebuilding systems B. Sanitization C. Secure disposal D. Scanning

Scanning

Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing? A. Eradication B. Isolation C. Segmentation D. Removal

Segmentation

Which one of the following is not a common use of formal incident reports? A. Training new team members B. Sharing with other organizations C. Developing new security controls D. Assisting with legal action

Sharing with other organizations
