Domain 7 Practice Questions Part 2


A

Alan is assessing the potential for using machine learning and artificial intelligence in his cybersecurity program. Which of the following activities is most likely to benefit from this technology? A. Intrusion detection B. Account provisioning C. Firewall rule modification D. Media sanitization

C

Allie is responsible for reviewing authentication logs on her organization's network. She does not have the time to review all logs, so she decides to choose only records where there have been four or more invalid authentication attempts. What technique is Allie using to reduce the size of the pool? A. Sampling B. Random selection C. Clipping D. Statistical analysis
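The clipping-level technique behind this question, as an added example (not part of the original quiz): a threshold is applied per account or per source, and only records that cross it are reviewed. The sshd-style log lines are constructed sample input, and the line format is an assumption.

```python
"""Clipping level over authentication logs (added example, not from the quiz).

A clipping level is not a sample: every record is counted, but only the
keys (accounts or sources) whose failure count reaches the threshold are
surfaced for review.  The sshd-style line format below is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log: one legitimate typo (bob), three failures before
# success (carol), and a burst of five failures against a non-existent
# account from an external address.
SAMPLE_LOG = """\
Mar 14 08:01:02 bastion sshd[2201]: Accepted publickey for allie from 10.0.5.21 port 50211 ssh2
Mar 14 08:02:10 bastion sshd[2212]: Failed password for bob from 10.0.5.40 port 50300 ssh2
Mar 14 08:02:14 bastion sshd[2212]: Accepted password for bob from 10.0.5.40 port 50300 ssh2
Mar 14 08:05:31 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar 14 08:05:33 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar 14 08:05:35 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar 14 08:05:37 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar 14 08:05:39 bastion sshd[2250]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Mar 14 08:09:00 bastion sshd[2301]: Failed password for carol from 10.0.5.77 port 50400 ssh2
Mar 14 08:09:05 bastion sshd[2301]: Failed password for carol from 10.0.5.77 port 50400 ssh2
Mar 14 08:09:09 bastion sshd[2301]: Failed password for carol from 10.0.5.77 port 50400 ssh2
Mar 14 08:09:20 bastion sshd[2301]: Accepted password for carol from 10.0.5.77 port 50400 ssh2
"""

# "invalid user" is optional so failures against non-existent accounts count too.
FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text):
    """Return one (user, source_ip) tuple per failed authentication line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures.append((m.group("user"), m.group("src")))
    return failures


def apply_clipping_level(log_text, threshold=4, key="user"):
    """Count failures per user (key="user") or per source address (key="src")
    and return only the keys at or above the clipping level."""
    idx = 0 if key == "user" else 1
    counts = defaultdict(int)
    for record in parse_failures(log_text):
        counts[record[idx]] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("accounts over clipping level:", apply_clipping_level(SAMPLE_LOG))
    print("sources over clipping level:", apply_clipping_level(SAMPLE_LOG, key="src"))
```

Lowering the threshold to 3 would also surface carol, who simply mistyped her password; that trade-off between review volume and missed activity is exactly what choosing a clipping level decides.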

A, B, C

Amanda is configuring her organization's firewall to implement egress filtering. Which of the following traffic types should be blocked by her organization's egress filtering policy? (Select all that apply.) A. Traffic rapidly scanning many IP addresses on port 22 B. Traffic with a broadcast destination C. Traffic with a source address from an external network D. Traffic with a destination address on an external network

A

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. ----- Ann continues her investigation and realizes that the traffic generating the alert is abnormally high volumes of inbound UDP traffic on port 53. What service typically uses this port? A. DNS B. SSH/SCP C. SSL/TLS D. HTTP

D

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. ----- As Ann analyzes the traffic further, she realizes that the traffic is coming from many different sources and has overwhelmed the network, preventing legitimate uses. The inbound packets are responses to queries that she does not see in outbound traffic. The responses are abnormally large for their type. What type of attack should Ann suspect? A. Reconnaissance B. Malicious code C. System penetration D. Denial-of-service
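The pattern Ann is seeing in the two questions above (inbound UDP/53 responses with no matching outbound query, abnormally large for their type) can be checked mechanically from flow records. The following is an added example, not part of the original quiz: it matches each inbound DNS response against recent outbound queries by reversed 5-tuple and flags unsolicited, oversized answers. The flow records, the victim address 192.0.2.10, the time window and the size threshold are all constructed assumptions.

```python
"""Detecting unsolicited, oversized DNS responses in flow records.

Added example, not from the quiz.  Flow records (NetFlow-style) carry no
DNS transaction IDs, so "solicited" is approximated as "an outbound query
from the same client port to the same resolver within the last few
seconds".  All records and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    direction: str   # "in" or "out", relative to the monitored network
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int        # bytes


INTERNAL_HOST = "192.0.2.10"   # assumed victim address (documentation range)

# Constructed flow records, not real traffic.
FLOWS = [
    # Legitimate: outbound query followed by a small answer from the resolver.
    Flow(100.00, "out", "udp", INTERNAL_HOST, 51000, "198.51.100.53", 53, 64),
    Flow(100.02, "in", "udp", "198.51.100.53", 53, INTERNAL_HOST, 51000, 180),
    # Unsolicited, oversized answers arriving from many open resolvers.
    Flow(101.00, "in", "udp", "203.0.113.1", 53, INTERNAL_HOST, 33000, 3200),
    Flow(101.10, "in", "udp", "203.0.113.2", 53, INTERNAL_HOST, 33000, 3100),
    Flow(101.20, "in", "udp", "203.0.113.3", 53, INTERNAL_HOST, 33000, 3300),
    Flow(101.30, "in", "udp", "203.0.113.4", 53, INTERNAL_HOST, 33000, 2900),
    # Large but solicited answer (e.g. DNSSEC): must not be flagged.
    Flow(102.00, "out", "udp", INTERNAL_HOST, 52000, "198.51.100.53", 53, 70),
    Flow(102.03, "in", "udp", "198.51.100.53", 53, INTERNAL_HOST, 52000, 2500),
]


def unsolicited_dns_responses(flows, window=5.0, size_threshold=1200):
    """Return inbound UDP responses from port 53 that have no matching outbound
    query within `window` seconds and are at least `size_threshold` bytes."""
    # (client, client_port, resolver) -> timestamps of outbound queries
    queries = defaultdict(list)
    for f in flows:
        if f.direction == "out" and f.proto == "udp" and f.dport == 53:
            queries[(f.src, f.sport, f.dst)].append(f.ts)

    flagged = []
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.sport != 53:
            continue
        key = (f.dst, f.dport, f.src)          # reversed 5-tuple
        solicited = any(0 <= f.ts - q <= window for q in queries[key])
        if not solicited and f.size >= size_threshold:
            flagged.append(f)
    return flagged


def amplification_summary(flagged):
    """Distinct sources and total bytes: many sources plus unsolicited large
    answers is the reflected/amplified denial-of-service signature."""
    return {
        "responses": len(flagged),
        "sources": len({f.src for f in flagged}),
        "bytes": sum(f.size for f in flagged),
    }


if __name__ == "__main__":
    print(amplification_summary(unsolicited_dns_responses(FLOWS)))
```

Because the match is by reversed 5-tuple only, a resolver that answers a real query with a spoofed-looking duplicate would not be caught; confirming the attack beyond this heuristic needs packet captures, which carry the DNS transaction ID.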

C

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. ----- At this point in the incident response process, what term best describes what has occurred in Ann's organization? A. Security occurrence B. Security incident C. Security event D. Security intrusion

B

Ann is a security professional for a midsize business and typically handles log analysis and security monitoring tasks for her organization. One of her roles is to monitor alerts originating from the organization's intrusion detection system. The system typically generates several dozen alerts each day, and many of those alerts turn out to be false alarms after her investigation. This morning, the intrusion detection system alerted because the network began to receive an unusually high volume of inbound traffic. Ann received this alert and began looking into the origin of the traffic. ----- Now that Ann understands that an attack has taken place that violates her organization's security policy, what term best describes what has occurred in Ann's organization? A. Security occurrence B. Security incident C. Security event D. Security intrusion

D

Barry is the CIO of an organization that recently suffered a serious operational issue that required activation of the disaster recovery plan. He would like to conduct a lessons learned session to review the incident. Who would be the best facilitator for this session? A. Barry, as chief information officer B. Chief information security officer C. Disaster recovery team leader D. External consultant

B

Brandon observes that an authorized user of a system on his network recently misused his account to exploit a system vulnerability against a shared server that allowed him to gain root access to that server. What type of attack took place? A. Denial-of-service B. Privilege escalation C. Reconnaissance D. Brute-force

C

Brent is reviewing the controls that will protect his organization in the event of a sustained period of power loss. Which one of the following solutions would best meet his needs? A. Redundant servers B. Uninterruptible power supply (UPS) C. Generator D. RAID

C

Brian is developing the training program for his organization's disaster recovery program and would like to make sure that participants understand when disaster activity concludes. Which one of the following events marks the completion of a disaster recovery process? A. Securing property and life safety B. Restoring operations in an alternate facility C. Restoring operations in the primary facility D. Standing down first responders

C

Bruce is seeing quite a bit of suspicious activity on his network. After consulting records in his SIEM, it appears that an outside entity is attempting to connect to all of his systems using a TCP connection on port 22. What type of scanning is the outsider likely engaging in? A. FTP scanning B. Telnet scanning C. SSH scanning D. HTTP scanning

A

Candace is designing a backup strategy for her organization's file server. She would like to perform a backup every weekday that has the smallest possible storage footprint. What type of backup should she perform? A. Incremental backup B. Full backup C. Differential backup D. Transaction log backup
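The storage trade-off in this question is easier to see with numbers. The following is an added example, not part of the original quiz: it simulates a Sunday full backup followed by one weekday backup under each strategy, totals the bytes copied, and counts the backup sets a Friday restore would need. The file sizes and daily change sets are constructed; transaction log backups are not modeled.

```python
"""Full vs incremental vs differential backup footprint (added example).

Not from the quiz.  Files, sizes and the set of files changed each
weekday are constructed sample data.  A full backup is assumed to have
run on Sunday before the simulated week begins.
"""

FILES = {"reports.db": 400, "payroll.xlsx": 300, "notes.txt": 200, "logo.png": 100}

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]
WEEKDAY_CHANGES = [          # files modified during each weekday (constructed)
    {"logo.png"},
    {"notes.txt"},
    {"logo.png"},
    {"payroll.xlsx"},
    {"logo.png", "notes.txt"},
]


def simulate_week(files, daily_changes, strategy):
    """Run one backup per weekday using `strategy` and return
    (per-day bytes copied, list of backup sets needed to restore Friday)."""
    if strategy not in ("full", "incremental", "differential"):
        raise ValueError(f"unknown strategy: {strategy}")

    since_full = set()   # files changed since the Sunday full
    since_last = set()   # files changed since the most recent backup of any kind
    sizes = []
    chain = ["Sun-full"]  # backup sets that a restore must replay, in order

    for day, changed in zip(DAYS, daily_changes):
        since_full |= changed
        since_last |= changed
        if strategy == "full":
            copied = set(files)
            since_full.clear()
            since_last.clear()
            chain = [f"{day}-full"]                  # only the latest full is needed
        elif strategy == "incremental":
            copied = set(since_last)
            since_last.clear()
            chain.append(f"{day}-inc")               # every increment since the full
        else:  # differential
            copied = set(since_full)
            since_last.clear()
            chain = ["Sun-full", f"{day}-diff"]      # full plus the latest differential
        sizes.append(sum(files[name] for name in copied))

    return sizes, chain


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        sizes, chain = simulate_week(FILES, WEEKDAY_CHANGES, strategy)
        print(f"{strategy:12s} per-day={sizes} total={sum(sizes)} restore={chain}")
```

Incremental wins on footprint (1000 bytes for the week against 1900 differential and 5000 full) but a Friday restore needs six sets in order, so a single missing or corrupt tape breaks the chain; differential pays more storage for a two-set restore.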

B

Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated? A. Entitlement B. Aggregation C. Transitivity D. Isolation

C

Carolyn is concerned that users on her network may be storing sensitive information, such as Social Security numbers, on their hard drives without proper authorization or security controls. What third-party security service can she implement to best detect this activity? A. IDS B. IPS C. DLP D. TLS

A

Darcy is a computer security specialist who is assisting with the prosecution of a hacker. The prosecutor requests that Darcy give testimony in court about whether, in her opinion, the logs and other records in a case are indicative of a hacking attempt. What type of evidence is Darcy being asked to provide? A. Expert opinion B. Direct evidence C. Real evidence D. Documentary evidence

A

During an incident investigation, investigators meet with a system administrator who may have information about the incident but is not a suspect. What type of conversation is taking place during this meeting? A. Interview B. Interrogation C. Both an interview and an interrogation D. Neither an interview nor an interrogation

C

During what phase of the incident response process do administrators take action to limit the effect or scope of an incident? A. Detection B. Response C. Mitigation D. Recovery

C

During which phase of the incident response process would an analyst receive an intrusion detection system alert and verify its accuracy? A. Response B. Mitigation C. Detection D. Reporting

B

Dylan believes that a database server in his environment was compromised using a SQL injection attack. Which one of the following actions would Dylan most likely take during the remediation phase of the attack? A. Rebuilding the database from backups B. Adding input validation to a web application C. Reviewing firewall logs D. Reviewing database logs
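What the remediation in this question looks like in code, as an added example that is not part of the original quiz: the string-concatenated query that allows the injection, the parameterized query that removes it, and the input-validation layer the answer refers to on top. The table, rows and the username character set are constructed assumptions, and the stored "hashes" are placeholder strings.

```python
"""SQL injection: vulnerable login beside its remediated form (added example).

Not from the quiz.  Uses an in-memory SQLite database with constructed
rows; the "password_hash" values are placeholders, not real hashes.
"""
import re
import sqlite3

# Assumed username policy: letters, digits, dot, dash, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db():
    """Constructed sample database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", "admin"), ("bob", "hash-bob", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Deliberately vulnerable: user input is spliced into the SQL text, so a
    quote in the username ends the string and a '--' comments out the rest."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password_hash):
    """Primary fix: bound parameters are sent as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchall()


def login_hardened(conn, username, password_hash):
    """Remediation as in the question: input validation on top of the
    parameterized query, so malformed usernames never reach the database."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return login_parameterized(conn, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))
    print("parameterized:", login_parameterized(db, payload, "wrong"))
    print("hardened:", login_hardened(db, payload, "wrong"))
```

Parameterization alone already defeats both payloads; the validation layer is defense in depth, and it also keeps injection attempts out of downstream log analysis like Jerome's later in this set.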

C

Fran is considering new human resources policies for her bank that will deter fraud. She plans to implement a mandatory vacation policy. What is typically considered the shortest effective length of a mandatory vacation? A. Two days B. Four days C. One week D. One month

D

Frank is seeking to introduce a hacker's laptop in court as evidence against the hacker. The laptop does contain logs that indicate the hacker committed the crime, but the court ruled that the search of the apartment that resulted in police finding the laptop was unconstitutional. What admissibility criteria prevents Frank from introducing the laptop as evidence? A. Materiality B. Relevance C. Hearsay D. Competence

C

Gavin is the disaster recovery team leader for his organization, which is currently in the response phase of an incident that has severe customer impact. Gavin just received a phone call from a reporter asking for details on the root cause and an estimated recovery time. Gavin has this information at his fingertips. What should he do? A. Provide the information to the reporter. B. Request a few minutes to gather the information and return the call. C. Refer the matter to the public relations department. D. Refuse to provide any information.

C

Gina is the firewall administrator for a small business and recently installed a new firewall. After seeing signs of unusually heavy network traffic, she checked the intrusion detection system, which reported that a SYN flood attack was underway. What firewall configuration change can Gina make to most effectively prevent this attack? A. Block SYN from known IPs. B. Block SYN from unknown IPs. C. Enable SYN-ACK spoofing at the firewall. D. Disable TCP.

C

Gordon suspects that a hacker has penetrated a system belonging to his company. The system does not contain any regulated information, and Gordon wants to conduct an investigation on behalf of his company. He has permission from his supervisor to conduct the investigation. Which of the following statements is true? A. Gordon is legally required to contact law enforcement before beginning the investigation. B. Gordon may not conduct his own investigation. C. Gordon's investigation may include examining the contents of hard disks, network traffic, and any other systems or information belonging to the company. D. Gordon may ethically perform "hack back" activities after identifying the perpetrator.

D

Hunter is reviewing his organization's monitoring strategy and identifying new technologies that they might deploy. His assessment reveals that the firm is not doing enough to monitor employee activity on endpoint devices. Which one of the following technologies would best meet his needs? A. EDR B. IPS C. IDS D. UEBA

B

Jerome is conducting a forensic investigation and is reviewing database server logs to investigate query contents for evidence of SQL injection attacks. What type of analysis is he performing? A. Hardware analysis B. Software analysis C. Network analysis D. Media analysis

C

Kevin is developing a continuous security monitoring strategy for his organization. Which one of the following is not normally used when determining assessment and monitoring frequency? A. Threat intelligence B. System categorization/impact level C. Security control operational burden D. Organizational risk tolerance

1C, 2B, 3A, 4D

Match each of the numbered terms with its correct lettered definition: Terms 1. Honeypot 2. Honeynet 3. Pseudoflaw 4. Darknet Definitions A. An intentionally designed vulnerability used to lure in an attacker B. A network set up with intentional vulnerabilities C. A system set up with intentional vulnerabilities D. A monitored network without any hosts

1B, 2D, 3C, 4A

Match each of the numbered types of recovery capabilities to their correct lettered definition: Terms 1. Hot site 2. Cold site 3. Warm site 4. Service bureau Definitions A. An organization that can provide on-site or off-site IT services in the event of a disaster B. A site with dedicated storage and real-time data replication, often with shared equipment that allows restoration of service in a very short time C. A site that relies on shared storage and backups for recovery D. A rented space with power, cooling, and connectivity that can accept equipment as part of a recovery effort

C

Melanie suspects that someone is using malicious software to steal computing cycles from her company. Which one of the following security tools would be in the best position to detect this type of incident? A. NIDS B. Firewall C. HIDS D. DLP

A, B, D

Nancy is leading an effort to modernize her organization's antimalware protection and would like to add endpoint detection and response (EDR) capabilities. Which of the following actions are normally supported by EDR systems? (Select all that apply.) A. Analyzing endpoint memory, filesystem, and network activity for signs of malicious activity B. Automatically isolating possible malicious activity to contain the potential damage C. Conducting simulated phishing campaigns D. Integration with threat intelligence sources

C

Patrick was charged with implementing a threat hunting program for his organization. Which one of the following is the basic assumption of a threat hunting program that he should use as he plans his work? A. Security controls were designed using a defense-in-depth strategy. B. Audits may uncover control deficiencies. C. Attackers may already be present on the network. D. Defense mechanisms may contain unpatched vulnerabilities.

D

Pauline is reviewing her organization's emergency management plans. What should be the highest priority when creating these plans? A. Protection of mission-critical data B. Preservation of operational systems C. Collection of evidence D. Preservation of safety

C

Quigley Computing regularly ships tapes of backup data across the country to a secondary facility. These tapes contain confidential information. What is the most important security control that Quigley can use to protect these tapes? A. Locked shipping containers B. Private couriers C. Data encryption D. Media rotation

C

Roger recently accepted a new position as a security professional at a company that runs its entire IT infrastructure within an IaaS environment. Which one of the following would most likely be the responsibility of Roger's firm? A. Configuring the network firewall B. Applying hypervisor updates C. Patching operating systems D. Wiping drives prior to disposal

B

Sally is building a new server for use in her environment and plans to implement RAID level 1 as a storage availability control. What is the minimum number of physical hard disks that she needs to implement this approach? A. One B. Two C. Three D. Five

A

Timber Industries recently got into a dispute with a customer. During a meeting with his account representative, the customer stood up and declared, "There is no other solution. We will have to take this matter to court." He then left the room. When does Timber Industries have an obligation to begin preserving evidence? A. Immediately B. Upon receipt of a notice of litigation from opposing attorneys C. Upon receipt of a subpoena D. Upon receipt of a court order

C

Veronica is considering the implementation of a database recovery mechanism recommended by a consultant. In the recommended approach, an automated process will move database backups from the primary facility to an off-site location each night. What type of database recovery technique is the consultant describing? A. Remote journaling B. Remote mirroring C. Electronic vaulting D. Transaction logging

B

What technique can application developers use to test applications in an isolated virtualized environment before allowing them on a production network? A. Penetration testing B. Sandboxing C. White-box testing D. Black-box testing

D

What technique has been used to protect the intellectual property in the following image? A. Steganography B. Clipping C. Sampling D. Watermarking

B

What type of disaster recovery test activates the alternate processing facility and uses it to conduct transactions but leaves the primary site up and running? A. Full interruption test B. Parallel test C. Checklist review D. Tabletop exercise

B

When designing an access control scheme, Hilda set up roles so that the same person does not have the ability to provision a new user account and assign superuser privileges to an account. What information security principle is Hilda following? A. Least privilege B. Separation of duties C. Job rotation D. Security through obscurity

A, B, C, E, F

Which of the following events would constitute a security incident? (Select all that apply.) A. An attempted network intrusion B. A successful database intrusion C. A malware infection D. A successful attempt to access a file E. A violation of a confidentiality policy F. An unsuccessful attempt to remove information from a secured area

B

Which one of the following individuals poses the greatest risk to security in most well-defended organizations? A. Political activist B. Malicious insider C. Script kiddie D. Thrill attacker

D

Which one of the following techniques is not commonly used to remove unwanted remnant data from magnetic tapes? A. Physical destruction B. Degaussing C. Overwriting D. Reformatting

C

Which one of the following tools helps system administrators by providing a standard, secure template of configuration settings for operating systems and applications? A. Security guidelines B. Security policy C. Baseline configuration D. Running configuration

B

Which one of the following tools provides an organization with the greatest level of protection against a software vendor going out of business? A. Service-level agreement B. Escrow agreement C. Mutual assistance agreement D. PCI DSS compliance agreement

B

You are performing an investigation into a potential bot infection on your network and want to perform a forensic analysis of the information that passed between different systems on your network and those on the internet. You believe that the information was likely encrypted. You are beginning your investigation after the activity concluded. What would be the best and easiest way to obtain the source of this information? A. Packet captures B. NetFlow data C. Intrusion detection system logs D. Centralized authentication records

D

You are working to evaluate the risk of flood to an area as part of a business continuity planning (BCP) effort. You consult the flood maps from the Federal Emergency Management Agency (FEMA). According to those maps, the area lies within a 200-year flood plain. What is the annualized rate of occurrence (ARO) of a flood in that region? A. 200 B. 0.01 C. 0.02 D. 0.005

